Privacy and Security Our Priority

This Privacy Policy explains how personal data is collected, used, shared, and protected during your use of the social media management platform provided by Kulga Yazılım ve Telekomünikasyon Limited Şirketi ("Company", "Sosyal Köprü", "we", "our" or "us"). This policy is prepared in compliance with the Turkish Personal Data Protection Law (KVKK Law No. 6698) and the European Union General Data Protection Regulation (GDPR).

By using the Sosyal Köprü platform or creating an account, you accept the practices described in this Privacy Policy. Please read this document carefully.

1. DATA CONTROLLER AND CONTACT INFORMATION

Under this Privacy Policy, the processing of your personal data is the responsibility of Kulga Yazılım ve Telekomünikasyon Limited Şirketi.

2. ABOUT THE PLATFORM

Sosyal Köprü is a B2B SaaS (Software as a Service) platform that enables businesses to manage their social media accounts from a single location. Through our platform, you can share, schedule, and track analytics on social media platforms such as Instagram, Facebook, LinkedIn, X (Twitter), YouTube, and TikTok.

3. PERSONAL DATA COLLECTED

We may collect your personal data in the following categories to provide our service:

3.1. Identity and Contact Data

• Name and surname
• Email address
• Phone number (optional)
• Password information (encrypted format)
• Profile photo (optional)

3.2. Company and Billing Information

• Company/organization name
• Tax number
• Tax office information
• Company address
• City and country information
• Billing information

3.3. Social Media Account Information

• Connected social media platforms (Instagram, Facebook, LinkedIn, X, YouTube, TikTok)
• Account IDs and usernames
• API access tokens (encrypted format)
• Account type information (personal, business, etc.)
• Follower counts and account statistics
• Avatar/profile picture URLs

3.4. Content and Media Data

• Content created through our platform
• Uploaded media files (images, videos)
• Hashtag and mention information
• Content templates
• Scheduled posts and calendar data

3.5. Technical and Device Information

• IP address
• Browser type and version
• Operating system information
• Device type and unique identifiers
• Session information and access times
• Data collected through cookies

3.6. Payment and Transaction Information

• Payment method information (via İyzico integration)
• Transaction history and invoice records
• Subscription plan information
• Accounting data via Paraşüt integration

3.7. Usage and Analytics Data

• Platform usage statistics
• Monthly post counts
• Social media performance data
• Feature usage reports
• Support requests and communication records

4. PURPOSES OF PERSONAL DATA PROCESSING

We process your personal data for the following purposes:

1. Service Provision: To provide and improve social media management platform services
2. Account Management: To create, verify, and manage your user account
3. Social Media Integration: To establish secure connections with Instagram, Facebook, LinkedIn, X, YouTube, and TikTok platforms
4. Content Management: To perform content creation, editing, scheduling, and sharing operations
5. Payment Processing: To process secure payments via İyzico integration
6. Invoicing: To manage e-invoicing and accounting operations via Paraşüt integration
7. Customer Support: To provide technical support and resolve customer issues
8. Security: To ensure platform security and prevent abuse
9. Analytics and Reporting: To provide usage statistics and performance reports
10. Communication: To send important updates, security alerts, and service notifications
11. Legal Obligations: To comply with Turkish Republic and European Union laws
12. Research and Development: To conduct analysis and development work to improve service quality

5. LEGAL BASIS FOR PERSONAL DATA PROCESSING

We process your personal data based on the following legal bases under Article 5 of KVKK and Article 6 of GDPR:

5.1. Performance of Contract (KVKK Art.5/2-c, GDPR Art.6/1-b)

Data processing activities necessary for the establishment and performance of the service contract fall under this basis.

5.2. Explicit Consent (KVKK Art.5/1, GDPR Art.6/1-a)

We process data based on your explicit consent for marketing communications, preference-based features, and optional services.

5.3. Legitimate Interest (KVKK Art.5/2-f, GDPR Art.6/1-f)

We process data for our legitimate business interests such as platform security, service development, analytics, and customer satisfaction.

5.4. Legal Obligation (KVKK Art.5/2-b, GDPR Art.6/1-c)

We process data to fulfill legal obligations required by Turkish Republic and European Union laws.

6. SHARING AND TRANSFER OF PERSONAL DATA

We may share your personal data in the following situations and with the following persons/organizations:

6.1. Technology Partners and Service Providers

• Railway: Application hosting and infrastructure services
• Upstash: Redis caching and message queue services (QStash)
• PostgreSQL + Prisma ORM: Database management system and ORM solution
• İyzico: Secure payment processing services
• Paraşüt: E-invoicing and accounting services
• Cloudflare R2 Storage: Secure storage of media files and user content
• Cloudflare CDN: Content delivery network and security services
• Resend: Transactional email delivery service

6.2. Social Media Platforms

We share necessary data with the following platforms as part of API integrations:

• Meta (Facebook, Instagram): Content sharing and analytics data
• LinkedIn: Professional network content management
• X (Twitter): Tweet and media sharing
• Google (YouTube): Video content management
• TikTok: Short video content sharing

6.3. Legal Obligations

We may share data with legal authorities in the following situations:

• Court orders and legal requests
• Personal Data Protection Authority requests
• Tax office and financial advisory obligations
• Cybersecurity and crime prevention activities

6.4. Business Transfers

In the event of a company merger, sale, restructuring, or bankruptcy, your personal data may be transferred as part of the transaction.

7. INTERNATIONAL DATA TRANSFERS

Your personal data may be transferred to countries outside Turkey to provide our service:

7.1. Transfers Within the European Union

Data transfers may be made to countries with adequacy decisions under GDPR.

7.2. Third Country Transfers

For transfers to the US and other third countries:

• Standard Contractual Clauses (SCCs) are used
• Data Processing Agreements (DPA) are signed
• Appropriate security measures are taken
• Compliance with KVKK and GDPR provisions is ensured

8. DATA SECURITY AND PROTECTION MEASURES

8.1. Technical Security Measures

• Password Hashing: User passwords are hashed and never stored in plain text
• SSL/TLS: All data transmission is protected with HTTPS protocol and HSTS headers
• RSA-2048 Encryption: Billing data is encrypted using RSA-2048 OAEP
• Security Headers: X-Frame-Options, CSP, X-Content-Type-Options, and other security headers are enforced
• Bot Protection: Cloudflare Turnstile is used to protect against automated attacks
• Rate Limiting: Request rate limiting is applied to prevent abuse

8.2. Organizational Security Measures

• Role-based access control (RBAC) with workspace-level permissions
• Admin two-factor authentication (TOTP) requirement
• Activity and audit logging
• Session management with automatic expiration
• Data minimization principles

8.3. Data Storage Locations and Infrastructure

Your data is stored in secure data centers and cloud infrastructure:

• Application Hosting: Railway cloud platform
• Database: PostgreSQL database management system with Prisma ORM integration
• Cache & Queue: Upstash Redis and QStash for caching and background job processing
• Media Storage: Cloudflare R2 Storage with signed URLs for secure access
• CDN & Security: Cloudflare for content delivery and edge security
• Email: Resend for transactional email delivery

8.4. Data Retention Periods

We retain your personal data for the following periods:

• Active Account Data: As long as the account is active
• Invoice Records: 10 years as required by tax legislation
• Communication Records: 3 years
• Log Records: 1 year
• Marketing Consents: Until consent is withdrawn

9. COOKIES AND SIMILAR TECHNOLOGIES

We use cookies on our platform to improve user experience and optimize our services. For detailed information, please review our Cookie Policy.

10. DATA SUBJECT RIGHTS (KVKK AND GDPR)

Under Article 11 of KVKK and Articles 15-22 of GDPR, you have the following rights:

10.1. Fundamental Rights

1. Right to Information: To learn whether your personal data is being processed
2. Right of Access: To request information about your processed data
3. Right to Rectification: To request correction of incomplete or inaccurate data
4. Right to Erasure: To request deletion or destruction of your data
5. Right to Object: To object to certain processing activities
6. Right to Data Portability: To receive your data in a structured format
7. Right to Restriction: To request restriction of data processing

10.2. Exercising Your Rights

To exercise your data subject rights:

• You can send an email to [email protected]
• You can use the "Account Settings" section within the platform
• You must apply with your identity verification documents

We will respond to your requests free of charge within 30 days at the latest. The response period may be extended up to 60 days depending on the complexity of the request.

11. DATA BREACH NOTIFICATION

In the event of a personal data security breach:

• KVKK: We will notify the Personal Data Protection Authority within 72 hours of becoming aware of the breach
• GDPR: We will notify the relevant Supervisory Authority within 72 hours of learning of the breach
• Data subjects will also be informed in high-risk situations
• Necessary security measures will be taken immediately

12. CHILDREN'S PRIVACY

The Sosyal Köprü platform is not designed for individuals under 18 years of age. We do not knowingly collect personal data from persons under 18. If we become aware that we have inadvertently collected information belonging to a child under 18, we will delete this information immediately.

For users under 16, parental/guardian consent is required as per GDPR.

13. POLICY CHANGES

We may update this Privacy Policy from time to time. Regarding significant changes:

• We will send email notifications
• We will publish prominent announcements on the platform
• We will announce significant changes at least 30 days in advance

You can always access the current version through the platform.

14. COMPLAINT RIGHTS

For complaints regarding personal data processing:

14.1. For Turkey

• Personal Data Protection Authority
• Website: kvkk.gov.tr
• Application system: VERBİS

14.2. For European Union

• Data Protection Authority of your country of residence
• European Data Protection Board (EDPB) website

15. CONTACT

For questions about this Privacy Policy or our personal data processing practices: