Privacy Notice (TR — KVKK)

KVKK Privacy Notice

Version: 2026-04-25-v1

1. Data controller

This notice is prepared under Turkish Personal Data Protection Law No. 6698 ("KVKK") to fulfil the disclosure obligation of the operator of the Autosify Beauty platform ("Platform") towards data subjects.

During the pilot period the Platform is operated by Haluk Kaan Beşen as a natural person; the corporate entity is being incorporated. This notice will be updated and re-acceptance requested once incorporation is complete.

For patient data entered by a SALON into the Platform, the SALON is the "data controller"; Autosify Beauty acts only as the "data processor" for technical operations strictly necessary to the Platform.

2. Categories of personal data processed

The following categories may be collected, stored, and processed:

  • Identity data (name, email) — for user registration
  • Contact data (phone, email) — for account security and invitations
  • Salon membership data (role, clinic identifier) — for authorisation
  • Transaction security data (IP address, browser fingerprint, session records) — for service security
  • Patient data entered by the SALON — only as technical storage; the SALON is data controller
  • Inbound/outbound WhatsApp messages via Meta Cloud API — only as technical messaging infrastructure

3. Purposes of processing

Personal data is processed for the following purposes:

  • Providing, managing, and improving the Platform
  • Authentication and authorisation
  • Operating clinical workflows (booking, reminders, communication)
  • Compliance with legal obligations (tax, audit, court orders)
  • Ensuring service security and preventing abuse
  • Maintaining error logs and audit trails for system stability

4. Legal basis

Processing relies on one or more of the following grounds under KVKK Art. 5(2):

  • Necessary for the conclusion or performance of a contract
  • Necessary for compliance with a legal obligation
  • Made public by the data subject
  • Necessary for the establishment, exercise, or protection of a right
  • Necessary for the legitimate interests of the data controller, provided fundamental rights are not infringed

For special-category data such as health information, explicit consent is required (Art. 6(3)). The SALON must obtain this consent from its patient; the Platform only records the timestamp of that consent.

5. Transfers

Data may be transferred to the following third parties without separate consent:

  • Authorised public bodies upon legal request
  • Infrastructure providers: independent VPS hosting (may be outside Türkiye), Resend (US) for email delivery, Meta Platforms (US/EU) for WhatsApp messaging

For cross-border transfers, the undertakings required under KVKK Art. 9 are provided either by us or by the infrastructure provider concerned.

6. Retention

User and clinic data is retained while the account is active. After account closure:

  • Live data is soft-deleted and kept for 30 days (it can be erased earlier on request)
  • Copies may persist in backups for up to 90 days, after which they are purged automatically
  • Audit logs may be retained up to 10 years where required by law

7. Rights of the data subject

Under KVKK Art. 11 you may:

  • Learn whether your personal data is processed
  • Request information about such processing
  • Learn the purpose and whether data is used in line with that purpose
  • Know the third parties to whom data is transferred domestically or abroad
  • Request correction of incomplete or inaccurate data
  • Request erasure or destruction under Art. 7
  • Request notification of correction/erasure to relevant third parties
  • Object to a result to your detriment arising from analysis of your data solely through automated systems
  • Claim damages for harm arising from unlawful processing

To exercise these rights, write to clinic@autosify.io. Requests are answered as soon as possible and within 30 days at the latest (Art. 13).

8. Security measures

The following technical and organisational measures are applied:

  • All traffic in transit is encrypted via HTTPS (TLS 1.2 or later)
  • Passwords are stored only as Argon2id hashes, never in plain text
  • Sensitive values (WhatsApp access token, Meta App secret) are encrypted at rest with AES-256-GCM
  • Multi-tenant isolation is enforced at the database level via PostgreSQL Row-Level Security
  • All data changes are written to an audit log
  • Daily backups with 7-day rolling retention
  • Least-privilege access management

KVKK requests: clinic@autosify.io