Kvkk Addendum (Türkiye Data Protection Addendum)
1. Roles of the Parties Under Kvkk
1.1 Provider As Data Controller
Provider is the Data Controller ("Veri Sorumlusu") for all Customer personal data processed through Suitespace. Provider is responsible for: Providing KVKK-compliant privacy notices (Aydınlatma Metni) Obtaining explicit consent when required Complying with KVKK Article 10 (Information Obligation) Complying with KVKK Article 11 (Data Subject Rights) Responding to Customer requests Determining retention periods for Customer data
1.2 Suitespace As Data Processor
Suitespace acts as a Data Processor ("Veri İşleyen") for Customer personal data processed on behalf of the Provider. Suitespace processes personal data only with the Provider's instructions and only for platform functionality.
1.3 Provider Obligations Toward Customers
Provider acknowledges that: Suitespace cannot collect KVKK consents on behalf of the Provider. Provider must supply their own KVKK-compliant policies to Customers. Provider is responsible for Customer data accuracy and lawfulness.
2. Personal Data Processed
Suitespace may process the following categories of personal data on behalf of the Provider: Customer name Customer contact details (email, phone) Booking details (date, time, service type) Notes or additional information submitted by Customers Device and session data (IP address, browser) Attendance or event-related information Suitespace does not process special categories of personal data unless the Provider voluntarily collects such data, in which case the Provider is fully responsible for obtaining explicit consent required by KVKK Article 6.
3. Purpose and Legal Basis of Processing
Personal data is processed for: Booking management Customer communication Service scheduling Platform operation Fraud prevention Security and logging Legal bases for processing under KVKK may include: Explicit consent (Açık Rıza) Performance of contract Legitimate interest Legal obligations The Provider determines the applicable legal basis.
4. Provider Obligations Under Kvkk
Provider accepts full responsibility for:
4.1 Aydınlatma Yükümlülüğü (article 10)
Provider must inform Customers about: Identity of data controller Purposes of processing Legal basis Data transfer conditions Retention periods Data subject rights
4.2 Open Consent Requirements
Provider must obtain explicit consent where required, including: Marketing communications Processing special categories of personal data Cross-border data transfers (if explicit consent is used as legal basis)
4.3 Data Subject Rights (article 11)
Provider must respond to Customer requests for: Access Correction Deletion Restriction Objection
4.4 Verbis Registration (when Applicable)
Providers must determine if they are obligated to register with VERBIS under Turkish regulations. Suitespace has no responsibility for Provider's VERBIS obligations.
5. Suitespace Obligations As Data Processor
Suitespace agrees to: Process data only on documented Provider instructions Implement technical and organizational security measures Ensure personnel are bound by confidentiality Assist Provider with data subject rights when possible Notify Provider of personal data breaches without undue delay Delete personal data after Provider account termination, except where legal retention applies Suitespace does not: Determine lawful basis Collect Customer consent Communicate with Customers regarding KVKK requests These are solely Provider responsibilities.
6. Data Transfers Outside Türkiye
Suitespace processes and stores data primarily in: AWS us-east-1 (N. Virginia, USA) This constitutes a cross-border data transfer under KVKK. Provider is responsible for ensuring a lawful transfer mechanism such as: Explicit consent from data subjects Adequate safeguards permitted by KVKK By using Suitespace, Provider acknowledges and approves the transfer of personal data outside Türkiye.
7. Security Measures
Suitespace maintains: Encryption at rest and in transit Access logging Firewall protection Backup and redundancy Authentication controls Regular security reviews Suitespace may update security measures as necessary.
8. Data Retention
Suitespace retains personal data according to the following: Customer booking data: 12 months after Provider account deletion Financial transaction records: 5 years System logs: 12 to 24 months for security and auditing Provider may request earlier deletion, subject to legal requirements.
9. Data Breach Response
Suitespace will notify the Provider without undue delay if a personal data breach occurs. Provider is responsible for: Notifying KVKK Authority (KVKK Kurumu) when required Notifying affected Customers Suitespace will assist Provider in assessing risks and consequences when possible.
10. Audit Rights
Upon reasonable request, Suitespace will provide documentation demonstrating compliance with this Addendum. Formal onsite audits require: Prior written approval Mutual scheduling Reasonable justification Cost covered by the Provider
11. Termination
Upon termination of Provider account: Access to Customer data is removed Remaining data is deleted after retention periods Provider may request final data export
12. Governing Law and Jurisdiction
This Addendum is governed by the laws of Türkiye insofar as KVKK obligations apply. For all other matters, the governing law and jurisdiction of Suitespace's main Terms apply: Ontario law and courts of Toronto, Canada.
13. Contact Information
Suitespace Inc. support@suitespace.app privacy@suitespace.app
Last updated: January 15, 2026
newsletter.title
newsletter.description