Information Society

Services

Privacy Policy

By using this website, you accept the processing of your personal data. Your security is important to us. Therefore, the personal data you share with us is protected with due care.

Data Controller

Kayaport Ödeme Kuruluşu A.Ş. (“Company”), https://www.kayaport.com/ as the data controller of the website (“Site”), aims to inform our users, within the scope of the website you are visiting, about which of your personal data will be processed for which purposes, with whom and for what reasons the processed data may be shared, our data processing methods and legal grounds, and what your rights are regarding your processed data.

Your Data Collected and Not Collected Within the Site

Your personal data collected by this website:

  • IP Address
  • Session Information
  • Computer Language
  • Computer Model

Your personal data not collected by this website:

  • Identification Information
  • Contact Information
  • Financial Information

Services Used

Infrastructure Services

Vodafone DC

The physical servers belonging to our Company are hosted in Vodafone corporate data centers for the purposes of data security and business continuity. In addition to the physical security and infrastructure measures provided in these data centers, administrative and technical measures for the protection of data are implemented by our Company.

Sectigo

In order to ensure the security of data communication on our Company’s websites and applications, SSL certificates provided by the international certificate authority Sectigo are used.

Purposes of Processing Data

Your personal data is processed by this website for the purposes of providing services in line with its purpose, fulfilling legal obligations, improving service quality, communication, security, and sharing information with legal authorities when necessary. Your personal data will not be used for purposes other than those listed.

Transfer of Data

Your personal data collected by this website is not shared with third parties and is not transferred abroad without your explicit consent, except for legal obligations. However, it may be shared to the extent necessary with our service providers, business partners, and legal authorities for the purposes of providing the service and fulfilling legal obligations.

Data Retention Period

Your personal data is retained for the periods stipulated in the relevant legislation or until the purpose of processing ceases to exist.

Data Security

Your personal data is handled in accordance with the legislation as a result of the administrative and technical measures taken. You can learn the measures we take as a Company in detail from our PDPL (KVKK) Notice.

Use of Cookies

This website uses cookies. Cookies are small rich-text formatted text files that allow certain information about users to be stored on users’ terminal devices when a web page is visited. Cookies may be stored on your device via your browser during your first visit to a website, and when you visit the same site again with the same device, your browser checks whether there is a cookie registered on your device for that site. If there is a record, it transmits the data in the record to the website you are visiting. In this way, the website recognizes your previous visit and determines the content to be delivered to you accordingly. For detailed information about cookies, please see

Your Legal Rights

Your Rights Under the PDPL (KVKK)

As a data subject, we inform you that you have the following rights pursuant to Article 11 of the Turkish Personal Data Protection Law No. 6698.

Contact

To exercise your rights regarding your personal data or to obtain more information about our privacy policy, you may contact us at.

PERSONAL DATA PROCESSING DISCLOSURE STATEMENT

As Kayaport Ödeme Kuruluşu A.Ş. (“Company”), incorporated in Turkey and located at Cumhuriyet Mah. Şimşek Sok. Kaya Milenyum İş Merkezi Floor:11 Beykent, Beylikdüzü / İstanbul, registered with the Trade Registry Gazette No. 742659, MERSIS No. 0537055148800001, tax number 5370551488 at Büyükçekmece Tax Office, and as the data controller of https://kayaport.com/ (“Site”); we would like to inform you, pursuant to Article 10 of the Turkish Personal Data Protection Law No. 6698 (“PDPL”), about the processing of your personal data obtained in the manners described below, the transfer of your processed personal data, the methods and legal grounds for collecting your personal data, and your other rights listed under Article 11 of the PDPL. We hereby state that we exercise utmost sensitivity regarding the confidentiality and security of all personal data you provide to us and that all necessary technical and administrative security measures have been taken to protect such data.

DATA CONTROLLER AND REPRESENTATIVE

As Kayaport Ödeme Kuruluşu A.Ş., in our capacity as data controller, we may process, record, store, classify, update your personal data in accordance with the law and the principles of good faith within the scope of the purposes described below, and disclose/transfer them to third parties where permitted by legislation and/or limited to the purpose for which they are processed.

YOUR PROCESSED PERSONAL DATA

Personal data relating to the relevant persons provided to us by themselves may be processed by our Company. The personal data subject to processing are as follows:

IP Address

Identifies the virtual address of the devices connecting your device to the internet.

Session Information

Defined as the process in which user information is stored on any page opened in a browser on your device.

Device Language

The language option of the country selected automatically or manually on your device.

Device Model

Brand and model information of your device.

DATA SUBJECT GROUP

Website Visitors

Individuals who have visited and/or accepted the site cookies of https://www.kayaport.com/ belonging to “Kayaport Ödeme Kuruluşu A.Ş.”.

PURPOSE OF PROCESSING PERSONAL DATA

Your personal data are processed in accordance with the fundamental principles set forth in the PDPL and relevant legislation, based on your explicit consent and/or the other conditions stipulated under Article 5/2 of the PDPL, primarily the legal obligations to which we are subject, in order to enable you to benefit from the services provided by Kayaport Ödeme Kuruluşu A.Ş. Considering the services provided by Kayaport Ödeme Kuruluşu A.Ş., your personal data are processed for the following purposes:

  • Conducting information security processes,
  • Ensuring system continuity,
  • Preventing unauthorized access,
  • Managing our legal processes and providing you with uninterrupted, better, and more reliable service, within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law No. 6698.

PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED AND PURPOSE OF TRANSFER

Your personal data are not transferred domestically or abroad to third parties for the continuation of our company’s activities and business processes.

As Kayaport Ödeme Kuruluşu A.Ş. is required to retain records and documents related to transactions carried out with its customers for a certain period under legal regulations; in the event that you request the deletion, destruction, or anonymization of your personal data, such request may be fulfilled after the period determined by legal regulations. However, during this period, your personal data will not be processed by Kayaport Ödeme Kuruluşu A.Ş. and will not be shared with third parties except where required by national and international legal, regulatory, and contractual obligations.

RETENTION PERIOD OF YOUR PERSONAL DATA

If a retention period is stipulated in the law or relevant legislation, your personal data must be retained for at least such period. If no period is stipulated, your personal data are retained for reasonable periods determined in accordance with the purposes of processing, provided that they are relevant, limited, and proportionate. The retention period for personal data groups is during the legal relationship and for 10 (ten) years following the termination of such legal relationship.

You may contact us to obtain detailed information regarding the retention period and disposal of your personal data.

Contact

METHOD OF COLLECTION OF PERSONAL DATA AND LEGAL GROUNDS

Within the scope of the obligation to inform, your personal data, processed fully or partially by automated means or non-automated means provided that they are part of a data recording system, are collected by our Company electronically within the scope of the purposes listed above (electronically via the corporate website and internal company software).

We process your personal data collected through the above-mentioned methods based on one or more of the following legal grounds:

  • Your explicit consent,
  • The necessity of processing as required by the laws and regulations in force in the Republic of Turkey (Personal Data Protection Law, Law on the Regulation of Publications on the Internet, Consumer Protection Law, Electronic Communications Law, Technology Development Zones Law, etc.),
  • Where you are unable to give consent due to actual impossibility and processing is mandatory for the protection of your or another person’s life or physical integrity,
  • The necessity of processing to fulfill our legal obligations,
  • Your personal data having been made public by yourself,
  • The necessity of processing for our legitimate interests, provided that it does not harm your fundamental rights and freedoms.

All personal data we process are retained in accordance with the periods mandated by the PDPL and other legislation and, in any case, for as long as the legitimate purposes stated above continue to exist, by taking all necessary administrative and technical measures.

RIGHTS OF THE DATA SUBJECT

As a data subject, we inform you that you have the rights listed under Article 11 of the PDPL No. 6698.

[Personal Data Protection – Data Subject Rights] [Data Subject Application Form]

IF YOU WISH TO CONTACT US FOR YOUR REQUESTS

You may submit a signed copy of the “PDPL Application Form” available on our website, together with documents identifying your identity, in person, or through a notarized power of attorney demonstrating your authority to apply under Article 11, or send it via a notary to “Cumhuriyet Mah. Şimşek Sok. Kaya Milenyum İş Merkezi Floor:11 Beykent, Beylikdüzü / İstanbul”.

In addition, pursuant to Article 5 of the Communiqué on the Procedures and Principles of Application to the Data Controller, you may send your request via registered electronic mail (KEP), secure electronic signature, mobile signature, or by using the e-mail address previously notified to our Company and registered in our systems.

Your requests submitted to our Company will be responded to in writing or electronically as soon as possible and within thirty days at the latest, depending on the nature of the request.

Cookie Policy

Introduction

As Kayaport Ödeme Kuruluşu A.Ş. (“Kayaport” or the “Company”), https://ww.kayaport.com/ we use cookies in order to ensure that the website (“Site”) is presented to you in the best possible way and to make your Site experience unique. In this Cookie Policy (“Policy”), we provide detailed information about the cookies used on the Site and related matters.

About Cookies

Cookies are small-sized text files downloaded to the “terminal equipment” (for example, a computer or smartphone) when a user accesses a website. Cookies enable websites to function effectively, remember user preferences (such as language preferences or site settings), keep the information on websites up to date, and improve user experience.

Cookies are categorized according to their parties, duration, and purposes of use.

Cookie Categories

Cookies by Party

Cookies are divided into first-party cookies and third-party cookies. First-party cookies are created by the website being visited. Third-party cookies are created by sites other than the website being visited.

Cookies by Duration

Based on their duration, cookies are divided into session cookies and persistent cookies. Session cookies are deleted when the internet browser is closed. Persistent cookies are not deleted when the browser is closed and are deleted after a certain period of time.

Cookies by Purpose of Use

These cookies are divided into four categories: technical (mandatory) cookies, performance/analytics cookies, marketing cookies, and functionality cookies.

Mandatory cookies are cookies required for the use of the site. If the use of these cookies is blocked, certain parts or the entire site may not be accessible.

Performance cookies are used to optimize the website. Through these cookies, insights can be obtained regarding which pages users prefer to visit most.

Marketing cookies are cookies used to display relevant advertisements and content and to provide a personalized experience.

Functionality cookies are cookies that remember your usage preferences during your next visit. Users may use the features necessary for the site to function more effectively.

Purposes, Legal Grounds, and Retention Periods of Cookies Used on the Site

The cookies used on the Site, their purposes of use, and the legal grounds under Article 5 of the Turkish Personal Data Protection Law No. 6698 (“Law”) are stated below. You can access detailed information about the cookies used on our Site, their purposes, legal grounds, and retention periods from the table below.

Cookie Category Legal Grounds Cookie Name Purpose of Use Provider Duration
Technical (Mandatory) Processing is mandatory for the legitimate interests of the data controller (Law Art. 5/2-f) ASP.NET_SessionId Used to maintain the user’s session. Ensures that your session information is preserved while navigating within the Site. Does not contain any personal data. www.kayaport.com During Session
Marketing and Functionality Law Art. 5/2-f, provided that it does not harm the fundamental rights and freedoms of the data subject, processing is mandatory for the legitimate interests of the data controller BT_CultureInfo Remembers the user’s preferred language. Thus, it enables the Site to be displayed in the selected language during the session and on subsequent visits. www.kayaport.com 10 Days
Technical (Mandatory) Processing is mandatory for the legitimate interests of the data controller (Law Art. 5/2-f) .aspxauth Indicates that the user’s identity has been authenticated. Preserves login information when a logged-in user navigates between pages. Does not contain any personal data. www.kayaport.com During Session
Marketing and Functionality Explicit consent of the data subject (Law Art. 5/1) BT_CultureInfo Remembers the user’s preferred language. Thus, it enables the Site to be displayed in the selected language during the session and on subsequent visits. www.kayaport.com During Session

Collection and Processing of Personal Data Through Cookies

Through cookies, your data such as transaction security (IP address), session information, device model, and language preference are processed.

The personal data mentioned above are collected automatically (without human intervention) through cookies. In personal data processing activities carried out via cookies, the legal grounds specified under the heading “Our Cookie Usage Purposes and Legal Grounds” are relied upon.

Parties with Whom Personal Data Are Shared

Your personal data collected through cookies are shared with third-party cookie providers located domestically, in line with the purposes and legal grounds specified under the heading “Our Cookie Usage Purposes and Legal Grounds” of this Cookie Policy. Compliance with Articles 8 and 9 of the Law is ensured in the sharing of your personal data.

Rejection/Blocking of Cookies

You may configure your browser to disable cookies. Most browsers offer different methods to protect your privacy. For example, you may allow first-party cookies and block third-party cookies.

Options for managing cookies in your browser can usually be found in the help section of your browser or in the settings section of your smartphone. You can access the cookie management instructions of the following browsers via the links below:

Click to Access the Relevant Browser Cookie Management Pages:

  • Microsoft Edge
  • Google Chrome
  • Opera
  • Firefox
  • Safari

Additionally, you may determine which cookies to use according to your preference by clicking on the Cookie Settings link.

Exercising Data Subject Rights

As a data subject, we inform you that you have the rights set forth in Article 11 of the Turkish Personal Data Protection Law No. 6698.

Personal Data Protection – Data Subject Rights

You may also submit your requests to us by using the other methods specified in the Communiqué on the Procedures and Principles of Application to the Data Controller.

Our Information Security Policy

As Kayaport Ödeme Kuruluşu A.Ş., we are committed to protecting both our own information and that of our stakeholders, and to ensuring the security of our corporate activities by adhering to the principles of confidentiality, integrity, and availability of information. This is of great importance in helping to ensure that the information of our customers and business partners remains secure.

As Kayaport Ödeme Kuruluşu A.Ş., we comply with laws, standards, and our corporate policies and procedures regarding information security. Therefore, all our employees and certain third parties defined within the ISMS are expected to comply with this policy and the ISMS implemented under it. Our employees and designated external parties receive appropriate training and awareness.

By operating an Information Security Management System in accordance with the ISO/IEC 27001 standard, we ensure that information security requirements are fulfilled. This standard includes best practices related to the information security management system. Taking these practices into consideration, we protect our information assets.

In order to fully implement and continuously improve the Information Security Management System, Kayaport Ödeme Kuruluşu A.Ş. conducts internal audits and shares the results with Senior Management. To ensure and enhance information security, we establish and operate in-process control mechanisms in accordance with the principle of segregation of duties.

We manage the storage, transfer, modification, and access activities of our information assets based on current best practices. In this way, we protect the information of our customers and business partners and ensure that it remains secure.

We raise awareness among our employees and stakeholders regarding information security, provide access to relevant policies and procedures, and offer sufficient resources and training opportunities. In this way, we increase information security awareness and take measures against security breaches.

We work with suppliers and business partners who meet specific information security standards. We maintain continuous communication and cooperation with public authorities and legal entities regarding information security and attach importance to ensuring information security throughout our entire supply chain.

We provide the necessary organizational structure, resources, and infrastructure required to detect and report information security breaches and to intervene in such breaches as quickly as possible, and we apply the necessary sanctions in cases of information security violations.

In this context, our fundamental information security principles and the measures we implement are as follows:

Core Principles

  • Confidentiality: Preventing unauthorized access
  • Integrity: Preventing incidents aimed at altering data
  • Availability: Keeping the system continuously operational and up to date

Implemented Measures

  • Access control mechanisms
  • Logging and monitoring activities
  • Network and system security measures

PERSONAL DATA PROCESSING AND PROTECTION POLICY

1. INTRODUCTION

Within the framework of this Personal Data Protection and Processing Policy (“Policy”), the principles adopted in the personal data processing activities carried out by Kayaport Ödeme Kuruluşu A.Ş. (“Company”) through www.kayaport.com (“Site”) are explained in terms of compliance with the regulations set out in the Turkish Personal Data Protection Law No. 6698 (“Law”). Our Company processes personal data in accordance with this Policy and applicable legislation and protects it by taking the necessary administrative and technical measures.

2. PURPOSE OF THE POLICY

The main purpose of this Policy is to explain the fundamental principles regarding the processing of personal data by Kayaport Ödeme Kuruluşu A.Ş., to inform relevant persons within a general framework, and to present the Company’s approach to personal data security.

While carrying out its activities as a payment institution, the Company processes personal data in accordance with the principles of lawfulness, purpose limitation, and data minimization within the scope of applicable legislation, regulations in the field of payment services, and obligations related to the protection of personal data.

3. SCOPE OF THE POLICY

This Policy relates to the groups of data subjects whose personal data are processed, which we categorize under the headings “Our Customers, website visitors, and other third parties whose data we process.” This Policy does not aim to publish the entire detailed inventory or internal procedures related to all of the Company’s business processes; it is of a general informative nature.

4. DEFINITIONS

The definitions used in this Policy are provided below:

Explicit consent Consent that is specific, informed, and freely given Anonymization Rendering personal data impossible to associate with an identified or identifiable natural person, even when matched with other data Personal data Any information relating to an identified or identifiable natural person Processing of personal data Any operation performed on personal data, wholly or partly by automated means or otherwise as part of a data filing system, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of such data PDPL (KVK) Law Turkish Personal Data Protection Law No. 6698 PDPL Board Personal Data Protection Board PDPL Authority Personal Data Protection Authority Special categories of personal data Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data Data subject A natural person whose personal data are processed, referred to as the “relevant person” under the PDPL Law Data controller The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data filing system Data processor The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller Data Controllers’ Registry The data controllers’ registry (VERBİS) kept by the Presidency under the supervision of the Personal Data Protection Board Data Inventory The inventory created and detailed by “Kayaport Ödeme Kuruluşu A.Ş.” by associating its personal data processing activities carried out depending on its business processes with the purposes of processing personal data, the recipient group to which personal data are transferred, and the relevant data subject group

5. CATEGORIES OF PROCESSED PERSONAL DATA

IP Address

Identifies the virtual address of the devices connecting your device to the internet.

Session Information

Defined as the process in which user information is stored on any page opened in a browser on your device.

Device Language

The language option of the country selected automatically or manually on your device.

Device Model

Brand and model information of your device.

6. DATA SUBJECT GROUPS

Website Visitors

Natural persons who have requested or shown interest in using the products and services of “Kayaport Ödeme Kuruluşu A.Ş.”, or who are assessed, in accordance with commercial practice and the rules of good faith, as likely to have such interest.

7. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

Our Company processes personal data in accordance with applicable legislation, primarily the Constitution and the Turkish Personal Data Protection Law No. 6698, and within the framework of lawfulness and the rules of good faith. Personal data are processed for explicit, specific, and legitimate purposes; in a manner that is relevant, limited, and proportionate to the purpose of processing; their accuracy is ensured and they are kept up to date when necessary; and they are retained only for the period stipulated in the legislation or required by the purpose of processing. When the retention period expires or the reasons for processing cease to exist, personal data are deleted, destroyed, or anonymized in accordance with our Company’s Data Disposal Policy.

8. TRANSFER OF PERSONAL DATA

Kayaport Ödeme Kuruluşu A.Ş. shall not transfer the personal data of data subjects to third parties and will share such data only with official authorities in case of force majeure.

8.1. Recipients to Whom Personal Data Are Transferred

Kayaport Ödeme Kuruluşu A.Ş. (“Company”) does not transfer personal data to any third party group. Personal data may be shared only with authorized public institutions and organizations within the scope of applicable legislation.

8.2. Domestic Transfer of Personal Data

In accordance with Article 8 of the PDPL Law, the domestic transfer of personal data shall be possible provided that one of the conditions specified in Section 8 of this Policy titled “Conditions for Processing Personal Data” is met.

8.3. Transfer of Personal Data and Special Categories of Personal Data Abroad

“Company” does not transfer any personal data or special categories of personal data abroad.

9. RIGHTS OF DATA SUBJECTS

Data subjects may apply to the Company to exercise their rights recognized under Article 11 of the PDPL Law regarding their personal data.

Data subjects may apply within the scope of Article 11 of the PDPL Law by submitting information and documents that will identify them and by using the methods specified below or other methods determined by the Personal Data Protection Board, through the PDPL application form available on the website. [Data Subject Application Form]

10. CONFIDENTIALITY AND DATA SECURITY MEASURES

All personal data processed within the Company are confidential, and the Company takes all necessary technical and administrative measures to prevent unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the safeguarding of personal data, as set out in Article 12 of the Law, in line with the purposes.

The security of personal data is the responsibility of employees, units, and the Company, respectively. Employees may carry out collection, processing, transfer, use, deletion, destruction, and anonymization activities on personal data only within the scope of the authority assigned to them.

10.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data and to Prevent Unlawful Access

Kayaport Ödeme Kuruluşu A.Ş. takes all necessary technical and administrative measures to ensure the security of personal data and continuously improves these measures against current risks. In this context, network and application security is ensured, closed system networks are used, security measures are applied in the procurement, development, and maintenance processes of information technology systems, and the security of data stored in the cloud is ensured. Access rights are restricted within the framework of an authorization matrix; access and transaction logs are kept regularly in a manner closed to user intervention; and, where necessary, data masking and encryption methods are used. Up-to-date anti-virus software, firewalls, intrusion detection and prevention systems, and data loss prevention solutions are kept active; regular penetration tests are conducted; and cybersecurity measures are continuously monitored. Personal data are securely backed up; access to physical environments is controlled; and transfers are carried out via KEP (registered e-mail) or corporate e-mail accounts. Encryption is also applied to transfers made via portable media; service providers acting as data processors are regularly audited in terms of data security and their awareness is increased. Where access to data is provided through software, user authorizations are implemented; security tests of the relevant software are carried out regularly and recorded; and, in cases where remote access is required, at least two-factor authentication is used.

10.2. Measures to Be Taken in Case of Unlawful Disclosure of Personal Data

If processed personal data are obtained by others through unlawful means, our Company will notify the relevant data subject and the Board as soon as possible (within a maximum of 72 hours).

11. CONDITIONS FOR DISPOSAL OF PERSONAL DATA (DELETION, DESTRUCTION, AND ANONYMIZATION)

Personal data are retained for reasonable periods determined, provided that they are relevant, limited, and proportionate to the purposes of processing. If the reasons requiring the processing of personal data cease to exist, such data shall be deleted, destroyed, or anonymized ex officio or upon the request of the relevant person in accordance with the legislation.

12. EXECUTION

An organizational structure has been established by Kayaport Ödeme Kuruluşu A.Ş. to ensure that this Policy is implemented in compliance with the PDPL Law regulations.

Within Kayaport Ödeme Kuruluşu A.Ş., a Personal Data Protection Committee (“Committee”) has been established pursuant to the decision of the Company’s senior management to manage this Policy and other policies related to and associated with this Policy.

13. UPDATE AND EFFECTIVE DATE

The Company may update this Policy in line with legislation and operational needs. The current text shall be effective as of the date it is published on the Company’s website.

14. DATA SUBJECT RIGHTS

All rights under Article 11 of the PDPL are reserved.

Information Society Services

Company Information
Company Title: KAYAPORT ÖDEME KURULUŞU A.Ş.
MERSIS No: 0537055148800001
Tax Number: 5370551488
Tax Office: İSTANBUL- Büyükçekmece
Trade Registry Number: 742659-0
Trade Registry Office: İSTANBUL
Company Registration Date: 26-07-2023
Head Office: Cumhuriyet Mah. Gürpınar Yolu Cad. Kaya Milenyum İş Merkezi No:5 İç Kapı: 159 Büyükçekmece / İstanbul
Committed Capital: 10.000.000,00 TL
Paid-in Capital: 10.000.000,00 TL
Sole Shareholder: Payoox Teknoloji Hizmetleri San. Ve Tic. A. Ş.
Chairman of the Board: Çağdaş EMRE
Deputy Chairman of the Board: Mehmet ÖZTÜRK
Member of the Board: Hilal EREN TURHAN
Auditor's Title: KPMG Bağımsız Denetim ve Serbest Muhasebeci Mali Müşavirlik A.Ş
Auditor's Address: İş Kuleleri, Kule 3, Kat:2-9 Levent, İstanbul
Important Links
Contact
Copyright © 2026 Kayaport Ödeme Kuruluşu A.Ş. All rights reserved.