Legal

Personal Data Processing

Last updated · April 21, 2026

Written to explain plainly — under Turkey's KVKK Law No. 6698 and the EU GDPR — how your personal data is collected, processed and protected.

Data controller

The data controller is Merve Kansu (Göreme / Nevşehir, Türkiye). Data collected under this notice is processed only for the purposes listed below, on the legal bases listed below. Any request may be sent to the contact address at the bottom of this page.

Data we collect

The booking form captures your name, email, phone, preferred date and chosen package. Payment card data is handled directly by iyzico and never touches our servers. We also keep anonymous, cookieless visit statistics via Plausible.

Purpose and legal basis

Data is processed to form and perform a contract with you (KVKK Art. 5/2-c, GDPR Art. 6(1)(b)), on explicit consent for marketing messages, and on legitimate interest for service quality and security. Your data is never sold or shared with advertising third parties.

Transfers and processors

Bookings and galleries are stored with Supabase (EU — Frankfurt); payments are processed by iyzico (Türkiye); transactional emails go through Resend. All transfers are encrypted in transit via TLS and governed by processor agreements aligned with GDPR and KVKK.

Retention

Booking records are retained for two years after the session to meet tax and commercial obligations. At the end of that period, data is automatically anonymised or deleted. Consent to marketing messages can be withdrawn at any moment.

Your rights

Under KVKK Art. 11 and GDPR Arts. 15–22 you may access, correct, erase, object to processing, or request portability of your data. Submit a request to the email below and we will respond within 30 days.

Questions: hello@mervekansu.com