Privacy Policy and KVKK Disclosure

Last updated: April 29, 2026
Effective date: April 29, 2026

This document is prepared to fulfil the disclosure obligation of the Data Controller under Article 10 of Turkey's Personal Data Protection Law No. 6698 ("KVKK"). It explains what personal data QRbug processes, for what purpose, on what legal basis, and how you can exercise your rights under KVKK. KVKK rights broadly mirror the rights granted under the EU GDPR.

1. Data Controller

Legal entity: Mavipiksel İnternet Çözümleri ve Bilgisayar Sistemleri Ltd. Şti.
Address: Çınar Mahallesi 5003/3 Sokak No:3 Daire:319 Tokatlı Plaza Bornova / İZMİR, Turkey
MERSIS No: 0613022730300018
Tax Office / No: Hasan Tahsin Tax Office — 6130227303
VERBİS: We fall below the annual employee count and financial-balance-sheet thresholds defined in the KVKK and the VERBİS Regulation, and are therefore not subject to VERBİS registration. We will register if and when those thresholds change.
KVKK contact: [email protected]

2. Categories of Personal Data Processed

QRbug processes the following categories of personal data to provide the Service:

2.1. Account and Membership Data

  • Name and surname (optional)
  • Email address
  • Password (irreversibly hashed via bcrypt; never stored in plain text)
  • Account creation and last login timestamps
  • Profile picture (if uploaded)

2.2. Billing and Payment Data

  • Billing name / company, tax ID, billing address
  • Payment reference returned by the payment processor (Stripe / iyzico ID)
  • Card number, CVV, and expiry date are never stored on QRbug servers — these are sent directly to PCI-DSS-certified payment processors.

2.3. Service and Content Data

  • QR codes you create (target URL, label, settings)
  • Images, PDFs, and other files you upload
  • QR menu and order content (if any)
  • QR design preferences

2.4. Scan Analytics Data

  • Scan timestamps
  • IP address → stored as a SHA-256 hash (raw IP is never stored)
  • Browser, OS, and device type (extracted from User-Agent)
  • Approximate location (country / city; not GPS-precision)
  • Referrer URL

2.5. Cookies and Session Data

  • Session cookie (NextAuth.js)
  • CSRF protection cookie
  • Locale preference cookie
  • Marketing cookies (only with explicit consent — see Section 5)

2.6. Communication Data

3. Purposes of Processing

Purpose | Relevant Data Categories
Account creation and identity verification | 2.1
Service delivery (QR generation, dynamic redirect, menu) | 2.1, 2.3
Billing, payment processing, and financial obligations | 2.1, 2.2
Scan analytics and reporting (for the User's own QRs) | 2.4
Service quality improvement (anonymous aggregate) | 2.4, 2.5
Compliance with legal obligations (tax, anti-money-laundering, etc.) | 2.1, 2.2
Customer support and complaint handling | 2.1, 2.6
Marketing communications (only with explicit consent) | 2.1, 2.5
Security (rate limiting, abuse prevention) | 2.1, 2.4, 2.5

4. Legal Basis for Processing (KVKK Article 5)

QRbug processes your personal data based on one or more of the following legal bases:

Legal Basis | Application
Performance of a contract (Art. 5/2-c) | Account creation, Service delivery, billing
Legal obligation (Art. 5/2-ç) | Tax law, commercial law, anti-money-laundering
Establishment / exercise / defence of a right (Art. 5/2-e) | Disputes and litigation
Legitimate interest (Art. 5/2-f) | Service security, abuse prevention, fraud detection
Explicit consent (Art. 5/1) | Marketing communications, optional cookies, profile picture

5. Cookies and Tracking Technologies

5.1. Strictly Necessary Cookies (no consent required)

  • Session cookie (NextAuth.js): to recognise logged-in users
  • CSRF token: for form submission security
  • Locale preference cookie (next-intl): to remember your language

5.2. Optional Cookies (consent required)

  • Analytics cookies (PostHog): for Service usage statistics
  • Error monitoring cookies (Sentry): to correlate error events
  • Marketing cookies: for ad personalisation (if any)

You can manage your preferences via the cookie consent banner shown on your first visit, and can change them later via your browser settings or your Account panel.

6. Data Transfers

6.1. Domestic Transfers (KVKK Article 8)

  • iyzico Ödeme Hizmetleri A.Ş. — payment processing for Turkey-based customers
  • Tax accountant / SMMM — fulfilment of legal obligations
  • Competent public authorities — upon valid legal request

6.2. International Transfers (KVKK Article 9)

Under KVKK Article 9, international data transfers generally require your explicit consent, unless one of the exceptions in Article 9/2 applies. QRbug transfers data to the following processors located outside Turkey:

Processor | Location | Data Transferred | Legal Basis
Stripe Inc. | USA | Payment data (international users) | Performance of contract + explicit consent
Cloudflare Inc. | USA / EU | Content and images (R2 storage) | Performance of contract
Resend | USA | Transactional email delivery | Performance of contract
Neon Inc. | USA / EU | Account and content database | Performance of contract
Sentry | USA | Error monitoring (anonymous) | Legitimate interest
PostHog | USA / EU | Analytics (only with consent) | Explicit consent

We have entered into standard contractual clauses and / or data processing agreements (DPAs) with all such providers. By creating an Account you are deemed to have granted explicit consent to such transfers; you may withdraw consent at any time (Section 11.6).

7. Retention Periods

Data | Retention Period | Reason
Account data | While the Account is active + 30 days after deletion request | KVKK Article 7
Billing and payment data | 10 years | Tax Procedure Code Art. 253, Turkish Commercial Code Art. 82
QR and content data | While the Account is active | Performance of contract
Scan analytics (hashed IP) | 12 months | Service improvement; auto-deleted after the period
Support email correspondence | 3 years | Statute of limitations for consumer disputes
Marketing consent records | Until consent is withdrawn + 3 years | Burden of proof

At the end of the retention period, personal data is deleted, destroyed, or anonymised (KVKK Article 7).

8. Data Security

QRbug applies the following technical and organisational measures to protect your personal data:

  • End-to-end encryption with TLS 1.2+
  • Passwords hashed with bcrypt (irreversible)
  • Role-based access control (RBAC) for database access
  • IP addresses stored as SHA-256 hashes (raw IPs never stored)
  • Regular backups and a disaster recovery plan
  • NDAs with employees and service providers
  • Regular penetration testing and security audits
  • Least-privilege access management

9. Children's Privacy

The Service is not intended for children under the age of 16. If we discover that a user is under 16, we will delete the account and associated data without delay. Parents who suspect that their child's data is being processed may write to [email protected] to request deletion.

10. Your Rights under KVKK Article 11

Under KVKK Article 11, you have the following rights:

  1. Be informed whether your personal data is being processed.
  2. Request information about the processing if it is taking place.
  3. Learn the purpose of processing and whether the data is used in accordance with that purpose.
  4. Learn about transfers — to whom your data has been transferred, domestically and internationally.
  5. Request correction of incomplete or inaccurate data.
  6. Request deletion or destruction of your data under the conditions of KVKK Article 7.
  7. Request notification to third parties of the actions in 5 and 6.
  8. Object to automated analysis affecting you.
  9. Request compensation for damages caused by unlawful processing.

11. How to Exercise Your Rights (KVKK Article 13)

11.1. Channels for Requests

  • Email (preferred): [email protected]
  • Postal request: Mavipiksel İnternet Çözümleri ve Bilgisayar Sistemleri Ltd. Şti., Çınar Mahallesi 5003/3 Sokak No:3 Daire:319 Tokatlı Plaza Bornova / İZMİR, Turkey

11.2. Required Information

Per KVKK Article 13 and the "Communiqué on the Procedures and Principles of Application to the Data Controller", your request must include:

  • Name, surname, and signature (for postal requests)
  • Turkish ID number (for Turkish citizens) or passport number
  • Service or business address
  • Email, phone, and fax (if any)
  • Subject and rationale of the request

11.3. Response Time

Your request will be answered free of charge within 30 days at the latest, depending on its nature. If a fee is required, the rate determined by the Personal Data Protection Authority will apply.

11.4. Complaint to the Authority

If your request is denied, answered insufficiently, or not answered within 30 days, you may file a complaint with the Personal Data Protection Authority of Turkey (KVKK):

11.5. Self-Service in Account Panel

You can exercise the following rights directly via your Account panel:

  • Data export (portability): Account > Settings > "Download My Data" — downloads all your personal data in JSON format.
  • Account deletion: Account > Settings > "Delete Account" — soft-delete + permanent deletion after 30 days.

11.6. Withdrawal of Consent

You may withdraw consent for marketing communications, optional cookies, or international transfers at any time:

  • Email preferences: the "Unsubscribe" link at the bottom of every email
  • Cookie preferences: browser cookie settings or Account > Cookie Preferences
  • Withdraw all consent: by emailing [email protected]

12. Changes to This Policy

QRbug may update this Privacy Policy from time to time. We will notify you of material changes 30 days in advance at the email address registered with your Account. The current version of the Policy is always published at qrbug.com/privacy.

13. Contact

  • KVKK and personal data inquiries: [email protected]
  • Customer support: [email protected]
  • Postal address: Mavipiksel İnternet Çözümleri ve Bilgisayar Sistemleri Ltd. Şti., Çınar Mahallesi 5003/3 Sokak No:3 Daire:319 Tokatlı Plaza Bornova / İZMİR, Turkey