Personal Data Processing

YOURSIZER.COM PERSONAL DATA PROCESSING ACTIVITIES INVENTORY 04.01.2026

1. DATA CONTROLLER INFORMATION

Trade Name: Yoursizer Technologies
No.: 10274536334
Address: Adnan Kahveci Neighborhood, Osmanlı Street, Yeşilkent 3 Site, Tanrıverdi Apartment, Floor: 15, Apartment: 64, Beylikdüzü/Istanbul
E-mail: contact@yoursizer.com

Yoursizer Teknoloji acts as a data controller in accordance with the Law No. 6698 on the Protection of Personal Data (KVKK). This inventory clarifies our company's corporate identity and legal entity, while ensuring that our personal data processing activities are recorded in a transparent, systematic, and legally compliant manner. This information serves as a fundamental reference point for data subjects to exercise their rights and communicate with our company.

2. INVENTORY METHODOLOGY AND SCOPE

This Personal Data Processing Activities Inventory has been prepared to ensure Yoursizer Technology's personal data processing processes are fully compliant with the provisions of the Law No. 6698 on the Protection of Personal Data (KVKK) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data, as well as other relevant secondary legislation. The inventory is based on the "General Principles" in Article 4 of the KVKK. These principles include the obligation for personal data to be processed in accordance with the law and rules of fairness, to be accurate and up-to-date when necessary, to be processed for specific, explicit and legitimate purposes, to be relevant, limited and proportionate to the purpose for which they are processed, and to be retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

Our inventory addresses all personal data processing activities carried out by our Company using an "activity-based approach". This methodology aims to systematically associate each business process (e.g., account management, algorithm development, customer support) as an activity, along with the data categories processed within that activity (e.g., Identity Information, Biometric Data, Transaction Security Data), the purposes of processing, the legal basis, maximum retention periods, and the recipient groups to whom the data is transferred. In this way, transparency in our data processing processes is increased, risks are managed more effectively, and the rights of data subjects are better protected.

Data categorization, in accordance with the spirit of the KVKK (Turkish Personal Data Protection Law), is based on grouping personal data according to their common characteristics. For example, information such as name, surname, and email address are categorized as "Identity and Contact Information"; measurements such as height and waist circumference are categorized as "Biometric Data"; and technical records such as IP address and browser information are categorized as "Transaction Security Data". This detailed classification ensures the correct application of legal requirements and security measures specific to each data type. The inventory is a dynamic document and is regularly updated in line with changes that may occur in our company's operations or legislation.

3. ACTIVITY-BASED DATA PROCESSING MATRIX

Yoursizer Teknoloji's personal data processing activities are carried out across a wide range of areas, encompassing the core operation of our platform, the services it offers, and its operational processes. The matrix below details the scope of each activity, the categories of data processed, the legal basis, maximum retention periods, and potential recipient groups. This matrix has been prepared in accordance with the principles of "processing for specific, explicit, and legitimate purposes" and "being relevant, limited, and proportionate to the purpose for which they are processed," as stated in Article 4 of the KVKK (Turkish Personal Data Protection Law).

Each matrix entry lists: Processing Activity and Scope, Data Category, Purpose of Processing, Legal Basis (KVKK article), Maximum Storage Time, and Transferred Recipient Group.

1. Account Management and Service Delivery
   Scope: Creating, managing, and personalizing user accounts, and providing basic services.
   Data Category: Identity and Contact Information (Name, Surname, Email, Age, Gender, Phone)
   Purpose of Processing: Account management, communication, personalization, and tailored services.
   Legal Basis: 5/2-c (Establishment/Performance of the Contract)
   Maximum Storage Time: While the account remains active, + 10 years (statute of limitations for possible disputes)
   Recipient Group: Internal Management Team, Technical Infrastructure Providers (Database, Server)

2. 3D Avatar Creation and Body Size Suggestion
   Scope: Providing body size recommendation services, which is the core function of the platform.
   Data Category: Biometric Data (measurements such as height, leg length, waist circumference, shoulder width); 3D Body Avatar (digital avatar derived from measurements)
   Purpose of Processing: Personalized recommendations, core functionality, anonymous/batch research, and algorithm optimization.
   Legal Basis: 6/3-a (Explicit Consent)
   Maximum Storage Time: As long as the user continues to use the service and their consent remains valid, + 10 years (anonymized/pseudonymized for algorithm development)
   Recipient Group: Internal Management Team, Software Development Team, Technical Infrastructure Providers (Database, Server)

3. Algorithm Improvement and Research
   Scope: Improving service quality, developing algorithms, and training machine learning models.
   Data Category: Biometric Data (anonymized/pseudonymized); 3D Body Avatar (anonymous/pseudonymous); Usage Data (anonymized)
   Purpose of Processing: Algorithm optimization, anonymous/aggregate research, ML training.
   Legal Basis: 5/2-f (Legitimate Interest, for anonymous/pseudonymized data); 6/3-a (Explicit Consent, for biometric data; continues after anonymization)
   Maximum Storage Time: 10 years (anonymous/pseudonymous)
   Recipient Group: Internal Management Team, Software Development Team

4. Payment and Billing Processes
   Scope: Managing payment processes for paid services and fulfilling legal obligations.
   Data Category: Payment Information (last 4 digits of card, billing address); Identity and Contact Information (for invoicing)
   Purpose of Processing: Payment and billing processes, tax/accounting liabilities.
   Legal Basis: 5/2-c (Establishment/performance of the contract); 5/2-ç (Legal obligation)
   Maximum Storage Time: 10 years (according to the Tax Procedure Law and the Turkish Commercial Code)
   Recipient Group: Internal Management Team, Accounting/Finance Department, Payment Service Providers

5. Customer Communication and Support Requests
   Scope: Receiving, responding to, and resolving user support requests.
   Data Category: Identity and Contact Information; Contact/Support Request Content
   Purpose of Processing: Support processes, monitoring service quality.
   Legal Basis: 5/2-c (Establishment/performance of the contract); 5/2-f (Legitimate interest)
   Maximum Storage Time: Three years from the date the request is finalized (for possible appeals and audits)
   Recipient Group: Internal Management Team (Customer Support Unit)

6. Platform Security and Performance Analysis
   Scope: Ensuring system security, optimizing performance, and improving user experience.
   Data Category: Device and Connection Information (IP address, browser type, operating system, language preferences, access timestamps); Usage Data (pages visited, items clicked, in-service preferences)
   Purpose of Processing: Security, performance, user experience and behavioral analysis, fraud prevention.
   Legal Basis: 5/2-f (Legitimate Interest); 5/2-c (Legal Obligation, for cybersecurity)
   Maximum Storage Time: 2 years (for information security, fraud prevention and system integrity purposes)
   Recipient Group: Internal Management Team, Software Development Team, Technical Infrastructure Providers (Log Management, Security)

7. Marketing and Commercial Communication
   Scope: Providing users with information about products, campaigns, and announcements.
   Data Category: Identity and Contact Information; Marketing Permissions and Preference Records
   Purpose of Processing: Marketing, campaign announcements, personalized content delivery (excluding biometric data).
   Legal Basis: 5/1 (Explicit Consent)
   Maximum Storage Time: While the permission remains in effect; communication will cease upon withdrawal of permission, and permission/rejection records are retained for 3 years to serve as proof.
   Recipient Group: Internal Management Team, Marketing Department, Email/SMS Service Providers

4. DATA STORAGE, BACKUP AND DESTRUCTION CRITERIA

Yoursizer Technology meticulously applies the principle of "retention only for the period necessary for the purpose for which they were processed," as stated in Article 4 of the Personal Data Protection Law (KVKK), and the provisions of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, in the processes of storing, backing up, and destroying personal data. These processes aim to ensure data security and confidentiality at every stage of the data lifecycle.

4.1. Determining Storage Times: The maximum retention periods specified in the Data Processing Matrix have been determined by considering the processing purpose of each data category, relevant legal obligations, and the need for proof in potential legal disputes. Financial and accounting records (invoices, payment/transaction records, contracts/delivery notes, and similar documents) are governed by legislation such as the Turkish Commercial Code (TTK) and the Tax Procedure Law (VUK), which impose a legal retention obligation of 10 years; after this 10-year period the data is anonymized and may be used to feed the algorithm. If a deletion request is made, the data is encrypted and irreversibly destroyed in accordance with the legislation. Because of the obligation to maintain commercial ledgers and documents, these records are stored for a period exceeding the general period specified in the inventory, as stipulated by the relevant legislation. Biometric data and 3D avatar parameters used for algorithm development and statistical analysis purposes are stored in an anonymized or pseudonymized form for 10 years, within the legitimate interest of the system in increasing its learning and accuracy rates. This period is implemented under technical and administrative measures that prevent direct identification of the person concerned.

4.2. Backup Policy and Rotation: Our company regularly backs up personal data to ensure business continuity and prevent potential data loss. Data stored in backup media is subject to the same security standards as data in the live system. A rotation period of 72 days has been established for data stored in backup media. This means that backups are stored for 72 days, after which they are automatically deleted and replaced with new backups. This period offers a balanced approach between data recovery needs and data minimization and destruction obligations. Backup retention periods are managed in such a way that they never exceed the maximum retention periods in the live system. Especially for backups of biometric datasets, access is strictly restricted and protected with encryption even within this 72-day rotation period.

4.3. Destruction Methods and Periodic Destruction: If the purpose of processing ceases to exist or the legal retention period expires, personal data shall be deleted, destroyed, or anonymized automatically or upon the request of the data subject, in accordance with Article 7 of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data. Our company carries out these processes periodically, in any case at intervals not exceeding six months.

The destruction methods used are as follows:

  • Secure Erase (Permanent Erase): Making database records or data in file systems completely inaccessible and unusable for relevant users. This is achieved by overwriting the data with arbitrary information or by irreversibly deleting the database records.
  • Cryptographic Destruction: Encrypted data is rendered unreadable by irreversibly destroying its encryption keys. This method is particularly used in encrypted backup environments.
  • Anonymization: Anonymization is the process of rendering personal data in such a way that it cannot be linked to an identified or identifiable natural person, even when combined with other data. This technique is particularly used in long-term data storage for algorithm development purposes. Methods such as aggregation, masking, spacing, and noise addition completely sever the link between the data and the individual. The irreversibility of the anonymization process is verified through technical reporting and independent audits.
  • Physical Destruction: The irreversible destruction of physical storage media (hard disk, USB flash drive, etc.).

All destruction processes are recorded, and these records are kept for at least three years, subject to other legal obligations.

5. DATA TRANSFER AND RECEIVER GROUPS

Yoursizer Technology meticulously adheres to the conditions stipulated in Articles 8 and 9 of the KVKK (Turkish Personal Data Protection Law) in the processes of transferring personal data. Data transfers are carried out only for defined and legitimate purposes, observing the principle of data minimization and taking the necessary security measures.

5.1. Domestic Transfers: Personal data processed within our company may be transferred primarily to the following domestic recipient groups:

  • Internal Management Team and Related Departments: Personal data is shared between relevant departments and authorized personnel on a "need-to-know" basis, in accordance with the processing purposes (e.g., customer service for account management, software team for algorithm development, accounting unit for billing). These transfers are necessary for the conduct of internal company operations and the provision of services.
  • Technical Infrastructure Providers: Personal data may be transferred to our domestic business partners who provide database services (e.g., PostgreSQL, MongoDB architectures), server hosting, log management, and other technical support services, as this is necessary for the performance of these services. These transfers are based on Article 5/2-c (Performance of Contract) of the Turkish Personal Data Protection Law (KVKK) for the purpose of fulfilling our contractual obligations and ensuring the uninterrupted operation of our platform.
  • Accounting/Finance Unit: Data relating to payment and billing processes is shared with our accounting and finance department to fulfill legal obligations.
  • Authorized Public Institutions and Organizations: Your personal data may be transferred to relevant public institutions and organizations in order to fulfill a legal obligation or at the request of authorized judicial/administrative authorities (KVKK Article 5/2-ç).

5.2. International Transfers: Our company currently does not have any direct international data transfers. All personal data is processed and stored in data centers within Turkey. However, in the future, should we collaborate with international service providers or if cloud infrastructure services are located in data centers abroad, full compliance with Article 9 of the KVKK (Personal Data Protection Law) and related legislation will be ensured. In the event of such a transfer, one or more of the following guarantees will be provided:

  • Transfer of data to countries for which the Personal Data Protection Board has issued an adequacy decision;
  • In cases where no adequacy decision is available, use of the standard contractual clauses (SCC) announced by the Board, with notification to the Authority;
  • The existence of a written undertaking containing provisions to ensure adequate protection, together with authorization of the transfer by the Board.

In all cases, technical and administrative measures such as encryption, access restrictions, role-based authorization, and logging will be implemented to ensure the security of transmitted data; and the data recipient will be contractually guaranteed to provide the same level of protection.

6. TECHNICAL AND ADMINISTRATIVE MEASURES RELATED TO DATA SECURITY

Yoursizer Technology takes all necessary technical and administrative measures to ensure the security of personal data in accordance with Article 12 of the KVKK (Law on Protection of Personal Data) and continuously reviews these measures. Additional and stricter measures are applied, particularly for sensitive personal data such as biometric data.

6.1. Technical Measures:

  • Database Security:
      • Network Isolation (VPC Isolation): Databases (relational and document-based systems such as PostgreSQL and MongoDB) are located within private virtual networks (VPC – Virtual Private Cloud) that are completely isolated from the application layer. This ensures that databases can only be accessed through authorized application servers, preventing direct internet access.
      • Transport Layer Security (TLS): All data communication between databases, application servers, and other authorized systems is end-to-end encrypted using the Transport Layer Security (TLS) protocol. This prevents unauthorized individuals from intercepting data during transmission.
      • Encryption at Rest: Personal data stored in databases is protected with strong encryption algorithms at the disk level (encryption-at-rest). Encryption keys are securely managed through a separate and restricted Key Management System (KMS).
      • Field-Based Encryption: For sensitive fields such as biometric data, in addition to database-level encryption, field-based encryption techniques can be implemented at the application layer. This allows for a more granular level of data protection.
  • Access Management and Authorization (RBAC/MFA):
      • Role-Based Access Control (RBAC): Access to personal data is strictly restricted according to the principle of role-based authorization (least privilege), in line with employees' job descriptions and the authorization matrix. Each employee is only granted access to the data necessary to perform their job.
      • Multi-Factor Authentication (MFA): Multi-factor authentication (MFA) is mandatory for all systems that provide access to the production environment and sensitive data.
      • Access Logs: Access to personal data is logged in detail, including who accessed which data and when. These logs are regularly monitored and analyzed to detect anomalies.
  • Pseudonymization: Biometric data in particular (body measurements and 3D avatar parameters) is separated from directly identifying information and associated only with a token or user ID. This makes direct identification more difficult when analyzing datasets. This technique supports the principle of "being relevant to the purpose, limited and proportionate" as per Article 4/2-ç of the Turkish Personal Data Protection Law (KVKK).
  • Security Updates and Vulnerability Management: All systems and software are regularly updated with security updates and patches. Periodic vulnerability scans and penetration tests are conducted to identify and address potential security vulnerabilities.
  • Secrets Management: Sensitive secrets, such as database connection information and API keys, are managed through secure secret management systems (such as HashiCorp Vault, AWS Secrets Manager) and are not stored directly within the code.
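The following is an added illustration, not Yoursizer's own code, of how the pseudonymization and field-based encryption measures above combine with the cryptographic destruction method of Section 4.3: measurements are stored only under a keyed pseudonym token and a per-user data-encryption key wrapped by a KMS-held key, so discarding that wrapped key makes the live record and every backup copy unreadable at once. The BiometricVault class, the HMAC-SHA256 counter-mode cipher (a dependency-free stand-in for AES-GCM) and the sample measurements are all assumptions for this example.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF stream (stand-in for AES-GCM)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # encrypt-then-MAC layout: nonce || ciphertext || tag
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class BiometricVault:
    """Hypothetical store: measurements live only under a pseudonym token and a
    per-user data-encryption key (DEK); the DEK is wrapped by a KMS-held key."""

    def __init__(self, kms_key: bytes, pseudonym_key: bytes):
        self._kms_key = kms_key            # held by the KMS, never beside the data
        self._pseudonym_key = pseudonym_key
        self.wrapped_deks = {}             # token -> DEK wrapped under kms_key
        self.records = {}                  # token -> encrypted measurements (live)
        self.backups = []                  # (token, ciphertext) copies on backup media

    def token_for(self, user_id: str) -> str:
        # keyed pseudonym: cannot be reversed to the user id without pseudonym_key
        return hmac.new(self._pseudonym_key, user_id.encode(), hashlib.sha256).hexdigest()[:32]

    def store(self, user_id: str, measurements: dict) -> str:
        token = self.token_for(user_id)
        dek = secrets.token_bytes(32)
        self.wrapped_deks[token] = encrypt(self._kms_key, dek)
        blob = encrypt(dek, json.dumps(measurements, sort_keys=True).encode())
        self.records[token] = blob
        self.backups.append((token, blob))  # backups ever hold ciphertext only
        return token

    def load(self, user_id: str) -> dict:
        token = self.token_for(user_id)
        dek = decrypt(self._kms_key, self.wrapped_deks[token])
        return json.loads(decrypt(dek, self.records[token]))

    def crypto_shred(self, user_id: str) -> None:
        # cryptographic destruction: drop the wrapped DEK, so the live record and
        # every backup copy become unreadable without rewriting the backup media
        token = self.token_for(user_id)
        del self.wrapped_deks[token]
        self.records.pop(token, None)

    def recoverable_from_backup(self, user_id: str) -> bool:
        token = self.token_for(user_id)
        has_copy = any(t == token for t, _ in self.backups)
        return has_copy and token in self.wrapped_deks


if __name__ == "__main__":
    # constructed sample data, not real user records
    vault = BiometricVault(secrets.token_bytes(32), secrets.token_bytes(32))
    vault.store("user-42", {"height_cm": 178, "waist_cm": 84})
    print(vault.load("user-42"), vault.recoverable_from_backup("user-42"))
    vault.crypto_shred("user-42")
    print(vault.recoverable_from_backup("user-42"))
```

Note that the backup list still holds the ciphertext after shredding; the 72-day rotation in Section 4.2 eventually removes the bytes, but readability ends the moment the key is gone.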

6.2. Administrative Measures:

  • Staff Training and Awareness: All employees receive regular training on personal data protection, data security, and this Inventory, Storage, and Destruction Policy. Employee awareness levels are continuously increased.
  • Privacy Agreements: Confidentiality agreements are signed with all employees and business partners who have access to personal data.
  • Data Minimization: In collecting personal data, the principle adopted is to collect only the minimum necessary for the provision of the service. A separate information and explicit consent process is followed for optional data.
  • Inspection and Incident Response Plan: Data processing processes and security measures are regularly audited. An incident response plan is in place to ensure a rapid and effective response in the event of a data breach.

7. MANAGEMENT OF EXCEPTIONAL AND SPECIAL CIRCUMSTANCES

As Yoursizer Technology, due to the nature of our service, we generally do not process special categories of personal data (KVKK Article 6). However, in exceptional circumstances, users may voluntarily share special categories of personal data (such as health data, union membership, religion/sect, political views, criminal convictions, etc.) that fall outside the purpose of the service, particularly in free text fields or during support requests. The management of such situations is carried out meticulously within the framework of the principles of "lawfulness and fairness" and "being relevant, limited and proportionate to the purpose" as stated in Article 4 of the KVKK.

7.1. Data Processing Principle:

  • Minimal Processing: Special categories of personal data shared unsolicited by the user are processed only for the purpose of evaluating the relevant request and carrying out the support process, and strictly to a minimum extent. Since this data is not necessary for the provision of our platform's basic services, care is taken to ensure that it is not permanently stored in our systems.
  • Awareness and Warning: Support request forms or free text input fields include reminders and information advising users not to share sensitive personal data.
  • Legal Basis: The processing of such data may be based on legal grounds such as "performance of a contract" (provision of support services), "legitimate interest" (management and proof of the request), or "explicit consent" (the data subject's own decision to share), depending on the nature of the request. However, these grounds do not legitimize the processing of data outside the primary purpose of the service; they only allow for the management of the current situation.

7.2. Rapid Destruction and Minimization:

  • This sensitive personal data, shared unsolicited by the user, is retained for a short period, limited to completing the support request and providing proof in case of potential disputes. For example, following the completion of a support request, the relevant data is securely deleted or destroyed as soon as possible (e.g., within a few days or weeks).
  • If anonymizing the data is possible, this method is preferred. However, since such data is often unstructured, secure deletion or destruction methods are usually applied instead of anonymization.
  • Data transfer abroad and sharing with third parties is generally not permitted. If essential service providers (e.g., email transmission) are involved, this only occurs upon instruction, for a limited purpose, and under the necessary contractual/technical safeguards. Full compliance with Article 9 of the Personal Data Protection Law and related legislation is ensured in these processes.

Managing these exceptional circumstances reflects our company's commitment to data minimization and data security principles.

8. APPROVAL AND EFFECTIVE DATE

This Personal Data Processing Activities Inventory has been prepared to document Yoursizer Technology's personal data processing processes in a transparent and legally compliant manner. The inventory is a demonstration of our company's commitment to the protection of personal data and is binding on all relevant departments.

The inventory will be reviewed and updated regularly in line with any changes that may occur in applicable legislation or in our Company's business processes. The review period has been set at least every six months. These periodic reviews aim to ensure that the inventory is always up-to-date, accurate, and complete.

This Inventory came into effect on 04.01.2026 with the approval of the Board of Directors. Approved by:

8. Analytical Value Proposition for Brands (entry of the Activity-Based Data Processing Matrix in Section 3)
   Scope: Providing anonymous/pseudonymized "fit-related analytics" to integrated brands.
   Data Category: Usage Data (anonymized/pseudonymous); Body Size Recommendation Outputs (anonymous/pseudonymous)
   Purpose of Processing: Presenting "fit-related analytics" and "data-driven insights" to brands.
   Legal Basis: 5/2-f (Legitimate Interest, for anonymous/pseudonymized data)
   Maximum Storage Time: 5 years (anonymous/pseudonymous)
   Recipient Group: Internal Management Team, Business Development Unit, Integrated Brands/Retailers (anonymous/pseudonymized data)
Name Surname: [Missing Information: Board Chairman's Name and Surname]
Title: Chairman of the Board
Signature: _________________________
Name Surname: [Missing Information: Name and Surname of the Head of the GDPR Compliance Unit]
Title: Head of GDPR Compliance Unit
Signature: _________________________
Name Surname: [Missing Information: Internal Audit Unit Manager's Name and Surname]
Title: Internal Audit Unit Manager
Signature: _________________________