top of page


Website Cookie Clarification Text

Kreafin Consulting Inc. It is an institution that values the privacy and security of data. Website Cookie Clarification Text, Kreafin Danışmanlık A.Ş. 's corporate website ("website") explains the purposes and methods of use of technologies such as cookies, pixels, gifs ("cookies") used to improve the experience of users. The use of these technologies is primarily governed by the Law on Protection of Personal Data No. 6698 (“KVKK”) and Kreafin Danışmanlık A.Ş. It is carried out in accordance with the legislation to which it is subject. has the right to refuse to use the cookies used on the website, to change their types or functions, or to add new cookies to the site. Therefore, the right to change the provisions of this clarification text belongs to Kreafin Danışmanlık A.Ş. is preserved by Any changes made on the current lighting text will become effective after they are published on the site.

Method and Legal Reason for Personal Data Collection

Personal data is sent to Kreafin Danışmanlık A.Ş. via cookies in the electronic environment within the scope of the visitors' visit to the website. It is collected based on the legal reason for the legitimate interest of  . Collected personal data may be processed for the purposes specified in this Cookie Clarification Text within the scope of the personal data processing conditions and purposes specified in the “processing conditions of personal data” and “processing conditions of special quality personal data” of the KVKK.

To Whom Personal Data Can Be Transferred And For What Purpose?

Kreafin Consulting Inc. It may transfer the personal data within the scope of the Cookie Disclosure Text to its suppliers, legally authorized public institutions and private individuals, limited to the realization of the above-mentioned purposes and in accordance with the legislation. The parties to whom the data is transferred have the right to store the personal data on their servers all over the world.

For What Purposes Are Cookies Used?

The purposes of the cookies used on the website are:

  • To perform the basic functions necessary for the website to work (For example, the logged-in members do not need to enter passwords again when visiting different pages on the website).

  • Analyzing the website and increasing the performance of the website (For example, the integration of different servers on which the website is running, determining the number of visitors to the website and adjusting performance accordingly, or making it easier for visitors to find what they are looking for).

  • To increase the functionality of the website and to provide ease of use (For example, third-party

sharing on social media channels, remembering the user name information or search queries on the next visit of the visitor to the site).

Cookies Used on Website

The different types of cookies used on the website are listed below. The website uses both first-party cookies (placed by the site you visit) and third-party cookies (placed by servers other than the site you visit).

Mandatory Cookies

The use of certain cookies is essential for the website to function properly. For example, authentication cookies, which are activated when you log in to the website, ensure that the active session of the visitor continues when switching from one page to another.



application to enable communication, identify user session and/or exchange information with the content manager.

Acgroupswithpersist &

These cookies are used to ensure that certain areas of the website, such as page elements and user click links, are displayed correctly.

Acopendivids & maintab-home

They do not collect personally identifiable information and are deleted after the browser is closed.

Performance and Analytics Cookies

Thanks to these cookies, the use of the website by the visitors and the performance of the site are analyzed and the services offered to the visitors are improved. For example, thanks to these cookies, it is determined which pages the visitors view the most, whether the site is working properly and possible problems.


__utma, _utmb, utmc,__utmt, _utmz

Google Analytics cookies collect anonymous data about how users use the site. Information such as the number of visitors, which page the users came from are stored in these cookies.

How Can Visitors Control the Use of Cookies?

Visitors have the opportunity to customize their preferences for cookies by changing their browser settings.

Adobe Analytics


Google AdWords

Google Analytics

Google Chrome

Internet Explorer

Mozilla Firefox



What are the Rights of Visitors as Data Owners?

Pursuant to the “rights of the data subject” article of the KVKK, data owners;

  • Learning whether personal data is processed or not,

  • If personal data has been processed, requesting information about it,

  • Learning the purpose of processing personal data and whether they are used in accordance with its purpose,

  • Knowing the third parties to whom personal data is transferred at home or abroad,

  • Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,

  • Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing have disappeared, although it has been processed in accordance with the provisions of the KVKK and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,

  • Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,

  • To request the compensation of the damage in case of loss due to the unlawful processing of personal data,

has rights.

Claims regarding these rightsinfo@kreafin.comIf it is sent to the address in electronic form, the applications will be evaluated and finalized as soon as possible and within 30 (thirty) days at the latest. Although it is essential that no fee is charged for the requests, if the transaction requires an additional cost, Kreafin Danışmanlık A.Ş. The fee in the tariff determined by the Personal Data Protection Board will be charged.

The data owner is the owner of any personal data Kreafin Danışmanlık A.Ş. accepts that he/she may not be able to fully benefit from the operation of the website if he/she makes a request that will result in its inability to use it and declares that any responsibility arising in this context will belong to him.

Personal Data Management Policy


1.1. Aim

Kreafin Consulting Inc. (“Kreafin” as used in the rest of the text with its trademark name) manages the personal data it uses and processes in business processes within the scope of this umbrella policy document.

1.2. Scope

The document consists of the following policies:

  • Personal Data Protection and Processing Policy (KVKIP)

  • Personal Data Retention and Disposal Policy (KVSIP)

  • Policy on Private Personal Data (ÖNKVIP)


Explicit Consent: Consent about a specific subject, based on information and expressed with free will.

Anonymization: It is the making of personal data that cannot be associated with an identified or identifiable natural person in any way by matching with other data. Kreafin Danışmanlık A.Ş.

Relevant User: Kreafin Danışmanlık A.Ş., which is responsible for technical storage, protection and backup of personal data. Persons who process personal data within the organization of the Data Controller or in line with the authorization and instruction received from the Data Controller, excluding the employee or unit of .

Destruction: It is the deletion, destruction or anonymization of personal data.

Law: The Law No. 6698 on the Protection of Personal Data.

Recording Environment: Any environment in which personal data is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system.

Registered Electronic Mail (KEP): It is a qualified form of electronic mail that provides legal evidence regarding the use of electronic messages, including their sending and delivery.

Personal Data Processing Inventory: Personal data processing activities; It is the inventory created by associating the personal data processing purposes, data category, transferred recipient group and data subject group and detailing the maximum time required for the purposes for which personal data is processed, the personal data foreseen to be transferred, and the measures taken regarding data security.

Personal Data Retention and Disposal Policy (KVSIP): It is the policy that includes the steps to be taken for deletion, destruction and anonymization, as well as the process of determining the maximum period required for the purpose for which personal data is processed.

Personal Data Retention and Disposal Procedure: It is the procedure prepared to regulate the processing rules in detail as specified in the Personal Data Retention and Disposal Policy.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, It is all kinds of operations performed on data such as classification or prevention of use.

Principles of Protection and Processing of Personal Data: Kreafin Danışmanlık A.Ş. These are the principles prepared by us and specify the general principles regarding the protection and processing of personal data.

Personal Data Protection and Processing Policy (KVKIP): Kreafin Danışmanlık A.Ş. It is the policy that contains explanations about the content, categories, usage and processing methods of the personal data processed by .

Cryptographic Methods: Cryptographic methods or "encryption" are all the methods used to transform the information contained in a readable data into a form that cannot be understood by undesirable parties. Cryptography is a set of mathematical methods and is intended to provide the necessary conditions for the security of important information such as confidentiality, authenticity, authentication and prevention of false rejection. These methods aim to protect the information (therefore, the interests of the sender, receiver, carrier of the information, the persons it is subject to, and any other party) from active attacks or passive perceptions that may be encountered during the transmission and storage period of an information.

Board: It is the Personal Data Protection Board.

Policy Regarding Special Quality Personal Data (ÖNKVIP): It is the policy that defines the rules for the security of sensitive personal data and covers all activities that will provide management in this area.

Periodic Destruction: It is the deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals and specified in the Personal Data Retention and Destruction Policy, in case all the conditions for processing personal data in the Law are no longer valid.

Policy: It is the Personal Data Management Policy.

Secure Socket Layer (SSL): SSL is a security protocol that provides personal privacy and reliability, allows the communication between the server and the client to be encrypted for the integrity and confidentiality of information during information transfer over the network, thus ensuring the protection of confidentiality and integrity.

sFTP: It stands for secure file transfer protocol. It is a secure way to transfer files online between machines.

Data Registration System: It is the registration system in which personal data is processed and structured according to certain criteria.

Data Owner: Kreafin Danışmanlık A.Ş. It is the unit responsible for the data at the database and application levels of the systems, responsible for preventing unauthorized access by restricting access to the relevant data, and helping other employees to comply with the procedures.

Data Controller: Kreafin Danışmanlık A.Ş.

VPN: VPN stands for “virtual private network”. It is an internet technology that enables connecting to different networks via remote access.

Board of Directors: Kreafin Danışmanlık A.Ş. is the Board of Directors.


3.1. Purpose and Scope

3.1.1. Aim

Kreafin Consulting Inc. For  , the issue of confidentiality and privacy of personal data is of great importance. Taking necessary security measures and implementing controls for the protection of personal data Kreafin Danışmanlık A.Ş. 's primary goal. Purpose of Personal Data Protection and Processing Policy Kreafin Danışmanlık A.Ş. It is to ensure that the personal data managed by .

3.1.2. Scope

At the beginning of the protection of personal data, Kreafin Danışmanlık A.Ş. Determining the personal data in written, printed or electronic media transmitted to the Company and establishing appropriate controls, preparing the necessary secure environments for the storage of these data and ensuring that access to these data is carried out by a limited number of authorized persons.

Kreafin Consulting Inc. 's primary goal is to ensure that the rapidly developing service network and business processes with today's technology are in a reliable, legal and transparent structure thanks to this governance system.

Kreafin Danışmanlık A.Ş. is responsible for taking and applying appropriate security measures during the protection and processing of personal data. All employees of the institution, especially the management, are responsible.

In addition to the technical improvements necessary to manage the risks that personal data may face, KVKİP includes a governance system in which business processes and procedures are developed. Continuous development and updating of this system is the responsibility of Kreafin Danışmanlık A.Ş. management and employees.

“Regulation on the Protection and Management of Personal Data” will also be prepared in order to increase the dynamism of KVKİP, which is one of the cornerstones of the governance system established for the protection of personal data, with its business processes.

Within the scope of these studies, Kreafin Danışmanlık A.Ş. 's employees are obliged to show maximum effort to show full compliance by acting in accordance with the policies and procedures and business processes established to ensure the confidentiality and security of personal data.


4.1. Purpose and Scope

4.1.1. Aim

The purpose of the Personal Data Retention Disposal Policy; Kreafin Consulting Inc. It is the determination of the processes of deletion, destruction or anonymization of the processed personal data, with the maximum periods required for the purpose for which they are processed, and to define the roles and responsibilities of the persons who will take part in these processes.

4.1.2. Scope

KVSIP scope; Maximum storage periods of personal data and technical and administrative measures taken for the legal storage and destruction of personal data, Kreafin Danışmanlık A.Ş. It creates the following recording environments with the employees involved in the execution of the related processes:

  • Electronic Recording Media: Kreafin Danışmanlık A.Ş. Logo accounting software server used by Microsoft is any cloud and physical server such as One Drive.

  • Physical Recording Media: Archive room is the environment where personal data such as files, folders and cabinets are physically stored.

4.2. Responsibility

Within the scope of KVSIP, Kreafin Danışmanlık A.Ş. Responsible for fulfilling the following duties and responsibilities:

  • To comply with the retention periods included in the Personal Data Inventory and which are legally required,

  • To manage the personal data destruction process during the periodical destruction period,

  • To review the KVSIP at least once a year,

  • To arrange and publish the Personal Data Storage and Disposal Procedure and other procedures deemed necessary, which will regulate the transaction rules in detail based on the KVSIP,

  • To distribute the necessary tasks for the KVSIP, to authorize the appropriate persons and to organize the necessary trainings on compliance with the Law,

  • To follow up the implementation of all kinds of technical and administrative measures taken in accordance with the data security obligations of the law and to plan the audit,

  • To determine the issues that need to be done in order to ensure compliance with the law and the relevant legislation, to oversee its implementation and to ensure the necessary coordination,

  • To follow up the processes related to the applications and requests made by real persons whose personal data are processed and to take necessary actions to solve the problems that may arise regarding the implementation of the Law and/or the relevant policy and procedure,

  • Managing relations with the Board.

4.3. Security Principles Regarding Data Storage and Unlawful Processing and Prevention of Access

Kreafin Consulting Inc. The data provided by   under the Personal Data Protection and Processing Policy are classified within the framework of the rules listed in the Personal Data Processing Inventory and specified in the Law.

In this framework, the following personal data definitions in the Law have been used as the classification methodology that forms the basis of KVSIP:

  • Group 1/Personal Data: Any data relating to an identified or identifiable natural person.

  • Group 2/Special Quality Personal Data: People's race, ethnicity, political thought, philosophical belief, religion, sect and other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and biometric and genetic are data.

  • Group 3/Other Data: It refers to data that is not within the scope of the definition of personal data.

Kreafin Consulting Inc. Limiting access to personal data, encrypting/masking, taking privacy and information security measures, within the framework of technological possibilities, including but not limited to those listed here, in order to securely store the data belonging to the 1st and 2nd groups, and to prevent their unlawful processing and access. All technical and administrative measures are taken, such as preparing a "Personal Data Processing Inventory", providing training to employees on the subject, preparing and keeping technical policies and procedures up to date.

4.4. Reasons Requiring Storage and Destruction of Data

personal data,

  • Kreafin Consulting Inc.  to contact the relevant people,

  • Providing the services envisaged within the scope of the relevant legislation,

  • Kreafin Consulting Inc. To conclude and fulfill the requirements of contracts to which   is a party,

  • Kreafin Consulting Inc.  products and services of  to provide information about products and services or to offer solutions within the scope of complaint management,

  • Kreafin Danışmanlık A.Ş. To be able to give references about the services and projects of

  • Kreafin Consulting Inc. Establishing the database deemed necessary for .

  • Ensuring proper internal communication,

  • Compliance with the regulations in the relevant legislation,

  • Complying with information storage, reporting, informing and other obligations stipulated by official institutions,

  • Informing the public through printed or visual news or bulletins,

Kreafin Danışmanlık A.Ş. as Data Controller based on the legal reasons mentioned with processed by. Termination of the purpose of processing or related legislation and/or Kreafin Danışmanlık A.Ş. In the event that the storage periods determined by .

4.5. Retention Periods of Data Under the Relevant Legislation

Kreafin Consulting Inc. Retention periods are determined for all personal data stored within the company. When determining the retention periods, first of all, if there is no period stipulated by the relevant legislation, the period required for the purpose of personal data processing is taken into account and the relevant periods are included in the Personal Data Inventory.

Other Related Legislation

Until the time stipulated in the relevant legislation

Pursuant to Article 146 of the Code of Obligations, which regulates the general litigation statute of limitations.

10 years

In case the relevant personal data is subject to a crime or is related to a crime within the scope of the Turkish Penal Code or other penal provisions, in accordance with Articles 66 and 68 of the Turkish Penal Code.

During the statute of limitations and the statute of limitations

The personal data mentioned in the Personal Data Processing Inventory are stored in accordance with the legal regulations in the table above and are destroyed on the first periodic destruction date following the storage period, unless there is any legal situation that interrupts or stops the statute of limitations.

4.6. Security Principles Regarding Data Disposal

Kreafin Consulting Inc. Personal data provided by the Company within the scope of the Personal Data Protection and Processing Policy and stored as specified in the Personal Data Inventory, if the purpose of processing has expired or the storage periods specified in the relevant legislation and/or policy have been reached, at the request of the natural person whose personal data is processed, Data Owner at the request of the unit or ex officio, in accordance with the recording media; It is subject to deletion, destruction or anonymization processes to be determined in accordance with the nature of the personal data, and the details are destroyed as shown in the Personal Data Retention and Destruction Procedure.

Kreafin Consulting Inc. The following destruction methods are used by:

4.6.1. Deletion of Data

It is the process of making personal data inaccessible and unusable for the relevant users in any way.

4.6.2. Data Destruction

It is the process of making personal data inaccessible, irretrievable and reusable by anyone in any way.

4.6.3. Anonymization of Data

It is the process of rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

4.6.4. Operation of the Disposal Process

Kreafin Consulting Inc. Personal data stored in  are subject to the destruction process by protecting the confidentiality of the data when the storage period expires.

  • Kreafin Danışmanlık A.Ş. to operate the destruction process when the reasons for processing the data belonging to the 2nd group disappear. 's responsibility. The destruction method to be determined for these data will be determined by Kreafin Danışmanlık A.Ş. determined by.

  • The destruction process of the data belonging to the 2nd group Kreafin Danışmanlık A.Ş. It is started by . Kreafin Danışmanlık A.Ş. informs the owner of the relevant data about the operation of the destruction process.

  • All transactions regarding the deletion, destruction and anonymization of personal data are recorded with a report signed by two authorized signatories, and these records are kept for at least 3 (three) years, excluding other legal obligations.

  • Kreafin Consulting Inc. The following periods are taken into account within the scope of the obligation to delete, destroy or anonymize personal data. Within the scope of the storage period specified in the data inventory, personal data is deleted, destroyed or anonymized in the first periodical destruction process following the date on which the destruction obligation arises.

  • The time interval of the periodical destruction process is maximum 6 (six) months.

  • Kreafin Consulting Inc. Persons with personal data within   have the right to request the destruction of such data via the "Personal Data Contact Form" published on the website. If this right is exercised:

    • If all the conditions for processing personal data have disappeared; personal data subject to the request Kreafin Danışmanlık A.Ş. deleted, destroyed or anonymized by Deletion or destruction requests of the persons concerned are finalized by the Data Controller within 30 (thirty) days at the latest, and the person requesting the deletion of their personal data is informed about the transaction in writing or electronically.

    • If all the processing conditions of personal data have been removed and the data requested to be deleted has been transferred to third parties before, Kreafin Danışmanlık A.Ş. , informs the third party that the deletion process is carried out within 30 (thirty) days following the request date and requests feedback from third parties regarding the destruction process and then follows this notification.

    • If all the conditions for processing personal data have not been eliminated, this request may be rejected by explaining the reason and the refusal will be notified to the relevant person in writing or electronically within 30 (thirty) days at the latest.


5.1. Purpose and Scope

5.1.1. Aim

The purpose of the Policy on Special Categories of Personal Data; Kreafin Consulting Inc. It is the determination of the principles regarding the protection and processing of special categories of personal data in Turkey.

5.1.2. Scope

The scope of ONKVIP; Kreafin Consulting Inc. Data on the race, ethnic origin, political opinion, belief, religion, sect or other beliefs, disguise and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures presented or obtained by is the process of processing and protecting biometric and genetic data (“special quality personal data”).

5.2. Practices and Measures Regarding the Protection and Processing of Private Personal Data

5.2.1. Within the scope of the processing of special quality personal data, Kreafin Danışmanlık A.Ş. Measures to be applied to its employees:

  • Employees are regularly provided with trainings on the law and related regulations and special quality personal data security,

  • Kreafin Consulting Inc. Necessary confidentiality agreements covering this issue are signed between the company and its employees,

  • The scope and duration of authorization of users who have access to data are clearly defined,

  • Periodic authorization checks are carried out,

  • Employees who have a change of job or quit their job are immediately removed from their authority in this field and the data inventory allocated to them by the data controller is returned.

5.2.2. Measures for electronic environments where sensitive personal data is processed, stored and/or accessed:

  • Data is stored using cryptographic methods (Secret Key Cryptography, Public Key Cryptography, Digital Signature, Encryption Algorithms, Secure Socket Layer-SSL),

  • Cryptographic keys are kept in secure environments,

  • Transaction records of all movements performed on the data are securely recorded,

  • The processes of constantly monitoring the security updates of the environments where the data is located, performing / having the necessary security tests performed regularly, and recording the test results are operated,

  • If the data is accessed through a software, the processes of making user authorizations for this software, regularly performing / having security tests of these software and recording the test results are carried out,

  • If remote access to data is required, at least two-stage authentication system is provided.

5.2.3. Measures for physical environments where sensitive personal data is processed, stored and/or accessed:

  • Adequate security measures (against electricity leakage, fire, flood, theft, etc.)

  • By ensuring the physical security of these environments, Kreafin Danışmanlık A.Ş. Unauthorized entries and exits are blocked by  .

5.3. The Basic Principle for the Processing of Private Personal Data

Kreafin Consulting Inc. The basic principle observed by   in the processing of sensitive personal data is to control whether the explicit consent of the data subject is obtained and whether the measures determined by the Personal Data Protection Board are taken in the processing of the data.

5.4. Basic Principles Regarding the Transfer of Sensitive Personal Data

Kreafin Danışmanlık A.Ş. The basic principles observed by the company are as follows:

  • If the data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a Registered Electronic Mail (KEP) account,

  • If the data needs to be transferred via media such as portable memory, CD, DVD, these data are encrypted with cryptographic methods and the cryptographic key is kept in different media,

  • If data is transferred between servers in different physical environments, this transfer is technically secure,

  • If it is necessary to transfer the data via paper media, necessary precautions are taken against the risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in the form of "confidential documents" (documents with the inscription top secret, confidential, private and service specific).


This Personal Data Management Policy entered into force with the date of 01.04.2023.

bottom of page