Privacy Policy

This Privacy Notice has been prepared by KC TEK ARGE Bilisim ve Egitim Teknolojileri San. ve Tic. A.S. ("Company") in order to inform data subjects about the personal data processed within the scope of the QProctor Platform, in accordance with Article 10 of the Turkish Personal Data Protection Law No. 6698 ("KVKK") and related legislation. This notice explains the identity of the data controller, the data processed, the purposes of processing, transfer information, the method of collection, legal basis, and the rights of data subjects.

1. Identity of the Data Controller

Under the KVKK, the "Data Controller" is the legal entity that determines the purposes and means of processing personal data. The data controller within the scope of the QProctor Platform is KC TEK ARGE Bilisim ve Egitim Teknolojileri Sanayi ve Ticaret A.S.

2. Personal Data Processed and Purposes of Processing

Various types of personal data belonging to Users and their guardians are processed within the scope of the QProctor Platform. The categories of data processed and their purposes are outlined below:

• Identity Information: Name, surname, date of birth, school and class information (for students), information indicating guardian status (for guardians). Purpose: Identifying the user in the system, creating profiles, and issuing invoices to the correct person during billing processes.
• Contact Information: Email address, phone number, address (where required). Purpose: Account verification, delivery of notifications and updates, conducting customer service and support activities.
• Payment Information: Purchased package/subscription type, payment amount, payment date, payment method; (in case of credit card payment, limited information such as the first and last four digits of the card and the cardholder name — full card number and CVV are not stored by the Company but are collected by the payment institution). Purpose: Processing payment transactions so users can benefit from paid services, maintaining accounting records, and billing.
• Transaction Security Information: User ID, password (cryptographically protected), login/logout logs, IP address, device information, operating system and application version, usage history. Purpose: Ensuring account security, detecting possible unauthorized access, system improvements and debugging, and preventing misuse.
• Session and Usage Data: Mentor appointment records (date, time, duration, selected mentor information), session notes (notes made by the User or Mentor), documents or messages shared during sessions, automatically generated statistics of sessions (number of sessions, total duration, etc.). Purpose: Providing and improving the service, enabling users to view their own history, and maintaining logs for dispute resolution when needed.
• Visual/Audio Data: As a rule, QProctor sessions are not recorded. However, if the recording service is used upon the User's request and explicit consent, video and audio recordings of that session are processed. In this case, recordings are stored in an encrypted and secure manner. Purpose: Enabling users who request the recording service to watch their sessions again later.

The above data is processed for the following purposes: (i) Providing and operating the Platform and services; (ii) Creating and managing User accounts; (iii) Processing payment transactions and managing subscriptions; (iv) Customer relationship management, evaluating user complaints and requests; (v) Analyzing the usage of the application and developing new features to improve service quality; (vi) Sending marketing communications with User consent; (vii) Fulfilling the Company's legal obligations (e.g., financial audits, regulatory compliance, responding to court orders).

3. Method of Collecting Personal Data and Legal Bases

Your personal data is collected electronically through the QProctor Platform and related digital platforms. For example, data you share when filling out the membership form in the application, entering your profile information, performing transactions on the platform, or contacting customer service is collected directly from you. Additionally, some technical data may be collected automatically during your use of the application (such as obtaining device and usage information through cookies and similar tracking technologies).

Your data is processed based on the following legal grounds:

• Necessity for the establishment and performance of a contract (KVKK Art. 5/2-c): Data necessary for the provision of services is processed within the scope of the Terms of Use agreement concluded between the User and the Company. For example, processing your payment information for paid services falls within this scope. Such processing is legally permissible and necessary without explicit consent.
• Expressly provided for by law (KVKK Art. 5/2-a) & Fulfillment of legal obligation (Art. 5/2-c): The Company may be required to process and retain certain data under applicable legislation (e.g., tax legislation, commercial bookkeeping obligations, consumer legislation). Transactions such as maintaining identity and invoice information for billing and making legal notifications to official authorities are based on this legal ground.
• Legitimate interest (KVKK Art. 5/2-f): Certain data may be processed within the scope of the Company's legitimate interests, such as improving its services, increasing user satisfaction, and ensuring platform security, provided that this does not harm your fundamental rights and freedoms. For example, examining log records to detect fraudulent accounts, processing IP and device information for system security, or anonymizing and analyzing user behavior to develop new features may be considered within the scope of legitimate interest.
• Explicit consent (KVKK Art. 5/1 and Art. 9): In situations that do not fall within the scope of the above legal grounds and depend on the data subject's preference, your data is only processed with your explicit consent. Explicit consent is obtained particularly for the transfer of your personal data to servers abroad (see Section 4) and for optional session recordings. If marketing/communication consent is requested in the future, this will also be done only with your explicit consent. Your refusal to give explicit consent will not prevent the provision of basic services; however, you may not benefit from certain optional features (e.g., session recording).

4. Transfer of Personal Data

The Company transfers your personal data to third parties only in line with the purposes stated in this Privacy Notice and in compliance with Articles 8 and 9 of the KVKK.

Domestic Transfers

• Your data may be shared with Organizations that we cooperate with for the performance of services (e.g., data such as name and school information). Organizations are independent data recipients in a third-party capacity and are obligated to use this shared data solely for the purpose of providing services to you.
• Your financial data is shared with payment institutions (banks, electronic payment service providers) with which we have agreements for payment transactions. These institutions process your data within the scope of their own obligations as data controllers under Law No. 6493 on Payment and Securities Settlement Systems and related legislation.
• For the fulfillment of legal obligations, data sharing may be made with relevant official institutions and authorities (such as courts, enforcement offices, regulatory bodies) upon request or due to legal requirements.

International Transfers

Data collected within the scope of QProctor services is stored on servers abroad due to the cloud infrastructure used by the Company. In particular, Amazon Web Services (AWS) is used, and your data may be transferred abroad. Pursuant to Article 9 of the KVKK, the transfer of personal data abroad requires that the relevant country has adequate protection, or that the necessary permissions have been obtained from the Data Protection Authority in Turkey, or that the data subject's explicit consent exists. Since there is not yet an adequate protection decision for the relevant countries, the Company relies on the legal basis of explicit consent for international transfer activities. In this context, explicit consent is requested from the User during the registration process or at the time of initial data entry regarding the transfer of their data abroad. If the User does not give explicit consent, data will not be stored on servers abroad, and there may be limitations in the provision of certain functions of the service.

The international service providers to which your data may be transferred are as follows:

• Amazon Web Services, Inc. (AWS): Your personal data may be stored on AWS's international servers as it provides a secure infrastructure. Under the agreement with the Company, AWS is obligated to process your data solely for the purposes of storage and cloud service provision; it cannot use it for its own purposes.

5. Data Retention Periods

The Company retains your personal data for the period prescribed by the relevant legislation or for the period necessary for the purpose for which they are processed.

• Basic membership information will be retained as long as your user account is active. In the event of account deletion or termination of service, data will generally be deleted or anonymized. However, data that must be retained due to legal obligations (e.g., financial records, log records) may continue to be stored for the periods specified in the relevant legislation.
• Records (text-based data, etc.) are retained as long as the user account remains active or until the purpose of use ceases. Users may request the deletion of this data; however, they are informed that access to past session information will no longer be available in this case.
• Video recordings obtained with explicit consent are stored for a reasonable period so that the user can watch them later. At the end of this period, recordings are deleted or anonymized unless the user requests longer retention. If the user wishes to have the recording deleted at an earlier date, they may request deletion by contacting the Company.
• After the deletion of a user account, the Company may continue to retain anonymous statistical data (e.g., total number of sessions held — data that does not personally identify you).

6. Rights of the Data Subject

Pursuant to Article 11 of the KVKK, users as personal data subjects have the following rights (subject to the exceptions provided in the relevant article):

• To learn whether your personal data is being processed,
• To request information about your personal data if it has been processed,
• To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
• To know the third parties to whom your personal data has been transferred domestically or abroad,
• To request correction of your personal data if it has been processed incompletely or incorrectly,
• To request deletion or anonymization of your personal data under the conditions stipulated in Article 7 of the KVKK,
• To request that the operations carried out pursuant to the above two articles (correction and deletion) be notified to third parties to whom your data has been transferred,
• To object to the emergence of a result against you through analysis of your processed data exclusively by automated systems,
• To claim compensation for damages in case your personal data is processed in violation of the law.

You may submit your requests regarding these rights to KC TEK ARGE Bilisim ve Egitim Teknolojileri A.S. as the data controller, in accordance with the KVKK and related legislation. You may make your application by sending a written petition to the Company's address or by sending an email with a secure electronic signature to the Company's registered electronic mail (KEP) address (if available). Additionally, other application methods determined by the Personal Data Protection Authority (e.g., use of an application form) will also be accepted when announced.

In your application, you must clearly and understandably state your request and include your identity and address information. The Company will conclude your request free of charge within 30 days at the latest from the date your application reaches the Company, depending on the nature of your request. However, if the transaction requires additional cost, the fee specified in the tariff determined by the Board may be charged.

For more detailed information about the processing of your personal data, you may review this Privacy Notice and the Privacy Policy within the application, and you may also contact us at any time with your questions.