Privacy Policy

Last updated: March 25, 2025

1. Data Controller

This privacy policy is prepared by Kartial in accordance with Turkish Personal Data Protection Law No. 6698 ("KVKK").

• Address: Anittepe, Cankaya, Ankara / Turkey
• Email: destek@kartial.com

2. Personal Data We Collect

The following personal data is collected during your use of Kartial:

2.1. Identity and Contact Data

• Name, surname
• Email address
• Google account information (when signing in with Google)

2.2. Account and Session Data

• Firebase Authentication user ID (UID)
• Sign-in method and timestamp
• Email verification status

2.3. Business Data (User-Entered)

• Order records, product information, material and inventory data
• Expense and income records
• Shop, channel, and marketplace configurations
• Accounting calendar data
• Shipping and commission settings

2.4. Marketplace API Credentials

• API keys and access credentials for marketplaces such as Trendyol, Hepsiburada, Amazon, and Etsy
• These credentials are encrypted client-side using AES-GCM-256; the decryption key is derived solely on the user's device and is never transmitted to our servers

2.5. Data Obtained from Marketplaces

• Marketplace order data (order number, product details, amounts, status)
• Product catalog information
• Shipping provider information
• Commission and service fee data

Important: Kartial does not collect, store, or process personal data of marketplace buyers (such as name, address, or phone number). Only the seller's own business transaction data is retrieved from marketplace APIs.

2.6. Technical Data

• Browser type and version
• Device information
• IP address
• Cookie data (see our Cookie Policy for details)

3. Purposes of Data Processing

• Creating and authenticating user accounts
• Providing application services (profit calculation, accounting tracking, inventory management)
• Enabling marketplace integrations (order retrieval, product matching)
• Synchronizing user data across devices
• Improving application performance and error detection
• Fulfilling legal obligations
• Providing user support

4. Legal Basis for Processing

Your personal data is processed under the following legal grounds as defined by KVKK Article 5:

• Explicit consent: Google sign-in, marketplace API connections, and cookie usage
• Performance of contract: Data processing necessary for providing the application services
• Legitimate interest: Application security, performance improvement, and error detection
• Legal obligation: Compliance with applicable regulations

5. Data Storage and Security

5.1. Storage Infrastructure

• Local storage: Application data is primarily stored in the user's browser via IndexedDB
• Cloud synchronization: Data of signed-in users is stored in Google Firebase Firestore (EU — europe-west1 region)
• Authentication: Firebase Authentication infrastructure is used

5.2. Security Measures

• Marketplace API credentials are encrypted client-side with AES-GCM-256; key derivation uses PBKDF2 with 100,000 iterations
• The decryption key is generated solely on the user's device and is never transmitted to the server
• All data transmission occurs over TLS 1.2+ (HTTPS)
• Firebase Security Rules ensure each user can only access their own data
• Firebase App Check prevents unauthorized client access
• Marketplace API calls are executed server-side (Firebase Cloud Functions); API keys are sent encrypted from the client and are not retained in memory after processing

5.3. Data Retention Periods

• Account data: As long as the account is active
• Business data: Until deleted by user or account closure
• Marketplace data: Used only for in-app display and calculation; no long-term caching
• Session and log data: Maximum 90 days

5.4. Marketplace Data Caching

Data retrieved from marketplace APIs is cached in compliance with respective platform policies:

• Product listing data: Maximum 6 hours
• Other data (order status, etc.): Maximum 24 hours

6. Data Transfers

6.1. Domestic Transfers

Your personal data may be transferred to authorized public institutions and organizations as required by law.

6.2. International Transfers

Your data may be transferred internationally through the following service providers:

• Google Firebase (US-based, EU region servers) — Authentication, data storage, and cloud functions
• Marketplace APIs — Order and product data exchange with marketplaces authorized by the user (Trendyol, Hepsiburada, Amazon, Etsy)

6.3. Third-Party Sharing

Kartial never sells, rents, or shares user data with third parties for marketing purposes. Data is shared only with the technical service providers listed above, to the extent necessary for providing the service.

7. Account Deletion and Data Destruction

• Users can delete their account from Settings > Account within the application
• Upon account deletion, all personal data (Firestore, Authentication record) is immediately queued for permanent deletion
• Local browser data (IndexedDB) is isolated per user; after account deletion, this data can be cleared from browser settings or from the Data Management page within the application
• When a marketplace API connection is removed, the associated encrypted credentials are deleted immediately
• You may also submit deletion requests to destek@kartial.com

8. Marketplace Integration Disclosures

8.1. General Principles

• Kartial uses marketplace APIs only for operations explicitly authorized by the user
• API access is established using the user's own account credentials for each marketplace
• Kartial does not interfere with marketplace checkout processes
• Buyer personal data (name, address, phone) is not collected or stored

8.2. Etsy

The term "Etsy" is a trademark of Etsy, Inc. This application uses the Etsy API but is not endorsed or certified by Etsy, Inc.

8.3. Amazon

Data accessed through the Amazon Selling Partner API is processed in compliance with Amazon's Data Protection Policy (DPP) and Acceptable Use Policy (AUP). This data is not shared with third parties and is used solely for profit calculation and accounting purposes.

8.4. Trendyol and Hepsiburada

Order, product, and financial data accessed through these marketplaces' APIs belongs solely to the seller's own account and is processed in accordance with platform policies and Turkish legislation.

9. Your Rights

Under KVKK Article 11, you have the following rights:

• To learn whether your personal data has been processed
• To request information regarding the processing of your personal data
• To learn the purpose of processing and whether the data is used in accordance with that purpose
• To know the third parties to whom your personal data has been transferred, domestically or abroad
• To request correction of your personal data if it has been processed incompletely or inaccurately
• To request deletion or destruction of your personal data under the conditions specified in KVKK Article 7
• To request notification of correction and deletion operations to third parties to whom your personal data has been transferred
• To object to any result that is against you arising from the analysis of your processed data exclusively through automated systems
• To claim compensation if you suffer damage due to unlawful processing of your personal data

How to Submit a Request

• Email: Submit your request to destek@kartial.com along with documents verifying your identity
• In-app: You can export and delete your data from Settings > Data Management

Your requests will be resolved free of charge within 30 days at the latest.

10. Changes

This privacy policy may be updated in accordance with legal regulations or application changes. The current text is always published on this page.