01. Introduction and data controller
This privacy policy explains how beynart Pazarlama Yazılım Teknolojileri A.Ş. ("beynart", "we", "data controller") processes personal data on beyn.art and its sub-pages. It is published under Turkish Law No. 6698 on the Protection of Personal Data ("KVKK") and the EU General Data Protection Regulation ("GDPR").
Identity of the data controller
- Legal name: beynart Pazarlama Yazılım Teknolojileri A.Ş.
- Registered address: Esentepe, Kolektif House Levent, Talatpaşa Cd. No: 5/1 Office No: 8, 34394 Şişli, Istanbul, Türkiye
- Contact: [email protected] (also valid for personal data requests)
02. Personal data we collect
We collect the following categories of personal data on beyn.art:
- Contact forms: name, work email, company name, message content, optional phone. We also store which form a submission came from (contact, discovery, lead magnet, newsletter) and the submission timestamp.
- Newsletter subscription: email, language preference, opt-in timestamp, IP address (briefly retained for anti-spam verification).
- Lead magnet (guide) requests: name, email, optional company; the requested guide identifier.
- Analytics data: Plausible — cookieless page-view data (URL, referer, country-level location, anonymous device type). PostHog — only if you opted in, anonymized product analytics.
- Security data: Cloudflare Turnstile bot verification; server logs may briefly retain IP and user-agent for abuse prevention.
Cookie usage is kept to a minimum; we do not use marketing or targeting cookies.
03. Purposes of processing
We process the data only for the following purposes:
- Responding to your inquiries
- Sending the proposal, meeting invite, or guide you requested
- Managing newsletter subscriptions (delivery, confirmation, opt-out)
- Measuring and improving site performance
- Meeting legal obligations
- Securing our services (anti-spam, anti-abuse)
We do not use your data for profiling, credit scoring, or automated decision-making. We do not sell your data to third parties for advertising or marketing without your consent.
04. Legal bases
Under KVKK Article 5 and GDPR Article 6, we rely on the following bases:
- Performance of a contract: proposal preparation, meeting scheduling, service delivery.
- Explicit consent: newsletter subscription, lead magnet request, optional product analytics (PostHog).
- Legitimate interest: site security, abuse prevention, cookieless page-view analytics, service improvement.
- Legal obligation: commercial law, tax law, or requests from competent authorities that mandate retention.
06. Retention periods
We retain data only as long as necessary for the purpose:
- Contact form messages: up to 24 months
- Discovery call requests: up to 24 months
- Newsletter subscription: while your subscription is active, plus up to 30 days after unsubscribe (for deletion confirmation)
- Lead magnet requests: 12 months (a window for legitimate business follow-up)
- Analytics: Plausible 24 months; PostHog 12 months (anonymized)
- Server logs (IP + user-agent): up to 14 days
- Legal/accounting records: as long as required by applicable law (typically 10 years)
At the end of the retention period, data is permanently deleted or anonymized.
07. Sharing with third parties
We rely on the following data processors for specific technical functions. None of them use your data for advertising or marketing; each is bound by a Data Processing Agreement (DPA) or service terms that guarantee equivalent protection.
- Resend (US-based, EU processing region used) — transactional email delivery (form notifications, confirmation emails, newsletter).
- Cloudflare Turnstile (US/Global) — bot verification; cookieless.
- PostHog (eu.posthog.com — Frankfurt, EU) — anonymized product analytics, only with your consent.
- Plausible Analytics (Germany/EU) — cookieless anonymous page views.
- Cloudflare (US/Global) — CDN, DDoS protection, edge security.
We may share data with competent authorities when legally compelled (court order, prosecutor's request, etc.). Outside of those cases, we do not share your data with third parties.
08. International transfers
Some of our processors above may handle data in the EU or the US. Under KVKK Article 9 and GDPR Chapter V, the following safeguards apply:
- EU processing: directly covered by GDPR.
- US transfers: Standard Contractual Clauses (SCCs) and/or Data Privacy Framework as applicable.
- For PostHog we prefer the EU region (eu.posthog.com); your data is processed in Frankfurt.
For scenarios that explicitly require consent for transfer (e.g. newsletter subscription), we state this on the form and record your consent.
09. Security measures
We apply reasonable technical and organisational measures to protect your data:
- HTTPS/TLS encrypted communication (HSTS enforced)
- Server-side rate limiting and bot verification (Turnstile)
- Role-based authorisation for database access
- Secret manager + rotation for sensitive API keys
- Vendor selection prioritising GDPR/SOC2 compliance
- Regular backups and disaster recovery testing
In case of a data breach, we comply with the notification duties under KVKK Article 12/5 and GDPR Article 33.
10. Your rights under GDPR / KVKK
Under KVKK Article 11 and GDPR Articles 15–22, you have the following rights:
- To learn whether your personal data is being processed
- To request information about that processing
- To learn the purpose and whether the data is used appropriately
- To learn about third parties (in or outside Türkiye) the data is shared with
- To request correction of incomplete or inaccurate data
- To request erasure or destruction
- To request notification of corrections/erasures to recipients
- To object to processing decisions analysed automatically
- To claim damages if you suffer harm from unlawful processing
- Right to data portability (GDPR Article 20)
To exercise these rights, write to [email protected] with "Privacy Request" in the subject line; this speeds up processing. We respond within 30 days at the latest.
If unsatisfied, you may file a complaint with the Turkish Personal Data Protection Authority (kvkk.gov.tr). EU residents may lodge a complaint with their relevant supervisory authority (GDPR Article 77).
11. Children's data
beyn.art is a corporate services site; it does not target children under 16. We do not knowingly collect personal data from users under 16. If we discover such data has been collected unintentionally, we delete it without delay.
12. Changes to this policy
We may update this policy from time to time; the "Last updated" date is refreshed on every revision. For material changes, we display a prominent notice on the site and/or send an email to newsletter subscribers.
13. Contact
For questions about this policy or for KVKK Article 11 / GDPR Articles 15–22 requests:
- Email: [email protected] (also valid for personal data requests)
- Postal: beynart Pazarlama Yazılım Teknolojileri A.Ş., Esentepe, Kolektif House Levent, Talatpaşa Cd. No: 5/1 Office No: 8, 34394 Şişli, Istanbul, Türkiye
We may ask for additional information to verify your identity; this step exists solely for your security.