Informational translation — the Turkish original (Aydınlatma Metni) governs.
UrClimate Tailor — Disclosure Notice on the Processing of Personal Data
Last Updated: 4 May 2026 Effective Date: 4 May 2026 Version: 1.0
This Disclosure Notice has been prepared, pursuant to Article 10 of the Law No. 6698 on the Protection of Personal Data (KVKK) (the "KVKK" or the "Law") and the Communiqué on the Procedures and Principles to Be Followed in Fulfilling the Disclosure Obligation published in the Official Gazette No. 30356 dated 10.03.2018, in order to inform data subjects regarding the personal data processed within the scope of the UrClimate Tailor (tailor.urclimate.com) software service provided by Alkazar Teknoloji A.Ş. in its capacity as Data Controller.
1. Identity of the Data Controller
In the capacity of "data controller" as defined in Article 3 of the KVKK, your personal data is processed by the legal entity whose identifying information is set out below:
| Heading | Information |
|---|---|
| Full Trade Name | Alkazar Teknoloji A.Ş. |
| Address | Reşitpaşa Mh. Katar Cd. No:2/50/6 İTÜ ARI Teknokent Sarıyer/İstanbul |
| Telephone | 0212 270 40 57 |
| destek@urclimate.com | |
| Website | https://tailor.urclimate.com |
| VERBİS Registration No. | Application process ongoing |
The commercial name of the product is "UrClimate Tailor", and it provides a cloud-based (SaaS — Software as a Service) software service for asset investors (energy companies, insurance institutions, bank risk management teams) directed at physical climate risk monitoring, operational weather forecasting, seasonal projection, and financial impact (FIRF) reporting. In this Disclosure Notice, the term "Platform" refers to the UrClimate Tailor software, and the term "data subject" or "User" refers to the natural persons who, as employees of corporate customers, access the Platform.
2. Categories of Personal Data Processed
The following categories of personal data are processed through the Platform. Special Categories of Personal Data within the scope of Article 6 of the KVKK (health, belief, biometric, criminal conviction, etc.) are not processed within the scope of the Platform.
2.1. Identity Information
- Name, surname
- Corporate title / position (e.g., Site Manager, Operations Manager, Risk Manager)
2.2. Contact Information
- Corporate e-mail address (e.g., name.surname@company.com.tr)
- Telephone number (landline and/or mobile)
- Name of the affiliated company
2.3. Transaction Security Information
- Account creation and update dates
- Last login date, login/logout logs
- KVKK consent timestamps (disclosure acceptance, terms of use acceptance, optional consent preferences)
- User activity records (
audit_log) — which screen was opened and when, which site was reviewed and when, records of role changes and tenant assignments - Password reset requests (passwords are stored as cryptographic hashes — bcrypt/argon2 — and are not stored in plain text)
2.4. Location and Technical Information
- IP address (for the purpose of login security and detection of anomalous access)
- Browser information (user agent), operating system, device type
- Session cookies and security cookies
2.5. Corporate Relationship Information
- Affiliated company / institution (tenant information)
- Role on the Platform (e.g., super_admin, tenant_admin, user)
- Site assignment (saha_atamalari) and authorization matrix information
- Map / site preferences (display settings on the homepage asset map, dark theme flag, etc.)
2.6. Data Generated as Platform Content
- Site (location) information, threshold definitions, alert preferences, and operational forecast queries defined on behalf of the company's legal entity (such data are in the nature of the company's legal entity assets and may acquire the nature of personal data insofar as they are directly associated with a specific natural person; in this respect they are protected with due regard to the KVKK chain of responsibility)
For detailed information regarding the use of cookies, a separate Cookie Policy / Privacy Policy has been published.
3. Purposes of Processing Personal Data
The personal data specified above is processed for the following purposes, in accordance with the general principles set out in Article 4 of the KVKK (being processed lawfully and in compliance with the rules of good faith; being accurate and up to date; being processed for specified, explicit, and legitimate purposes; being relevant, limited, and proportionate to the purposes for which they are processed; and being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed):
- Performance of Contractual Obligations: Within the scope of the SaaS service agreement concluded between Alkazar Teknoloji and the company to which the data subject is affiliated, providing the User with Platform access and carrying out license management and invoicing processes.
- User Account and Authorization Management: Account creation, password reset, multi-factor authentication (MFA), role definition, tenant assignment, and granting/revoking authorizations.
- Ensuring Information Security: Detection of unauthorized access, account takeover, and data leakage; monitoring of anomalous login behavior; maintenance of audit logs; and implementation of the necessary technical and administrative measures within the scope of Article 12 of the KVKK.
- Fulfillment of Legal Obligations: Maintaining audit records and responding to requests from official authorities within the scope of the Tax Procedure Law No. 213, the Turkish Commercial Code No. 6102, the Law No. 5651 on the Regulation of Publications on the Internet, and other relevant legislation.
- Development and Improvement of the Platform: Improving the performance, usability, and functionality of the Platform through anonymized and aggregated usage analytics. (In this context, no data processing is carried out in a manner that would render the data subject identifiable.)
- User Support Services: Receiving and responding to support requests (tickets) and evaluating User feedback.
- Sending Service-Related Notifications: Delivering operational notifications to the User regarding maintenance, outages, security, version upgrades, and legal changes; transmitting daily forecast/alert e-mails (within the scope of the agreement). The sending of electronic messages for marketing purposes is carried out only where Explicit Consent is obtained, pursuant to the Law No. 6563 on the Regulation of Electronic Commerce and Article 5(1) of the KVKK.
- Resolution of Legal Disputes and Establishment of Rights: Retention of data for use as evidence in potential disputes and for the establishment, exercise, or protection of rights.
4. Legal Grounds for Processing Personal Data
Your personal data is processed without seeking Explicit Consent based on the following legal grounds set out in Article 5(2) of the KVKK. The mapping of the processing purpose with the legal ground is shown in the table below:
| Processing Purpose | Legal Ground Relied Upon Under the KVKK |
|---|---|
| SaaS access, account creation, invoicing | Art. 5(2)(c): Being directly related to the conclusion or performance of a contract |
| Authorization, tenant assignment, role management | Art. 5(2)(c): Performance of the contract; Art. 5(2)(f): Legitimate interest |
| Information security, audit log, IP/browser records | Art. 5(2)(f): Legitimate interest of the data controller (provided that it does not harm the fundamental rights and freedoms of the User) |
| Tax/commercial ledger and invoicing records | Art. 5(2)(ç): Being mandatory for the data controller to fulfill its legal obligation |
| Requests of judicial authorities / official correspondence | Art. 5(2)(a): Being expressly stipulated in the laws; Art. 5(2)(e): Data processing being mandatory for the establishment, exercise, or protection of a right |
| Platform development (anonymized) | Outside the scope of the KVKK as it loses the nature of personal data; until anonymization, Art. 5(2)(f) legitimate interest |
| Operational notifications (outages, releases, daily forecast/alert) | Art. 5(2)(c): Performance of the contract |
| Marketing e-mails | Art. 5(1): Explicit Consent |
| Product analytics (optional) | Art. 5(1): Explicit Consent together with Art. 5(2)(f) legitimate interest (defence-in-depth) |
5. Method of Collecting Personal Data
Your personal data is collected by electronic means and through automated methods via the channels listed below:
- Information entered directly by the User or by the authorized manager of your affiliated company through the Platform registration form and the user invitation e-mail,
- Technical data such as the IP address, user agent, and session cookie automatically transmitted by your browser during login to the Platform,
- Data transferred from your information systems within the scope of additional integrations carried out on the company side (e.g., SSO, corporate account transfer),
- Information you transmit through e-mail, a contact form, or in-Platform notification mechanisms within the scope of support requests,
- Cookies (see Privacy Policy).
6. Transfer of Personal Data
6.1. Domestic Transfer
Since a separate data space is used for each company (tenant isolation — tenant_id-based row-level security / RLS policies), your personal data is, as a rule, not shared with other companies, private persons, or third-party institutions. However, domestic transfer may occur in the following limited cases:
- Lawful requests of authorized public institutions and organizations (Chief Public Prosecutor's Offices, courts, the Information and Communication Technologies Authority, the KVKK Authority (Personal Data Protection Authority), etc.),
- Independent audit organizations (only with necessary and proportionate data),
- Authorized professionals within the scope of financial consultancy and legal advisory services (under a confidentiality undertaking).
6.2. Cross-Border Transfer
Since the Platform is a cloud-based service, cross-border transfer takes place through the following service providers (in their capacity as data processors). All transfers are made within the scope of Article 9 of the KVKK and the Regulation on the Procedures and Principles Regarding the Cross-Border Transfer of Personal Data published in the Official Gazette No. 32598 dated 10.07.2024, by ensuring the necessary safeguards through a standard contract and/or data processing agreements (DPA — Data Processing Agreement):
| Service Provider | Type of Service | Data Location | Legal Safeguard |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | Frankfurt / Germany (EU) | DPA + GDPR compliance + KVKK standard contract (TODO — signature and KVKK notification) |
| Vercel Inc. | Application hosting, CDN | EU (Frankfurt) region | DPA + GDPR compliance + KVKK standard contract (TODO) |
| Brevo (Sendinblue) | Transactional and bulk e-mail delivery (daily forecast/alert bulletins) | EU (Paris / France) | DPA + GDPR compliance + KVKK standard contract (TODO) |
| Resend | Backup transactional e-mail delivery (registration confirmation, password reset) | EU (eu-west-1 / Ireland) | DPA + GDPR compliance + KVKK standard contract (TODO) |
| OpenStreetMap (OSM) | Map tiles — homepage asset map | EU-based CDN | No personal data transfer is made (only coordinate queries, anonymous) |
The standard contracts will be notified to the KVKK Authority within five business days following their signature. Up-to-date information on the status of these notifications may be requested from destek@urclimate.com.
7. Retention Period of Personal Data
Your personal data is retained, pursuant to Article 7 of the KVKK and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, for the periods necessary for the purposes for which they are processed and in compliance with the minimum periods stipulated by the relevant legislation.
| Data Category | Retention Period | Basis |
|---|---|---|
| Identity/contact data of active User account | For as long as the account is active | Performance of the contract |
| Deactivated / deleted account | 30 days soft delete, followed by hard delete (permanent deletion) | Principle of data minimization |
| Audit log (transaction security records) | 3 years | Statute of limitations under Art. 146 of the Turkish Code of Obligations, legitimate interest |
| IP / session / technical log | 6 months | Compliance with Law No. 5651, information security |
| Support requests (tickets) | 3 years after closure | General statute of limitations under Art. 146 of the Turkish Code of Obligations |
| Invoicing / accounting records | 10 years | Art. 253 of the Tax Procedure Law, Art. 82 of the Turkish Commercial Code |
| Company legal entity site/threshold data | Indefinite — returned/deleted upon the company's request | The data is the company's own asset |
| KVKK consent record (timestamp) | Until consent is withdrawn + 3 years for evidentiary purposes | Burden of proof under Art. 12 of the KVKK, Art. 6 of the Law on Electronic Commerce |
Data for which the retention period has expired is erased by means of the periodic erasure methods (deletion, destruction, or anonymization) stipulated in the relevant regulation. The periodic erasure period has been set as 6 months.
8. Rights of the Data Subject (Art. 11 of the KVKK)
Pursuant to Article 11 of the Law, as a data subject, by applying to the data controller, you may exercise the following rights concerning yourself:
- To learn whether personal data is being processed,
- To request information if personal data has been processed,
- To learn the purpose of processing personal data and whether they are used in accordance with that purpose,
- To know the third parties to whom personal data is transferred domestically or abroad,
- To request the rectification of personal data in the event they are processed incompletely or inaccurately,
- To request the deletion or destruction of personal data within the framework of the conditions set out in Article 7 of the Law,
- To request that the operations carried out pursuant to rights (5) and (6) be notified to the third parties to whom the personal data is transferred,
- To object to the emergence of a result against the person themselves through the analysis of the processed data exclusively by means of automated systems,
- To request the compensation of the damage in the event of suffering damage due to the unlawful processing of personal data.
In addition to these rights, in the event that you are not satisfied with the decision and practice of the data controller, or you do not receive a response within the thirty-day response period, your right to file a complaint with the KVKK Authority is also reserved (Art. 14 of the Law).
9. Method of Application
You may submit the applications you will make to exercise your above rights, pursuant to the Communiqué on the Procedures and Principles of Application to the Data Controller published in the Official Gazette No. 30356 dated 10.03.2018, by one of the following methods:
9.1. Minimum Information That Must Be Included in Your Application (Art. 5 of the Communiqué)
- Name, surname, and, if the application is in writing, signature,
- Turkish Republic identity number for citizens of the Republic of Türkiye; nationality, passport number, or identity number, if any, for foreigners,
- Residence or workplace address for the purpose of notification,
- Electronic mail address, telephone, and fax number for the purpose of notification, if any,
- Subject matter of the request,
- Information and documents relevant to the matter.
9.2. Application Channels
| Method | Address / Information |
|---|---|
| E-mail (from an address previously registered in our system) | destek@urclimate.com |
| Telephone | 0212 270 40 57 |
| Mail / In-person written application (wet-signed) | Alkazar Teknoloji A.Ş. — Reşitpaşa Mh. Katar Cd. No:2/50/6 İTÜ ARI Teknokent Sarıyer/İstanbul |
| In-Platform "Data Requests" form | tailor.urclimate.com/kvkk-basvuru (coming soon) |
9.3. Response Time and Fee
Your application is concluded, pursuant to Article 13(2) of the Law, as soon as possible according to the nature of the request and in any event within thirty days at the latest. Where the response is provided in writing, no fee is charged for the first ten pages. For each page exceeding ten pages, a processing fee may be charged based on the tariff determined by the KVKK Authority (the amount in force on the date of application). Where the response is provided on a recording medium such as a CD or flash memory, the fee that may be requested by the data controller may not exceed the cost of the recording medium.
10. Change Notifications
This Disclosure Notice may be unilaterally updated by Alkazar Teknoloji due to legislative changes, changes in the features of the Platform, or updates in data processing procedures. The updated text is announced through the Platform (tailor.urclimate.com) and by means of a notification to your registered corporate e-mail address. The "Last Updated" date appearing at the beginning of the text is revised with each change. Your continued use of the Platform after a change means that you accept the current text (however, consent is separately obtained for operations subject to Explicit Consent).
11. Effectiveness and Contact
This Disclosure Notice entered into force on 4 May 2026 and is kept continuously accessible on the Platform homepage. For any questions, opinions, and applications:
- E-mail: destek@urclimate.com
- Web: https://tailor.urclimate.com/kvkk
Prepared by: Alkazar Teknoloji — Product and Compliance Team Last updated: 04.05.2026 Next review date: 04.11.2026 or immediately in the event of a legislative change