Back to sign in
This is an informational translation. The legally binding version is the Turkish original.

Disclosure Notice

Data Controller:
Alkazar Teknoloji A.Ş.
Version:
v1.0
Effective Date:
2026-05-04

Informational translation — the Turkish original (Aydınlatma Metni) governs.

UrClimate Tailor — Disclosure Notice on the Processing of Personal Data

Last Updated: 4 May 2026 Effective Date: 4 May 2026 Version: 1.0

This Disclosure Notice has been prepared, pursuant to Article 10 of the Law No. 6698 on the Protection of Personal Data (KVKK) (the "KVKK" or the "Law") and the Communiqué on the Procedures and Principles to Be Followed in Fulfilling the Disclosure Obligation published in the Official Gazette No. 30356 dated 10.03.2018, in order to inform data subjects regarding the personal data processed within the scope of the UrClimate Tailor (tailor.urclimate.com) software service provided by Alkazar Teknoloji A.Ş. in its capacity as Data Controller.


1. Identity of the Data Controller

In the capacity of "data controller" as defined in Article 3 of the KVKK, your personal data is processed by the legal entity whose identifying information is set out below:

HeadingInformation
Full Trade NameAlkazar Teknoloji A.Ş.
AddressReşitpaşa Mh. Katar Cd. No:2/50/6 İTÜ ARI Teknokent Sarıyer/İstanbul
Telephone0212 270 40 57
E-maildestek@urclimate.com
Websitehttps://tailor.urclimate.com
VERBİS Registration No.Application process ongoing

The commercial name of the product is "UrClimate Tailor", and it provides a cloud-based (SaaS — Software as a Service) software service for asset investors (energy companies, insurance institutions, bank risk management teams) directed at physical climate risk monitoring, operational weather forecasting, seasonal projection, and financial impact (FIRF) reporting. In this Disclosure Notice, the term "Platform" refers to the UrClimate Tailor software, and the term "data subject" or "User" refers to the natural persons who, as employees of corporate customers, access the Platform.


2. Categories of Personal Data Processed

The following categories of personal data are processed through the Platform. Special Categories of Personal Data within the scope of Article 6 of the KVKK (health, belief, biometric, criminal conviction, etc.) are not processed within the scope of the Platform.

2.1. Identity Information

2.2. Contact Information

2.3. Transaction Security Information

2.4. Location and Technical Information

2.5. Corporate Relationship Information

2.6. Data Generated as Platform Content

For detailed information regarding the use of cookies, a separate Cookie Policy / Privacy Policy has been published.


3. Purposes of Processing Personal Data

The personal data specified above is processed for the following purposes, in accordance with the general principles set out in Article 4 of the KVKK (being processed lawfully and in compliance with the rules of good faith; being accurate and up to date; being processed for specified, explicit, and legitimate purposes; being relevant, limited, and proportionate to the purposes for which they are processed; and being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed):

  1. Performance of Contractual Obligations: Within the scope of the SaaS service agreement concluded between Alkazar Teknoloji and the company to which the data subject is affiliated, providing the User with Platform access and carrying out license management and invoicing processes.
  2. User Account and Authorization Management: Account creation, password reset, multi-factor authentication (MFA), role definition, tenant assignment, and granting/revoking authorizations.
  3. Ensuring Information Security: Detection of unauthorized access, account takeover, and data leakage; monitoring of anomalous login behavior; maintenance of audit logs; and implementation of the necessary technical and administrative measures within the scope of Article 12 of the KVKK.
  4. Fulfillment of Legal Obligations: Maintaining audit records and responding to requests from official authorities within the scope of the Tax Procedure Law No. 213, the Turkish Commercial Code No. 6102, the Law No. 5651 on the Regulation of Publications on the Internet, and other relevant legislation.
  5. Development and Improvement of the Platform: Improving the performance, usability, and functionality of the Platform through anonymized and aggregated usage analytics. (In this context, no data processing is carried out in a manner that would render the data subject identifiable.)
  6. User Support Services: Receiving and responding to support requests (tickets) and evaluating User feedback.
  7. Sending Service-Related Notifications: Delivering operational notifications to the User regarding maintenance, outages, security, version upgrades, and legal changes; transmitting daily forecast/alert e-mails (within the scope of the agreement). The sending of electronic messages for marketing purposes is carried out only where Explicit Consent is obtained, pursuant to the Law No. 6563 on the Regulation of Electronic Commerce and Article 5(1) of the KVKK.
  8. Resolution of Legal Disputes and Establishment of Rights: Retention of data for use as evidence in potential disputes and for the establishment, exercise, or protection of rights.

4. Legal Grounds for Processing Personal Data

Your personal data is processed without seeking Explicit Consent based on the following legal grounds set out in Article 5(2) of the KVKK. The mapping of the processing purpose with the legal ground is shown in the table below:

Processing PurposeLegal Ground Relied Upon Under the KVKK
SaaS access, account creation, invoicingArt. 5(2)(c): Being directly related to the conclusion or performance of a contract
Authorization, tenant assignment, role managementArt. 5(2)(c): Performance of the contract; Art. 5(2)(f): Legitimate interest
Information security, audit log, IP/browser recordsArt. 5(2)(f): Legitimate interest of the data controller (provided that it does not harm the fundamental rights and freedoms of the User)
Tax/commercial ledger and invoicing recordsArt. 5(2)(ç): Being mandatory for the data controller to fulfill its legal obligation
Requests of judicial authorities / official correspondenceArt. 5(2)(a): Being expressly stipulated in the laws; Art. 5(2)(e): Data processing being mandatory for the establishment, exercise, or protection of a right
Platform development (anonymized)Outside the scope of the KVKK as it loses the nature of personal data; until anonymization, Art. 5(2)(f) legitimate interest
Operational notifications (outages, releases, daily forecast/alert)Art. 5(2)(c): Performance of the contract
Marketing e-mailsArt. 5(1): Explicit Consent
Product analytics (optional)Art. 5(1): Explicit Consent together with Art. 5(2)(f) legitimate interest (defence-in-depth)

5. Method of Collecting Personal Data

Your personal data is collected by electronic means and through automated methods via the channels listed below:


6. Transfer of Personal Data

6.1. Domestic Transfer

Since a separate data space is used for each company (tenant isolation — tenant_id-based row-level security / RLS policies), your personal data is, as a rule, not shared with other companies, private persons, or third-party institutions. However, domestic transfer may occur in the following limited cases:

6.2. Cross-Border Transfer

Since the Platform is a cloud-based service, cross-border transfer takes place through the following service providers (in their capacity as data processors). All transfers are made within the scope of Article 9 of the KVKK and the Regulation on the Procedures and Principles Regarding the Cross-Border Transfer of Personal Data published in the Official Gazette No. 32598 dated 10.07.2024, by ensuring the necessary safeguards through a standard contract and/or data processing agreements (DPA — Data Processing Agreement):

Service ProviderType of ServiceData LocationLegal Safeguard
Supabase Inc.Database, authentication, file storageFrankfurt / Germany (EU)DPA + GDPR compliance + KVKK standard contract (TODO — signature and KVKK notification)
Vercel Inc.Application hosting, CDNEU (Frankfurt) regionDPA + GDPR compliance + KVKK standard contract (TODO)
Brevo (Sendinblue)Transactional and bulk e-mail delivery (daily forecast/alert bulletins)EU (Paris / France)DPA + GDPR compliance + KVKK standard contract (TODO)
ResendBackup transactional e-mail delivery (registration confirmation, password reset)EU (eu-west-1 / Ireland)DPA + GDPR compliance + KVKK standard contract (TODO)
OpenStreetMap (OSM)Map tiles — homepage asset mapEU-based CDNNo personal data transfer is made (only coordinate queries, anonymous)

The standard contracts will be notified to the KVKK Authority within five business days following their signature. Up-to-date information on the status of these notifications may be requested from destek@urclimate.com.


7. Retention Period of Personal Data

Your personal data is retained, pursuant to Article 7 of the KVKK and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, for the periods necessary for the purposes for which they are processed and in compliance with the minimum periods stipulated by the relevant legislation.

Data CategoryRetention PeriodBasis
Identity/contact data of active User accountFor as long as the account is activePerformance of the contract
Deactivated / deleted account30 days soft delete, followed by hard delete (permanent deletion)Principle of data minimization
Audit log (transaction security records)3 yearsStatute of limitations under Art. 146 of the Turkish Code of Obligations, legitimate interest
IP / session / technical log6 monthsCompliance with Law No. 5651, information security
Support requests (tickets)3 years after closureGeneral statute of limitations under Art. 146 of the Turkish Code of Obligations
Invoicing / accounting records10 yearsArt. 253 of the Tax Procedure Law, Art. 82 of the Turkish Commercial Code
Company legal entity site/threshold dataIndefinite — returned/deleted upon the company's requestThe data is the company's own asset
KVKK consent record (timestamp)Until consent is withdrawn + 3 years for evidentiary purposesBurden of proof under Art. 12 of the KVKK, Art. 6 of the Law on Electronic Commerce

Data for which the retention period has expired is erased by means of the periodic erasure methods (deletion, destruction, or anonymization) stipulated in the relevant regulation. The periodic erasure period has been set as 6 months.


8. Rights of the Data Subject (Art. 11 of the KVKK)

Pursuant to Article 11 of the Law, as a data subject, by applying to the data controller, you may exercise the following rights concerning yourself:

  1. To learn whether personal data is being processed,
  2. To request information if personal data has been processed,
  3. To learn the purpose of processing personal data and whether they are used in accordance with that purpose,
  4. To know the third parties to whom personal data is transferred domestically or abroad,
  5. To request the rectification of personal data in the event they are processed incompletely or inaccurately,
  6. To request the deletion or destruction of personal data within the framework of the conditions set out in Article 7 of the Law,
  7. To request that the operations carried out pursuant to rights (5) and (6) be notified to the third parties to whom the personal data is transferred,
  8. To object to the emergence of a result against the person themselves through the analysis of the processed data exclusively by means of automated systems,
  9. To request the compensation of the damage in the event of suffering damage due to the unlawful processing of personal data.

In addition to these rights, in the event that you are not satisfied with the decision and practice of the data controller, or you do not receive a response within the thirty-day response period, your right to file a complaint with the KVKK Authority is also reserved (Art. 14 of the Law).


9. Method of Application

You may submit the applications you will make to exercise your above rights, pursuant to the Communiqué on the Procedures and Principles of Application to the Data Controller published in the Official Gazette No. 30356 dated 10.03.2018, by one of the following methods:

9.1. Minimum Information That Must Be Included in Your Application (Art. 5 of the Communiqué)

9.2. Application Channels

MethodAddress / Information
E-mail (from an address previously registered in our system)destek@urclimate.com
Telephone0212 270 40 57
Mail / In-person written application (wet-signed)Alkazar Teknoloji A.Ş. — Reşitpaşa Mh. Katar Cd. No:2/50/6 İTÜ ARI Teknokent Sarıyer/İstanbul
In-Platform "Data Requests" formtailor.urclimate.com/kvkk-basvuru (coming soon)

9.3. Response Time and Fee

Your application is concluded, pursuant to Article 13(2) of the Law, as soon as possible according to the nature of the request and in any event within thirty days at the latest. Where the response is provided in writing, no fee is charged for the first ten pages. For each page exceeding ten pages, a processing fee may be charged based on the tariff determined by the KVKK Authority (the amount in force on the date of application). Where the response is provided on a recording medium such as a CD or flash memory, the fee that may be requested by the data controller may not exceed the cost of the recording medium.


10. Change Notifications

This Disclosure Notice may be unilaterally updated by Alkazar Teknoloji due to legislative changes, changes in the features of the Platform, or updates in data processing procedures. The updated text is announced through the Platform (tailor.urclimate.com) and by means of a notification to your registered corporate e-mail address. The "Last Updated" date appearing at the beginning of the text is revised with each change. Your continued use of the Platform after a change means that you accept the current text (however, consent is separately obtained for operations subject to Explicit Consent).


11. Effectiveness and Contact

This Disclosure Notice entered into force on 4 May 2026 and is kept continuously accessible on the Platform homepage. For any questions, opinions, and applications:


Prepared by: Alkazar Teknoloji — Product and Compliance Team Last updated: 04.05.2026 Next review date: 04.11.2026 or immediately in the event of a legislative change