UrClimate Tailor — Privacy Policy
Informational translation — the Turkish original (Gizlilik Politikası) governs.
Effective Date: 4 May 2026 Version: 1.0 Platform: https://tailor.urclimate.com Data Controller: Alkazar Teknoloji A.Ş. Contact: destek@urclimate.com
Notice: This Privacy Policy explains, in a holistic manner, the personal data processing activities of the UrClimate Tailor platform. A separate Disclosure Notice is available for the short and technical information required under Article 10 of Law No. 6698 (KVKK); this policy is complementary to it, and in the event of a conflict, the specific provisions of the Disclosure Notice shall prevail.
1. Introduction
1.1. Scope
This Privacy Policy covers all personal data processed on the UrClimate Tailor platform (tailor.urclimate.com) operated by Alkazar Teknoloji A.Ş. (hereinafter "we", "Alkazar", or "Service Provider"). The policy applies to:
- Employees of corporate customers registered on the Platform (site managers, operations teams, risk managers, senior management).
- Prospective customers requesting a demo/pilot.
- Every user visiting the Platform's website.
- Anyone contacting destek@urclimate.com.
1.2. Legal Basis
- Law No. 6698 on the Protection of Personal Data (KVKK)
- Law No. 5651 on the Regulation of Publications Made on the Internet
- Law No. 6563 on the Regulation of Electronic Commerce (ETK)
- Communiqués and guidelines of the Personal Data Protection Authority
1.3. Data Controller
Alkazar Teknoloji A.Ş. acts in the capacity of Data Controller within the meaning of Article 3/1-ı of Law No. 6698 (KVKK). In scenarios where corporate customer companies enter into the Platform data belonging to their own personnel, Alkazar may acquire the capacity of data processor (Art. 3/1-ğ); this situation may be regulated by a separate Data Processing Agreement (VİS / DPA).
2. Information We Collect
2.1. Account Information (Registration Form)
We collect the following information during registration:
- First name, last name
- Corporate e-mail address
- Phone number (landline and/or mobile)
- Affiliated company name
- Password (stored as a one-way hash; plain text is never retained)
- KVKK consent timestamps (acceptance of the disclosure, acceptance of the terms of use, optional marketing/analytics consent preferences)
2.2. Usage Data
Information about your activities on the Platform:
- Login/logout times and durations.
- Defined site information (location, threshold settings, alert preferences) — this data is generally of a corporate/operational nature; exceptionally, it may contain personal data such as "site manager name".
- Uploaded files (site photo, location CSV list, etc.).
- Reports you create (FIRF, seasonal), notes, and comments.
- Tenant assignment and display preferences on the homepage asset map.
- Support requests and the responses provided to them.
2.3. Technical Data
- IP address (recognized as personal data under KVKK).
- Browser type and version (User-Agent).
- Operating system.
- Screen resolution (for UX statistics).
- Referrer URL.
- Cookie identifiers (see Art. 6).
- Timestamp-based access logs (mandatory under Law No. 5651).
2.4. Automatically Collected Information
- Error logs (stack trace, request identifier). These logs are deleted or anonymized after 30 days.
- Performance measurements (page load time, API response time).
2.5. Information We Do Not Collect
- We do not process sensitive personal data (Art. 6 of KVKK — health, sexual life, religion, political opinion, biometrics).
- Payment card information is not stored on our servers; for paid plans, payment is made via bank transfer or a PCI-DSS compliant third party (after integration).
- Data belonging to users under the age of 18 is not knowingly collected (see Art. 7).
- Location data (the user's GPS) is not collected; site locations are explicitly entered by the User, and the Platform processes only the entered site coordinates, not the user's own device location.
3. Purposes of Information Use
The collected information is processed for the following purposes:
3.1. Service Provision (Art. 5/2-c of KVKK, performance of a contract)
- Account creation and management.
- User authentication.
- Operating the site-based forecast/alert engine and delivering the results.
- Sending daily forecast/alert e-mails.
- Generating FIRF and seasonal reports.
- Data backup and restore.
3.2. Communication (Art. 5/2-c and Art. 5/2-f of KVKK)
- System notifications (password reset, account alerts).
- Subscription period-end reminders.
- Service outage/maintenance announcements.
- Responding to support requests.
3.3. Service Improvement (Art. 5/2-f of KVKK, legitimate interest)
- Usage statistics (aggregate).
- Debugging and performance improvement.
- A/B tests and UX research (without personal identifiers).
3.4. Legal Obligations (Art. 5/2-a of KVKK)
- Tax and commercial record obligations (VUK 253 — 5-year invoice retention).
- Retention of access logs for 6 months under Law No. 5651.
- Providing information to competent authorities (public prosecutor's office, court, BTK, KVKK Authority).
3.5. Marketing (With explicit consent — Art. 5/1 of KVKK and Art. 6 of ETK)
Only in cases where the User has given explicit consent:
- Product update announcements.
- Webinar/training invitations.
- New feature notifications.
- Sectoral climate risk reports.
Explicit consent can be withdrawn at any time; via the "unsubscribe" link in the e-mail or through destek@urclimate.com.
4. Sharing with Third Parties
We share your personal data only in the following cases. Under no circumstances do we sell your data to third parties.
4.1. Infrastructure Service Providers (Data Processors)
| Provider | Service | Location | Data Processed |
|---|---|---|---|
| Supabase | Database + authentication + file storage | Frankfurt, EU | Account data, site definitions, audit log |
| Vercel | Application hosting | EU (Frankfurt region) | Request logs, technical data |
| Brevo (Sendinblue) | Bulk/transactional e-mail (daily newsletter, alert) | EU (Paris) | E-mail address, sending log, newsletter content |
| Resend | Backup transactional e-mail (registration confirmation, password reset) | EU (eu-west-1) | E-mail address, sending log |
| OpenStreetMap (OSM) | Homepage asset map tiles | EU-based CDN | No personal data is sent (only anonymous coordinate query) |
All infrastructure providers are located in the EU; transfers are made under standard contract and DPA safeguards within the scope of Article 9 of KVKK.
4.2. Legal Obligation
- Upon a court order, public prosecutor's request, or written notice from BTK or the KVKK Authority.
- Unless legally prohibited, we inform the User of such notices.
4.3. Business Transfer / Merger
In the event that Alkazar becomes the subject of a merger, demerger, acquisition, sale, or similar corporate transaction, personal data may be transferred to the acquiring company under the same confidentiality standards; in such a case, Users are informed by e-mail.
4.4. Anonymous/Aggregate Data
Aggregate statistics that do not contain identity identifiers (for example, "total number of registered sites on the platform in 2026 Q2", "most frequently used threshold type") may be shared with research institutions, the media, or in investor presentations.
5. Security Measures
The technical and administrative measures we take within the scope of Article 12 of KVKK:
5.1. Technical Measures
- Encryption in transit: All data traffic is encrypted with TLS 1.3 (HTTPS).
- Encryption at rest: AES-256 encryption in the database.
- Password security: User passwords are hashed with bcrypt (work factor 10+); plain text is never recorded.
- Row-Level Security (RLS): Each tenant (company) sees only its own site and data; data isolation is enforced at the database level.
- Backup: Automatic daily backup; 30-day retention; backups are also encrypted.
- Multi-Factor Authentication (MFA): Will be offered to the user in a future release; mandatory for team accounts.
- Security patches: Dependency scanning (Dependabot) and critical CVEs are patched within 7 days.
- Rate limiting and bot protection: Against DoS and brute-force attacks.
- Audit log: All critical operations (login, deletion, export, authorization change) are logged.
5.2. Administrative Measures
- Personnel confidentiality undertaking.
- Data minimization principle (only what is necessary is collected).
- "Least privilege" principle for access authorization.
- Annual privacy and cybersecurity training.
- Incident response procedure.
- Regular risk analysis.
5.3. Data Breach Process
When a security breach is detected:
- The breach is immediately detected and contained.
- Notification is made to the KVKK Authority within 72 hours (Art. 12/5 of KVKK).
- Affected Users are informed by e-mail as soon as possible.
- An incident report is prepared and preventive measures are taken.
6. Cookies
The Platform uses cookies for the purposes of basic functionality, security, and preference storage. UrClimate Tailor currently does not use third-party analytics or marketing cookies; when analytics infrastructure is added, this text will be updated and the User's separate explicit consent will be obtained.
6.1. Cookies Used (Phase 1)
| Cookie | Purpose | Type | Duration | Legal Basis |
|---|---|---|---|---|
sb-access-token, sb-refresh-token | Supabase session management (user authentication) | Mandatory | Session duration | Art. 5/2-c of KVKK (performance of a contract) |
theme | Light/dark theme preference (light/dark mode) | Mandatory | 1 year | Art. 5/2-f of KVKK (legitimate interest — preserving user preference) |
darkMode | Dark mode flag (persistent UI preference) | Mandatory | 1 year | Art. 5/2-f of KVKK (legitimate interest — preserving user preference) |
csrf-token | Cross-Site Request Forgery protection | Mandatory | Session duration | Art. 5/2-c of KVKK (performance of a contract) + Art. 12 of KVKK (security measure) |
6.2. Cookies Not Used
- Third-party analytics cookies (Google Analytics, PostHog, etc.) — NOT USED within the scope of Phase 1.
- Marketing / advertising cookies (Meta Pixel, LinkedIn Insight, Google Ads, etc.) — NOT USED.
- Social media cookies — NOT USED.
If the above three categories of cookies are implemented in the future, separate explicit consent will be obtained from the User and this text will be updated.
6.3. Cookie Management
- Browser settings: In all modern browsers, cookies can be deleted or blocked from the settings. If mandatory cookies are blocked, login to the Platform cannot be performed.
- Account logout: The "Log Out" button invalidates the session cookies on both the server and browser side.
7. Children and Age Limit
UrClimate Tailor is a B2B product not directed at users under the age of 18. If it is determined that a person under the age of 18 has opened an account, the account is immediately deleted. Employees of corporate customers are assumed to be adults and authorized to act on behalf of the company.
8. User Rights (Article 11 of KVKK)
Pursuant to Article 11 of KVKK, the User has the following rights:
- To learn whether their personal data is being processed.
- To request information if it has been processed.
- To learn the purpose of processing and whether it is used in accordance with its purpose.
- To know the third parties to whom it is transferred domestically or abroad.
- To request rectification if it has been processed incompletely or incorrectly.
- To request its erasure or destruction when the conditions are met (right to be forgotten).
- To request that rectification/erasure operations be notified to the third parties to whom the data has been transferred.
- To object to a result arising against the person as a consequence of analysis carried out through automated systems.
- To request compensation for damages in the event of suffering damage due to unlawful processing.
8.1. Application Method
To exercise your rights, you may submit your applications via:
- E-mail: destek@urclimate.com
- Phone: 0212 270 40 57
- In writing: Alkazar Teknoloji A.Ş., Reşitpaşa Mh. Katar Cd. No:2/50/6 İTÜ ARI Teknokent Sarıyer/İstanbul
In the application, for identity verification you must state your first name and last name, T.C. identity number or passport number (for foreigners), notification address, and the subject of the request.
8.2. Response Time
Applications are answered free of charge within a maximum of 30 days. If the request requires a special cost, the current tariff determined by the KVKK Board is applied.
9. Data Retention Periods
| Data Type | Retention Period | Basis |
|---|---|---|
| Account information | Subscription period + 90 days | Performance of a contract |
| Site definitions and threshold settings | Subscription period + 90 days (then hard-delete) | Performance of a contract + User request |
| Access logs | 6 months | Law No. 5651 |
| Audit log | 3 years | Statute of limitations under Art. 146 of TBK, legitimate interest |
| Invoice/accounting | 5 years (minimum), 10 years (Art. 82 of TTK) | VUK 253, Art. 82 of TTK |
| Support correspondence | 3 years | Legitimate interest (defense in disputes) |
| Backups | 30-day rolling window | Technical requirement |
| KVKK consent record | Until consent is withdrawn + 3 years for evidentiary purposes | Art. 12 of KVKK, Art. 6 of ETK |
| Marketing explicit consent | Until consent is withdrawn + 3 years for evidentiary purposes | Art. 6 of ETK |
When the legal retention period expires, the data is automatically deleted or anonymized.
10. Changes
This Privacy Policy may be updated over time.
- Substantial changes (collecting a new data type, a new third party, a change in cross-border transfer) are announced 30 days in advance by e-mail and panel notification.
- Minor corrections (typography, link updates) may be made by updating the effective date.
- Previous versions of the policy are kept as an archive; they are shared upon request.
After each update, the User is deemed to have accepted the new policy by continuing to use the Platform. In the event of non-acceptance, the provisions of Article 10 (Termination) of the Terms of Use apply.
11. Contact and Complaints
11.1. First Step — Alkazar Support
For any questions, requests, and complaints regarding privacy, please contact us first:
Alkazar Teknoloji A.Ş. — Data Controller
- E-mail: destek@urclimate.com
- Web: https://tailor.urclimate.com
- Address: Reşitpaşa Mh. Katar Cd. No:2/50/6 İTÜ ARI Teknokent Sarıyer/İstanbul
- Phone: 0212 270 40 57
- VERBIS Registry No: (application process ongoing)
11.2. Second Step — KVKK Authority
In the event that your application to Alkazar is rejected, you find the response provided insufficient, or you do not receive a response within 30 days:
Personal Data Protection Authority
- Address: Nasuh Akar Mah. 1407. Sok. No: 4, 06520 Balgat — Çankaya / Ankara
- Web: https://www.kvkk.gov.tr
- Phone: 0 312 216 50 50
you may file a complaint within 30 days from the date of application, within 60 days from the date you learned the subject of the complaint, and in any event within a maximum of 2 years (Art. 14 of KVKK).
Effective Date: 4 May 2026 Version: 1.0
This Privacy Policy has been prepared in accordance with KVKK, ETK, and all relevant legislation. It is updated in line with legislative changes. The current version is always available at https://tailor.urclimate.com/gizlilik-politikasi.