KVKK Disclosure
Disclosure on personal data processing under KVKK Article 10
Note: This is an explanatory translation. The Turkish version of the KVKK Disclosure is legally binding under the Turkish Personal Data Protection Law (KVKK No. 6698).
Under Article 10 of the Turkish Personal Data Protection Law (KVKK No. 6698), as the "data controller", ExScore provides the following disclosure about personal data processing activities.
1. Identity of the Data Controller
Data controller: ExScore ([email protected])
Contact: [email protected]
Website: https://exscore.app
Note: Legal entity is being established; trade name, tax number, and VERBIS info will be added once complete.
2. Categories of Personal Data Processed
| Category | Data |
|---|---|
| Identity | X (Twitter) handle, X user ID, display name |
| Contact | Email address, phone number (optional) |
| Visual | Profile photo URL |
| Transaction | Ratings given/received, comments written/received, promo code usage, membership type |
| Legal action | Consent acceptances, account deletion requests, moderation decisions |
| Transaction security | IP address, browser info, session tokens, OTP hashes |
| Marketing | Not applicable — no data collected for marketing |
3. Purposes of Processing
- Providing the service: profile creation, rating, commenting, card sharing
- Calculating and displaying the social reputation score
- Detection / prevention of fake accounts, harassment, spam, and abuse
- Automated moderation of comment content (regex + OpenAI Moderation API)
- Operation of the membership system (VIP / promo code)
- Handling support requests
- Compliance with legal obligations (KVKK, ETK, BTK)
4. Legal Basis
Your data is processed under KVKK art. 5/1 based on your explicit consent. Consent is deemed given when you accept the "Consent Text" shown while using the application. Additionally:
- art. 5/2-c formation and performance of a contract (membership)
- art. 5/2-ç legal obligation (KVKK, ETK, tax)
- art. 5/2-f legitimate interest (fake account prevention, security)
5. Parties to Whom Data Is Transferred
Your data may be transferred to the following data processors:
| Recipient | Transfer purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication | Ireland (EU) |
| Cloudflare, Inc. | Hosting, CDN, security | Global |
| X Corp. (Twitter) | OAuth sign-in | USA |
| OpenAI, L.L.C. | Comment moderation (AI classification) | USA |
| SMS Operator | OTP verification (only during verification flow) | TR / global |
| İyzico Payment Services | Payment processing (VIP — coming soon) | TR |
| Authorized institutions | In case of legal request (court, prosecutor's office) | TR |
When transferring to US-based providers, security standards in the list of "countries providing adequate protection" announced by the Personal Data Protection Authority are observed; the transferred data is the minimum required.
6. Data Collection Method
Data is collected automatically / semi-automatically via:
- X (Twitter) OAuth API (profile info)
- User input via the web application (rating, comment, phone)
- HTTP request headers (IP, browser info — temporary)
- Automated moderation systems (analysis of comment content)
7. Retention Periods
| Data | Period |
|---|---|
| Account data | As long as the account is active |
| When account is deleted | 30-day waiting + irreversible deletion |
| Consent records | Until account deletion + extra 6 months |
| OTP records (verified) | 7 days |
| OTP records (expired) | 1 day |
| IP / access logs | 90 days |
| Moderation records | With the related comment |
| Anonymous aggregate statistics | Indefinite (KVKK art. 28) |
8. Rights Under KVKK Article 11
As the data subject, you have the right to:
- Learn whether your personal data is being processed
- Request information if it has been processed
- Learn the purpose of processing and whether it is used for its intended purpose
- Know third parties to whom data has been transferred domestically or abroad
- Request correction if processed incompletely / incorrectly
- Request deletion or destruction under KVKK art. 7
- Request that correction / deletion / destruction operations be notified to third parties to whom data was transferred
- Object to consequences that arise against you solely from automated processing
- Demand compensation for damages caused by unlawful processing
9. Application Method
You may apply to the Data Controller in writing or via the methods determined by the KVK Authority to exercise your rights.
Email: [email protected]
The application must contain information to verify your identity (X handle, email linked to your account). Requests are concluded within 30 days at the latest under KVKK art. 13/2.
10. Right to Complain
If the data controller's response is found insufficient or no response is received within 30 days, you may file a complaint with the Personal Data Protection Board.
KVKK web: www.kvkk.gov.tr
Disclosure version: v1.0
İletişim
Bu metinle ilgili soruların ya da KVKK kapsamında talep oluşturmak için:
E-posta: [email protected]