PRIVACY POLICY
Last Updated: 2026-04-21
Version: 2026.05
PURPOSE
This Privacy Policy sets out how personal data is collected, processed, transferred, and protected in connection with the activities carried out through the Company's website and digital platform.
This Privacy Policy is drawn up in accordance with Turkish Law No. 6698 on the Protection of Personal Data (KVKK), the European Union General Data Protection Regulation (GDPR), and all other applicable legislation.
DATA CONTROLLER
Company Name: MERS YAZILIM VE TEKNOLOJİ HİZMETLERİ LİMİTED ŞİRKETİ
Address: Karaman Mah. Ceylan(170) Sk. No: 1 İç Kapı No: 1 Nilüfer/Bursa Turkey
MERSIS No: 0618090558600001
Email: info@digitable.ai
2. PERSONAL DATA PROCESSED AND PURPOSES OF PROCESSING
Within the scope of this Privacy Policy, the Company may process the following categories of personal data:
| Data Category | Examples | Purpose of Processing |
|---|---|---|
| Identity Information | Name, surname, email address | Account creation and management |
| Social Login Data | OAuth account identifier (social login) | Authentication |
| Financial Data | Tokenised card information (last 4 digits, expiry date, cardholder name) | Payment transactions |
| Business Data | Business name, address, telephone, tax information, logo | Service provision |
| Menu Content | Product names, descriptions, prices, images, videos | Digital menu creation |
| Usage Data | AI request logs, credit usage, session information | Service provision and improvement |
| Analytics Data | IP address, browser information, country, city | QR scan analysis |
| Communication Preferences | Telegram chat ID, email marketing preferences | Notification delivery |
| Location Data | IP-based approximate location (country, city level) | Analytics and regional services |
The Company processes such personal data for the purposes of providing and developing products and services, processing payments and invoicing through the website and digital platform, improving customer service processes, fulfilling legal obligations under applicable regulations, conducting marketing activities with the user's explicit consent, and ensuring the security of the website and digital platform.
3. SOFTWARE DEVELOPMENT KIT (SDK) USE
Software Development Kits (SDKs) may be used on our digital platform, integrated solutions, and third-party services to enhance performance quality and security for our users. Where a mobile application is developed, certain personal data may be collected, processed, or shared with third-party service providers through such SDKs.
3.1. Data Collected and Processing Purposes
The principal data that may be collected through SDKs include:
- Device Information: Operating system, model, screen resolution, language preference, application version, etc.
- Usage Data: In-app actions, clicks, navigation paths, session duration, etc.
- Identifiers: Session identifiers, user-specific anonymous identifiers, etc.
- Performance and Error Logs: Crash reports, error logs, loading times, etc.
- Location Data (optional): GPS or IP-based location data (only with explicit consent)
Data obtained through SDKs is processed in accordance with applicable legislation for the purposes of measuring and improving the performance of the website and digital platform, detecting errors and security vulnerabilities, enhancing the user experience, advertising, marketing, and user profiling (only where explicit consent has been obtained), and analysing and reporting user behaviour.
3.2. Third-Party SDK Providers
SDKs may be developed by third-party service providers. The legal responsibility for the processing of personal data through third-party SDKs rests with the respective third party; the Company bears no responsibility. Third-party SDKs are subject to the respective third party's privacy policy.
Where the transfer of personal data abroad is involved, the Company takes the necessary legal and security measures in accordance with the KVKK and GDPR, and processes data within the scope of the user's explicit consent.
3.3. Data Security
All data collected through SDKs is protected using methods such as encryption, access control, and anonymisation. Data sharing with third parties takes place only within the framework of contractual security measures and legal obligations.
4. WEB TRACKING POLICY
Our Company uses various web tracking technologies on its website and digital platform to enhance the user experience, measure performance, and ensure security. These technologies are only activated in compliance with the KVKK and GDPR and with the user's explicit consent.
4.1. Tracking Technologies Used
- Cookies: Small text files placed on the browser. Session cookies, persistent cookies, essential cookies, analytics cookies, and advertising cookies may be used.
- Pixel Tags: Small visual code fragments that track page views and advertising interactions.
- Analytics Tools: Technologies used to analyse and report user behaviour.
- Advertising and Retargeting Tools: Technologies used to optimise marketing for users.
- Log Files: Technologies used to collect data such as IP addresses, browser information, and access dates and times through server logs.
Personal data collected through web tracking technologies mirrors the types of personal data collected through SDKs, and the purposes of processing, conditions for transferring data to third-party service providers, and data security measures are subject to the same systems and legal frameworks as those applicable to SDKs.
4.2. menu_view_session Cookie
When a visitor scans a QR code and opens a digital menu, the Platform sets a strictly necessary first-party cookie named menu_view_session. This cookie holds an opaque random identifier and is used exclusively for deduplication — it ensures that the same visitor is counted only once per venue within a 30-minute window, so that menu-view analytics are not inflated by page refreshes.
- Type: Essential / strictly necessary (no consent required under GDPR Art. 6(1)(f) and the ePrivacy Directive Art. 5(3))
- Lifetime: 24 hours from the time it is set
- Flags: HttpOnly, SameSite=Lax (not accessible to JavaScript, not sent on cross-site requests)
- Deduplication window: 30 minutes per (venue, visitor) pair
- Content: Random opaque identifier; no personal data, no tracking across third-party sites
The cookie is not used for advertising, profiling, or cross-site tracking and is not shared with any third party.
5. LEGAL BASIS
Our Company processes users' personal data within the scope of this Privacy Policy in accordance with the KVKK, GDPR, and relevant legislation.
5.1. Processing of Personal Data under the GDPR and KVKK
The processing of personal data is regulated under Article 5 of the KVKK and Article 6 of the GDPR. In accordance with these provisions:
- Explicit Consent: Obtained specifically for operations not legally required, such as marketing, profiling, SDKs, and web tracking technologies.
- Legal Obligation: Records required to be maintained under tax, commercial, or consumer legislation.
- Actual Impossibility: Where processing is necessary for the protection of the life or physical integrity of a person who is unable to express consent due to actual impossibility or whose consent is not legally valid.
- Performance of a Contract: Where processing of personal data belonging to the parties to a contract is necessary for the establishment or performance of that contract.
- Legal Obligation: Where processing is necessary for the data controller to fulfil its legal obligations.
- Data Made Public: Where the data subject has made their personal data publicly available.
- Establishment, Exercise, or Protection of Rights: Where data processing is necessary for the establishment, exercise, or protection of a right.
- Legitimate Interest: Where data processing is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
Under Article 6 of the KVKK and Article 9 of the GDPR, special categories of data such as race, health, and biometric data may only be processed with explicit consent or in exceptional cases provided for by law. As a rule, our Company does not process special categories of personal data. Where the processing of special categories of personal data is necessary, additional security measures determined by the relevant authority shall be applied.
6. INTERNATIONAL DATA TRANSFERS
The Platform transfers personal data to the following sub-processors in connection with service provision. Transfers to providers located outside Turkey / the EEA are carried out in accordance with Article 9 of the KVKK (as amended by Law No. 7499 of 12 March 2024) and Article 46 of the GDPR on the basis of standard contractual clauses (SCCs) and, where required by law, the user's explicit consent.
| Provider | Country | Purpose | Data transferred |
|---|---|---|---|
| OpenRouter, Inc. | United States | AI text generation, translation, menu enrichment | Menu text, product names and descriptions |
| fal.ai, Inc. | United States | AI image and video generation | Product images, prompt text |
| Postmark (ActiveCampaign, LLC) | United States | Transactional email delivery (verification, notifications) | Email address, recipient name, message body |
| Paddle.com Market Ltd. | United Kingdom | International payment processing | Email, company name, subscription data, card last-4 |
| iyzico Ödeme Hizmetleri A.Ş. | Turkey | Domestic payment processing | Email, company name, tokenised card data |
| Hetzner Online GmbH | Germany (EU) | Object storage of user-uploaded media | Images, videos, logos, exports |
Transfers to United States-based sub-processors (OpenRouter, fal.ai, Postmark) rely on the user's explicit consent under KVKK Article 9, captured separately at signup for users established in Turkey. Consent may be withdrawn at any time by writing to info@digitable.ai; withdrawal does not affect the lawfulness of processing carried out before withdrawal, but may disable features that require the transfer (AI generation, transactional email).
Transfers to providers inside the European Economic Area (Paddle UK, Hetzner DE) or within Turkey (iyzico) do not trigger cross-border transfer rules under KVKK Article 9 or GDPR Chapter V.
7. DATA RETENTION PERIODS
Personal data is retained only for as long as necessary for the purposes set out in this Privacy Policy and in accordance with applicable legislation. The table below lists the retention periods actually enforced by the Platform's automated cleanup mechanisms. Retention periods may be shorter in practice where the underlying data is no longer needed.
| Data category | Retention period | Legal basis |
|---|---|---|
| Account data (name, email, password) | For the duration the account is active; hard-deleted 30 days after the account deletion request | Performance of contract; GDPR Art. 17, KVKK Art. 7 |
| Invoice and payment data | 10 years | Turkish Commercial Code Art. 82, Tax Procedure Law Art. 253 |
| Legal acceptance records (Terms, Privacy Policy, explicit consents) | Retained for the lifetime of the account as an immutable audit log; not deleted on account deletion | Legal obligation, evidentiary purposes (GDPR Art. 7(1)) |
| QR scan analytics (raw records: IP, user agent, referrer) | 6 months, after which records are aggregated monthly and the raw detail is deleted. Aggregated counts (no personal data) are retained indefinitely for business analytics | Storage limitation (GDPR Art. 5(1)(e)), legitimate interest for aggregates |
| AI request logs (prompt metadata, model, cost) | 90 days | Service quality, cost reconciliation |
| Customer feedback (IP address, contact email, session key) | 90 days, then personal fields are anonymised; rating and comment retained for business analytics | Storage limitation |
| Data-export download links | 7 days | Technical necessity |
| Lead-prospecting search logs (coordinates, zone metadata) | 90 days | Storage limitation |
| Menu-preview page views (IP address, user agent, referrer) | 90 days | Storage limitation |
| Automated outreach email logs (recipient address, delivery status) | 365 days | Deliverability disputes, legitimate interest (SPF/DKIM 12-month window) |
| Prospect contact data (email, phone, WhatsApp identifiers) for leads in a terminal state (rejected, churned, converted) | 540 days after the final status change, then anonymised | Storage limitation, legitimate interest for re-engagement window |
| Data-subject request (DSR) records | Retained while the request is open and for a period thereafter for audit purposes (subject to ongoing legal review; minimum 2 years) | Audit trail for regulator inquiries |
| Company records anchored to financial data (Invoices, Subscriptions, Credit Transactions) | Anonymised on owner deletion; retained as long as the underlying financial records are retained | Turkish Commercial Code Art. 82 |
After the retention period expires or where there is no longer a lawful basis to retain the data, personal data is deleted, anonymised, or destroyed automatically by the Platform. Details of the automated cleanup mechanisms are maintained internally and reviewed quarterly.
7.1. User-Uploaded Images
Images uploaded by users through the Platform (food photographs, restaurant logos, etc.) are processed for the purpose of display on digital menu pages. These images are collected and stored within the scope of the Platform's service provision.
The following data relating to uploaded images may be processed:
- Image files (in JPEG, PNG, and similar formats)
- Image metadata (EXIF data, upload date, file size, etc.)
- AI-generated image descriptions
Images and videos generated by artificial intelligence (product photographs, promotional videos, etc.) are also stored by the Platform and displayed on digital menu pages. During the generation process, the user's existing product images may be transferred to third-party artificial intelligence service providers.
7.2. AI Content Moderation
Images uploaded by users may be processed through AI-based moderation systems to verify compliance with the Content Policy. During this process, images may be transferred to third-party artificial intelligence service providers.
Data transfers to third-party service providers are carried out with the necessary security measures in accordance with the KVKK and GDPR.
7.3. Public Display on Menu Pages
Images uploaded by users are displayed on the relevant restaurant's publicly accessible digital menu pages. These images can be accessed by anyone who visits the menu page. By uploading images, the User provides explicit consent to this public display.
7.4. Image Deletion Rights
Users have the right to request the deletion of images they have uploaded. Deletion requests also encompass data deletion rights under the KVKK and GDPR.
Image deletion requests may be submitted to info@digitable.ai and shall be processed within no more than 30 days. Deleted images shall also be removed from backup systems within a reasonable timeframe.
8. USER RIGHTS
Our Company is committed to the principles of transparency and accountability in the protection of personal data. In this context, the rights of our users arising from the KVKK and GDPR are safeguarded.
8.1. Rights under the KVKK
Under the KVKK, users are granted the following rights in relation to personal data:
- The right to learn whether personal data has been processed,
- The right to request information if personal data has been processed,
- The right to learn the purpose of processing personal data and whether it has been used in accordance with its purpose,
- The right to know the third parties to whom personal data has been transferred domestically or abroad,
- The right to request correction of inaccurate or incomplete personal data and notification of this to third parties,
- The right to request deletion or destruction of personal data under the conditions set out in Article 7 of the KVKK and notification of this to third parties,
- The right to object to a result arising against the individual through the analysis of processed data exclusively by automated means,
- The right to request compensation for damages arising from the unlawful processing of personal data.
8.2. Rights under the GDPR
Users located in the EU/EEA also have the following rights:
- Right of Access: The right to request access to personal data and to learn the purposes for which it is used,
- Right to Rectification: The right to request correction of inaccurate or incomplete data,
- Right to Erasure: The right to request deletion of data under certain conditions,
- Right to Restriction of Processing: The right to request that processing of data be halted in certain circumstances,
- Right to Data Portability: The right to receive personal data in a structured, commonly used format or to transfer it to another data controller,
- Right to Object: The right to object to processing based on legitimate interests, including direct marketing,
- Rights Relating to Automated Decision-Making: The right not to be subject to decisions based solely on automated processing, including profiling.
8.3. Exercising Rights
Users may exercise their rights by contacting our Company in writing or by email.
Applications made under the KVKK shall be responded to within no more than 30 days. However, this period may be extended as permitted by law in necessary or force majeure situations; in such cases, the user shall be informed of the expected duration.
Applications made under the GDPR shall, as a rule, be concluded within one month. However, an additional two-month extension may be taken where necessary, in which case the user shall be informed.
Applications made by users in the exercise of their rights are free of charge; however, where the process incurs additional costs, a fee may be charged in accordance with the KVKK and relevant legislation.
Requests for deletion of data or cessation of processing may only be fulfilled to the extent that legal obligations do not prevent it. Our Company reserves the right to refuse requests that constitute misuse or that would infringe the rights and freedoms of third parties.
9. DATA BREACH NOTIFICATION
In the event of unauthorised access to personal data, data loss, disclosure, or a similar security breach, the Company shall apply the following procedure:
- Supervisory Authority Notification: In accordance with applicable legislation (KVKK Art. 12, GDPR Art. 33), the Turkish Personal Data Protection Board and/or the competent EU supervisory authority shall be notified within 72 hours of becoming aware of the breach.
- User Notification: Where it is determined that the breach poses a high risk to the data subjects, affected users shall be notified promptly and clearly.
- Content: The notification shall include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.
- Record-Keeping: All security breaches shall be recorded, together with their nature, impact, and the measures taken.
DISCLOSURE TEXT (AYDINLATMA METNİ)
This section has been prepared pursuant to Article 10 of Turkish Law No. 6698 on the Protection of Personal Data (KVKK) and the Communiqué on the Procedures and Principles to Be Observed in Fulfilling the Obligation to Inform, in order to fulfil the obligation to inform data subjects.
Identity of the Data Controller
MERS YAZILIM VE TEKNOLOJİ HİZMETLERİ LİMİTED ŞİRKETİ
Address: Karaman Mah. Ceylan(170) Sk. No: 1 İç Kapı No: 1 Nilüfer/Bursa Turkey
MERSIS No: 0618090558600001
Email: info@digitable.ai
Personal Data Processed and Purposes
Your personal data is processed for the purposes of service delivery, account management, payment transactions, fulfilment of legal obligations, and ensuring platform security. For details of the data categories and purposes, please refer to the "Personal Data Processed and Purposes of Processing" section above.
Transfer of Personal Data
Your personal data may be transferred to domestic and international third parties in the context of legal obligations, payment infrastructure, cloud services, and AI service providers. For transfer details, please refer to the "International Data Transfers" section above.
Method and Legal Basis of Data Collection
Your personal data is collected electronically through the website and digital platform, on the basis of the legal grounds set out in KVKK Articles 5 and 6 and GDPR Articles 6 and 9.
Your Rights Under the KVKK
To exercise your rights under Article 11 of the KVKK, you may submit a request using the methods set out in the "User Rights" section above.
I have read and accepted the disclosure text regarding the processing of my personal data.
EXPLICIT CONSENT TEXT (AÇIK RIZA METNİ)
This section has been prepared pursuant to Turkish Law No. 6698 on the Protection of Personal Data (KVKK), for the purpose of obtaining your explicit consent for data processing activities that are carried out solely on the basis of your consent.
Processing Activities Requiring Explicit Consent
The following personal data processing activities are only carried out with your explicit consent:
- Marketing and communications: Sending you personalised campaigns, promotions, and informational messages via email, SMS, or push notifications.
- AI-powered content generation: Processing of your uploaded images and menu data by third-party AI service providers (content generation, description creation, translation).
- Analytics and profiling: Analysis of your website and platform usage data for the purpose of improving service quality and user experience.
- Cross-border data transfer: Transfer of your personal data to service providers located abroad for the purposes stated above.
Withdrawal of Consent
You may withdraw your explicit consent at any time without providing any reason. Withdrawal shall not affect the lawfulness of processing carried out prior to the withdrawal. You may submit your withdrawal request to info@digitable.ai.
I have read the explicit consent text; I give my explicit consent for the processing and transfer of my personal data for the purposes stated above.
10. AMENDMENTS
This Privacy Policy may be updated in accordance with legislative changes and/or legal requirements. Updates shall take effect from the moment they are announced on our Company's website or digital platform.
11. CONTACT
MERS YAZILIM VE TEKNOLOJİ HİZMETLERİ LİMİTED ŞİRKETİ
Address: Karaman Mah. Ceylan(170) Sk. No: 1 İç Kapı No: 1 Nilüfer/Bursa Turkey
Email: info@digitable.ai