Table of Contents
This privacy notice has been prepared in accordance with Article 10 of the Turkish Personal Data Protection Law No. 6698 ("KVKK"). Its purpose is to inform you about the processing of your personal data.
1. Identity of the Data Controller
Company: Aykete Digital
Trade Name: Bütçe Gardiyanı
Address: Bilecik, Turkey
Email: [email protected]
2. Scope of This Notice
Bütçe Gardiyanı is a click fraud protection service that helps advertisers protect their Google Ads campaigns from invalid and fraudulent clicks.
This privacy notice covers two distinct categories of data subjects:
- Customers: Individuals who register on the Bütçe Gardiyanı platform and use our services
- Visitors: Individuals who visit our customers' websites and whose data is processed through our tracking technology
3. Customer Personal Data
3.1 Personal Data Processed
| Data Category | Personal Data |
|---|---|
| Identity Information | First name, last name |
| Contact Information | Email address, mobile phone number (collected during checkout; stored in our systems for recurring payment processing, also transmitted to payment service provider) |
| Customer Transaction Data | Company/organization name, domain information, subscription details |
| Financial Information | Billing information, payment records; payment card last 4 digits and card type (stored in our systems); recurring payment token information (stored encrypted); optional billing details (identity number, address, city, postal code — transmitted to payment service provider, not stored in our systems) |
| Legal Transaction Data | Pre-Information Form and Distance Sales Contract acceptance records (agreement content copy, acceptance date, IP address, browser information, agreement number) |
| Transaction Security Data | Password (securely stored), login information, IP address |
3.2 Processing Purposes and Legal Bases
| Processing Purpose | Legal Basis (KVKK Art. 5) |
|---|---|
| Account creation and management | Performance of a contract (Art. 5/2-c) |
| Providing click protection services | Performance of a contract (Art. 5/2-c) |
| Invoicing and payment tracking | Expressly prescribed by law (Art. 5/2-a), legal obligation (Art. 5/2-ç) |
| Payment processing and subscription management | Performance of a contract (Art. 5/2-c) |
| Email notifications and communication | Performance of a contract (Art. 5/2-c) |
| Email address verification | Performance of a contract (Art. 5/2-c) |
| Real-time suspicious click alerts | Performance of a contract (Art. 5/2-c) |
| Account and platform security | Legitimate interest (Art. 5/2-f) |
| Fulfillment of legal obligations (tax, accounting) | Legal obligation (Art. 5/2-ç) |
| Maintaining distance sales contract and pre-information form acceptance records | Legal obligation (Art. 5/2-ç) — Distance Contracts Regulation Art. 20 |
| Pre-sales communication via contact form | Establishment of a contract (Art. 5/2-c) |
4. Visitor Personal Data
Note: This section covers the data of individuals who visit our customers' websites. This data is processed automatically for the purpose of detecting and preventing fraudulent clicks.
4.1 Personal Data Processed
| Data Category | Personal Data |
|---|---|
| Network Information | IP address, geolocation (country/city level) |
| Device and Browser Information | Browser type and version, operating system, screen dimensions, device type |
| Device Recognition Data | Device-specific technical identifiers (does not enable direct identification) |
| Traffic Information | Referring page URL, visited page, ad campaign parameters |
| Behavioral Data | Click patterns, visit information, automated traffic indicators |
| Timestamp | Visit date and time |
4.2 Processing Purposes and Legal Bases
| Processing Purpose | Legal Basis (KVKK Art. 5) |
|---|---|
| Detection of fraudulent and invalid ad clicks | Legitimate interest (Art. 5/2-f) |
| Exclusion of suspicious IP addresses from ad campaigns | Legitimate interest (Art. 5/2-f) |
| Automated bot and automation tool detection | Legitimate interest (Art. 5/2-f) |
| Statistical analysis of click patterns | Legitimate interest (Art. 5/2-f) |
4.3 Legitimate Interest Explanation
The detection and prevention of ad fraud constitutes a legitimate interest both for protecting the financial rights of advertisers and for the healthy functioning of the digital advertising ecosystem.
- Purpose: Protecting advertisers' ad budgets from fraudulent clicks
- Necessity: Fraud detection is technically impossible without IP addresses and device information
- Proportionality: Only the minimum data required for detection is processed; no special categories of personal data are processed; data is automatically deleted after 90 days
5. Data Collection Methods
Customer Data
- Through registration and contact forms (partially automatic, partially provided by the data subject)
- Automatically during platform interactions
Visitor Data
- Automatically through tracking code embedded on customer websites
- Automatically through server-side redirect tracking
- Automatically through server-side detection mechanisms for visitors who do not execute JavaScript
6. Data Transfers
Your personal data may be transferred to domestic and international third parties for the purposes stated below, in accordance with KVKK Articles 8 and 9:
6.1 Domestic Transfers
- To authorized public institutions and organizations within the scope of legal obligations
- To a domestic payment service provider for payment processing and subscription management (name, email, phone number, billing information)
6.2 International Transfers
| Transfer Purpose | Data Transferred | Transfer Region |
|---|---|---|
| Server hosting and data storage | All processed personal data | European Union |
| Blocking suspicious IPs on ad platform | IP address, campaign information | USA |
| Email delivery service | Email address, name | USA |
| Real-time notification service (at customer's discretion) | IP address, domain, device info summary | Various |
| CDN and security services | IP address, network traffic data | Global |
International transfers are made to countries with adequate protection or where the data controller has committed to providing adequate protection, in accordance with KVKK Article 9. Data processing agreements have been signed with all service providers.
7. Retention Periods
| Data Category | Retention Period | Basis |
|---|---|---|
| Visitor records (IP, device, click data) | 90 days | Legitimate interest |
| Suspicious IP records | 90 days (if no active block) | Legitimate interest |
| Device identification data | 90 days | Legitimate interest |
| Customer account information | Duration of active account + 2 years | Contract |
| Contact form data | 2 years | Pre-contractual |
| Invoice and payment records | 10 years | VUK/TTK legal obligation |
| Agreement acceptance records | 3 years | Distance Contracts Regulation Art. 20 |
| Payment token information | Duration of active account; automatically deleted when account is deleted | Contract |
| Server access logs | 2 years | Law No. 5651 |
Personal data whose retention period has expired is deleted, destroyed, or anonymized through an automatic periodic destruction process in compliance with KVKK and relevant legislation. Destruction operations are logged, and these logs are retained for a minimum of 3 years.
8. Automated Decision Making
Our service uses automated decision-making mechanisms for the purpose of detecting fraudulent clicks.
Automated Processing
- Visitors' IP addresses, device information, and click patterns are analyzed according to predefined rules
- Bot and automation tool usage is automatically detected
- IP addresses found to be suspicious are automatically excluded from the customer's ad campaigns
This automated assessment is based solely on technical parameters and does not aim to create individual profiles. Under KVKK Article 11/1-g, you have the right to object if the analysis of your processed data exclusively through automated systems produces a result to your detriment.
9. Your Rights Under KVKK Article 11
Pursuant to Article 11 of the KVKK, you have the following rights:
- To learn whether your personal data is being processed
- To request information about the processing if your personal data has been processed
- To learn the purpose of processing your personal data and whether it is used in accordance with its purpose
- To know the third parties to whom your personal data is transferred domestically or abroad
- To request correction of your personal data if it has been processed incompletely or inaccurately
- To request deletion or destruction of your personal data under KVKK Article 7
- To request that correction and deletion operations be notified to third parties to whom your personal data has been transferred
- To object to any result produced against you through the exclusive analysis of your processed data via automated systems
- To claim compensation for damages arising from the unlawful processing of your personal data
10. How to Submit a Request
To exercise the rights listed above, you may contact us through the following methods:
Email: [email protected]
Subject line: With the phrase "KVKK Information Request"
Your request must include information to verify your identity along with a clear and understandable description of your request. Your requests will be concluded within 30 days at the latest. If the process requires additional costs, fees determined by the Personal Data Protection Board may apply.
Right to Complaint
If your request is rejected, the response is deemed insufficient, or no response is provided within the specified period, you may file a complaint with the Personal Data Protection Board within 30 days of learning the response and in any case within 60 days of the application date.