Privacy Policy

Last updated: July 3, 2026

Overview

This Privacy Policy applies to the butcegardiyani.com website and platform, operated by Aykete Digital ("we", "us", "our", or "Company").

Bütçe Gardiyanı is a click fraud protection service that helps advertisers protect their Google Ads campaigns from invalid clicks. We provide tracking technology that monitors visitor behavior and automatically blocks suspicious IP addresses.

This policy describes how we collect, use, and protect personal information when you use our website and services. We comply with the EU General Data Protection Regulation (GDPR) and Turkish Personal Data Protection Law (KVKK).

1. Compliance (GDPR & KVKK)

GDPR Compliance

Bütçe Gardiyanı complies with the General Data Protection Regulation (GDPR) and its data transfer requirements. We rely on appropriate safeguards when transferring personal data to third countries.

KVKK Compliance

We also comply with the Turkish Personal Data Protection Law No. 6698 (KVKK) for our users in Turkey. Your personal data is processed in accordance with the principles set out by KVKK.

Legal Bases for Processing

Legal Basis Processing Activity
Consent
GDPR Art. 6(1)(a)
Marketing communications, non-essential cookies
Contract Performance
GDPR Art. 6(1)(b)
Account creation, service delivery, customer support
Legitimate Interest
GDPR Art. 6(1)(f)
Fraud detection and prevention, security monitoring
Legal Obligation
GDPR Art. 6(1)(c)
Tax and accounting records, legal requests

2. Data Controller & Processor Roles

As Data Controller

We act as data controller for data we collect directly from you when you:

  • Create an account on our platform
  • Visit our website
  • Contact our support team
  • Submit requests through the contact form

As Data Processor

We act as data processor when processing visitor data on behalf of our clients:

  • Click tracking on client websites
  • IP address analysis
  • Fraud detection services
  • Google Ads integration

3. Data We Collect

3.1 Account Information

When you register for our services:

  • Full name
  • Email address
  • Company/organization name
  • Domain name you wish to protect
  • Google account identifier (if registering via Google)

3.2 Payment and Billing Information

When you purchase a paid subscription, the following information is collected:

  • Mobile phone number (stored in our systems for recurring payment processing and billing purposes)
  • Payment card last 4 digits and card type (stored in our systems for subscription management)
  • Recurring payment token information (stored encrypted in our systems; full card numbers are not stored)
  • Billing address (optional: identity number, address, city, postal code — transmitted to payment service provider, not stored in our systems)
  • Payment card details (transmitted directly to payment service provider; full card numbers are not stored in our systems)

Legal basis: Contract performance (GDPR Article 6(1)(b)), legal obligation (GDPR Article 6(1)(c))

3.3 Agreement Acceptance Records

During the checkout process, in compliance with our legal obligations (Turkish Consumer Protection Law No. 6502 and Distance Contracts Regulation), acceptance records for the Pre-Information Form and Distance Sales Contract are maintained:

  • Content copy of the accepted agreement
  • Acceptance date and time
  • IP address at the time of acceptance
  • Browser information at the time of acceptance
  • Agreement number and version

Legal basis: Legal obligation (GDPR Article 6(1)(c))

3.4 Email Verification

To ensure account security, email verification is performed during registration. A one-time verification code is sent to your email address. Verification codes are stored in hashed form and automatically deleted upon successful verification. Accounts that are not verified within the designated period are automatically deleted.

Legal basis: Contract performance (GDPR Article 6(1)(b))

3.5 Automatically Collected Information

When you visit our website:

  • IP address
  • Browser type and version
  • Device and browser technical information (operating system, device type, screen size)
  • Traffic source
  • Visited page URL

3.6 Google Ads Integration

If you connect your Google Ads account, we access campaign data and IP exclusion lists through the Google Ads API. This data is used solely to provide our click fraud protection services.

3.7 Google Sign-In

If you register or sign in using your Google account, we receive your name, email address, and Google account identifier through the Google OAuth 2.0 protocol. This information is used solely for account creation and authentication purposes. We do not have access to your Google password.

Legal basis: Consent and performance of a contract (GDPR Article 6(1)(a) and Article 6(1)(b))

3.8 Contact Form Data

Information you submit through our contact form:

  • First and last name
  • Email address
  • Phone number (optional)
  • Message content
  • Selected service package
  • Number of websites

This data is processed for pre-sales communication and quote preparation purposes.

Legal basis: Pre-contractual measures (GDPR Article 6(1)(b))

4. Data Processed for Clients (Click Tracking)

Important: Bütçe Gardiyanı acts as a data processor when collecting visitor data on behalf of our clients. Our clients are the data controllers for this information.

4.1 Data Collected by Our Tracking System

Our tracking system collects the following data on client websites:

Data Description Purpose
IP Address IP address Suspicious traffic detection and blocking
Browser Information Browser type and version Browser and device detection
Device Information Browser and device technical information (operating system, device type, screen size) Device type and browser detection
Traffic Source Where the visitor came from Source analysis
Website URL Visited page address Domain matching
Campaign ID Google Ads advertising parameters Ad click attribution
Automation Signals Automated traffic detection mechanisms Automated bot detection
Page Interaction Data Technical information about page view behavior Detecting valid visits
Timestamp Visit date and time Time-based analysis

4.2 Data Collection Sources

Data is collected through our tracking technology (client-side code, server-side detection, and a WordPress plugin) integrated into client websites. Ad visits are detected via Google Ads advertising parameters.

4.3 Legal Basis for Processing

  • Legitimate Interest (GDPR Article 6(1)(f)): Fraud protection is a recognized legitimate interest
  • Contractual Necessity (GDPR Article 6(1)(b)): Processing is necessary to fulfill our service agreement with clients

Legitimate Interest Assessment (LIA)

Fraud detection and prevention falls under legitimate interest (GDPR Recital 47). Processed data is kept to a minimum, no sensitive personal data is processed, and data is automatically deleted after 90 days. A detailed assessment is available upon request.

5. Cookies and Tracking Technologies

Cookies are small text files placed on your device by your browser when you visit a website. In addition to essential cookies required for site functionality, our website uses analytics cookies to help us improve service quality. You can decline or delete these cookies through your browser settings at any time.

Cookie Type Category Purpose
Session cookie Essential Session management and authentication
Security cookie Essential Form security and cross-site attack protection
Preference cookie Functional "Remember Me" feature (only when enabled)
Consent cookie Essential Cookie preference storage
PostHog (analytics) Analytics Page view and feature usage statistics

About our click fraud protection on client websites: Solely to detect and prevent fraudulent clicks, this protection may store limited technical data on the visitor's device:

  • Device-recognition cookie: To count repeat ad clicks from the same device (even when its IP address changes), a first-party cookie holding a random, pseudonymous identifier is set on the client's domain. It lasts about 90 days and is renewed on each ad visit; a device not seen for 90 days is forgotten. It does not identify the person.
  • Block cookie: If blocking mode is enabled and a visit is found suspicious, a signed, short-lived (approximately 30 minutes) first-party cookie is set on the client's domain. Its purpose is to keep the same device blocked for a short period even if its IP address changes.
  • Local storage markers: Technical markers stored in the browser to detect suspicious click behavior (click timestamps from the last hour and a suspicious-behavior flag).

This data is first-party and used only for fraud prevention; it is not used for marketing, profiling, or cross-site tracking. For this processing, our client (the advertiser) is the data controller and Bütçe Gardiyanı is the data processor.

Third-Party Cookies

Our website uses CDN and security services. These service providers may set their own cookies for bot protection and security purposes.

Managing Cookies

You can manage cookies through your browser settings:

  • View and delete existing cookies
  • Block all or third-party cookies
  • Clear all cookies when you close the browser

Warning: Disabling essential cookies may prevent our website from functioning properly. Login and security features require cookies.

6. Data Sharing

We do not sell your personal information. To provide our services, we may share data with certain service providers. These include advertising platform integration, authentication service (Google Sign-In), payment processing service, instant notification service, email delivery service, CDN/security services, and server hosting.

For the current list of our sub-processors, please visit the Sub-processors page.

Legal Requirements

We may disclose personal information when required by law, court order, or government request.

7. International Data Transfer

To provide our services, your personal data may be transferred to countries outside the EU/EEA. Our server infrastructure is hosted on servers located within the European Union.

For transfers outside the EU/EEA:

  • All providers are subject to Standard Contractual Clauses (SCCs, 2021/914/EU) approved by the European Commission or equivalent safeguards
  • Your data is only transferred for fraud protection and service delivery purposes

For a detailed list of providers involved in data transfers, please visit the Sub-processors page.

8. Data Retention

Data Category Retention Period Deletion Method Legal Basis
Visitor logs 90 days Automatic (daily) Legitimate interest
Suspicious IP records 90 days (if no active block) Automatic Legitimate interest
Device/browser information 90 days Automatic Legitimate interest
Device-recognition cookie (on visitor's device) ~90 days (renewed each visit; expires if unseen) Automatic Legitimate interest
Block cookie (on visitor's device) ~30 minutes (automatic on expiry) Automatic Legitimate interest
Blocked device records Until the customer removes the block Manual (customer) Legitimate interest
Email verification codes Until verification is completed (unverified accounts are automatically deleted) Automatic Contract
Account information Account active + 2 years Manual/automatic Contract
Contact form (completed) 2 years Automatic Pre-contractual
Invoice/payment records 10 years Retention required Legal obligation
Refund records (amount, refund method, IP address, status) 10 years Retention required Legal obligation (VUK/TTK)
Agreement acceptance records 3 years Retention required Legal obligation (Distance Contracts Regulation Art. 20)
Payment token information Duration of active subscription Automatically deleted upon refund or when account is deleted Contract
Server log files 2 years Automatic Legal obligation (Law No. 5651)
Cookie data Per cookie duration Automatic ePrivacy

Automatic deletion is performed by a daily scheduled task. All deletion operations are logged in accordance with applicable data protection regulations, and these logs are retained for a minimum of 3 years.

9. Security Measures

We implement industry-standard technical and organizational measures to protect your personal data:

  • Encryption: Industry-standard encryption methods for password protection and strong encryption standards for data encryption
  • Transit Security: All data communications are transmitted over encrypted connections
  • Session Security: Secure session management
  • Form Security: Security verification for all form submissions
  • Access Control: Role-based authorization
  • Network Security: Automated attack detection and prevention systems

Data Breach Notification

In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours in accordance with GDPR Article 33.

10. Automated Decision Making

Our service uses automated decision-making mechanisms for the purpose of fraud detection.

Evaluated Parameters

  • IP addresses, device/browser information, and visitor behavior patterns are analyzed according to detection rules
  • Automated traffic detection mechanisms evaluate bot signals
  • Visit frequency, behavioral analysis, and IP history are examined
  • IP addresses flagged as suspicious are automatically excluded from Google Ads campaigns
  • A device the customer has blocked cannot access the site while the WordPress plugin is in blocking mode (until the block is removed)

This automated assessment is based solely on technical parameters and does not aim to create individual profiles.

Under GDPR Article 22, you have the right to contest automated decisions, request human intervention, and express your point of view.

Contact: [email protected]

11. Your Privacy Rights

Under GDPR (Articles 15-22):

  • Right of Access (Art. 15): Request a copy of your personal data
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete data
  • Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing (Art. 18): Limit how we use your data
  • Right to Data Portability (Art. 20): Receive your data in a structured format
  • Right to Object (Art. 21): Object to processing based on legitimate interests

Under KVKK (Article 11):

Turkish residents also have the right to learn whether their data has been processed, request information about processing activities, learn the purpose of processing, know the third parties to whom data has been transferred, request correction of incomplete or inaccurate data, request deletion, and claim compensation for damages.

To exercise your rights, contact us at [email protected]. We will respond within 30 days.

Supervisory Authorities

  • Turkey: KVKK (Personal Data Protection Authority)
  • EU: Your local Data Protection Authority

13. Data Breach Notification

In accordance with GDPR Articles 33 and 34:

  • The relevant supervisory authority will be notified within 72 hours of becoming aware of a breach
  • If the breach is likely to result in high risk to your rights, you will be notified without undue delay

Notification Process

  • 1. Bütçe Gardiyanı (Processor) → Customer (Data Controller): Notification within 48 hours
  • 2. Customer (Data Controller) → Supervisory Authority: Notification within 72 hours (GDPR Art. 33)
  • 3. Customer → Affected Data Subjects: Without undue delay in case of high risk (GDPR Art. 34)

14. Changes to This Policy

We may update this policy. Material changes will be announced at least 30 days before they take effect.

15. Contact

Data Controller

Aykete Digital

Bilecik, Turkey

Email: [email protected]

Related Documents