Personal Data Protection
Personal Data Protection Law (KVKK) Information Text
04.01.2026
This Privacy Notice is provided in accordance with the Law No. 6698 on the Protection of Personal Data (KVKK) and related legislation. This document has been prepared to provide transparency regarding the processing of personal data of users of our platform (website, mobile application, and widget) operating at www.yoursizer.com. As the data controller, we provide you with detailed information below regarding the purposes and methods of collection of your personal data, to whom it is transferred, and your rights.
IDENTITY OF THE DATA CONTROLLER
| Trade Name | YOURSIZER TECHNOLOGIES |
|---|---|
| No sinking | 10274536334 |
| Address | Adnan Kahveci Neighborhood, Ottoman Street. NO: 36 İÇ KAPI NO: 64 BEYLİKDÜZÜ/ ISTANBUL |
| Email | contact@yoursizer.com |
As the data controller, we are responsible for determining the purposes and means of processing your personal data, and for establishing and managing the data recording system. In accordance with Article 10/a of the KVKK (Law on Protection of Personal Data), this information clearly identifies the data controller and serves as the notification address in legal proceedings.
YOUR PERSONAL DATA PROCESSED AND COLLECTION METHODS
Our platform collects your personal data in various categories to provide you with the most accurate size recommendations and a personalized experience. This data falls under three main categories: information obtained directly from you, data derived during your use of our services, and data collected automatically. Our data collection methods are carried out through our website, mobile applications, and integrated widgets.
1. Data Provided Directly by You: This category includes information you provide directly to us when you begin using our services or when contacting us.
- Account Registration Information (A1): Basic information such as your name, surname, email address, age, and gender is collected to help you create a membership and manage your account on our platform. This data is critical for us to communicate with you, personalize services, and provide services tailored specifically to you.
- Body Measurements (Biometric Data) (A2): Your physical measurements, such as height, leg length, waist circumference, and shoulder width, are collected to enable us to provide our size recommendation service, which is a core function of our platform. These measurements are considered "biometric data" under Article 6 of the Personal Data Protection Law and are special categories of personal data that uniquely identify your body shape. *In collecting this data, the focus is solely on the minimum set of measurements necessary for size recommendations, and raw images (photos, videos, depth data, etc.) are not permanently stored. Even when features such as camera-based scanning are offered, raw data is only processed temporarily and for the specific purpose of producing measurements/3D representations; it is not permanently stored.*
- Payment Information (A3): When you use the paid portions of our services, we collect limited payment information, such as the last four digits of your card and your billing address, to process your payment. Your full card information is processed directly by our payment service provider for your security and is not stored by us.
- Communication and Support Requests (A4): When you use our customer support services or contact us about any matter, the content of your request and the personal data you share in this context (e.g., details of your problem, screenshots, etc.) are collected. This data is processed to effectively manage your requests and provide you with the best support.
- Contact Form Data (A5): When you contact us through the contact forms on our website, we collect your name, surname, email address, and optionally your phone number, along with the content of your message. This data is used to respond to your communication requests and get back to you.
2. Derived Data: This category includes data generated by our algorithms from the data you provide, but which can still be linked to you.
- 3D Body Avatar (B1): Based on the body measurements you provide, a personalized "digital 3D avatar" is created for you. This avatar is a unique digital representation formed by processing your biometric data. The primary purpose of the avatar is to provide personalized body size suggestions and fulfill the core function of our platform. These avatars are also used in anonymous and aggregate research and algorithm improvement processes. *If any future developments such as changes/customizations to the face portion of the model are considered, the raw data related to the face will only be evaluated with explicit information and consent, with the minimum possible amount of data, and preferably without permanent storage (with temporary processing or on-device processing priority).*
- Size Recommendations (B2): Your 3D avatar is compared with brand size data to generate personalized size recommendations. These recommendations are provided to facilitate your shopping experience and help you find the right size.
- Possible Inferences / Profiling (B3): Our system can make inferences such as "body shape types" when generating body size recommendations and can perform profiling activities in this process. Aware of this, we aim for high transparency in our data processing activities and take all necessary measures to protect the rights of data subjects. The principle of "processing for specific, explicit and legitimate purposes" as stated in Article 4 of the KVKK (Personal Data Protection Law) is our fundamental guide in this process.
3. Data Collected Automatically (Usage Data and Cookies): When you use our services or visit our website, certain technical and usage data is automatically collected.
- Device and Connection Information (C1): Information such as your IP address, browser type and version, device type, operating system, language preferences, and access timestamps is automatically recorded to ensure the security of our services, optimize their performance, and improve the user experience.
- Usage Data (C2): Usage data, such as the pages you visit, the time you spend on our platform, the items you click on, and your in-service preferences, is collected to understand how you use our services and to provide you with a better experience.
- Cookies and Similar Technologies (C3): Our website and applications use cookies and similar technologies. These technologies are used for purposes such as remembering your preferences, session management, performance analysis, personalized content delivery, and measuring the effectiveness of advertising campaigns. For detailed information, please see our cookie policy, which you can reach at yoursizer.com/cookie policy.
All this data is collected and processed within the framework of the principles stated in Article 4 of the KVKK (Law on Protection of Personal Data), namely "compliance with the law and rules of fairness," "processing for specific, explicit and legitimate purposes," and "being relevant, limited and proportionate to the purpose for which they are processed."
PURPOSES OF PROCESSING PERSONAL DATA
Your personal data collected by our platform is processed in accordance with the general principles stated in Article 4 of the KVKK (Law on Protection of Personal Data), for the specific, explicit and legitimate purposes detailed below:
- Account Management and Communication: Your personal data is processed for the purposes of creating, managing, and updating your user accounts, providing information about services, offering technical support, and answering your questions. This is necessary for the establishment and fulfillment of the contractual relationship between you and our platform.
- 3D Avatar Creation and Body Size Suggestion (Core Function): To provide personalized size recommendations, which is the core function of our platform, we aim to generate a digital 3D avatar from your body measurements and compare this avatar with brand size data to create the most suitable size recommendations for you. This process forms the essence of our services and requires the processing of biometric data you provide.
- Algorithm Improvement and Anonymous/Aggregate Research: To continuously improve our service quality, develop our body size recommendation algorithms, and train our machine learning models, your personal data is used in an anonymized or pseudonymized form. This includes body measurements/ratios, parameters derived from these measurements for 3D body representation, body size recommendation outputs, and anonymous usage/performance signals for verification purposes (e.g., accuracy feedback on the recommendation, in-session error/success metrics). This process is free from directly identifying information and is based on our legitimate interest in maintaining the innovative nature of our platform. *If a development is implemented in the future that allows for changes to the facial portion of the model, facial-related data will only be included in training processes to the extent necessary, in a discrete dataset, and with explicit consent/information updates.*
- Payment and Billing Processes: When you use our paid services, your payment information is processed to ensure secure payment transactions, manage billing processes, and fulfill related financial obligations.
- Support Processes: Your personal data relating to communication and support requests is processed in order to receive, evaluate, resolve, and provide feedback on your support requests.
- Security, Performance, User Experience, and Behavioral Analysis: Your device, connection, and usage data are processed to ensure the security of our platform, prevent malicious use, optimize its technical performance, continuously improve the user experience, and tailor our services to your needs by analyzing your usage habits. This analysis is conducted within our legitimate interests to maintain and improve the operation of our platform.
- Analytical Value Proposition for Brands (Fit-Related Analytics / Data-Driven Insights): For the brands and retailers we integrate with, we offer "fit-related analytics" and "data-driven insights" based on anonymized and/or pseudonymized data. These analyses help brands optimize processes such as product development and inventory management, and are conducted using aggregated and statistical data without directly disclosing your identity. Behavioral data used for this purpose is collected via cookies and pixels, and store customers are informed (in compliance with the merchant's own GDPR texts).
All these processing purposes have been determined in accordance with the principle of "processing for specific, explicit and legitimate purposes" set forth in Article 4 of the KVKK (Law on Protection of Personal Data).
LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
The processing of your personal data is based on the legal grounds specified in Articles 5 and 6 of the Law No. 6698 on the Protection of Personal Data (KVKK). The appropriate legal basis for each data category and processing purpose has been meticulously determined:
- Explicit Consent (KVKK Article 5/1, Article 6/3-a):
  - In particular, the processing of your special categories of personal data, namely your body measurements (biometric data) and the 3D avatar derived from them, is carried out on the basis of your explicit consent in accordance with Article 6 of the KVKK (Law on Protection of Personal Data). This consent is obtained in relation to a specific matter, is based on being informed, and is given freely. You have the right to withdraw this consent at any time.
  - For additional uses, such as marketing or personalized campaign notifications, separate explicit consent is also required. *According to Article 5 of the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, in transactions based on the condition of explicit consent, the obligation to inform and the process of obtaining explicit consent are carried out separately.*
- Establishment or Performance of the Contract (KVKK Article 5/2-c): The processing of your account registration information (name, surname, email, etc.), the creation of 3D avatars, and the provision of core platform services such as personalized size recommendations are based on the legal ground of being directly related to the establishment and performance of the service contract between you and us. Without this data, our platform cannot perform its basic functions.
- Fulfillment of Legal Obligation (KVKK Article 5/2-c): The processing (to a limited extent) of your payment information and the management of billing processes are carried out because they are mandatory for the data controller to fulfill its legal obligations under tax regulations and other relevant legal provisions. Furthermore, fulfilling legal requests from official authorities is also included within this scope.
- Legitimate Interest (KVKK Article 5/2-f): Activities such as ensuring the security of our platform, preventing fraud, improving our services, conducting algorithm optimization studies (using anonymized/pseudonymized data), personalizing user experience, and performing behavioral analysis are based on the legal ground that data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. In these processes, utmost care is taken to adhere to the principle of data minimization (KVKK Article 4/2-ç) and to balance the rights and interests of the data owner.
- Establishment, Exercise, or Protection of a Right (KVKK Article 5/2-e): If necessary for potential legal disputes, legal proceedings, or the protection of our rights, your personal data may be collected on the legal ground that data processing is necessary for the establishment, exercise or protection of a right.
The general principles stated in Article 4 of the KVKK (Law on Protection of Personal Data) (compliance with the law and rules of honesty, accuracy and timeliness when necessary, processing for specific, explicit and legitimate purposes, being relevant, limited and proportionate to the purpose, and retention for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed) are always adhered to.
TO WHOM AND FOR WHAT PURPOSE THE PROCESSED PERSONAL DATA MAY BE TRANSFERRED
Your personal data may be transferred to certain third parties within the framework of the conditions specified in Articles 8 and 9 of the KVKK (Law on Protection of Personal Data) and limited to the purposes described below. We take utmost care to uphold data security and confidentiality principles in our data transfer processes.
1. Domestic Transfers:
- Service Providers: Your personal data may be transferred to our business partners who act as data processors, such as companies providing the technical infrastructure of our platform, hosting, software development, and security services, in order to provide these services. These transfers are carried out to fulfill our contractual obligations and within the scope of our legitimate interests.
- Payment Service Providers: Your limited payment information is shared with payment service providers who manage the payment processes for our paid services, in order to ensure that payment transactions are completed securely.
- Authorized Public Institutions and Organizations: Your personal data may be transferred to relevant public institutions and organizations in order to fulfill a legal obligation or at the request of authorized judicial/administrative authorities.
2. International Transfers:
- Cloud Infrastructure Providers: Our platform's data storage and processing infrastructure is provided through international cloud service providers. In this case, your personal data may be transferred to these providers located abroad. These international transfers are carried out in accordance with Article 9 of the KVKK (Law on Protection of Personal Data) and the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, to countries with adequacy decisions or where sufficient safeguards (standard contracts, binding corporate rules, undertakings, etc.) are provided. *Particularly in transfers to cloud infrastructure providers, standard contracts or undertakings announced by the Board are used, and the technical and administrative measures to be taken by the data recipient are secured by these contracts.*
- Sharing with Brands/Retailers: Data sharing with the brands and retailers we integrate with is only permitted if our algorithm is used on the relevant brand's own channel (web/app) and is limited to the purposes defined in the contract. Data that may be shared in this context does not contain directly identifying information (name, email, phone, etc.). Examples of such data are the pseudonymized user ID/token, the minimum size/measurement parameters required to generate the size recommendation or the technical parameters of the 3D body representation derived from these, and the size recommendation outputs. *This data is not shared with other brands; it is only provided to the relevant brand with which the integration is being made.* To prevent re-identification, our contracts include a prohibition of re-identification and of merging with different datasets, together with technical and administrative measures such as data minimization, encryption during transmission and storage, role-based access, and logging. Requiring written consent for the use of sub-processors and applying the same obligations to them are also among these measures. *If a future development regarding the model's facial features becomes necessary, facial data will, as a rule, not be included in the scope of sharing with the brand/retailer; if an exceptional need arises, this will only be evaluated with explicit consent and a separate/additional protocol, subject to much stricter minimization and security measures.*
In all data transfer processes, the principle of "being relevant, limited and proportionate to the purpose for which they are processed" as stated in Article 4 of the KVKK (Personal Data Protection Law) is taken as the basis, and all necessary technical and administrative measures are taken to ensure the security of the transferred data.
STORAGE AND DESTRUCTION OF PERSONAL DATA
Your personal data is retained for the duration required by our processing purposes and for the statutory retention periods stipulated in the relevant legislation. If the processing purpose ceases to exist or the statutory retention period expires, your data will be securely deleted, destroyed, or anonymized in accordance with the provisions of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.
1. Storage Times:
- Account Information: Your account registration information, such as name, surname, and email address, is stored for as long as your membership on the platform remains active. Upon termination of your membership, and without prejudice to legal obligations, this data will be deleted or anonymized.
- Body Measurements and 3D Avatar: Your body measurements and the resulting 3D avatar are stored for as long as you continue to use the platform service and require personalized size recommendations. If you withdraw your explicit consent after using the service, or if you request its deletion, this data will be securely destroyed.
- Payment and Billing Data: Your data regarding payment and billing processes is stored for the periods foreseen in the relevant legal regulations, for example tax legislation (usually 5 to 10 years).
- Contact and Support Requests: Data relating to your support requests may be stored for a certain period (e.g., 2 years) from the date the request is finalized, for the purpose of potential disputes or service quality audits.
- Device, Connection and Usage Data: This automatically collected data is stored for as long as it is necessary for the security, performance, and analysis of the service (typically 6 months to 2 years).
- Backups: Backups of collected personal data (especially biometric data and usage/log data) are stored for limited periods to ensure business continuity and data integrity. As a general practice, backups of biometric data sets are kept on a short-cycle basis (e.g., daily/weekly rotation) for between 30 and 90 days. Backups of usage/log data are similarly kept for between 30 and 180 days, adjusted according to operational needs; these periods are reviewed periodically based on the infrastructure used and risk assessment. *Backup retention periods are determined according to the "minimum requirement" principle, so as not to exceed retention periods in the live system.*
- Legal Obligations: In situations where legal obligations need to be fulfilled (e.g., legal investigations, litigation processes), the relevant data may be stored for longer periods than legally mandated.
2. Disposal Methods: The methods specified in the Regulation on the Deletion, Destruction or Anonymization of Personal Data are used in the processes of deleting, destroying or anonymizing personal data.
- Secure Erase: Deletion is the process of rendering personal data completely inaccessible and unusable for the relevant users. This is achieved through methods such as deleting data and overwriting it with other data through software.
- Cryptographic Destruction: This is the process of rendering encrypted data unreadable and unusable by irreversibly destroying its encryption keys. This method is particularly used for encrypted backups.
- Anonymization: Personal data is processed in such a way that it cannot be linked to an identified or identifiable natural person, even when combined with other data. This method is particularly preferred for data used for algorithm development and batch research purposes. Techniques such as aggregation, range splitting/bucketing, noise injection, and the use of only the "minimum set of variables necessary for training" are employed.
- Physical Destruction: This is the irreversible destruction of physical media containing data (hard disk, CD, etc.).
For data used in model training, this policy is applied if it is possible to remove the deleted user's data from the model, and the dataset is tracked through versioning processes. *When destroying backups, methods such as automatic rotation for deletion when the backup period expires and irreversible anonymization when necessary are applied.* If facial data of the model is processed in the future, even if this data is included in the backup, it will be managed with shorter retention cycles, separate access restrictions, and additional security controls.
RIGHTS OF THE DATA SUBJECT (Personal Data Protection Law, Article 11)
As a data subject, you have the following rights pursuant to Article 11 of the Law No. 6698 on the Protection of Personal Data:
- To learn whether your personal data is being processed,
- To request information regarding the processing of personal data,
- To learn the purpose of processing personal data and whether it is being used appropriately for that purpose,
- To know the third parties to whom personal data is transferred, whether domestically or internationally,
- To request the correction of personal data if it has been processed incompletely or inaccurately,
- To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVKK (Law on Protection of Personal Data),
- To request that the actions taken pursuant to clauses (d) and (e) be notified to third parties to whom personal data has been transferred,
- To object to an outcome that is detrimental to oneself, resulting from the analysis of processed data exclusively through automated systems,
- To claim compensation for damages incurred as a result of the unlawful processing of personal data.
To exercise these rights, you can submit your applications in writing or via registered electronic mail (KEP) using a secure electronic signature, mobile signature, or the email address you previously provided and registered in our system to contact@yoursizer.com, in accordance with the "Notification on the Procedures and Principles for Applications to the Data Controller". In your application, you must clearly state your identity verification information and the matters you are requesting. Your applications will be processed free of charge within a maximum of thirty days. However, if the process requires additional costs, a fee may be charged according to the tariff determined by the Personal Data Protection Board.
DATA SECURITY MEASURES
As the data controller, we take all necessary technical and administrative measures in accordance with Article 12 of the KVKK (Law on Protection of Personal Data) to ensure the security of your personal data. These measures aim to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data.
1. Technical Measures:
- Encryption: Your personal data is protected using strong encryption algorithms, especially during transmission and storage.
- Role-Based Access Control (RBAC): Access to sensitive data, including biometric data, is restricted to authorized personnel only, and each employee is granted access based on a minimum authorization principle appropriate to their job description (least privilege).
- Multi-Factor Authentication (MFA): Multi-factor authentication methods are used for accessing sensitive systems and data.
- Firewalls and Intrusion Detection Systems (IDS/IPS): Network security is ensured through up-to-date firewalls and intrusion detection/prevention systems.
- Penetration Testing and Security Audits: Our systems undergo regular penetration testing and security audits to identify and address potential vulnerabilities.
- Data Masking/Anonymization: In algorithm development and testing environments, masked or anonymized data is used instead of real personal data.
2. Administrative Measures:
- Data Minimization: The principle that only the minimum necessary measurements are taken for the provision of the service is adopted. A separate information and explicit consent process is implemented for optional data. *Optional data generally includes additional body measurements/ratios (e.g., shoulder width, arm length, inseam, neck circumference), fit preference (slim/regular/loose), clothing usage habits/feedback (recommendation satisfaction, return reason, etc.), and technical usage preferences (language, interface settings) aimed at improving the accuracy of the recommendation or enhancing the user experience. This data is not mandatory, is clearly marked as "optional" if possible, and the basic functionality of the service continues even if the user does not provide it.*
- Education and Awareness: All our employees receive regular training on personal data protection and data security, and their awareness levels are increased.
- Privacy Agreements: Confidentiality agreements are signed with all our employees and business partners who have access to personal data.
- Control: Our data processing activities and security measures are regularly audited and improved.
- Contracts with Data Processors: Our contracts with data processors clearly state our data security obligations and responsibilities in accordance with the provisions of the Turkish Personal Data Protection Law (KVKK).
Our platform takes the utmost care in protecting your personal data and continuously works to ensure full compliance with legal regulations.