Privacy Policy
1. Data Controller
This Policy has been prepared by Meetverse as the data controller in accordance with Article 10 of the Turkish Personal Data Protection Law No. 6698 ("DPL"), the Communiqué on Procedures and Principles for Fulfilling the Obligation to Inform, and (for users in the EEA) the EU General Data Protection Regulation ("GDPR").
| Data Controller | Meetverse |
| Tax Office / Tax ID | Yakacık T.O. / 9520868950 |
| Address | Yakacık Çarşı Mahallesi, Akra Sokak No: 8/A, 34876 Kartal / Istanbul, Türkiye |
| Phone | +90 (539) 946 62 58 |
| Data Protection E-mail | kvkk@meetverse.org |
| General Support | destek@meetverse.org |
2. Categories of Personal Data Processed
2.1. Identity Data
First name, last name, username, date of birth, gender, profile picture.
2.2. Contact Data
E-mail address, phone number, billing/shipping address, country, approximate location derived from IP.
2.3. Account and Security Data
Hashed password, registration date, session information (token, IP, user-agent), device information (model, operating system, version), push notification token (FCM), language preference, application version, traffic information under Article 5 of Law No. 5651.
2.4. Financial Data
- Card data: Stored in PCI-DSS certified PayTR / iyzico infrastructure; Meetverse does not store the full card number (PAN), expiry date or CVV.
- Saved-card preference is held only via the tokenization of the payment institution.
- Invoice information (national ID or tax ID, tax office, billing address), payment history, refund records, BIN, installment data.
2.5. Transaction and Usage Data
Viewed events, purchased tickets, favorites, follow lists, search/filter preferences, messaging content, review records, course progress data.
2.6. Content Data
Event information, images, videos, course materials, certificate requests, message content, stories and posts uploaded by the User.
2.7. Location Data
- Approximate location: Estimated city/country derived from IP (default).
- Precise location: Obtained from the device's GPS only with the user's explicit consent for purposes such as nearby event recommendations, map display and event location verification. The setting may be revoked at any time.
2.8. Host/Creator Verification (KYC) Data
- Natural persons: National ID, identity document image, selfie/facial verification (via Didit), IBAN, tax status information.
- Legal entities: Trade registry document, tax certificate, signature circular, identity details of the authorized representative.
2.9. Video Call / Live Event Data
For WebRTC calls, media streams are transmitted peer-to-peer; signaling data (room ID, ICE information) is processed. Audio/video recordings are made only when the Host explicitly starts recording and notifies the participants.
2.10. AI Processing Data
User content may be transmitted to AI providers for translation, transcription (OpenAI Whisper), content moderation and recommendation systems. Principles of this processing are set out in Section 10.
3. Purposes of Processing
- Membership registration, identity verification and account management,
- Provision of platform services (events, reservations, payments, messaging, video calls, transcription),
- Performance of contractual and statutory obligations (invoicing, tax, Law No. 5651 log retention),
- Customer support and complaint management,
- Security, fraud prevention and abuse mitigation,
- KYC (Didit integration),
- Measuring service quality, statistics and analytics (Firebase, Sentry),
- Marketing and commercial electronic messages with consent (Law No. 6563 + İYS),
- Compliance with legal obligations and competent authority requests.
4. Legal Bases for Processing
Pursuant to DPL Art. 5/2 and Art. 6/3 (and GDPR Art. 6/9 where applicable):
| Legal Basis | Example Processing |
|---|---|
| Necessary for the conclusion or performance of a contract (DPL 5/2-c, GDPR 6/1-b) | Membership, reservation, payment |
| Compliance with a legal obligation (DPL 5/2-ç, GDPR 6/1-c) | Invoicing, tax, Law No. 5651, Law No. 6563 |
| Legitimate interests without prejudice to the data subject's fundamental rights (DPL 5/2-f, GDPR 6/1-f) | Fraud prevention, security, service improvement |
| Establishment, exercise or defense of a right (DPL 5/2-e, GDPR 6/1-f) | Dispute resolution, legal proceedings |
| Explicit consent (DPL 5/1, GDPR 6/1-a) | Marketing communications, precise location, AI-driven personalization |
| Explicit consent for special category data (DPL 6/2, GDPR 9/2-a) | Biometric data within KYC (Didit) |
5. Data Transfers
5.1. Domestic Transfers (DPL Art. 8)
- Payment institutions: PayTR Ödeme ve Elektronik Para Hizmetleri A.Ş. and/or iyzico Ödeme Hizmetleri A.Ş. — card transactions, BKM Express, installments, 3DSv2.
- E-invoice integrators: Authorized private integrators designated by tax legislation.
- Cloud service providers: Domestic certified data centers (where applicable).
- Legal counsel, independent auditors and, where required, competent public authorities.
5.2. International Transfers (DPL Art. 9 — 10 July 2024 Regulation; GDPR Chapter V)
Limited data is transferred internationally to the following recipients:
| Recipient | Country | Purpose | Transfer Mechanism |
|---|---|---|---|
| AWS (S3, CloudFront, Secrets Manager) | USA / Ireland | Cloud infrastructure, media storage, CDN | Standard Contractual Clauses + appropriate safeguards |
| Google Firebase (FCM, Analytics, Crashlytics) | USA / EU | Push notifications, analytics | Standard Contractual Clauses |
| OpenAI / Whisper | USA | Transcription, translation | Standard Contractual Clauses + data minimization |
| Google Gemini | USA / EU | Content generation, translation | Standard Contractual Clauses |
| Sentry | USA / EU | Error tracking | Standard Contractual Clauses |
| Apple Sign-In | USA | SSO | Adequate protection commitment |
| Google Sign-In | USA | SSO | Standard Contractual Clauses |
Pursuant to the "Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad" published in the Official Gazette No. 32598 dated 10 July 2024, standard contracts have been notified to the Authority; additionally, explicit consent is obtained where required.
6. Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Membership data | Active membership + 3 years | Code of Obligations Art. 146 |
| Financial records, invoices | 10 years | Tax Procedure Law Art. 253, Commercial Code Art. 82 |
| Payment transaction records | 10 years | TPL + Law No. 6493 |
| Customer support and complaint records | 3 years | General limitation period |
| Traffic / access logs | Minimum 2 years | Law No. 5651 Art. 5/3 |
| KYC and verification documents | 10 years after termination of membership | MASAK + contractual evidentiary need |
| Marketing data processed on consent | Until consent is withdrawn | DPL + Law No. 6563 |
| Cookie data | Per cookie, max 13 months | ePrivacy / EDPB guidance |
| Anonymized data after account deletion | Indefinite (anonymous) | — |
7. Rights of the Data Subject (DPL Art. 11 / GDPR Arts. 15–22)
As a data subject, you have the right to:
- Learn whether your personal data is processed,
- Request information regarding the processing,
- Learn the purpose of processing and whether it is used for that purpose,
- Know the third parties to whom data is transferred domestically or internationally,
- Request correction of incomplete or inaccurate data,
- Request erasure or destruction subject to DPL Art. 7,
- Request notification of correction/erasure to the third parties to whom data has been transferred,
- Object to a result analyzed exclusively by automated systems that adversely affects you,
- Claim compensation for damages caused by unlawful processing.
Additionally, EEA-located users may exercise GDPR rights including data portability (Art. 20) and the right to withdraw consent at any time.
7.1. How to Apply
Under the Communiqué on Procedures and Principles for Application to the Data Controller:
- E-mail: kvkk@meetverse.org (from the e-mail registered in the system)
- Post: Yakacık Çarşı Mahallesi, Akra Sokak No: 8/A, 34876 Kartal / Istanbul (signed)
- In person or via notary public to the above address.
The application must include name, national ID (passport/nationality for foreign nationals), service address or e-mail, and the subject of the request.
Your application will be concluded free of charge within 30 days at the latest depending on the nature of the request. Where the process incurs additional costs, the fee schedule of the DPL Communiqué applies.
If Meetverse rejects the request, the response is deemed insufficient, or no response is given within 30 days, you may submit a complaint to the Personal Data Protection Authority (DPL Art. 14) or, where applicable, your local EEA supervisory authority.
8. Cookie Policy (Web)
| Cookie Type | Purpose | Consent Required? |
|---|---|---|
| Strictly necessary | Session management, security, CSRF | No |
| Performance/analytics | Visit statistics (Google Analytics etc.) | Yes (banner) |
| Functional | Language/theme preferences | Yes |
| Marketing | Targeted ads, retargeting | Yes (explicit consent) |
You can manage your cookie preferences at any time via the "Cookie Preferences" link in the site footer or through your browser settings.
9. Mobile Application Data Processing
9.1. App Tracking Transparency (iOS)
On iOS 14.5+ devices, explicit consent is required for IDFA. Without consent, only anonymous aggregated measurement is performed. The setting can be changed at any time under iOS Settings > Privacy & Security > Tracking.
9.2. Apple App Privacy (App Store) — Declared Categories
Identity (e-mail, name, username, photo), Contact (e-mail, phone), User Content (messages, photos, event content), Identifiers (user/device ID), Usage Data, Diagnostics (crash/performance), Purchases.
9.3. Google Play Data Safety (Android) — Declared Purposes
App functionality, account management, developer communications, advertising/marketing (with consent), analytics, fraud prevention.
9.4. Third-Party SDKs and Services
| Service | Provider | Purpose | Data |
|---|---|---|---|
| Firebase Cloud Messaging | Google | Push notifications | Device token, user ID |
| Firebase Analytics / Crashlytics | Google | Usage analytics, crash | Anonymous events, device, stack trace |
| Sentry | Sentry | Error tracking | Stack trace, user ID |
| PayTR / iyzico | PayTR / iyzico | Payment infrastructure (PCI-DSS) | Card data, BIN, IP |
| AWS S3 / CloudFront | Amazon | Media storage / distribution | User content, IDs |
| OpenAI / Whisper | OpenAI | Transcription, translation | Content (anonymized where possible) |
| Google Gemini | Google | Content / translation | Content (anonymized where possible) |
| Didit | Didit | KYC identity verification | ID document, biometric |
| Google Sign-In | Google | SSO | E-mail, name |
| Apple Sign-In | Apple | SSO | E-mail (relay), name |
| react-native-webrtc | WebRTC | Video calls (P2P) | Media streams, ICE |
9.5. Easy Account Deletion (Apple 5.1.1(v) / Google Play)
- In-app path: Profile > Settings > Delete My Account
- Web: https://meetverse.org/delete-account
- Deletion time: 30 days (except data subject to legal retention)
- The action is irreversible.
9.6. Apple Sign-In E-mail Relay
Users signing in with Apple may provide an Apple-assigned relay e-mail address; this preference is respected under DPL/GDPR.
9.7. Not Intended for Children
Meetverse is intended for users aged 18 and over; no data is knowingly collected from users under 13 (COPPA compliance). Where detected, the account is closed and data is deleted.
10. AI and Automated Decision-Making
- AI-powered recommendation systems, ranking, content moderation and transcription may amount to profiling.
- Under DPL Art. 11/1-g and GDPR Art. 22, you may object to decisions taken solely by automated means producing legal effects on you. Important decisions (account closure, refund denial, etc.) are finalized subject to human review.
- Data transferred to AI services is kept to the minimum necessary for the service and is anonymized where possible.
11. Data Security
Technical and organizational measures (DPL Art. 12):
- In transit: TLS 1.2+, HSTS,
- At rest: AES-256, field-level encryption, bcrypt password hashing,
- Access: Role-based access control (RBAC), 2FA, least privilege principle,
- Logging: Audit logs, anomaly detection, IP rate limiting,
- Operations: Regular penetration tests, vulnerability scanning, backup and disaster recovery (DR), DPIA, third-party risk audits,
- People: NDAs with employees and service providers, regular awareness training.
12. Data Breach Notification
Pursuant to DPL Art. 12/5 and Authority decisions (and GDPR Arts. 33–34 where applicable), in the event of a serious data breach, the Authority will be notified within the shortest time possible and at the latest within 72 hours, and affected data subjects will be informed via the fastest available channel.
13. Children
The Platform is intended for users aged 18+. Users under 18 may join with guardian consent; otherwise the account is closed and data is deleted.
14. Policy Changes
This Policy may be updated. Material changes will be announced at least 30 days in advance via e-mail and in-app notification. The current version is always published at https://meetverse.org/privacy.
15. Contact
- DPL Requests: kvkk@meetverse.org
- General Support: destek@meetverse.org
- Phone: +90 (539) 946 62 58
- Address: Yakacık Çarşı Mahallesi, Akra Sokak No: 8/A, 34876 Kartal / Istanbul, Türkiye