Roam Bébé Personal Data Protection and Privacy Policy (KVKK)
Domain: https://www.roambebe.com ("Site")
This Policy explains how Roam Bébé processes personal data in accordance with the Law on the Protection of Personal Data No. 6698 (KVKK). It complements our Privacy Notice and Cookie Policy.
- Definitions
Personal Data: Any information relating to an identified or identifiable natural person.
Special Category (Sensitive) Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion/sect or other beliefs, clothing and attire, association/foundation/union membership, health, sexual life, criminal convictions and security measures, biometric and genetic data.
Data Subject: Any natural person whose data are processed (customers, prospective customers, website visitors, suppliers’ employees, etc.).
Data Controller: The natural or legal person who determines the purposes and means of processing personal data. For data processed in Roam Bébé operations, the data controller is [Company Name].
Data Processor: Any person or entity processing personal data on behalf of the data controller (e.g., hosting, CRM, payment, logistics providers).
Processing: Any operation performed on data, such as obtaining, recording, storing, retaining, organizing, altering, transferring, disclosing, deleting or destroying.
- Method and Channels
As the data controller, we may collect personal and/or special category personal data by automated or non‑automated means via our website, mobile interfaces, account/checkout forms, cookies and similar technologies, email, call center, WhatsApp and other messaging tools, social media pages, delivery and return processes (including proof‑of‑handover photos where necessary), and integrations with payment, hosting, analytics, logistics and customer support providers.
- Collection, Processing and Purposes
We collect and process data to perform services such as rental and booking, delivery and installation, return and after‑sales support, invoicing and accounting, customer and product safety, customer communications, campaign notifications subject to consent, handling suggestions and complaints, improving service standards, conducting analytics and reporting, and determining and implementing our commercial and business strategies. Personal data are processed in line with the procedures and principles of the Law and this Policy.
- Fundamental Principles
Lawfulness and fairness: Data are processed in accordance with legal rules and good faith.
Accuracy and up‑to‑dateness: Reasonable steps are taken to ensure data accuracy and currency.
Purpose limitation: Data are processed for specific, explicit and legitimate purposes.
Data minimisation: Data are relevant, limited and proportionate to the purposes.
Storage limitation: Data are retained for the period required by law or for the purpose, then deleted, destroyed or anonymised.
- Legal Bases for Processing Personal Data
We do not process personal data without explicit consent unless one of the following legal bases applies: processing is clearly provided for by law; necessary to protect life or physical integrity where the data subject cannot give consent; directly related to the conclusion or performance of a contract; necessary to fulfil the controller’s legal obligation; the data have been made public by the data subject; necessary for the establishment, exercise or protection of a right; or necessary for the legitimate interests of the controller provided that fundamental rights and freedoms are not harmed.
- Special Category Personal Data
As a rule, we do not process special category personal data. If submitted for identity verification (e.g., old Turkish ID image), visible fields such as blood type or religion may be processed solely for verification and based on explicit consent. Special category data relating to health may only be processed by persons under confidentiality or authorised institutions for purposes explicitly permitted by law (e.g., incident reporting), with adequate safeguards defined by the Board.
- Cases Where Consent Is Not Required
Under Article 5/2 of the KVKK, personal data may be processed without explicit consent where any of the legal bases listed in Section 5 applies. Disclosures and transfers required to meet our legal obligations or to respond to lawful requests from competent authorities are carried out within the limits of the law and are not subject to additional consent.
- Transfer of Personal Data (Domestic and International)
Subject to appropriate confidentiality and security measures and limited to the stated purposes, data may be transferred to: hosting/infrastructure and security providers; software/CRM and customer support providers; payment service providers; logistics/delivery/installation and service partners; auditors, accountants, insurers and legal advisors; and competent public authorities and courts when required by law. International transfers may occur where hosting, backup, email or marketing infrastructures are located abroad and will be performed in accordance with Article 9 of the KVKK, based on explicit consent or other lawful mechanisms approved by the Personal Data Protection Board. Details will be aligned with our actual hosting footprint.
- Retention, Deletion, Destruction and Anonymisation
If a mandatory retention period is set by law, we comply with that period. Otherwise, personal data are retained for as long as necessary for the processing purpose in accordance with good faith and commercial customs. When the purpose ceases and/or the applicable period expires, data are deleted, destroyed or anonymised. If needed solely for the establishment, exercise or defence of legal claims, data may be retained for the statute‑of‑limitations period and are accessed only for that purpose.
- Information Obligation
At the time of data collection, we inform data subjects about the identity of the data controller and (if any) its representative, purposes of processing, recipients and purposes of transfer, method and legal grounds of collection, and their rights under the Law.
- Data Subject Rights and Application Procedure
Under Article 11 of the KVKK, you may request to learn whether data are processed, to obtain information, to learn processing purposes and whether used accordingly, to learn domestic/foreign recipients, to request correction, to request deletion or destruction under the law, to request notification of such actions to third parties, to object to results arising to your detriment from analysis exclusively by automated systems, and to claim compensation for damages. You may submit your applications:
• By email (with wet‑signed or registered attachment): [email protected]
• By post/notary: Antalya
Applications must comply with the Communiqué on the Procedures and Principles of Application to the Data Controller and include documents necessary for identity verification. Requests are concluded within 30 days depending on their nature. A fee may be charged in cases permitted by the Communiqué.
- Contact and Controller Details
Data Controller: AKG TEKNOLOJİ TURİZM TİCARET LİMİTED ŞİRKETİ
MERSIS No: 12345678901
Address: Antalya
Email: [email protected]
Changes: This Policy may be updated due to legal or operational needs and becomes effective upon publication on the Site.