Privacy Policy

Last Updated: April 10, 2025

1. INTRODUCTION

1.1 Controller Information

For the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Turkish Personal Data Protection Law No. 6698 (“KVKK”), and all other applicable data protection legislation, Alaattin Koral, trading as “Metkart” (hereinafter referred to as the “Controller”) is the designated controller of personal data collected and processed pursuant to this Privacy Notice.

Controller Details:

  • Name: Alaattin Koral
  • Address: YAKUPLU MAH. HÜRRİYET BLV. SKYPORT Skyport Residence NO: 1 İÇ KAPI NO: 151 BEYLİKDÜZÜ/İSTANBUL, TURKEY
  • Email: alaattin@metk.art
  • Telephone: +90 850 360 0031
  • Website: www.metk.art

1.2 Purpose and Scope

This Privacy Notice sets forth, in a transparent and comprehensive manner, the purposes and legal bases for which personal data obtained within the scope of services provided by the Controller is processed, the categories of personal data collected, the categories of recipients to whom such data may be disclosed, international data transfer mechanisms employed, data retention periods, technical and organizational security measures implemented, and the rights of data subjects together with the procedures for exercising such rights.

This Privacy Notice applies to all processing activities conducted by the Controller in relation to the provision of services through the website www.metk.art and other associated platforms, specifically pertaining to the design, manufacture, and delivery of customized metal cards to individual customers.

2. COLLECTION AND PROCESSING OF PERSONAL DATA

2.1 Categories of Personal Data Collected

The Controller collects and processes the following categories of personal data, with specific data elements listed under each category:

  • Identity information: Full name, passport number, national identification number;
  • Contact information: Physical address including country, city, postal code and street details, telephone number, email address;
  • Financial information: Bank account details, invoicing information, credit card information (limited to transaction processing and not stored beyond the requirements of payment processing);
  • Transaction information: Products purchased, order history, order specifications, pricing information, delivery arrangements;
  • Technical data: IP address, browser type and version, operating system, device information, cookies, usage data, time and date of website visits;
  • Communications data: Customer service inquiries, correspondence records, customer preferences, feedback information.

2.2 Special Categories of Personal Data

The Controller does not intentionally collect or process special categories of personal data as defined in Article 9 of the GDPR (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation) unless such processing is:

  • Explicitly consented to by the data subject for one or more specified purposes; or
  • Necessary for the establishment, exercise, or defense of legal claims; or
  • Otherwise permitted by applicable law.

2.3 Processing of Data for Metal Card Design

At the explicit request of our customers, and solely for cosmetic and aesthetic purposes in the design of metal cards, certain card information (card number, full name, expiration date) may be collected on the basis of explicit consent. The Controller hereby affirms that:

  1. Such information is transmitted through a secure form completed by the user, with explicit consent obtained through the affirmative action of checking the clearly labeled consent box at the bottom of the form;
  2. The accuracy of card information is not verified, validated, or required, and this data is never used for payment processing, financial verification, banking systems, or any purpose other than the purely cosmetic appearance of the metal card as explicitly requested by the customer;
  3. The relevant data is collected solely for use during the design process, and upon submission by the user, the data is encrypted in the user’s browser using RSA 4096-bit encryption before transmission to the Controller’s servers;
  4. The data is temporarily stored in encrypted form on the Controller’s servers located within the European Economic Area, specifically in Lithuania, with access restricted to a single authorized person within the company who may access the relevant account only with a secure cryptographic key;
  5. The data is permanently deleted after the order is delivered to the customer, and as an additional security measure, all data collected through the form is automatically purged from the Controller’s servers after 14 days from submission, regardless of order status.

All processing operations related to card design information are conducted in accordance with the GDPR, KVKK, and other applicable data protection legislation, implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia:

  • The pseudonymization and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

2.4 Design Data Transferred Outside the EEA

During the metal card design process, certain basic personal data that will appear on card designs (such as first and last name) is collected through a design editor provided by Kickflip, a third-party service provider based in Canada, a country for which the European Commission has not issued an adequacy decision pursuant to Article 45 of the GDPR.

The Controller hereby expressly confirms that payment information or sensitive financial data such as card numbers, CVV codes, and expiration dates are never collected during this process. Only text-based information related to visual design (name, surname, etc.) is processed through the system.

Such personal data is collected and transferred outside the EEA based on explicit consent obtained in accordance with Article 49(1)(a) of the GDPR, when the user checks the relevant consent box while completing the form, having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards. The data is processed solely for the purpose of creating the card design in the service provider’s system.

Notwithstanding the foregoing reliance on explicit consent, the Controller has implemented additional appropriate safeguards to ensure that data subjects’ rights and effective legal remedies remain available, including the execution of standard contractual clauses approved by the European Commission pursuant to Article 46(2)(c) of the GDPR with the aforementioned third-party service provider.

2.5 Website Infrastructure and Server Location

The Controller’s website is hosted on technical infrastructure provided by Hostinger International Ltd., and user data is stored on servers physically located in Lithuania, a Member State of the European Union and therefore within the European Economic Area (EEA).

Accordingly, personal data provided by data subjects while using the Controller’s website is processed on servers within the EEA, subject to the comprehensive protections afforded by the GDPR. Such processing occurs in full compliance with the requirements set forth in Chapter V of the GDPR regarding data transfers, and satisfies the conditions established in Article 44 thereof, as the processing takes place within a jurisdiction deemed to provide an adequate level of protection for personal data by virtue of its status as an EU Member State.

3. PURPOSES AND LEGAL BASES FOR PROCESSING PERSONAL DATA

3.1 Primary Processing Purposes and Legal Bases

The Controller processes personal data for the following purposes, each with its corresponding legal basis under Article 6 of the GDPR:

Purpose | Legal Basis
Fulfillment of contractual obligations regarding the provision of customized metal card products | Article 6(1)(b) – Processing necessary for the performance of a contract
Processing of electronic payment transactions | Article 6(1)(b) – Processing necessary for the performance of a contract
Management of shipping and delivery processes | Article 6(1)(b) – Processing necessary for the performance of a contract
Generation of invoices and maintenance of customer records | Article 6(1)(c) – Processing necessary for compliance with a legal obligation
Implementation of after-sales support processes | Article 6(1)(b) – Processing necessary for the performance of a contract
Analysis and improvement activities aimed at customer satisfaction | Article 6(1)(f) – Processing necessary for the purposes of legitimate interests
Compliance with financial, tax, and regulatory obligations | Article 6(1)(c) – Processing necessary for compliance with a legal obligation
Protection of the Controller’s legal interests and exercise or defense of legal claims | Article 6(1)(f) – Processing necessary for the purposes of legitimate interests

Where the Controller relies on legitimate interests as a legal basis for processing, a legitimate interest assessment has been conducted to ensure that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. Data subjects may request information about these assessments by contacting the Controller using the contact details provided in Section 8.

3.2 Marketing and Communication Purposes

Subject to obtaining explicit consent where required by applicable law pursuant to Article 6(1)(a) of the GDPR, the Controller may also process personal data for the following secondary purposes:

  • Advertising, promotional communications, and campaign notifications;
  • Organization of sweepstakes and promotional campaigns;
  • Targeted marketing activities and customer classification;
  • Improvement of website user experience;
  • Cookie analysis and traffic monitoring;
  • Market research and statistical analysis.

The Controller hereby affirms that for all processing activities conducted for marketing and communication purposes that rely on consent as the legal basis, such consent shall be:

  • Freely given, specific, informed, and unambiguous;
  • Expressed through a clear affirmative action;
  • Separately obtained for each distinct processing purpose;
  • As easy to withdraw as it is to give.

4. DISCLOSURE OF PERSONAL DATA

4.1 Categories of Recipients

The Controller may disclose personal data to the following categories of recipients, subject to appropriate contractual safeguards where applicable:

Recipient Category | Purpose of Disclosure | Data Categories Disclosed
Suppliers (card production, software, shipping, etc.) | Fulfillment of contractual obligations to the data subject | Identity, contact, and transaction information
Payment infrastructure providers | Processing of payment transactions | Financial information
Authorized public institutions and organizations | Compliance with legal obligations | As required by applicable law
Business partners | Service provision (only as relevant to the processing purpose) | As minimally necessary for the specific purpose
Professional advisors | Obtaining professional advice and services | As minimally necessary for the specific purpose
Law enforcement, regulatory bodies, and courts | Compliance with legal obligations or court orders | As legally required or ordered

The Controller ensures that all third-party recipients of personal data are subject to appropriate data protection obligations through contractual arrangements, including, where applicable, data processing agreements that comply with the requirements of Article 28 of the GDPR.

4.2 International Data Transfers

The Controller may transfer personal data outside the European Economic Area (EEA) only in strict accordance with the requirements set forth in Chapter V of the GDPR and Article 9 of KVKK, employing one or more of the following safeguards:

  • Transfers to countries, territories, or sectors within a country that are subject to an adequacy decision adopted by the European Commission pursuant to Article 45 of the GDPR;
  • Transfers subject to appropriate safeguards pursuant to Article 46 of the GDPR, including:
    • Standard contractual clauses approved by the European Commission;
    • Binding corporate rules approved in accordance with Article 47 of the GDPR;
    • An approved code of conduct pursuant to Article 40 of the GDPR together with binding and enforceable commitments of the recipient;
    • An approved certification mechanism pursuant to Article 42 of the GDPR together with binding and enforceable commitments of the recipient;
  • Transfers based on explicit consent pursuant to Article 49(1)(a) of the GDPR, after the data subject has been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards.

The Controller maintains a record of all categories of processing activities involving international data transfers, including documentation of the appropriate safeguard mechanism employed for each transfer.

4.3 Data Transfer via Communication Channels

To facilitate effective communication with customers, the Controller utilizes third-party platforms such as WhatsApp and Instagram. These messages are managed through Meta Inc. and SendPulse Inc., which operate on servers located outside the EEA.

In this context, the following personal data may be processed:

  • Full name;
  • Message contents;
  • Contact information (telephone, email, etc.).

Such data may be processed and stored on servers outside the EEA during communications conducted through these platforms. The Controller hereby affirms that:

  1. This data is used exclusively for the purpose of facilitating communication and fulfilling service requests and is not shared with other persons, institutions, or for other purposes;
  2. When a data subject initiates contact through these platforms, they are promptly informed that their personal data will be processed outside the EEA;
  3. Continued communication after receiving this notification constitutes explicit consent pursuant to Article 49(1)(a) of the GDPR and Article 9 of KVKK;
  4. The Controller has executed appropriate contractual safeguards with these service providers to the extent possible, including standard contractual clauses where applicable.

5. DATA RETENTION AND ERASURE POLICY

5.1 Retention Periods

The Controller processes and retains personal data only for the period necessary to fulfill the purposes for which it was collected, to satisfy legal and regulatory requirements, or to protect the Controller’s legitimate interests. Specific retention periods for categories of personal data are as follows:

Data Category | Retention Period | Justification
Order and invoice information | 10 years from transaction date | Compliance with tax legislation and commercial laws
Card information form entries (cosmetic design data) | Maximum of 14 days from submission | Limited to design process duration
Corporate Request form entries | Maximum of 2 years from submission | Business relationship management
Cookie and traffic data | Maximum of 6 months from collection | Website functionality and analysis
Customer communications | Maximum of 3 years from last interaction | Customer service and potential legal claims

5.2 Erasure, Destruction, and Anonymization Procedures

Upon expiration of the applicable retention period or when the purpose of processing has been fulfilled, personal data shall be:

  • Permanently erased from electronic systems through secure deletion methods that prevent reconstruction;
  • Physically destroyed in the case of paper records, using methods such as shredding or incineration;
  • Anonymized through techniques that irreversibly prevent the identification of the data subject, in accordance with Recital 26 of the GDPR.

The Controller maintains a record of all erasure, destruction, and anonymization operations, including the date, method, and authorization of such operations.

5.3 Security Measures

In accordance with Article 32 of the GDPR, the Controller implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the processing of personal data, taking into account:

  • The state of the art;
  • The costs of implementation;
  • The nature, scope, context, and purposes of processing;
  • The risk of varying likelihood and severity for the rights and freedoms of natural persons.

Such measures include, but are not limited to:

  • Encryption of sensitive personal data during transmission and storage;
  • Regular testing, assessment, and evaluation of security measures;
  • Implementation of access controls and authentication requirements;
  • Regular backup procedures and disaster recovery capabilities;
  • Staff training on data protection and security;
  • Physical security measures for premises and equipment;
  • Network and system security, including firewalls, intrusion detection, and anti-malware protection;
  • Incident response procedures.

6. DATA SUBJECT RIGHTS

In accordance with Articles 15-22 of the GDPR and Article 11 of KVKK, data subjects have the following rights in relation to the processing of their personal data:

Right | Description
Right of access | To obtain confirmation as to whether personal data concerning the data subject is being processed, and if so, access to such data and specific information about the processing (Article 15 GDPR).
Right to rectification | To obtain without undue delay the rectification of inaccurate personal data and to have incomplete personal data completed (Article 16 GDPR).
Right to erasure (‘right to be forgotten’) | To obtain the erasure of personal data without undue delay where one of the grounds specified in Article 17 GDPR applies.
Right to restriction of processing | To obtain restriction of processing where one of the conditions specified in Article 18 GDPR applies.
Right to data portability | To receive personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance, where technically feasible (Article 20 GDPR).
Right to object | To object at any time to processing of personal data based on legitimate interests or for direct marketing purposes (Article 21 GDPR).
Right not to be subject to automated decision-making | Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects the data subject (Article 22 GDPR).
Right to withdraw consent | To withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal, where processing is based on consent.
Right to lodge a complaint | To lodge a complaint with a supervisory authority if the data subject considers that the processing of their personal data infringes the GDPR.

The Controller shall not discriminate against data subjects who exercise their rights under the GDPR or other applicable data protection laws, and shall facilitate the exercise of data subject rights to the fullest extent possible.

7. PROCEDURE FOR EXERCISING RIGHTS

Data subjects may submit requests regarding the exercise of their rights through the following channels:

Data Controller: Alaattin Koral

  • Postal Address: YAKUPLU MAH. HÜRRİYET BLV. SKYPORT Skyport Residence NO: 1 İÇ KAPI NO: 151 BEYLİKDÜZÜ/İSTANBUL, TURKEY
  • Email: alaattin@metk.art
  • Telephone: +90 850 360 0031

All requests shall be processed in accordance with the following procedure:

  1. The Controller shall acknowledge receipt of the request without undue delay.
  2. The Controller shall verify the identity of the person making the request through appropriate means.
  3. If the request is made by a third party on behalf of a data subject, the Controller shall verify the authorization of such third party to act on behalf of the data subject.
  4. The Controller shall assess the request to determine whether it can be fulfilled and what actions need to be taken.
  5. The Controller shall respond to the request without undue delay and in any event within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests, in which case the data subject shall be informed of any such extension within one month of receipt of the request, together with the reasons for the delay.
  6. If the Controller does not take action on the request of the data subject, the Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests shall be processed free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either:

  • Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
  • Refuse to act on the request.

The Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Data subjects located within the European Union also have the right to lodge a complaint with their local data protection supervisory authority if they believe that the Controller has not complied with applicable data protection laws.

8. COOKIES AND TRACKING TECHNOLOGIES

8.1 Types of Cookies Used

The Controller’s website uses cookies and similar tracking technologies to distinguish users from other users of the website, to analyze usage patterns, and to provide enhanced functionality. The Controller uses the following types of cookies:

Cookie Type | Purpose | Duration | Legal Basis
Strictly necessary cookies | Essential for the operation of the website and to provide requested services. They enable basic functions such as page navigation, secure areas, and shopping cart functionality. | Session to 1 year | Legitimate interest (Art. 6(1)(f) GDPR)
Performance cookies | Collect anonymous information on how visitors use the website, including page visit counts, traffic sources, and time spent on pages. Used to improve website performance. | Up to 2 years | Consent (Art. 6(1)(a) GDPR)
Functional cookies | Enable enhanced functionality, such as remembering preferences, language settings, and user customizations. | Up to 1 year