GDPR Disclosure Notice

Personal Data Protection and Processing Policy

Last Updated: December 9, 2025

Data Controller

In accordance with the Personal Data Protection Law No. 6698 ("GDPR"), your personal data may be processed by Toucan Foreign Trade as the data controller within the scope explained below.

Toucan Foreign Trade
Merkez Mahallesi, Sanayi Caddesi No:123
34000 Istanbul, Turkey
Email: kvkk@toucanticaret.com
Tel: +90 542 641 40 41

1. Processed Personal Data

1.1 Identity Information

First name, last name, national ID number (if legally required), signature

1.2 Contact Information

Email address, phone number, address information, fax number

1.3 Customer Transaction Information

Order information, quote requests, product/service preferences, communication history, complaint and request records

1.4 Marketing Information

Commercial electronic message consent, marketing preferences, areas of interest

1.5 Transaction Security Information

IP address, cookie records, browser information, operating system, visit time and date, clicked pages

1.6 Financial Information

Bank account number, IBAN, invoice information, payment history (for commercial customers only)

2. Personal Data Processing Purposes

Your personal data is processed for the following purposes:

  • Conducting product and service sales processes
  • Quote preparation and order management
  • Customer relationship management and customer satisfaction
  • Providing after-sales support services
  • Processing invoice and payment transactions
  • Managing logistics and shipping processes
  • Conducting marketing and promotional activities (with your consent)
  • Conducting statistical analysis and market research
  • Improving website user experience
  • Security and fraud prevention activities
  • Fulfilling legal obligations
  • Internal audit and risk management processes
  • Ensuring business continuity

3. To Whom and For What Purpose Processed Personal Data May Be Transferred

Your personal data may be transferred to the following persons and institutions in accordance with the conditions specified in Articles 8 and 9 of the GDPR:

🏢 Business Partners and Suppliers

Logistics companies, cargo companies, IT infrastructure providers, payment institutions - for order delivery and service provision purposes

⚖️ Legal Obligations

Courts, prosecutors' offices, tax offices, Social Security Institution, Ministry of Trade and other authorized public institutions and organizations - due to legal requirements

💼 Consultants

Legal, financial advisory, audit firms - for professional service procurement purposes (under confidentiality agreement)

🏦 Financial Institutions

Banks, financing institutions - for payment transactions and collection processes

Important: Your personal data is transferred in accordance with the basic principles stipulated by the GDPR and with the necessary security measures taken. No data transfer is made abroad.

4. Method of Collection and Legal Basis for Personal Data

4.1 Collection Methods

  • Via website (contact forms, quote requests)
  • By email
  • Phone calls
  • Physical forms and documents
  • Business meetings and trade fair participation
  • Social media channels
  • Cookies and similar technologies

4.2 Legal Basis (GDPR Art. 5 and Art. 6)

  • Establishment or performance of the contract: Fulfillment of order and service contracts
  • Legal obligation: Tax, trade, accounting legislation requirements
  • Legitimate interest: Business development, customer satisfaction, internal audit
  • Explicit consent: Special permissions obtained for marketing communication
  • Legitimate interests of the data controller: Security, fraud prevention

5. Your Rights Under GDPR

In accordance with Article 11 of the GDPR, you have the following rights:

1️⃣ Request Information

Learn whether your personal data is being processed

2️⃣ Right of Access

Request information about your processed data

3️⃣ Learn Purpose

Learn the purpose of processing and whether your data is used in accordance with that purpose

4️⃣ Transfer Information

Know the third parties to whom your data is transferred domestically or abroad

5️⃣ Right to Correction

Request correction of incomplete or inaccurate data

6️⃣ Right to Deletion/Destruction

Request deletion/destruction within GDPR framework

7️⃣ Right to Notification

Request notification to 3rd parties of correction/deletion operations

8️⃣ Right to Object

Object to results of analysis by automated systems

9️⃣ Right to Compensation

Request remedy for damages due to unlawful processing

6. Application Methods

You can apply using the following methods to exercise your rights arising from GDPR:

📝 Application Channels

1. Written Application (Wet Signature)

Address: Merkez Mahallesi, Sanayi Caddesi No:123, 34000 Istanbul
Subject: "Information Request Under GDPR" or relevant right title
Note: Attach copy of national ID for identity verification

2. Registered Electronic Mail (KEP)

KEP Address: toucan@hs03.kep.tr
Note: Send only from your own KEP address

3. Email with Secure Electronic Signature

Email: kvkk@toucanticaret.com
Note: Must be signed with mobile signature or e-signature

4. By Completing Application Form

Application Form to Data Controller (Can be downloaded from Personal Data Protection Board website)
Complete the form and submit via any of the above channels

⏱️ Response Time:

Your application will be finalized free of charge within 30 days at the latest depending on the nature of the request. If the transaction requires additional cost, the fee specified in the tariff determined by the Personal Data Protection Board may be charged.

7. Data Security Measures

In order to ensure the security of your personal data, we take the necessary technical and administrative measures in accordance with Article 12 of the Personal Data Protection Law:

  • Compliance with ISO 27001 Information Security Management System standards
  • Data transfer with SSL/TLS encryption protocols
  • Strong password policies and multi-factor authentication
  • Regular security tests and vulnerability scans
  • Access authorization and log recording systems
  • Data leakage prevention (DLP) solutions
  • Regular backups and disaster recovery plans
  • Employee training and confidentiality agreements
  • Physical security measures (cameras, access control)

8. Data Retention and Destruction

8.1 Retention Periods

  • Commercial Records: 10 years (Turkish Commercial Code Art. 82)
  • Accounting Documents: 5-10 years (Tax Procedure Law)
  • Employment Contracts: 10 years after the end of the relationship
  • Marketing Permissions: Until the permission is revoked or 3 years
  • Website Log Records: 2 years (E-Commerce Law)
  • Contact Form Data: 2 years after the resolution of the request

8.2 Destruction Methods

When the reasons requiring processing cease to exist, your data is destroyed using the following methods:

  • Physical Destruction: Incineration, disintegration, chemical melting
  • Destruction in the Electronic Environment: Deletion, secure formatting, cryptographic destruction
  • Anonymization: Masking to make identification impossible

9. Cookie Policy

For detailed information about the cookies used on websites, please review our Privacy Policy page.