Last Updated: June 8, 2026
Privacy Policy
This Privacy Policy describes how MITRAS ("we," "us," or "our") collects, uses, discloses, and protects personal data when you visit mitras.org, purchase digital products or services, or otherwise interact with our global digital organization. We are committed to compliance with the EU General Data Protection Regulation (GDPR), the Turkish Personal Data Protection Law No. 6698 (KVKK), and other applicable data protection laws.
1. Data Controller
The data controller responsible for your personal data is:
- Organization: MITRAS — Global Digital Organization
- Website: https://mitras.org
- General Inquiries: hello@mitras.org
- Privacy Inquiries: privacy@mitras.org
- Legal Inquiries: legal@mitras.org
For KVKK-related applications, you may submit requests to privacy@mitras.org with the subject line "KVKK Application."
2. Scope
This policy applies to personal data processed in connection with:
- Our website, digital storefront ("The Vault"), and related online services;
- Custom development, automation, SEO, and consulting engagements;
- Digital product purchases, downloads, and license management;
- Customer support, billing, and contractual communications;
- Marketing communications where you have opted in or where permitted by law.
3. Categories of Personal Data We Collect
| Category | Examples | Source |
|---|---|---|
| Identity & Contact Data | Name, email address, phone number, company name, billing address | Provided by you during checkout, inquiry, or project onboarding |
| Account & Transaction Data | Order history, payment status, invoices, license keys, project briefs | Generated through your use of our services |
| Technical & Usage Data | IP address, browser type, device identifiers, pages visited, referral URLs | Collected automatically via cookies and server logs |
| Communications Data | Emails, support tickets, chat messages, feedback, testimonials | Provided by you during correspondence |
| Payment Data | Partial card details, transaction IDs (processed by payment providers) | Payment processors; we do not store full card numbers |
4. Legal Bases for Processing (GDPR Article 6)
We process personal data only where a lawful basis applies:
- Contract Performance (Art. 6(1)(b)): To fulfill orders, deliver digital products, execute custom services, and manage your account.
- Legitimate Interests (Art. 6(1)(f)): To improve our website, prevent fraud, ensure security, and analyze aggregated usage — balanced against your rights.
- Legal Obligation (Art. 6(1)(c)): To comply with tax, accounting, consumer protection, and regulatory requirements.
- Consent (Art. 6(1)(a)): For non-essential cookies, marketing emails, and optional analytics where required. You may withdraw consent at any time.
5. KVKK Compliance (Law No. 6698)
Under KVKK, personal data is processed in accordance with the principles of lawfulness, fairness, accuracy, purpose limitation, data minimization, retention limitation, and security. Processing conditions include:
- Explicit consent, where required under Article 5;
- Necessity for establishment or performance of a contract (Article 5(2)(c));
- Compliance with legal obligations (Article 5(2)(ç));
- Legitimate interests of the data controller, provided fundamental rights are not harmed (Article 5(2)(f)).
Sensitive personal data (special categories under KVKK Article 6) is not intentionally collected. If such data is inadvertently provided, it will be deleted unless a specific legal exception applies.
6. How We Use Your Data
- Process and fulfill purchases of digital products and custom services;
- Communicate regarding orders, milestones, deliverables, and support requests;
- Authenticate users and manage licenses for digital products;
- Process payments and issue invoices in compliance with financial regulations;
- Improve website performance, user experience, and service quality;
- Detect, investigate, and prevent fraudulent or unauthorized activity;
- Send marketing communications where you have opted in (you may unsubscribe at any time);
- Comply with legal obligations and respond to lawful requests from authorities.
7. Data Sharing and Recipients
We do not sell your personal data. We may share data with trusted third parties strictly as necessary:
- Payment Processors: Stripe, PayPal, or equivalent PCI-DSS compliant providers;
- Hosting & Infrastructure: Cloud hosting, CDN, and email delivery services;
- Analytics (with consent): Privacy-respecting analytics tools;
- Professional Advisors: Lawyers, accountants, and auditors bound by confidentiality;
- Legal Authorities: When required by applicable law, court order, or governmental request.
All processors are bound by data processing agreements (DPAs) ensuring GDPR Article 28 and KVKK-compliant safeguards.
8. International Data Transfers
MITRAS operates globally. Where personal data is transferred outside the European Economic Area (EEA) or Turkey, we implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Binding Corporate Rules or equivalent mechanisms where applicable;
- Adequacy decisions recognized under GDPR or KVKK Board decisions.
You may request details of transfer safeguards by contacting privacy@mitras.org.
9. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
- Transaction & Contract Records: Up to 10 years for tax and legal compliance;
- Support Communications: Up to 3 years after resolution of the inquiry;
- Marketing Data: Until you unsubscribe or withdraw consent;
- Server Logs: Typically 90 days, unless required for security investigations;
- Cookie Data: As specified in our Cookie Policy.
Upon expiry of retention periods, data is securely deleted or anonymized.
10. Your Rights
Under GDPR (EU/EEA Residents)
- Right of Access (Art. 15): Obtain confirmation and a copy of your personal data;
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data;
- Right to Erasure (Art. 17): Request deletion where legally applicable;
- Right to Restriction (Art. 18): Limit processing under certain circumstances;
- Right to Data Portability (Art. 20): Receive data in a structured, machine-readable format;
- Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing;
- Right to Withdraw Consent: At any time, without affecting prior lawful processing;
- Right to Lodge a Complaint: With your local supervisory authority.
Under KVKK (Turkish Residents)
Pursuant to Article 11 of KVKK, you have the right to:
- Learn whether personal data is being processed;
- Request information if data has been processed;
- Learn the purpose of processing and whether data is used accordingly;
- Know third parties to whom data is transferred domestically or abroad;
- Request correction of incomplete or inaccurate data;
- Request deletion or destruction of data under Article 7 conditions;
- Request notification of correction or deletion to third parties;
- Object to adverse results from automated analysis;
- Claim compensation for damages arising from unlawful processing.
Submit requests to privacy@mitras.org. We respond within 30 days under GDPR and within 30 days as required under KVKK, extendable where permitted by law.
11. Security Measures
We implement technical and organizational measures appropriate to the risk, including:
- TLS/SSL encryption for data in transit;
- Encryption at rest for sensitive stored data where applicable;
- Role-based access controls and principle of least privilege;
- Regular security assessments and vulnerability management;
- Employee confidentiality obligations and security awareness training;
- Incident response procedures with breach notification as required by GDPR Articles 33–34 and KVKK.
12. Children's Privacy
Our services are not directed to individuals under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact privacy@mitras.org and we will promptly delete it.
13. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you without human oversight, except where permitted by law and with appropriate safeguards.
14. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices of external sites. We encourage you to review their privacy policies before providing personal data.
15. Changes to This Policy
We may update this Privacy Policy to reflect changes in law, technology, or our practices. Material changes will be communicated via website notice or email where appropriate. The "Last Updated" date at the top indicates the current version.
16. Contact Us
For privacy-related questions, data subject requests, or KVKK applications:
- Email: privacy@mitras.org
- General: hello@mitras.org
- Legal: legal@mitras.org