Privacy & Personal Data Policy
Privacy & Personal Data Policy
This Privacy & Personal Data Policy is meant to provide information on the personal data collected, retained, processed, shared and transferred by iyzico. Any person who visits iyzico website, or uses any service provided by iyzico (e.g. makes a payment with his/her credit card to a merchant that receives payments via iyzico) is covered by this Privacy & Personal Data Policy
When the term "iyzico" is used, it covers both iyzico Turkey and iyzico Europe as they share the same privacy principles and policy. iyzico might be referred to as "we", "us" or "our" in this policy. Legal titles and contact information of iyzico companies can be found at the end of this document.
The terms "personal data", "personal information" and "your information" are used interchangeably and they mean any information than can be associated to an identified or identifiable natural person (e.g. name, e-mail address, birth date, national ID number)
We are aware that personal data is important for our clients as well as end users and we endeavor to undertake all necessary measures to ensure this policy is complied with by everyone within iyzico and that your personal data is kept safe.
Purpose of this Privacy & Personal Data Policy is:
• To explain, in the most transparent and readable way possible, our ways and purposes of using the data we collect about you;
• To clarify the types of information we collect upon your permission and the purposes and methods for processing of them;
• To inform you on the third parties we transfer this information to as well as our purpose and method in doing so;
• To let you know your choices and legal rights with respect to your personal data;
• To describe the extent of our responsibility for protection of your rights and privacy.
This policy applies to products and services of iyzico only. On websites and mediums that do not belong to iyzico, the policies and rules of the respective person or organization. Sometimes, in addition to iyzico's policies and rules, e.g. on a checkout form placed on a merchant's website, but transmits payment data to iyzico) both iyzico and the merchant's privacy policies shall apply.
The type of personal data processed by iyzico depends on which services you benefit (some of them may not be available according to your region and legal status) and how you benefit from them.
2. Personal Data Collected by iyzico
We collect different types of personal data about you when you visit our website or use our services.
When you visit our websites, send or receive a payment via iyzico, or register to open an account you may use for receiving or sending funds and similar purposes; we will collect information necessary to offer and fulfill your request in an efficient and secure way. This information may include:
• Your contact details (e.g. your name, address, e-mail address, ID number).
• Payment details (e.g. your credit card number, expiry date, instalment choice).
• When someone sends funds to, or enters into any transaction that requires them to provide personal information about third persons, we collect personal data about those third persons.
• Information obtained from third-party sources, such as our clients from whom we receive category and name of the products or services you wish to purchase from the merchant, details on your membership with the merchant, your IP address and past transactions. We also receive information about your purchase from delivery companies to monitor your transaction's status.
• If you are applying to use the services of iyzico, your business details (e.g. your business name and category, tax ID, bank account details) some of the information requested may be related to a legal person and therefore outside the scope of personal data, however, as far as these details contain information related to a real person, you declare that you are authorized to share these pieces of personal information.
• If you are a seller utilizing a platform (e.g. a marketplace) which uses our services, the platform may transfer your personal data such as contact details and bank account number.
• Additional details you provide to us when you make use of optional services provided by iyzico or when you contact iyzico (e.g. via the contact us form located on our website or e-mail).
3. Use of Personal Data by iyzico and Legal Basis for Processing
We use your personal data for various purposes permitted under data protection laws in Turkey and the European Union. Our purposes in using your personal data are explained with some examples below and are justified by lawfulness criteria stipulated in data protection regulations of the European Union and Turkey, such as performance of contractual obligations, our legitimate interests, and legal obligations.
• To operate our sites and provide our services,
We need to use your information to initiate payments, transfer funds, store your credit cards for your future use, and enable you to create, access and modify your account.
• To improve our services and manage our business needs,
We monitor usage of our sites and services by you and analyze usage data to enhance our performance.
• To mitigate and manage risk and protect our platform and customers from harm,
We detect and prevent fraud by identifying customers and measuring their risk level. These decisions may be made by automatic algorithms as well as human effort under set rules. If you learn that your application or a transaction you want to make has been rejected as a result of those procedures, you may contact us at the contact information provided at the end of this document.
• To contact you when needed,
We may contact you regarding the status of your transaction. Also, when there is an issue related to your account or a payment you make, we may use your personal information to reach out to you so that we can resolve the issue. You may be contacted by iyzico employees, or by employees of our business partners, in which case we need to share your personal data with those business partners.
• To meet our legal obligations or resolve disputes,
Some regulations in the jurisdictions require us to use and retain your information in certain ways. As a payment services provider, we are obliged to keep and inspect records of all transactions we facilitate for various reasons including data retention, anti-money laundering and taxation.
When there is a legal dispute between iyzico and you, or between parties of a transaction facilitated by iyzico, your information may be used to resolve the dispute and presented to courts and other authorized dispute resolution authorities.
We may also use your information in additional ways that you have consented to. For instance, we may seek your consent for sending you marketing material, receiving your feedback or other processing activities. In those cases, you can always withdraw your consent by contacting us at the addresses provided at the end of this Policy. You should include information that enable us to recognize you in that notification. Your notification of withdrawal of your consent will be effective in the future and therefore will not make our prior processing unlawful but it will make us cease to process that information from the receipt of your notification onwards.
When you use the iyzico website, access information related to you, such as your ISP's (Internet Sevice Provider) name, your IP Address, your browsing information and geolocation may be collected by iyzico. This information is used for improvement of iyzico's infrastructure, statistical evaluations, and better targeting of marketing material. Cookies and other tracking technologies (e.g. web beacons) that are operated by iyzico or third party service providers may also be used for collecting information on your usage to enable the website's functionalities such as customization, to mitigate risk (e.g. by prevent fraud), manage our infrastructure, and to promote our services.
Our website uses a web analytics tool named Google Analytics developed by Google, Inc. ("Google"). Google Analytics utilizes cookies and other identifiers to help website owners analyze the use of their website by their visitors and for rendering of the services provided by Google. Information related to your use of the website may be transferred to Google's servers located in various countries and be processed by Google at those locations. Google shall use this information for analyzing your use of the web, drafting reports on the usage of website for website owners and providing other services related to internet use (e.g. creating user segmentations). Google may transfer this information to third parties upon legal obligation and when third parties process this information on behalf of Google. For more information on privacy practices of Google with respect to Google Analytics, please visit this website: https://www.google.com/policies/privacy/partners/ If you do not wish your information to be used by Google Analytics, you may use the following link to opt out: https://tools.google.com/dlpage/gaoptout/
Our website utilizes a service provided by Hotjar Ltd. ("Hotjar") that identifies users' experiences on a website and evaluates the ease of use of the website and receives anonymous feedback from users. Cookies are placed on your computer for the provision of this service.
Our website utilizes a service provided by Optimizely Inc. ("Optimizely") that helps find out which version of the website is more suitable for use by showing different versions to different users. Cookies are placed on your computer for the provision of this service.
This website and iyzico merchant control panel utilize a service provided by Sosyo Plus Bilgi Bil. Tekn. Dan. Hiz. Tic. A.Ş. ("Insider") that helps merchants to find out the features they were not able to use before. Cookies are placed on your computer for the provision of this service.
This website utilizes a service provided by Doğan İnternet Yayıncılığı ve Yatırım A.Ş. ("Medyanet") that analyses user behavior. Cookies are placed on your computer for the provision of this service.
5. Retainment and Erasure of Personal Data
iyzico retains your personal data in an identifiable format for the shortest period of time necessary to fulfil our legal obligations and for our business needs.
When the period during which we retain your personal data ends, we will erase or anonymize your personal data so that they can no longer be associated with you, in line with our internal procedures that aim to ensure safety of your personal data.
When you close your account or request erasure of your personal data, we will erase or anonymize parts of it that we are not legally obliged to reject your erasure request or to keep even if your account is deleted.
The cookies we use have defined expiration times; unless you visit our sites or use our services within that time, the cookies are automatically disabled and retained data is deleted. You may also manually delete those cookies through your web browser's settings.
6. Transfer of Personal Data to Third Parties
While providing our services, we sometimes share your personal information with third persons for purposes explained in this section.
We utilize services of other companies as necessary and we may need to share your personal data with some of them. For example, when we receive your payment details (either directly from you or via the merchant you wish to make a payment to) we need to transfer them to respective financial institutions to initiate the payment. Or when the transaction you have made requires some additional steps to be taken (e.g. if it is an international purchase and customs procedures are to be completed) we may share your personal data with relevant service providers (e.g. customs brokers). We may also transfer personal data to third persons (e.g. anti-fraud processing companies) in order to ensure safety and convenience of our users and business.
When you use our services, we notify the other parties to the transaction you have made, such as other users and merchants and this might include transfer of a portion of your personal data.
Law enforcement agents and other authorities may request information from us. We will share your information only when there is a legal obligation to do so; or when it is deemed necessary to prevent and/or prosecute a crime.
We may also need to share personal data with third parties for other business purposes (e.g. for audits, corporate governance, or executing our legal rights). We will always comply with the law when doing so.
7. Personal Data Transfers to Other Countries
Due to nature of our services, we might need to transfer some personal data internationally. A big part of our information technology infrastructure (the all infrastructure of iyzico Turkey) is located within Turkey and this means that if you are using our services or reaching out to our website from another country, your personal data will be transferred to Turkey. This transfer takes place within a lawful framework that ensures safety of your personal information. We rely on model contractual clauses issued by the European Commission for transfers between iyzico Europe and iyzico Turkey.
In addition to the transfers between iyzico group companies, other transfers to third parties mentioned above, may require your personal data to be transferred to different countries. However we guarantee that your personal data is only transferred to countries regarded to be providing adequate safeguards or to parties that guarantee to ensure the safety of your personal information.
8. Choices Available to You
You have choices available with respect to our privacy practices. You may always decline to provide personal data requested by iyzico. However, if the information you have declined to provide is mandatory for provision of our services, you may not use our services. For instance, if you decline to enter your credit card number on the checkout form for a merchant who accepts credit card payments via iyzico, we cannot initiate the payment.
You may review and modify some of the personal data we have about you in the settings section of our mobile or web application when you log in to your account. If you want to review or modify other pieces of information than available on the website, please contact us using the contact information at the end of this document.
From time to time, we communicate with you. These communications may be for marketing purposes or notifications related to a transaction you have been a party to. You can opt-out of all marketing related communications by following the instructions at the end of messages we send. However, you cannot opt-out of transactional messages, but you may only choose the methods and addresses you receive them to.
9. Your Rights
We want you to know that you have following rights with respect to your personal data, as per the regulations governing use of personal data within EEA or Turkey:
(a) To learn if we process your personal data, the types of data we process, sources we get your personal data from, third parties we transfer your personal data to within the country or internationally, the period for which we keep the personal data or how we determine that period;
(b) To access your personal data and to request the data provided by you to be given to you or another data controller in a structured, commonly used and machine readable format,
(c) To learn the purposes for which your personal data is processed and to query if they are used in a compatible manner with those purposes,
(d) To object to and request restriction of processing of your personal data,
(e) To request rectification of inaccurate and incomplete personal data about you,
(f) To request erasure of your personal data when there is no legal basis for further processing,
(g) To request notification of procedures such as erasure and rectification to other third parties to whom your personal data has been transferred,
(h) To object to any negative consequences arising from automatic analysis of your personal data,
(i) To request indemnification for any damages arising from unlawful processing of your personal data.
You can exercise these rights by contacting us at the addresses provided at the end of this Policy. Your application should include the information you have given to us while registering or making use of our services as well as a photo ID, so that we may identify you.
10. Protection of Personal Data
All personal data collected by iyzico is transmitted and stored in compliance with reasonable security standards as adopted by the industry. The security of payment data is ensured with our PCI DSS Level 1 Compliant infrastructure and all connections where personal data is transmitted are protected with encryption. Even though we take all reasonable measures to protect your information, you are responsible for securing and maintaining your account information, including your password.
Our services and websites are not directed to children, i.e. people who are not legal adults. We do not collect personal data from children or other individuals who are not legally able to use our services. If we find out that we have collected Personal Data from a child, we will promptly delete it, unless we are legally obligated to retain such data. If you believe that we have mistakenly or unintentionally collected information from a child, please contact us immediately at the addresses below.
12. Contact Information
For iyzico Turkey:
Company Title: iyzi Ödeme ve Elektronik Para Hizmetleri A.Ş.
MERSIS (Central Registration System) Number: 0483034315700019
Address: Burhaniye Mahallesi Atilla Sokak No:7 Üsküdar İstanbul
E-Mail: [email protected]
Phone: +90 216 599 01 00
For iyzico Europe:
Company Title: Iyzi Payments, UAB
Registration Code: 304782968
Address: Mėsinių g. 5, LT-01133 Vilnius LITHUANIA
E-Mail: [email protected]
Phone: +90 216 599 01 00