Last updated: 2026-05-16
Turkiye / KVKK Jurisdiction Annex (Primary Regime)
Important — KVKK is Gila's primary data-protection regime because the controller, Sezen Soykut, is a natural-person sole-trader (şahıs şirketi) registered in Turkiye. Every Gila user — regardless of location — is processed by a controller subject to KVKK. EU/EEA, UK, and Swiss users are additionally protected by their own regimes (see ./eu-uk.md and ./switzerland.md). This document is the controller's KVKK aydinlatma metni (information notice) and consolidates KVKK Madde 10 transparency obligations.
This document also incorporates, by reference, the acik riza metni (explicit-consent text) shown to users at the LegalConsentGate step of onboarding.
1. Veri sorumlusu (Data controller)
| Alan / Field | Deger / Value |
|---|---|
| Veri sorumlusu / Data controller | Sezen Soykut |
| Sirket turu / Entity type | Sahis sirketi (natural-person sole-trader registered in Turkiye) |
| Ticari isim / Trade name | Gila |
| MERSIS / vergi numarasi | On file with the Turkish tax authority; provided to supervisory authorities on request via dpo@gila.coach |
| Tescilli adres / Registered address | Disclosed on request via dpo@gila.coach |
| Genel iletisim / General contact | hello@gila.coach |
| KVKK iletisim / KVKK contact mailbox | dpo@gila.coach |
| Veri sorumlusu temsilcisi / Controller representative | Sezen Soykut (the controller acts personally) |
| Iletisim dilleri / Languages of contact | Turkce, English, Espanol |
1.1 VERBIS (Veri Sorumlulari Sicil Bilgi Sistemi) status
VERBIS is the public Data Controllers Registry maintained by the Kisisel Verileri Koruma Kurumu. Registration is required for data controllers above thresholds set by Kurul decisions. The controller's current VERBIS position is:
| Field | Value |
|---|---|
| VERBIS registration number | [VERBIS NO — to be confirmed if threshold met. Sole-traders with fewer than 50 employees and below TRY 100 million annual turnover are currently exempt from VERBIS registration provided their core activity is not the processing of special-category data, per Kurul Decision 2018/32 and subsequent revisions.] |
| Threshold assessment | Sezen Soykut, as a sole-trader, currently has zero employees and is below the turnover threshold. However, the "core activity is special-category data processing" carve-out arguably applies to Gila because the service is materially organised around health data (weight, GLP-1 medication, mood, calorie tracking). The controller therefore re-assesses VERBIS registration at every 6-month RoPA review and proactively registers if either threshold is crossed or if the Kurul publishes guidance clarifying that a consumer health app falls within the special-category-core-activity test. |
| If registered, the VERBIS entry includes: | The controller identity, contact details, processing purposes, data subject categories, personal data categories, recipient categories, cross-border transfer countries and safeguards, maximum retention periods, and security measures described in this document. |
2. Kisisel veri kategorileri (Personal data categories)
KVKK distinguishes between general personal data (Madde 5) and ozel nitelikli kisisel veri (special-category personal data, Madde 6). Gila processes both. The table below maps our internal data-inventory tiers (Tier 1-6) to KVKK categories.
| Internal tier | KVKK kategorisi / Category | Ornek alanlar / Example fields |
|---|---|---|
| Tier 1 | Saglik bilgisi (health data — Madde 6 special category) | Vucut agirligi (body weight), olcumler, GLP-1 ilaci adi ve dozu (GLP-1 medication name and dose), enjeksiyon bolgesi (injection zone), yan etki ciddiyeti (side-effect severity), kalori alimi (calorie intake), uyku ve adim sayisi (sleep, steps), kalp atim hizi |
| Tier 1 | Saglik ve cinsel hayat bilgisi (mental-state subset — Madde 6 special category) | Ruh hali (mood), gunluk yazilari (journal entries — free-text may incidentally contain sensitive disclosure) |
| Tier 1 (potential) | Biyometrik veri (biometric — Madde 6 special category) | Profil fotograflari ve aliskanlik kanit fotograflari (avatar and habit-evidence photos). Note: photos are not processed for unique identification purposes; biometric special-category status is therefore not engaged, but the photos remain sensitive and are treated under explicit-consent flow. |
| Tier 2 | Kimlik bilgisi (identity) | Ad-soyad (name), takma ad (display name), dogum yili (year of birth, derived age) |
| Tier 2 | Iletisim bilgisi (contact) | E-posta adresi (email), bildirim tokeni (push token), tercihler (locale, time zone) |
| Tier 3 | Musteri islem bilgisi (customer transaction / inferred) | Aliskanlik takibi (habit tracking), tamamlanma orani (completion rate), AI tarafindan onerilen hedefler (AI-suggested goals) |
| Tier 4 | Islem guvenligi bilgisi (transaction security / technical) | Cihaz tipi (device type), OS surumu, app surumu, IP adresi (transient), hata izleri (error breadcrumbs) |
| Tier 5 | Musteri islem bilgisi (commercial / subscription) | Abonelik durumu (subscription state), RevenueCat app_user_id (paywall etkin oldugunda / when paywall enabled) |
| Tier 6 | Pazarlama bilgisi (marketing) | E-bulten kayit kaynagi (newsletter signup source), UTM parametreleri (UTM parameters), acik / tiklama durumu (open / click status) |
Free-text fields (journal entries, habit notes, side-effect notes) may incidentally contain additional special-category disclosures (e.g., religious belief, sexual orientation, mental-health context). Because we cannot pre-screen such disclosures we apply the most protective Madde 6 explicit-consent treatment uniformly across all free-text fields linked to a Tier 1 activity.
3. Isleme amaclari (Processing purposes)
The purposes for which we process personal data follow the categories of activities described in our internal Record of Processing Activities. Mapped to the KVKK Madde 4(2) principle of islendikleri amacla baglantili, sinirli ve olculu olma (processing limited to, and proportionate with, the purposes) and to Madde 10 transparency, the purposes are:
- Hizmet sunma / Service provision — to create and maintain the user account; to display the user's tracked data over time; to enable the user to log medication, weight, food, mood, and habits.
- Kisisellestirme / Personalisation — to adapt content, suggestions, and AI-generated coaching to the user's stated medication, goals, lifestyle, and history.
- AI destekli ozellikler / AI-supported features — to operate food-vision (Google Gemini primary; Anthropic Claude + OpenAI A/B opt-in paths, default off), AI coaching (Google Gemini, 12+ features), the Habit Lab playground (Anthropic Claude + Google Gemini), grounded research (Perplexity), and other AI-enabled outputs at the user's request and with the user's explicit consent. Acik riza tum AI saglayicilarini ortak olarak kapsar (the explicit consent covers all AI providers collectively; provider-agnostic consent).
- Iletisim / Communications — to send transactional emails (welcome, password reset, deletion verification), milestone celebrations, onboarding nudges, and — separately, with consent — marketing emails and newsletters.
- Guvenlik ve dolandiriciligi onleme / Security and fraud prevention — to protect public forms with bot challenges, to capture and triage application errors, to maintain row-level access controls in the database.
- Yasal yukumluluk / Legal obligation — to honour data-subject rights requests (KVKK Madde 11) within statutory time limits; to maintain tax and accounting records.
- Iyilestirme / Product improvement — to analyse pseudonymised product-usage telemetry (PostHog) so that we can improve features and fix UX issues.
- Yedekleme ve felaket kurtarma / Backups and disaster recovery — to restore service in the event of data loss or corruption, per KVKK Madde 12 veri guvenligi obligations.
We do not process personal data for purposes incompatible with those for which it was collected. Any new purpose triggers a fresh transparency event (updated aydinlatma metni and, where the new purpose is special category, a fresh acik riza).
4. Hukuki sebep (Lawful basis)
KVKK Madde 5 sets out the lawful bases for processing general personal data, and KVKK Madde 6 sets out the lawful bases for special-category personal data. Gila relies on:
4.1 Madde 5 — general personal data
| Purpose | Madde 5 dayanagi / Basis |
|---|---|
| Account creation, authentication, maintenance | Madde 5(2)(c) — bir sozlesmenin kurulmasi veya ifasiyla dogrudan dogruya ilgili olmasi kaydiyla (necessary for the establishment or performance of a contract) |
| Transactional email, push notifications, in-app messaging where service-critical | Madde 5(2)(c) — contract performance |
| Marketing email and newsletter | Madde 5(1) — acik riza (explicit consent), separately collected at signup and one-click revocable |
| Product analytics (PostHog) | Madde 5(1) acik riza (where consent collected) OR Madde 5(2)(f) mesru menfaat (legitimate interest) for non-TR users where consent is not the operative basis. For TR users, default is consent. |
| Error tracking (Sentry) | Madde 5(2)(f) mesru menfaat (legitimate interest) — purpose is service reliability and security, balanced against minimal risk to data subjects (pseudonymisation + scrubbing + 90-day retention) |
| Bot protection (Cloudflare Turnstile) | Madde 5(2)(f) mesru menfaat — fraud and spam prevention |
| Subscription management (RevenueCat, when paywall is active) | Madde 5(2)(c) contract |
| DSAR fulfilment | Madde 5(2)(a) — kanunlarda acikca ongorulmesi (expressly provided by law — KVKK Madde 11 itself imposes the duty to respond) |
| Tax and accounting record retention | Madde 5(2)(a) — kanunlarda acikca ongorulmesi (Vergi Usul Kanunu, Turk Ticaret Kanunu) |
| Backups and disaster recovery | Madde 5(2)(f) mesru menfaat |
4.2 Madde 6 — special-category personal data (health)
Health data is processed only on the basis of acik riza (explicit consent): Madde 6(2)(a) in the text as amended by Law No. 7499 (the 2024 Amendment), which re-enumerated the Madde 6 conditions; in the pre-amendment text this was Madde 6(2).
The sector-specific alternative for health data (processing by persons under a duty of secrecy or by authorised institutions for public health, preventive medicine, medical diagnosis, treatment and care, or the planning, management and financing of health services; Madde 6(2)(e) post-amendment, formerly the second sentence of Madde 6(3)) does not apply to Gila because the controller is neither a healthcare professional under Turkish law nor an authorised health institution. That basis is therefore unavailable as a fallback. Explicit consent is the sole lawful basis for Gila's processing of health data, and the legitimacy of the entire Gila health-data programme depends on the validity of that consent.
This makes the LegalConsentGate step of onboarding load-bearing. The consent surface:
- Is separate from the Terms-acceptance checkbox (Kurul Decision 2019/78 explicit-consent guideline: consent for special-category processing must be granular and not bundled with general terms).
- Identifies the categories of health data to be processed (medication, dose, weight, mood, calorie intake, journal content, HealthKit / Health Connect sync where granted).
- Identifies the purposes (service provision, personalisation, AI-supported features).
- Identifies the recipients and cross-border transfer destination (Supabase US, Google Gemini US, see § 5 and § 6).
- Includes the Turkish-language disclosure required by Madde 10.
- Records the consent in `public.consent_log` with policy version, accepted categories, locale (`tr-TR` where applicable), timestamp, and source.
- Allows revocation at any time (KVKK has no explicit equivalent of GDPR Art. 7(3), but Kurul guidance under Decision 2019/78 expects withdrawal to be as easy as giving consent).
5. Aktarilan ucuncu taraflar (Third parties to whom data is transferred)
Personal data is shared with the following processors and recipients for the purposes identified in § 3. Each is bound by a written data-processing agreement (where the recipient is a veri isleyen under KVKK Madde 12(2)) or operates as an independent controller for its own platform purposes.
5.1 Yurt ici (domestic recipients in Turkiye)
| Alici / Recipient | Sifat / Role | Amac / Purpose |
|---|---|---|
| Sezen Soykut (Veri sorumlusu) | Controller | Operations, support, debugging, DSAR fulfilment (sole-operator model) |
We currently have no Turkiye-resident processors. The controller's own operations from within Turkiye are documented in our RoPA as a TR-resident-controller-accessing-US-stored-data flow (see § 6 below).
5.2 Yurt disi (cross-border recipients — all in the United States)
| Alici / Recipient | Sifat / Role | Veri / Data | Amac / Purpose |
|---|---|---|---|
| Supabase Inc. | Veri isleyen (processor) | Tier 1-5 user data | Veritabani, kimlik dogrulama, dosya depolama, edge function calistirma (database, authentication, storage, edge runtime; primary host) |
| Google LLC (Firebase Cloud Messaging) | Veri isleyen | Cihaz push tokeni, push payloadi (device push token, push payload) | Push bildirim teslimi (push notification delivery) |
| Google LLC (Gemini API) | Veri isleyen | Istek basina ozellestirilmis baglam (per-request curated context), gorseller (images) | AI gorme (food vision), AI koculuk (AI coaching, 13 ozellik / 13 features); birincil saglayici / primary provider |
| Anthropic PBC (Claude API) | Veri isleyen | Istek basina ozellestirilmis baglam (per-request curated context) | Habit Lab oyun alani (Habit Lab playground, user-facing), QA degerlendirme (eval scoring, not user-facing), food-vision A/B opt-in path (default off) |
| OpenAI L.L.C. (GPT API) | Veri isleyen (sartli / conditional) | Istek basina gorsel + yemek baglam (per-request image + meal context) | Yalnizca food-vision A/B opt-in yolu (food-vision A/B opt-in path only; default OFF in production) |
| Perplexity AI Inc. | Veri isleyen | Kimliksizlestirilmis konu sorgulari (de-identified topical queries; user identifier stripped) | Habit-signal agent kaynak topraklama (source grounding) + food-vision arastirma yedek yolu (research fallback path) |
| FatSecret Inc. | Veri isleyen | Yemek arama sorgulari (food-name queries only, no user identifier) | Beslenme veritabani sorgulari (nutrition database lookups) |
| Resend Inc. | Veri isleyen | E-posta adresi, sablon degiskenleri (email address, template variables) | Transactional ve marketing e-posta (transactional and marketing email) |
| Beehiiv Inc. | Veri isleyen | E-posta, ad, kayit kaynagi, abonelik durumu (email, name, signup source, subscription status) | Bulten yayini (newsletter publishing) |
| Vercel Inc. | Veri isleyen | Istek basliklari, gecici IP, edge function izleri (request headers, transient IP, edge function traces) | Landing site hosting, edge functions |
| Cloudflare Inc. (Turnstile) | Veri isleyen | Tarayici dogrulama tokeni, gecici sinyaller (browser challenge token, transient signals) | Bot koruma (bot protection) |
| PostHog Inc. | Veri isleyen | Sozde-anonim kullanici kimligi, ekran/event isimleri (pseudonymous user ID, screen/event names) | Urun analitik (product analytics) |
| Functional Software Inc. (Sentry) | Veri isleyen | Sozde-anonim kullanici kimligi, stack trace, breadcrumbs (pseudonymous user ID, stack trace, breadcrumbs) | Hata izleme (error tracking) |
| RevenueCat Inc. | Veri isleyen | Hashlenmis app_user_id, abonelik durumu (hashed app_user_id, subscription status) | Abonelik yonetimi (subscription management, when paywall enabled) |
| Apple Inc. (HealthKit) | Veri kaynagi (data source, not a processor for uploaded data) | iOS cihaz icindeki saglik verisi (health data held on the iOS device) | OS-mediated on-device health source |
| Google LLC (Health Connect, Android) | Veri kaynagi (data source) | Android cihaz icindeki saglik verisi (health data held on the Android device) | OS-mediated on-device health source |
Apple and Google additionally act as independent controllers for their App Store / Play Store transactional records and OAuth identity-relay services. Where they are independent controllers their own privacy policies apply.
5.3 Bilgi paylasimi (Other disclosures)
We do not sell personal data. We do not share personal data for behavioural-advertising purposes. We may disclose personal data in response to:
- Lawful requests from Turkish judicial or administrative authorities under Turkish law;
- Lawful requests from supervisory authorities (Kurul) in the exercise of their KVKK functions;
- Requests from data subjects exercising KVKK Madde 11 rights, or authorised agents acting on their behalf;
- Requests from foreign authorities, only where the request meets the milletlerarasi adli yardim (international mutual legal assistance) standard applicable under Turkish law and only following internal review.
6. Yurt disina aktarim (Cross-border transfer)
KVKK Madde 9 governs the transfer of personal data abroad. The relevant facts are:
- The United States is not on the Kurul's adequate-countries list. As of the effective date of this notice, the Kurul has not published any list of countries with adequate protection. Until such a list is published, the yeterli koruma (adequate protection) path is unavailable. We re-verify this position at every publish cycle.
- No Kurul authorisation for written-undertaking transfer is in place. Madde 9 permits transfer where the controller and recipient sign a written undertaking and obtain Kurul permission. We have not applied for or received such permission.
- No Binding Corporate Rules (BCR) approval is in place. Madde 9 permits transfer under Kurul-approved BCR for intra-group transfers; this is inapplicable to Gila as a non-group sole-trader.
- Standard contracts introduced by the 2024 Amendment (Law No. 7499). The March 2024 amendment rewrote Madde 9 along the lines of GDPR Chapter V: a transfer may rest on a Kurul adequacy decision; failing that, on appropriate safeguards (including the Kurul-published standard contract, which must be notified to the Kurul within five business days of signature, Kurul-approved BCR, or a written undertaking with Kurul permission); and failing both, only on the exceptional grounds in Madde 9(6). The transitional period expired on 1 September 2024; the post-transition regime now applies. The Kurul has published the standard contracts. Gila has reviewed them and intends to execute them with each US-domiciled processor (and file the notification) as the operational framework, but until a given processor has signed the Kurul standard contract, it is not in place as a transfer mechanism for that processor. The per-processor execution status is tracked internally and refreshed at every publish cycle.
Therefore the only ground currently available for the cross-border leg of our existing US transfers is the data subject's explicit consent to the transfer (Madde 9(1)(a) in the pre-amendment text; Madde 9(6)(a) post-amendment, which additionally requires that the data subject be informed of the possible risks). Practitioner caveat: amended Madde 9(6) makes the exceptional grounds, consent included, available only for transfers that are arizi (occasional, non-systematic). A standing transfer to a hosting processor such as Supabase is hard to characterise as occasional, so consent is a stop-gap for the cross-border leg rather than a durable basis; executing the standard contracts is what closes the gap, and the risk disclosure in § 6.1 must stay explicit for as long as consent is relied on.
6.1 The Turkish-language cross-border-transfer consent statement
The following Turkish-language disclosure (or its equivalent translated content) is presented to TR users at the LegalConsentGate step and persisted in public.consent_log:
Yurt disina veri aktarimi acik rizasi (Explicit consent to cross-border data transfer)
Gila uygulamasini ve hizmetlerini kullanabilmeniz icin, hesap bilgileriniz, saglik verileriniz (vucut agirligi, GLP-1 ilaci, doz, yan etkiler, ruh hali, kalori alimi vb.), uygulama kullanim verileriniz ve teknik verileriniz Amerika Birlesik Devletleri'nde bulunan veri isleyenlere (Supabase, Google Gemini, Anthropic Claude [Habit Lab + QA], OpenAI [yalnizca food-vision A/B opt-in yolu — varsayilan kapali], Firebase, Perplexity, Resend, Beehiiv, Vercel, Cloudflare, PostHog, Sentry, RevenueCat, FatSecret) aktarilacaktir. ABD, Kisisel Verileri Koruma Kurulu tarafindan yeterli korumaya sahip ulkeler listesinde yer almamaktadir ve veri sorumlusunun ABD'ye aktarim icin Kurul izni veya baglayici sirket kurallari bulunmamaktadir. Bu nedenle yurt disina aktarim icin KVKK Madde 9(1) uyarinca acik rizaniz alinmaktadir. Acik rizaniz tum AI saglayicilarini (Gemini, Claude, OpenAI, Perplexity) ortak olarak kapsar. Acik rizanizi vermediginiz takdirde Gila'nin AI destekli ozellikleri (yapay zeka kocluk, kalori taramasi, AI habit onerileri, AI raporlar) ve bulut tabanli senkronizasyon ozellikleri sizin icin etkin olmayacaktir; ancak yerel veri girisi ve temel takip ozelliklerini KVKK Madde 5(2)(c) (sozlesmenin kurulmasi icin gerekli olma) kapsaminda kullanabilirsiniz. Acik riza, yalnizca yurt disi aktarim gerektiren ozellikler icin alinmaktadir. Acik rizanizi her zaman geri cekme hakkina sahipsiniz; geri cekme islemi `dpo@gila.coach` adresine bildirim ile veya uygulama ayarlarindan gerceklestirilebilir. Geri cekme islemi, daha onceki donemde gerceklestirilmis islemlerin hukuka uygunlugunu etkilemez.
English equivalent:
Explicit consent to cross-border data transfer
To enable you to use Gila's app and services, your account information, health data (body weight, GLP-1 medication, dose, side-effects, mood, calorie intake, etc.), application usage data, and technical data will be transferred to processors located in the United States (Supabase, Google Gemini, Anthropic Claude [Habit Lab + QA], OpenAI [food-vision A/B opt-in path only — off by default], Firebase, Perplexity, Resend, Beehiiv, Vercel, Cloudflare, PostHog, Sentry, RevenueCat, FatSecret). The United States is not on the list of adequate-protection countries published by the Personal Data Protection Board, and the controller does not have a Board permission or binding corporate rules for transfer to the United States. Your explicit consent is therefore being collected under KVKK Article 9(1) for the cross-border transfer. Your consent covers all AI providers (Gemini, Claude, OpenAI, Perplexity) collectively. If you do not give explicit consent, Gila's AI-powered features (AI coaching, calorie scanning, AI habit suggestions, AI reports) and cloud-sync features will not be active for you; you may still use local data entry and basic tracking features under KVKK Article 5(2)(c) (necessary for performance of contract). Explicit consent is collected only for features that require cross-border transfer. You have the right to withdraw your explicit consent at any time; withdrawal can be performed by sending a notice to `dpo@gila.coach` or via the in-app Settings. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.
6.2 Supplementary safeguards in place
Even though the legal basis for the transfer is explicit consent rather than an adequacy or written-undertaking mechanism, we apply technical and organisational measures to reduce the cross-border risk to the user. These measures are documented in our Transfer Impact Assessment (tia-supabase-us.md) and include: TLS 1.3 in transit, AES-256 encryption at rest (AWS RDS managed), row-level security in PostgreSQL scoped to auth.uid(), contractual "no training" flag on Google Gemini, FatSecret OAuth1 with no user identifier transmitted, Perplexity queries stripped of user identifier, sole-operator access governed by documented red-lines, and 30-day backup roll-off.
We are committed to (a) executing the Kurul-published standard data-protection contracts with each processor as they become operational under the 2024 Amendment, and (b) re-evaluating the transfer position annually and on each material change.
7. Ilgili kisinin haklari (Data subject rights — KVKK Madde 11)
KVKK Madde 11 grants every ilgili kisi (data subject) the rights below. We honour each right within the statutory time limit and free of charge; the only exception is Madde 13(2), which allows the fee in the Kurul tariff where fulfilling the request entails a separate cost (KVKK has no equivalent of the GDPR's "manifestly unfounded or excessive" refusal ground).
| Hak / Right | Aciklama / Description |
|---|---|
| Kisisel verilerin islenip islenmedigini ogrenme | Learn whether personal data is being processed |
| Islenmisse buna iliskin bilgi talep etme | Request information about processing if data has been processed |
| Isleme amacini ve bunlarin amacina uygun kullanilip kullanilmadigini ogrenme | Learn the purpose of processing and whether the data is used in accordance with its purpose |
| Yurt ici veya yurt disinda kisisel verilerin aktarildigi ucuncu kisileri ogrenme | Learn the third parties to whom personal data is transferred domestically or abroad |
| Kisisel verilerin eksik veya yanlis islenmis olmasi halinde duzeltilmesini isteme | Request rectification of incomplete or inaccurate data |
| Madde 7'de ongorulen sartlar cercevesinde kisisel verilerin silinmesini veya yok edilmesini isteme | Request erasure or destruction of personal data under the conditions of Madde 7 |
| Duzeltme / silme islemlerinin ucuncu kisilere bildirilmesini isteme | Request notification of rectification/erasure to third parties |
| Islenen verilerin munhasiran otomatik sistemler vasitasiyla analiz edilmesi suretiyle kisinin kendisi aleyhine bir sonucun ortaya cikmasina itiraz etme | Object to a result that is against them produced by analysis of processed data exclusively through automated systems |
| Kisisel verilerin kanuna aykiri olarak islenmesi sebebiyle zarara ugramasi halinde zararin giderilmesini talep etme | Claim compensation for damages arising from unlawful processing |
For our position on the munhasiran otomatik sistemler (solely-automated) right and Gila's AI features, see ./eu-uk.md § 6 — the analysis is materially identical: Gila's AI produces suggestions you can accept, edit, or ignore, not solely-automated decisions, but we treat the safeguards as applying out of an abundance of caution.
8. Hak kullanimi (Exercising your rights)
8.1 Basvuru kanallari (Application channels)
The following channels are available to exercise KVKK Madde 11 rights, in accordance with the Kurul's Veri Sorumlusuna Basvuru Usul ve Esaslari Hakkinda Teblig (Communique on the Application Procedures to Data Controllers) published 10 March 2018:
- Self-service web form: `https://gila.coach/[locale]/dsar`. The form requires email verification (Cloudflare Turnstile + email-link token) before any destructive or disclosive action is taken.
- E-posta: `dpo@gila.coach`, written application by email. The Communique accepts an email application when it is sent from the email address previously notified to the controller and registered in its system, which is why the verification step above ties the request to the account email.
- Posta: written application by registered mail to the controller's address (provided on request).
- Noter (notary): written application served via a Turkish notary (a form of written application under the Communique).
8.2 Basvuru icerigi (Application content)
The Communique requires the application to contain:
- Ad, soyad ve basvuru yazili ise imza — Name, surname, and signature if the application is in writing.
- T.C. kimlik numarasi, yabancilar icin uyrugu, pasaport numarasi veya varsa kimlik numarasi — Identification number (T.C. Kimlik No), or for non-Turks, nationality, passport number, or identification number where available.
- Teblige esas yerlesim yeri veya is yeri adresi — Address of residence or place of business for service of notice.
- Varsa bildirime esas elektronik posta adresi, telefon ve faks numarasi — Email, phone, fax for notice.
- Talep konusu — Subject of the request.
We will not refuse a request that lacks one of these elements if we can otherwise reasonably verify the applicant's identity and contact details from the existing account; however, we may request the missing elements where verification is otherwise impossible.
8.3 Yanit suresi (Response time)
We respond to a request as soon as possible and within 30 days at the latest (Madde 13(2)). KVKK, unlike the GDPR, contains no extension mechanism: where a request is complex or numerous we tell the applicant what has been delivered and what is outstanding, but this does not extend the statutory deadline, and the applicant's Madde 14 complaint window runs from the application date regardless. The response is provided in writing or electronically through the channel by which the applicant contacted us.
The response is free of charge. If the action requested entails a cost (e.g., paper-based reproduction of large data exports), we may charge a fee within the limits of the Veri Sorumlusuna Basvuru Ucret Tarifesi Hakkinda Teblig (Communique on the Fee Tariff for Applications to Data Controllers, 2018).
9. Kurul sikayeti (Board complaint — Madde 14)
If the application is rejected, the response is found insufficient, or no response is received within the 30-day period, the applicant may complain to the Kisisel Verileri Koruma Kurulu (Personal Data Protection Board, Madde 14(1)):
- within 30 days of learning of the controller's response, and
- in any event within 60 days of the date of the application to the controller.
A complaint cannot be lodged without first applying to the controller (Madde 14(2)).
| Field | Value |
|---|---|
| Authority | Kisisel Verileri Koruma Kurumu — Kurul |
| Website | kvkk.gov.tr |
| Online complaint portal | kvkk.gov.tr/sikayet |
| Address | Kisisel Verileri Koruma Kurumu, Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No: 4, 06520 Balgat-Cankaya / ANKARA |
The complaint must be in writing, in Turkish, and accompanied by the controller's response (if any) and supporting evidence. The Kurul reviews the complaint, may request additional information, and issues a decision. The Kurul has the power to impose administrative fines under Madde 18 (TRY 5,000 to TRY 1,000,000 per breach in the original 2016 figures; the amounts are revalued annually, so the applicable figures are higher).
The right to lodge a Kurul complaint is in addition to any private-law remedy the data subject may pursue in the Turkish courts, including the compensation claim under Madde 11(g).
10. Cocuklarin verileri (Children's data)
Turkish civil law sets majority, and with it full capacity to act, at age 18 (Turk Medeni Kanunu Madde 10 and 11). The Kurul has expressed in Decision 2020/65 and related guidance that valid acik riza for special-category data from a minor below the age of majority generally requires the authorisation of the holder of parental responsibility.
Gila's policy is:
- The minimum age for using Gila is 16. This is enforced by the `LegalConsentGate` self-attestation. See `../child-safety-notice.md` for the full procedure.
- For TR users aged 16 or 17, the gate accepts their use of the service for general processing (Madde 5 contract basis) but the explicit-consent prompts (health-data consent, AI-features consent, cross-border-transfer consent, marketing consent) carry an additional self-attestation that the user has reached the local age at which they may give valid acik riza under Turkish law, or that they hold their parent's or guardian's authorisation. We rely on the user's affirmation; we do not require uploaded proof of parental authority.
- Where we discover (via report or evidence) that a TR user is below 16, or that a 16- or 17-year-old's account contains special-category data without effective consent, we follow the procedure in `../child-safety-notice.md` § 3: suspend within one business day, delete within seven days, notify the email on file, and refund any active subscription as a goodwill measure.
- Parents and guardians may report concerns about a minor's account to `dpo@gila.coach`. Reports are acknowledged within 72 hours.
This position will be revisited if the Kurul publishes specific guidance on the digital-consent age for information-society services, or if Turkish civil-law amendments alter the age of capacity for valid consent.
11. Veri saklama ve imha (Retention and destruction — KVKK Madde 7)
Personal data is retained only for as long as necessary for the purposes for which it was collected. Once the retention purpose is exhausted, the data is destroyed in accordance with the Kurul's Kisisel Verilerin Silinmesi, Yok Edilmesi veya Anonim Hale Getirilmesi Hakkinda Yonetmelik (Regulation on the Erasure, Destruction, or Anonymisation of Personal Data).
| Veri kategorisi / Data category | Saklama suresi / Retention period | Tetikleyici / Trigger |
|---|---|---|
| Aktif hesap kisisel ve saglik verisi (active-account personal and health data) | Hesap aktif oldugu surece (indefinite while the account is active) | Hesap silme talebi 30 gunde tamamlanir, alt tablolar cascade ile silinir, yedekler 30 gun icinde duser (deletion request completed within 30 days; child tables cascade-deleted; backups roll off within 30 days) |
| E-posta teslim kaydi (email delivery log) | 12 ay (12 months) | Rolling |
| Hesap silme talep tokenleri (account-deletion request tokens) | 1 saat TTL (1-hour TTL) | Token uretimi (token issuance) |
| Riza kayitlari (consent records) | Sureli degil: audit kaniti olarak tutulur, KVKK Madde 12 hesap verilebilirlik (not time-limited; kept as audit evidence for Madde 12 accountability). Caveat: the Yonetmelik expects a stated maximum period, so this should be bounded, for example to the 10-year limitation period for claims under Turk Borclar Kanunu Madde 146, rather than left open-ended | Otomatik silinmez; user_id silinen kullanici icin NULL'a cekilir (not auto-deleted; user_id set to NULL when the user is deleted) |
| Anonim toplu analitik (anonymous aggregate analytics) | Sureli degil (not time-limited) | Re-identification riski yok (no re-identification risk) |
| Vergi ve ticari kayit gerektiren urun islem verileri (product transaction data subject to tax and commercial record-keeping) | 10 yil (10 years: Turk Ticaret Kanunu Madde 82; the 5-year Vergi Usul Kanunu Madde 253 period runs concurrently) | Yasal yukumluluk (legal obligation) |
| Yedekler (backups) | 30 gun (30 days) | Rolling |
The Regulation requires a written Kisisel Veri Saklama ve Imha Politikasi (Personal Data Retention and Destruction Policy) for VERBIS-registered controllers. If the controller's VERBIS status moves to registered (see § 1.1), we publish and maintain such a policy and link it from this annex.
12. Guvenlik onlemleri (Security measures — Madde 12)
KVKK Madde 12 requires the controller to take all necessary technical and organisational measures to ensure the security of personal data. Our measures include:
Teknik onlemler (Technical measures):
- TLS 1.3 in transit between client and server.
- AES-256 encryption at rest (PostgreSQL on AWS RDS).
- Row-level security in PostgreSQL scoped to `auth.uid()` so that a user can only access their own data through the API. The Supabase service-role key bypasses RLS entirely, which is why operator use of it is governed by the documented red-lines below rather than by the database.
- Bcrypt password hashing managed by Supabase Auth; passwords never leave the Supabase Auth boundary.
- OAuth state + PKCE for Google and Apple Sign-In flows.
- Cascade delete (`auth.users(id) ON DELETE CASCADE`) on all child tables.
- Signed, short-lived URLs for storage objects (avatars, habit-evidence photos).
- Webhook signature verification (Beehiiv, push-notifications).
- "No training" contractual flag on Google Gemini requests.
- "No user identifier" design for FatSecret and Perplexity queries.
- Multi-factor authentication on the Supabase dashboard and CLI used by the sole operator.
- Comprehensive audit logging in Supabase + Sentry breadcrumbs.
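The RLS, cascade-delete and consent-log measures above, the § 4.2 consent record, and the § 11 rule that consent records survive account deletion with `user_id` set to NULL fit together as a small amount of schema. The following is an added example written for this annex, not Gila's own schema: only `public.consent_log` and the `auth.users(id) ON DELETE CASCADE` pattern come from the document; `public.weight_log`, the column names, the `current_consent` view and the `has_consent()` function are assumptions chosen to illustrate the design on Supabase Postgres.

```sql
-- Added example, not Gila's schema. Only public.consent_log and the
-- auth.users(id) ON DELETE CASCADE pattern are named in the annex; the table
-- public.weight_log, the column names, the view and the function are
-- assumptions used to show how the stated measures fit together.

-- Tier 1 health data: lives and dies with the account (annex § 11, § 12).
create table public.weight_log (
  id          bigint generated always as identity primary key,
  user_id     uuid not null references auth.users(id) on delete cascade,
  measured_at timestamptz not null default now(),
  weight_kg   numeric(5, 2) not null check (weight_kg > 0)
);

-- Consent evidence (§ 4.2, § 11): retained as audit proof, so the user link is
-- detached (set to NULL) on account deletion instead of cascading the row away.
create table public.consent_log (
  id             bigint generated always as identity primary key,
  user_id        uuid references auth.users(id) on delete set null,
  policy_version text not null,                      -- e.g. '2026-05-16'
  categories     text[] not null,                    -- e.g. '{health,ai_features,cross_border}'
  action         text not null check (action in ('grant', 'revoke')),
  locale         text not null,                      -- 'tr-TR' for TR users
  source         text not null,                      -- 'LegalConsentGate' | 'settings' | 'dpo_email'
  recorded_at    timestamptz not null default now()
);

-- Row-level security scoped to auth.uid(). Enabling RLS with no policy denies
-- everything for the API roles; each policy below opens exactly one path.
alter table public.weight_log  enable row level security;
alter table public.consent_log enable row level security;

create policy weight_log_owner on public.weight_log
  for all to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Consent rows are append-only from the client: select + insert only, so a
-- user (or a stolen session) cannot rewrite or erase the consent history.
create policy consent_log_owner_select on public.consent_log
  for select to authenticated
  using (user_id = auth.uid());

create policy consent_log_owner_insert on public.consent_log
  for insert to authenticated
  with check (user_id = auth.uid());

-- Revocation is a new 'revoke' row, never an update. The view resolves the
-- current state per category (latest row wins) while keeping the full trail
-- for Madde 12 accountability. security_invoker keeps RLS in force through
-- the view (PostgreSQL 15+).
create or replace view public.current_consent
  with (security_invoker = true) as
select distinct on (cl.user_id, cat.category)
       cl.user_id, cat.category, cl.action, cl.policy_version, cl.recorded_at
from   public.consent_log cl
cross join lateral unnest(cl.categories) as cat(category)
where  cl.user_id is not null
order by cl.user_id, cat.category, cl.recorded_at desc;

-- Server-side gate for an AI or cross-border call: true only while the latest
-- row for the category is a grant, so a revoke takes effect on the next request.
create or replace function public.has_consent(p_user uuid, p_category text)
returns boolean
language sql
stable
as $$
  select coalesce(
    (select action = 'grant'
       from public.current_consent
      where user_id = p_user and category = p_category),
    false);
$$;
```

Two checks worth running against a layout like this. First, test the policies through the API with a user JWT, not from the Supabase SQL editor: the editor runs as the database owner and the service-role key bypasses RLS, so a query that "works" there proves nothing about what the app can reach. Second, delete a test account and confirm that `weight_log` rows are gone while the `consent_log` rows remain with `user_id` NULL; `has_consent()` then returns false for that user id, which is the behaviour the § 11 retention table describes.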
Organizasyonel onlemler (Organisational measures):
- Sole-operator access governed by a documented purposes list (see RoPA § 3.20) — controller access for anything other than the disclosed operational purposes is a documented red-line.
- 6-month review cycle of the RoPA, DPIA, TIA, and this annex.
- 72-hour breach-notification target: the Kurul's Decision 2019/10 interprets the Madde 12(5) duty to notify "as soon as possible" as 72 hours from learning of the breach, with affected data subjects to be notified as well.
- Data-minimisation enforced at the AI-prompt boundary (curated context snapshot, never the full user record).
- Free-text-PII detection flag for backup-retention-boundary review.
- Granular consent revocation in app Settings and via `dpo@gila.coach`.
13. Aydinlatma yukumlulugunun ifasi (Fulfilment of the duty to inform — Madde 10)
This document, together with the main Privacy Policy, the in-app LegalConsentGate flow, the aydinlatma metni shown at signup, and the website cookie banner, jointly fulfil the controller's aydinlatma yukumlulugu under KVKK Madde 10. The Turkish-language equivalents of the most material disclosures (controller identity, processing purposes, categories of data, third-party recipients, cross-border transfer destination, lawful basis, rights, application channels) are surfaced at the points of collection in the user interface as well as in this annex.
14. Degisiklikler (Changes)
We may revise this annex when (a) the KVKK is amended, (b) the Kurul publishes new decisions or guidelines affecting our processing, (c) the Kurul publishes an adequacy list or finalises the 2024-amendment standard contracts, (d) our processors or processing materially change, (e) our VERBIS status changes. Material changes are notified to account-holders by email at least 30 days before they take effect, accompanied by an in-app banner and a website-banner notice. The version number, effective date, and changelog are recorded in the YAML frontmatter at the top of this document.
15. Iletisim (Contact)
| Channel | Address |
|---|---|
| Data Protection Officer | dpo@gila.coach |
| Turkce destek (Turkish-language support) | support@gila.coach |
| Self-service rights request | https://gila.coach/tr/dsar |
| Web | https://gila.coach/tr/privacy/turkey |
| Posta (Mail) | Available on request from the DPO |
| Kurul sikayet (Board complaint) | kvkk.gov.tr/sikayet |