Effective Date: [01.10.2025]
Data Controller: CACHET KOZMETIK ITHALAT IHRACAT SANAYI VE TICARET LIMITED SIRKETI – 0195089978500001
Address: Esenkent Mahallesi Nail Bey Sokak Anadolu Park Sitesi No:1/9E D:19 Maltepe İSTANBUL • E-mail: info@cachetcosmetics.co • Phone: 05385509678
KVKK Contact/Officer: Damla Dinçer – info@cachetcosmetics.co

1) Purpose and Scope

This Privacy Notice is provided under Law No. 6698 on the Protection of Personal Data (KVKK), Article 10 and secondary legislation. It explains how CACHET KOZMETIK processes personal data in connection with e-commerce (perfume/cosmetics sales), customer relations, marketing and after-sales services.

2) Categories of Personal Data

  • Identity: name–surname, (optional) T.R. ID No., (optional) date of birth

  • Contact: e-mail, mobile phone, billing/shipping address, city/district

  • Customer Transaction / Order: basket/order details, invoices/dispatch notes, returns/exchanges, requests/complaints

  • Finance/Payment: payment amount, transaction/slip reference (card details are processed by the PSP and are not stored by the Company)

  • Marketing: preferences and profiling with explicit consent, campaign participation, sample/gift choices

  • Online Identifiers: IP, device/browser data, cookies/SDKs, session IDs, logs

  • Audio/Visual (if any): call center recordings; CCTV footage in physical premises (if applicable)

  • Special Categories: only where necessary and lawful—e.g., health/allergy information with explicit consent and reinforced safeguards.
    * Do not collect T.R. ID/DoB unless strictly necessary.

3) Purposes of Processing (KVKK Arts. 5–6)

  • Contract performance: order intake, preparation, shipping, returns/exchanges, warranty, support

  • Legal obligations: invoicing, bookkeeping and retention, responses to authorities

  • Legitimate interests: fraud/abuse prevention, IT/security logging, service quality and improvement, customer satisfaction measurement

  • Explicit consent (where required): commercial electronic messages (SMS/e-mail), personalized marketing/retargeting, analytics/ads cookies

  • Special categories (if any): processing of allergy/health data strictly with explicit consent and necessity

4) Legal Bases for Processing & Transfer

Processing relies on KVKK Art. 5/2 (a) explicitly prescribed by law, (c) contract, (ç) legal obligation, (e) data made public by the data subject, (f) legitimate interest; and where needed, Art. 5/1 explicit consent.
Special categories follow Art. 6 and Board (Kurul) decisions.

5) Methods of Collection

  • Digital: website/mobile site, checkout, live chat/call center, e-mail/SMS, social messaging

  • Physical: return parcels, invoices/dispatch notes, store/operations (if any)

  • Technical: cookies/SDKs, logs, security systems

6) Recipients and Purposes of Transfer

  • Service providers / processors: hosting & cloud, maintenance, payment service provider (PCI-DSS/3D Secure), cargo/logistics, call center/CRM, e-mail/SMS gateways, IYS integrator, analytics/ad platforms

  • Suppliers/Business partners: authorized distributors/suppliers (authenticity, batch/stock), accountants, legal advisors

  • Public authorities: MASAK, Revenue Administration, courts/bailiffs, law enforcement, as required by law

Cross-border transfers (e.g., cloud, analytics, e-mail) are carried out under KVKK Art. 9 based on adequacy, undertakings/agreements, or explicit consent, as applicable.

7) Retention Periods (Maximum)

  • Orders/accounting: 10 years (TTK/VUK)

  • Customer support / requests–complaints: 3 years

  • Contracts/warranty: contract term + limitation period (up to 10 years)

  • Call recordings: 3 years

  • CCTV (if any): 30–90 days

  • Marketing lists: until consent withdrawal or up to 3 years (minimal “do-not-contact” record may be retained for proof after opt-out)

  • Security logs/IP: 2 years

When periods expire and legal bases no longer apply, data are destroyed per the Data Retention & Destruction Policy.

8) Your Rights (KVKK Art. 11)

  • To learn whether your data are processed; to obtain information on purposes and use

  • To learn domestic/overseas recipients

  • To request correction if incomplete/incorrect

  • To request deletion/destruction where grounds no longer apply (Art. 7)

  • To object to results against you arising from exclusively automated processing

  • To claim compensation for damages

9) How to Apply (KVKK Art. 13)

Submit the Data Subject Application Form via:

  • KEP: [Company KEP address]

  • E-mail (secure e-signature/scanned signed form): [kvkk@…]

  • Post: [Full Address – “KVKK Application”]

We will respond within 30 days. If the transaction requires additional cost, the fee set by the Board may apply.

10) Security Measures (KVKK Art. 12)

  • Organizational: access control & role matrix, confidentiality undertakings, processor contracts/addenda, staff awareness training

  • Technical: TLS/HTTPS, PCI-DSS-compliant PSP, encryption/masking, logging, backups, DLP, WAF, IDS/IPS, MFA, vulnerability mgmt., periodic pentests

In case of a breach, notifications to the Board and data subjects are made as required.

11) Updates

We may update this Notice and publish the latest version at [https://yourdomain.com/privacy-kvkk]. The last update date appears at the top.


CACHET KOZMETIK Data Retention & Destruction Policy

Effective Date: [01.10.2025] • Version: v1.1

1) Purpose & Scope

Sets forth retention and destruction rules under KVKK and the Regulation on Deletion, Destruction or Anonymization of Personal Data. Applies to all physical/digital media and systems.

2) Roles & Responsibilities

  • Data Controller: CACHET KOZMETIK ITHALAT IHRACAT SANAYI VE TICARET LIMITED SIRKETI

  • KVKK Committee/Officer: Damla Dinçer — inventory, (if applicable) VERBIS, audits

  • Department Leads: compliance with retention times; trigger periodic destruction

  • IT/Security: backups, secure deletion/anonymization, destruction logs

3) Inventory & Retention Schedule

See Annex-1: Processing Inventory listing data category, purpose, legal basis, recipients, retention, and destruction method.

4) Destruction Methods

  • Deletion (digital): access revocation, irreversible delete commands, index/pointer purge

  • Destruction (physical): shredding; physical destruction/sanitization for storage media (HDD/SSD/NVMe)

  • Anonymization: masking, aggregation, perturbation, k-anonymity; re-identification risk checks

5) Periodic Destruction

Periodic destruction is performed every 6 months (at least twice a year). Data whose retention period has expired and that no longer have a processing ground are destroyed in the next cycle.

6) Exceptions / Legal Holds

If there is an ongoing dispute, official request, or statutory retention duty, destruction is suspended and the reason is recorded.

7) Recording & Audit

Every destruction action is documented by a Destruction Report. Effectiveness of this Policy is checked via internal/external audits.


CACHET KOZMETIK Cookie Policy

Effective Date: [01.10.2025]

1) What Are Cookies?

Small text files stored on your device during your visit. We use them to maintain your session and basket, improve performance, and conduct analytics/retargeting (with consent).

2) Types of Cookies We Use

  • Strictly Necessary (first-party): session management, basket persistence, security (e.g., session_id, __cf_bm)

  • Analytics/Performance: page views, navigation, error tracking (e.g., Google Analytics, Hotjar)

  • Functional: language/region preferences, UX helpers

  • Advertising/Marketing: interest-based ads and measurement (e.g., Meta Pixel, Google Ads) — enabled only with explicit consent

3) Managing Preferences & Consent

  • A Cookie Preferences Panel is shown on first visit with Accept / Reject / Customize options.

  • All non-essential cookies operate on an opt-in basis.

  • You can delete/block cookies in your browser; some features may not function properly afterwards.

4) Third Parties & Transfers

Analytics and ad providers may involve cross-border data transfers. Such transfers are carried out in line with KVKK Art. 9 based on adequacy, contractual safeguards, or explicit consent.

5) Retention

  • Session cookies: until the browser is closed

  • Persistent cookies: 1 day to 24 months (see cookie table)

6) Cookie Table (Sample)

Cookie     | Type               | Purpose             | Duration  | Provider
_ga        | Analytics          | Visitor measurement | 24 months | Google
_fbp       | Marketing          | Retargeting         | 90 days   | Meta
session_id | Strictly necessary | Session mgmt.       | Session   | [Company]

Manage your preferences anytime at: [yourdomain.com/cookie-settings].


Commercial Electronic Messages & Marketing Consent (Sample)

I agree / do not agree to receive promotional communications about discounts/campaigns/news to my contact details. I can change my preferences anytime via IYS and the unsubscribe link. Upon withdrawal of consent, marketing communications stop immediately.


Data Subject Application Form (KVKK Art. 13)

A. Applicant Details
Name–Surname: … • T.R. ID (opt.): … • Phone: … • E-mail: … • Address: …

B. Relationship to Company: ☐ Customer ☐ Visitor ☐ Supplier ☐ Job Applicant ☐ Other: …

C. Request (tick one/more):
☐ Learn whether my data are processed
☐ Learn purposes/recipients of processing
☐ Learn cross-border transfers
☐ Rectification of incomplete/incorrect data
☐ Deletion/Destruction under Art. 7
☐ Objection to results from automated processing
☐ Compensation for damages
Explanation: …

D. Notification Method: ☐ E-mail ☐ Post ☐ KEP

E. Attachments: ID for verification, power of attorney (if any), etc.

F. Declaration: “The information provided is accurate.”
Signature/Date: …

Submission Addresses: [KEP / e-mail / postal address]
Timeline: Your request will be answered within 30 days. A fee per the Board’s tariff may apply if costs occur.


Annex-1: Processing Inventory (Example)

Process | Data Category | Purpose | Legal Basis | Recipients | Retention | Destruction
Order & Delivery | Identity, Contact, Customer Transaction | Contract performance | KVKK 5/2-c | Cargo, PSP, Accounting | 10 yrs | Destruction
Marketing | Contact, Online IDs, Preferences | Campaigns & measurement | Consent / 5/2-f | IYS, e-mail/SMS, ad platforms | Until opt-out / 3 yrs | Deletion
Support & Returns | Identity, Order, Audio/Visual (opt.) | Handling requests/complaints | 5/2-c-ç-f | Cargo, supplier, legal | 3 yrs | Deletion
Security/Logs | IP, logs, device | Security/evidence | 5/2-f | | 2 yrs | Anonymization

Practical Implementation Tips

  • PSP: never store raw card data; transaction IDs suffice.

  • Consent flows: separate checkboxes for IYS marketing consent; log timestamp/source.

  • Cookie banner: category-based opt-in (Strictly Necessary / Analytics / Functional / Marketing).

  • Data minimization: make T.R. ID and DoB optional/off by default unless legally required.

  • Cross-border tools: document Art. 9 basis (adequacy/contractual safeguards/consent).

  • Evidence: keep inventory, consent logs, and destruction reports.