Effective Date: [01.10.2025]
Data Controller: CACHET KOZMETIK ITHALAT IHRACAT SANAYI VE TICARET LIMITED SIRKETI – 0195089978500001
Address: Esenkent Mahallesi Nail Bey Sokak Anadolu Park Sitesi No:1/9E D:19 Maltepe İSTANBUL • E-mail: info@cachetcosmetics.co • Phone: 05385509678
Data Protection Contact / DPO (if appointed): Damla Dinçer – info@cachetcosmetics.co

1) Purpose and Scope

This Privacy Policy explains how CACHET KOZMETIK collects, uses, shares, stores, transfers, and protects personal data when you visit cachetcosmetics.co, create an account, place an order, contact support, or interact with our marketing. It applies to website visitors, customers, account holders, job applicants, suppliers/partners, and other data subjects.


2) Key Definitions

  • Personal data: Any information relating to an identified or identifiable natural person.

  • Processing: Any operation on personal data (collection, storage, transfer, deletion, etc.).

  • Controller / Data Controller: The entity deciding the purposes and means of processing (here, CACHET KOZMETIK).

  • Processor: A third party processing personal data on our behalf (e.g., hosting, payment gateway).

  • KVKK / GDPR / CCPA: Turkish Law No. 6698; EU/UK data protection laws; California privacy laws.


3) What Data We Collect

3.1 Data you provide to us

  • Identity & contact: name, surname, e-mail, phone, billing/shipping address, country/region.

  • Account: username, hashed password, preferences, saved addresses.

  • Order & customer service: order details, invoices, returns/exchanges, tickets/complaints, communications.

  • Surveys & marketing: newsletter opt-ins, campaign participation, reviews, wishlists.

  • Job applications (if applicable): CV/resume, cover letter, references.

3.2 Data collected automatically

  • Device & usage: IP address, device/browser type, language, operating system, referring URLs, pages viewed, time stamps, error logs.

  • Cookies/SDKs/pixels: please see Cookie Policy and Section 10.

3.3 Sensitive or special category data (rare)

  • We do not seek to collect sensitive data. If you voluntarily share allergy/skin sensitivity information for product suitability, we process it only with your explicit consent and with reinforced safeguards.

3.4 Payment data

  • Payments are processed by a PCI-DSS-compliant payment service provider (PSP) with 3-D Secure. We receive payment confirmations and transaction references, not full card numbers/CVV.


4) Why We Process Your Data (Purposes) & Legal Bases

Depending on your jurisdiction, processing relies on the following legal bases:

  • Contract performance / steps before entering a contract (GDPR Art. 6(1)(b); KVKK 5/2-c):
    Creating/managing your account, processing your order, shipping, returns/exchanges, warranties, customer support.

  • Legal obligations (GDPR Art. 6(1)(c); KVKK 5/2-ç):
    Invoicing, accounting/tax retention, responding to lawful requests by authorities.

  • Legitimate interests (GDPR Art. 6(1)(f); KVKK 5/2-f):
    Site security and fraud prevention, service quality, analytics for product improvement, customer satisfaction measurement. We balance our interests against your rights.

  • Consent (GDPR Art. 6(1)(a); KVKK 5/1; CCPA/CPRA where applicable):
    Newsletters and promotional messages, personalized ads/retargeting, analytics cookies beyond strictly necessary, processing of allergy data. You can withdraw consent at any time (see Section 14).

  • Special category data (GDPR Art. 9; KVKK 6):
    Only processed with explicit consent or where permitted by law.

We do not use solely automated decision-making that produces legal or similarly significant effects without human involvement. If this ever changes, we will inform you and explain your rights (see Section 14).


5) Sources of Personal Data

  • Directly from you (checkout, forms, support).

  • Automatically via your device and cookies.

  • From processors (e.g., payment gateway’s confirmation), carriers (status/tracking), or lawful third-party sources (e.g., anti-fraud services).


6) Sharing Your Data (Categories of Recipients)

We share personal data only as necessary and under contracts that impose confidentiality and security obligations:

  • Service providers / processors: hosting/cloud, security/CDN, payment gateway (PSP), shipping/logistics, CRM/helpdesk, e-mail/SMS and push providers, analytics/advertising platforms, reviews/UGC tools.

  • Business partners / suppliers: authorized distributors/fulfillment partners (e.g., authenticity/batch checks), accountants/auditors, legal advisors.

  • Public authorities: courts, law enforcement, tax and regulatory bodies, where legally required.

We do not sell your personal data. If we “sell” or “share” data as defined by CCPA/CPRA, we will provide a “Do Not Sell or Share My Personal Information” link and honor opt-out rights (see Section 14).


7) International Transfers

Your data may be stored or accessed in Türkiye, the EEA/UK, the US, or other countries where our providers operate. Where required, we use lawful transfer mechanisms (e.g., adequacy decisions, Standard Contractual Clauses (SCCs), and supplementary measures). Under KVKK, cross-border transfers follow Article 9 and the Turkish Data Protection Authority’s requirements (e.g., explicit consent or approved undertakings) when applicable.


8) Data Retention

We keep personal data only as long as necessary for the purposes stated above or to comply with legal retention periods. Typical maximum periods:

  • Orders & accounting: up to 10 years (per commercial/tax laws).

  • Customer support & complaints: up to 3 years.

  • Contracts/warranty: contract term + limitation period (up to 10 years).

  • Call recordings (if used): up to 3 years.

  • CCTV (if used): 30–90 days.

  • Marketing lists: until you withdraw consent or up to 3 years (a minimal “do-not-contact” record may be kept to evidence your opt-out).

  • Security logs/IP: up to 2 years.

When retention ends and no lawful basis remains, we securely delete, anonymize, or destroy data per our Data Retention & Destruction Policy.


9) Security Measures

We implement appropriate technical and organizational measures to protect personal data, including TLS/HTTPS in transit, encryption and pseudonymization where appropriate, access controls and role-based permissions, MFA for admin access, secure development practices, vulnerability management and periodic penetration tests, backups, monitoring/logging, and supplier due diligence.
If we detect a data breach that may affect your rights and freedoms, we will notify the competent authority and, where required, affected individuals without undue delay.


10) Cookies, Analytics & Advertising

We use cookies and similar technologies:

  • Strictly necessary cookies: session management, basket, security (no consent required).

  • Analytics/performance: traffic and usage measurement, error diagnostics (consent-based in the EU/UK; opt-out where applicable).

  • Functional: remembering preferences (consent where required).

  • Advertising/retargeting: personalized ads and measurement (consent in the EU/UK; opt-out choices elsewhere).

On first visit, we display a Cookie Preferences banner/panel with Accept / Reject / Customize. You can change settings anytime via cachetcosmetics.co/privacy-policy and through browser controls. For full details, see our Cookie Policy.


11) Children’s Privacy

Our services are not directed to children under 16 (or a lower age where allowed by local law). We do not knowingly collect data from children. If you believe a child has provided personal data, please contact us to request deletion.


12) Third-Party Links & Social Plug-ins

Our site may include links to third-party websites or embedded content. Those sites operate under their own privacy policies; we are not responsible for their practices. Please review their policies before providing data.


13) Your Responsibilities

Please ensure your information is accurate and up to date (e.g., shipping address). Maintain your account credentials securely and notify us of any suspected unauthorized use.


14) Your Privacy Rights

Your rights depend on your location. We honor requests in accordance with applicable law and within statutory deadlines.

14.1 KVKK (Türkiye) & GDPR/UK GDPR (EU/UK)

  • Access: learn whether we process your data and obtain a copy.

  • Rectification: correct incomplete or inaccurate data.

  • Erasure: request deletion when legal grounds no longer apply (“right to be forgotten”).

  • Restriction: request processing limits in certain cases.

  • Portability (GDPR): receive data in a structured, commonly used, machine-readable format.

  • Objection: object to processing based on legitimate interests and to direct marketing.

  • Withdraw consent: at any time for activities based on consent (e.g., newsletters, advertising cookies).

  • Complain: to your local authority (e.g., Türkiye: KVKK/Kurul, EU: Supervisory Authority, UK: ICO).

14.2 CCPA/CPRA (California, if applicable)

  • Right to know/access: categories and specific pieces of personal information collected, sources, purposes, and disclosures.

  • Right to deletion: request deletion of personal information (subject to exceptions).

  • Right to correction: correct inaccurate personal information.

  • Right to opt-out of sale/share: opt out of data “sale” or “sharing” for cross-context behavioral advertising.

  • Right to limit use of sensitive info (if applicable).

  • Non-discrimination: we will not discriminate against you for exercising your rights.

You (or your authorized agent) can exercise rights using the methods below.


15) How to Exercise Your Rights

Submit a request using our Data Subject Request channels:

  • E-mail: cachetcosmetics.co/privacy-policy 

  • MERSIS No: 0195089978500001

  • Web form: cachetcosmetics.co/privacy-policy (if available)

We respond within 30 days under KVKK/GDPR (may extend where permitted) and within statutory timelines under CCPA/CPRA. Some requests may be restricted by legal obligations (e.g., tax retention). If fees apply (where permitted), we will inform you in advance.


16) Marketing Communications & Preferences

We send newsletters and promotions only with your consent (or as otherwise permitted by law). You can unsubscribe at any time via the footer link in our emails, SMS instructions, your account settings, or by contacting us. Unsubscribing from marketing does not affect essential service messages (e.g., order updates).


17) Profiling & Automated Decisions

We may use limited profiling to segment audiences (e.g., frequent buyers, abandoned basket reminders) to provide relevant offers. You can opt out of direct marketing at any time (Section 16) and withdraw consent for advertising cookies (Section 10). We do not make decisions with legal or similarly significant effects solely by automated means.


18) Data Minimization & Storage Location

We collect only what we need, keep it only as long as necessary, and restrict access to authorized staff and processors. Data may be stored in Türkiye and/or other countries where our vetted providers operate; appropriate transfer safeguards apply (Section 7).


19) Changes to This Policy

We may update this Policy to reflect legal or operational changes. We will post the updated version at cachetcosmetics.co/privacy-policy and revise the Effective Date. If changes are material, we will provide a more prominent notice.


20) Contact Us

Questions, concerns, or complaints about privacy?
E-mail: cachetcosmetics.co/privacy-policy
Address: CACHET KOZMETIK ITHALAT IHRACAT SANAYI VE TICARET LIMITED SIRKETI
Phone: 05385509678