Last updated: June 30, 2026

Privacy Policy

Comprehensive privacy policy on how Kordevo Soft Sp. z o.o. processes personal data under the EU General Data Protection Regulation (GDPR/RODO) and Turkish KVKK.

1. Purpose and Scope

This Privacy Policy explains how personal data is collected, processed, stored, and protected through the website at https://kordevoyazilim.com and its associated communication channels. The website is operated by KORDEVO SOFT Sp. z o.o. (KRS 0001251108, NIP 7272902217, REGON 54512385800000), Łąkowa 7A, 90-562 Łódź, Polska, a company established in Poland. The primary legal framework is the European Union General Data Protection Regulation (GDPR — "RODO" in Poland). For visitors accessing from Türkiye, the Turkish Personal Data Protection Law No. 6698 (KVKK) applies as a complementary framework.

2. Data Controller

The data controller is KORDEVO SOFT Spółka z ograniczoną odpowiedzialnością (in short, KORDEVO SOFT Sp. z o.o.), a limited liability company established under Polish law. • Registered address: Łąkowa 7A, 90-562 Łódź, Polska • KRS: 0001251108 · NIP: 7272902217 · REGON: 54512385800000 • Email: info@kordevoyazilim.com • Phone: +48 793 701 398 Any privacy-related questions, requests, or complaints may be sent to info@kordevoyazilim.com. The company has not appointed a separate Data Protection Officer (DPO); data protection requests are handled directly via the contact channels above.

3. Personal Data Processed

Data may be processed in the following categories: a) Data you provide directly • Contact form: Full name, email address, phone number, company name, project/service request, message content, budget range. • Direct communication: Information shared via email, phone, or WhatsApp. b) Automatically collected data • Technical data: IP address, browser type and version, operating system, referring URL. • Server access logs: Date/time of access, page requested, response code. • Cookies and local storage: Essential cookies (always active) and analytics cookies (active only with consent). c) Special category (sensitive) data Special category data under GDPR Article 9 (health, biometric, ethnic origin, political opinion, criminal records, etc.) is not requested or processed. If transmitted via forms, it is deleted immediately without processing.

4. Purposes and Legal Bases (GDPR Art. 6)

Your data is processed for the following purposes and legal bases: • Contact and proposal requests (GDPR Art. 6(1)(b) — steps taken at your request prior to entering a contract): Evaluating your request, responding, arranging preliminary meetings and proposals. • Performance of a contract (GDPR Art. 6(1)(b)): Establishing and performing the service agreement. • Legal obligations (GDPR Art. 6(1)(c)): Tax, accounting, and retention obligations under Polish/EU law. • Legitimate interests (GDPR Art. 6(1)(f)): Website security, fraud/abuse prevention, establishment and defense of legal claims. • Consent (GDPR Art. 6(1)(a)): Analytics cookies and optional marketing communications rely solely on your explicit consent, which you may withdraw at any time. Under KVKK, the corresponding bases for Turkish visitors are: Art. 5/2(c) (contract), Art. 5/2(ç) (legal obligation), Art. 5/2(f) (legitimate interest), and Art. 5/1 (explicit consent).

5. Analytics and Tracking (consent only)

Google Analytics 4 (GA4) is loaded only if you accept analytics cookies in the cookie consent dialog. If you decline or make no choice, the GA4 script is not loaded and no tracking occurs (opt-in principle). GA4 is configured with IP anonymization enabled, and the collected data is not used to identify individuals. No advertising or retargeting cookies are used. You can update your cookie choices at any time via the "Change my cookie preferences" button on the Cookie Policy page.

6. Recipients and International Transfers

Data may be transferred to the following processors/recipients, limited to the processing purpose: • Vercel Inc. (USA): Hosting and content delivery network. • Resend Inc. (USA): Contact form email delivery infrastructure. • Google LLC (USA): reCAPTCHA v3 (bot protection) and optional Google Analytics 4. Transfers to the USA are carried out with appropriate safeguards under Chapter V of the GDPR, via EU Standard Contractual Clauses (SCC) and/or the EU-US Data Privacy Framework. A Data Processing Agreement (DPA) governing the processing is in place with each provider; these agreements incorporate the SCC: • Vercel — Data Processing Agreement: https://vercel.com/legal/dpa • Google (Google Analytics) — Processor Terms and SCC: https://business.safety.google/adsprocessorterms/ • Resend — Data Processing Agreement: https://resend.com/legal/dpa These providers process data only on our instructions and within their own privacy policies. Where legally required, data may be shared with competent public authorities and judicial bodies. Data is not sold or rented to third parties.

7. Data Security

Technical and organizational measures are applied to protect your personal data against unauthorized access, loss, alteration, or disclosure: • Encrypted transmission via HTTPS/TLS. • Access restriction on a need-to-know basis. • Storage limitation and secure destruction after the retention period. • Prevention of form abuse via Google reCAPTCHA v3. • Selection of service providers with industry-standard security measures. No system is 100% secure; in the event of a data breach, notification will be made to the supervisory authority and, where required, to affected individuals under GDPR Articles 33-34.

8. Retention Periods

Data is deleted, destroyed, or anonymized when the purpose ceases or the legal retention period expires: • Contact and proposal records: Up to 3 years after the request is resolved; if it becomes a contract, for the applicable limitation period after contract termination. • Accounting/tax records: At least 5 years under Polish law. • Server access logs: Maximum 2 years. • Cookie preferences: Maximum 1 year or until updated. • Analytics data: Limited to GA4 retention settings; processing stops upon withdrawal of consent.

9. Your Rights (GDPR Art. 15-22)

As a data subject, you have the following rights: • Right of access (Art. 15). • Right to rectification (Art. 16). • Right to erasure / to be forgotten (Art. 17). • Right to restriction of processing (Art. 18). • Right to data portability (Art. 20). • Right to object (Art. 21) — particularly to processing based on legitimate interests. • Right not to be subject to solely automated decisions (Art. 22). • Right to withdraw consent at any time for consent-based processing (without affecting the lawfulness of processing before withdrawal). To exercise your rights, contact info@kordevoyazilim.com. Requests are generally free of charge and answered within one month under GDPR Art. 12.

10. Complaint to a Supervisory Authority

If you believe the processing of your data is unlawful, you have the right to lodge a complaint with the competent supervisory authority: • Poland / EU: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw — uodo.gov.pl. • Türkiye: Personal Data Protection Authority (KVKK) — kvkk.gov.tr (for Turkish visitors).

11. Children's Privacy

The website is not directed at individuals under the age of 16, and personal data of such individuals is not knowingly collected. If such a situation is discovered, the data is deleted immediately.

12. Policy Changes

This Privacy Policy may be updated in line with changes in legal regulations or data processing activities. The current version is always published at https://kordevoyazilim.com/gizlilik, and the "Last updated" date at the top of the page is revised accordingly.