PRIVACY POLICY AND DATA PROCESSING AGREEMENT (GDPR/KVKK)
Last Updated: March 8, 2026
Data Controller: Fatih Gündoğan
Location: Istanbul, Türkiye
Contact Email: gundoganfa@gmail.com
Application Name: Quotation Pipeline Application (hereinafter referred to as the "Application" or "Platform")
1. INTRODUCTION AND SCOPE
This comprehensive Privacy Policy and Data Processing Agreement governs the collection, processing, storage, protection, and destruction of personal and commercial data of all visitors, registered users, and clients (hereinafter referred to as the "User" or "Data Subject") utilizing the Quotation Pipeline Application infrastructure.
In order to ensure full compliance with current national and international data protection legislation, primarily the European Union General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law No. 6698 (KVKK), our data processing activities are explained transparently and in detail below. By registering and accepting this Policy during the account creation process, you acknowledge that you have read and understood the terms described in this Privacy Policy. Where required by law, we will obtain your explicit consent before processing personal data for purposes beyond those described in this Policy.
2. DATA CATEGORIES AND METHOD OF COLLECTION
Method of Collection: Data is collected automatically via Google OAuth 2.0 integration during sign-up, manually via explicit user inputs within the Application's forms, and automatically via system and security logs.
Due to the nature of the quotation management and sales pipeline services it provides, our Platform collects the following data categories, adhering strictly to the principle of data minimization:
Identity and Contact Data: Name, surname, email address, and (if available) profile picture provided during integration via Google Authenticator (OAuth 2.0).
Client and Account Data: Titles of third-party companies to whom quotations are submitted, and where voluntarily entered by the User, names of relevant contact persons, email addresses, and phone numbers.
Sales and Financial (Quotation) Data: Product names, unit prices, discount rates, total quotation amounts, quotation statuses, and pipeline stage information entered into the system to manage the sales process.
Transaction Security and Audit Log Data: IP addresses, browser information (User-Agent), operating system details, login/logout timestamps, and technical records of data creation/update/deletion actions.
3. PURPOSES AND LEGAL BASIS FOR PROCESSING
The collected data is processed strictly for specific, explicit, and legitimate purposes. Our legal bases under GDPR Article 6 and KVKK Article 5 are as follows:
Performance of a Contract (Article 6(1)(b)): Providing the Application's services seamlessly, generating and calculating quotations, and managing the sales pipeline.
Legitimate Interests (Article 6(1)(f)): Ensuring system security, debugging, optimizing performance, and improving service quality.
Legal Obligation (Article 6(1)(c)): Responding to legal requests from authorized public institutions and meeting information security standards.
Explicit Consent (Article 6(1)(a)): Communicating with users, setting non-essential cookies, or transferring data across borders.
4. DATA RETENTION AND DESTRUCTION POLICY
Your personal and commercial data is retained in our systems for the duration required by the processing purposes or until the legal retention periods prescribed by relevant legislation expire.
Account Deletion and 30-Day Grace Period: CRM and quotation data are retained as long as your account remains active. Upon submitting a "Delete My Data" request, your account and associated data will be immediately suspended and marked for deletion. To prevent accidental data loss, these records are securely retained in a frozen state for a grace period of 30 days, during which they can be recovered by the system administrator upon your request. After exactly 30 days, all your account and quotation data will be permanently and irreversibly destroyed (Hard Delete).
Audit Logs: System and security records (such as login/logout timestamps and IP addresses) collected for accountability are automatically and permanently destroyed via algorithms exactly 180 days after their creation date. These logs cannot be deleted prior to the 180-day period, even if an account deletion request is submitted, due to legal and security obligations.
5. DATA TRANSFER AND THIRD-PARTY SHARING
Your quotation data is confidential. The Data Controller will not, under any circumstances, sell, rent, or transfer any personal data or financial information belonging to Users to advertising agencies or data brokers.
5.1. International Data Transfers & Server Location
The Application is accessible globally. The data is stored on EU-based server infrastructure (Hostinger VPS, Paris, France). Users accessing the Application from outside the European Economic Area (EEA) are informed that their data may be transferred to and processed within the EU. The Data Controller operates from Turkey and processes data in compliance with both GDPR and KVKK obligations. By registering and accepting this Policy, you explicitly consent to the cross-border transfer and hosting of your data in the aforementioned locations.
5.2. Google API Services User Data Policy Compliance
The Application's use and transfer to any other app of information received from Google APIs will strictly adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to develop, improve, or train generalized AI and/or machine learning models.
6. DATA SECURITY AND TECHNICAL MEASURES
Our system is built upon the "Privacy by Design" principle. The core security measures include:
Encryption: All data transmissions over the internet are end-to-end encrypted using industry-standard SSL/TLS (HTTPS) protocols.
Access Control: The database server is completely closed to public internet access and is protected by firewalls configured to accept authorized requests only from the application server.
Cookies: The Application strictly uses essential session cookies required for secure authentication. By using the Application, you consent to these strictly necessary operational cookies.
Data Breach Notification: In the highly unlikely event of a data breach, the Data Controller will notify the relevant data protection authorities and affected users within 72 hours of becoming aware of the incident, in compliance with GDPR and KVKK requirements.
7. RIGHTS OF THE DATA SUBJECT
In accordance with GDPR Chapter 3 and KVKK Article 11, all our users may exercise the following rights at any time:
Right of Access: The right to learn what personal data concerning you is being processed.
Right to Rectification: The right to request the correction of incomplete or inaccurately processed data.
Right to Erasure (Right to be Forgotten): The right to permanently delete your account and all quotation history via the "Account Settings" or "My Data" tab.
Right to Data Portability: The right to request that your self-generated CRM data be delivered to you in a structured, machine-readable format (e.g., JSON).
Right to Object and Restrict: The right to object to the processing of your data under legitimate interests.
8. SERVICE CONTINUITY, TERMINATION, AND LIMITATION OF LIABILITY
The Application is provided on an "as-is" and "as-available" basis. The Data Controller reserves the right to modify, suspend, restrict, or permanently terminate the operation of the Application at any time, for any reason, at their sole discretion.
In the event of a permanent shutdown or service discontinuation, while reasonable efforts may be made to notify active users to export their data, the Data Controller bears no legal, commercial, or financial liability for the loss, deletion, or inaccessibility of any CRM, quotation, or account data. Users are strongly advised and encouraged to regularly utilize the Application's "Data Portability" (e.g., JSON export) features to back up their critical business records locally. By actively using the Platform, you acknowledge that you understand and explicitly accept the risk of potential data loss upon service termination.
9. UPDATES AND CONTACT
This Privacy Policy may be updated in line with legal requirements or new features added to our system. In the event of significant changes, users will be notified via in-app notifications or email. To exercise your rights stated above, you can always reach me as the Data Controller via the following channel:
Contact Email: gundoganfa@gmail.com
USER EXPLICIT CONSENT DECLARATION:
I declare that I have read and understood the Comprehensive Privacy Policy and Data Processing Agreement presented above; and I freely and explicitly consent to the processing of the data I enter into the Quotation Pipeline Application (Google Auth information, quotation details, and log records) within the stated conditions, purposes, and 180-day retention periods, and to its cross-border transfer and hosting on the Hostinger infrastructure in France.