Cookie Policy

Last Updated: March 2026

Effective Date: March 2026

1. Introduction

This Cookie Policy ("Policy") explains how TABA TASARIM İNŞAAT A.Ş. ("Company," "we," "us," "our," or "Extrais") uses cookies and similar tracking technologies on the Extrais Platform, including our website and mobile application.

This Policy complies with:

• GDPR (Regulation 2016/679)
• ePrivacy Directive (2002/58/EC)
• Turkish Electronic Commerce Law (Law No. 6563)
• Cookie Consent Requirements

Contact Information:

• Email: support@tabaglobal.com
• Address: Şehit Şakir Elkovan cad. No:3 Ataşehir Istanbul Türkiye

2. What Are Cookies?

2.1 Definition

Cookies are small text files stored on your device (computer, tablet, or mobile phone) when you visit a website or use an application. Cookies contain:

• A unique identifier
• Information about your preferences
• Data about your browsing behavior
• Session information

2.2 Cookie Types by Duration

Session Cookies

• Automatically deleted when you close your browser
• Used for temporary session management
• Do not persist on your device

Persistent Cookies

• Remain on your device for a specified duration
• Continue to work across multiple sessions
• Enable "remember me" functionality

2.3 Similar Tracking Technologies

Beyond cookies, we use:

• Local Storage: Browser storage similar to cookies but with larger capacity
• Session Storage: Temporary storage during your session
• Web Beacons (Pixels): Invisible tracking images that measure activity
• Mobile Ad IDs: Device identifiers for mobile app tracking
• SDK Tracking: Software libraries that track mobile app usage

3. Cookies We Use

3.1 Essential/Necessary Cookies (Always Active)

These cookies are essential for the Platform to function. They enable:

• Core functionality and session management
• Authentication and login systems
• Security and fraud prevention
• Account preference preservation
• Payment processing

Cookie Examples:

| Cookie Name | Purpose | Duration | Provider | |---|---|---|---| | extrais_session_id | Session management | Session | Extrais | | auth_token | User authentication | Persistent (30 days) | Extrais | | csrf_token | Cross-site request forgery protection | Session | Extrais | | user_preferences | Stored user settings | 1 year | Extrais | | payment_token | Payment processing | Session | İyzico | | security_flag | Security verification | Session | Cloudflare |

Legal Basis: Contract performance (GDPR Article 6(1)(b)); Necessary for Platform operation Opt-out: Cannot be disabled; Platform will not function without these cookies

3.2 Performance/Analytics Cookies (Opt-in)

These cookies help us understand how you use the Platform:

• Measuring page performance and load times
• Identifying errors and technical issues
• Understanding feature usage patterns
• Analyzing user journey and navigation
• Measuring conversion rates

Cookie Examples:

| Cookie Name | Purpose | Duration | Provider | |---|---|---|---| | ga_session | Google Analytics session | Session | Google Analytics | | _ga | User identification | 2 years | Google Analytics | | _gat | Request throttling | 1 minute | Google Analytics | | intercom_hash | User identification | 1 year | Intercom (support) | | hotjar_id | Session recording ID | 365 days | Hotjar | | amplitude_id | Event tracking | Persistent | Amplitude |

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)); Platform improvement Opt-in Required: Yes, for EU/EEA users

3.3 Marketing/Advertising Cookies (Opt-in)

These cookies enable personalized advertising and marketing:

• Displaying relevant ads based on your interests
• Tracking ad campaign performance
• Retargeting users who visited but didn't convert
• Building audience profiles for advertising
• Measuring ROI on advertising spend

Cookie Examples:

| Cookie Name | Purpose | Duration | Provider | |---|---|---|---| | fb_pixel | Facebook tracking and retargeting | Session | Facebook | | _fbp | Facebook audience building | 3 months | Facebook | | goog_id | Google advertising ID | Session | Google Ads | | li_sugr | LinkedIn audience segmentation | 90 days | LinkedIn | | uetq | Microsoft Bing tracking | Persistent | Microsoft Bing | | ttclid | TikTok conversion tracking | Session | TikTok | | pinterest_id | Pinterest audience building | 1 year | Pinterest |

Legal Basis: Consent (GDPR Article 6(1)(a)) Opt-in Required: Yes, explicit consent required

3.4 Preference/Functional Cookies (Opt-in)

These cookies remember your choices and preferences:

• Language and region preferences
• Theme preferences (dark mode, light mode)
• Notification preferences
• Default settings and filters
• Saved search filters and sorting preferences

Legal Basis: Consent or legitimate interest Opt-in Required: User preference

3.5 Third-Party Cookies

Our partners may set their own cookies:

Payment Processor (İyzico)

• Purpose: Payment processing and fraud detection
• Cookies: Payment-related session and security cookies
• Retention: Session-based

Security Provider (Cloudflare)

• Purpose: DDoS protection, security scanning, analytics
• Cookies: Security tokens, bot detection
• Retention: Based on Cloudflare's policy

AI Service (OpenRouter)

• Purpose: API usage tracking and rate limiting
• Cookies: Session and authentication tokens
• Retention: Session-based

Email Service (Resend)

• Purpose: Email tracking and engagement metrics
• Cookies: Email open/click tracking pixels
• Retention: Based on email tracking requirements

Analytics (Google Analytics, Hotjar, Amplitude)

• Purpose: User behavior analysis and session recording
• Cookies: User ID, session ID, event tracking
• Retention: Varies by service (2 years typical)

Advertising Networks

• Purpose: Ad delivery, targeting, and retargeting
• Platforms: Facebook, Google Ads, LinkedIn, Microsoft, TikTok, Pinterest
• Retention: Varies by platform (90 days to 1+ year)

4. Cookie Consent and Management

4.1 Consent Mechanism

For EU/EEA Users:

When you first visit the Extrais Platform, you will see a cookie consent banner with options to:

• Accept All: Accept all cookies, including marketing and analytics
• Reject Non-Essential: Accept only essential cookies
• Manage Preferences: Access detailed cookie settings
• Learn More: Link to this Cookie Policy

4.2 Consent Documentation

Your cookie preferences are:

• Stored securely in your Account
• Associated with your user profile
• Retained for as long as your Account is active
• Updated whenever you change your preferences

4.3 Withdrawing Consent

You can withdraw cookie consent at any time:

In Your Account:

1. Go to Settings → Privacy & Cookies
2. Adjust your cookie preferences
3. Save changes

Via Email:

• Send request to support@tabaglobal.com with "Cookie Preference Update" in subject
• Specify which cookies to accept/reject
• Changes processed within 3 business days

Browser Controls:

• Use browser settings to delete cookies
• Disable cookies entirely (may affect Platform functionality)
• Use private/incognito browsing to avoid persistent cookies

4.4 Cookie Settings by Region

EU/EEA Users

• Opt-in required for non-essential cookies
• Explicit consent required for marketing and analytics
• Right to withdraw consent at any time
• Easy opt-out mechanisms provided

Non-EU Users

• Essential cookies active by default
• Non-essential cookies active with implied consent
• Can opt-out through privacy settings
• No explicit consent required

Turkish Users (KVKK Compliance)

• Informed consent required for tracking technologies
• Right to object to data processing
• Can request tracking data deletion
• Data retained only as necessary

5. How to Control Cookies

5.1 Browser-Level Controls

Google Chrome

1. Click menu icon (three dots)
2. Select Settings → Privacy and security
3. Click Cookies and other site data
4. Choose your preference: All, Third-party, or None

Mozilla Firefox

1. Click menu icon (hamburger)
2. Select Settings → Privacy & Security
3. Under Cookies and Site Data, choose: All, Third-party, or None

Apple Safari

1. Click Safari menu
2. Select Preferences → Privacy
3. Under Cookies and website data, choose your preference
4. Select "Always Block" to disable cookies

Microsoft Edge

1. Click menu icon (three dots)
2. Select Settings → Privacy, search, and services
3. Under Cookies and other site data, choose your preference

5.2 Blocking Specific Cookies

You can block cookies from specific websites:

Chrome: Settings → Privacy → Site Settings → Cookies → Blocked sites Firefox: Preferences → Privacy → Exceptions Safari: Preferences → Privacy → Manage Website Data Edge: Settings → Privacy → Manage exceptions

5.3 Clearing Cookies

To delete all cookies from your browser:

Chrome: Settings → Privacy and security → Clear browsing data → Cookies Firefox: Settings → Privacy & Security → Cookies and Site Data → Clear Data Safari: Preferences → Privacy → Manage Website Data → Remove All Edge: Settings → Privacy → Clear browsing data → Cookies and other site data

5.4 Third-Party Cookie Management

Opt out of tracking by third-party advertisers:

• Google: Visit Google Ads Settings at www.google.com/settings/ads
• Facebook: Go to www.facebook.com/ads/preferences
• LinkedIn: Visit LinkedIn ad preferences
• IAB Transparency and Consent Framework: Visit www.youronlinechoices.eu

5.5 Browser Privacy Tools

Use browser privacy settings or third-party tools:

• Do Not Track (DNT): Enable in browser settings; we honor DNT signals
• Privacy Extensions: uBlock Origin, Privacy Badger, Ghostery
• VPN Services: Hide IP address and encrypt connection
• Incognito/Private Mode: No persistent cookies during session

6. Mobile App Cookies and Tracking

6.1 Mobile App Cookies

Mobile applications use similar technologies:

• App Storage: Similar to browser cookies but specific to app
• Ad IDs: Device identifiers for ad tracking (IDFA, AAID)
• SDK Tracking: Software libraries integrated in app

6.2 Mobile App Tracking

The Extrais mobile app uses:

• Firebase Analytics: User behavior and app performance
• Mixpanel: Event tracking and funnel analysis
• Adjust/AppsFlyer: App installation and campaign attribution
• Mobile Ad Networks: Ad impressions and clicks

6.3 Controlling Mobile App Tracking

iOS:

1. Settings → Privacy → Apple Advertising
2. Disable "Personalized Ads"
3. Reset "Advertising ID" to limit tracking

Android:

1. Settings → Google → Manage your Google Account
2. Go to Data & Privacy
3. Scroll to "Ad settings"
4. Turn off "Personalized advertising"

7. Specific Tracking Technologies

7.1 Web Beacons (Pixels)

We use web beacons (invisible tracking images) for:

• Measuring email open rates
• Tracking clicks in marketing emails
• Measuring ad impressions
• Analyzing user interactions

Pixel Providers:

• Email Tracking: Resend, HubSpot
• Ad Tracking: Facebook, Google, LinkedIn
• Analytics: Google Analytics, Hotjar

7.2 Session Replay Technology

We use Hotjar for session replay:

• What It Records: Cursor movements, clicks, scrolling, form inputs
• What It Doesn't Record: Text in password fields, input fields marked as private
• Privacy: Data encrypted and anonymized where possible
• Opt-out: Disable in cookie preferences; contact support@tabaglobal.com

7.3 Cross-Domain Tracking

We track users across:

• Multiple subdomains of extrais.com
• Extrais website and mobile app
• Email click-throughs to website
• Ad platforms back to our website

This enables:

• Comprehensive user journeys
• Campaign attribution
• Personalization across properties

7.4 Retargeting and Remarketing

We show ads to users who:

• Visited our Platform but didn't sign up
• Visited specific project pages
• Added items but didn't purchase
• Left projects unfinished

Retargeting Platforms:

• Google Ads
• Facebook/Instagram
• LinkedIn
• TikTok
• Pinterest

You can opt out through platform ad preferences or our cookie settings.

8. Legal Basis for Cookies

8.1 GDPR Compliance

Under GDPR, we use cookies on these legal bases:

Article 6(1)(b) - Contract Performance

• Essential cookies necessary for Platform operation
• Payment processing cookies
• Security cookies

Article 6(1)(f) - Legitimate Interest

• Performance and analytics cookies (Platform improvement)
• Preference cookies (user experience)
• Security monitoring cookies

Article 6(1)(a) - Consent

• Marketing and advertising cookies
• Advanced analytics and session recording
• Third-party advertising pixels
• Behavioral profiling

8.2 ePrivacy Directive Compliance

Under the ePrivacy Directive, we:

• Obtain prior informed consent for all cookies (except essential)
• Provide clear opt-out mechanisms
• Honor browser Do Not Track (DNT) signals
• Respect user privacy preferences
• Allow easy withdrawal of consent

9. Third-Party Services and Their Cookies

9.1 Google Analytics

• Purpose: User behavior analysis, traffic sources, conversion tracking
• Data Collected: Pages visited, time spent, device type, referrer
• Retention: 26 months (customizable)
• Opt-out: Google Analytics Opt-out Browser Add-on
• Privacy: Subject to Google's Privacy Policy

9.2 Hotjar

• Purpose: Session recording, heatmaps, user feedback
• Data Collected: Cursor movements, clicks, form interactions, page recordings
• Retention: 90 days
• Opt-out: Hotjar opt-out page or our cookie preferences
• Privacy: Subject to Hotjar's Privacy Policy

9.3 Facebook Pixel

• Purpose: Ad delivery, retargeting, audience building
• Data Collected: Page visits, purchases, user events, device ID
• Retention: 90 days
• Opt-out: Facebook ad preferences
• Privacy: Subject to Facebook's Data Policy

9.4 LinkedIn Insight Tag

• Purpose: Ad campaign tracking, audience segmentation
• Data Collected: Page visits, job titles, company information
• Retention: 90 days
• Opt-out: LinkedIn ad preferences
• Privacy: Subject to LinkedIn's Privacy Policy

9.5 Other Third-Party Services

Google Ads, Microsoft Bing, TikTok, Pinterest, and other advertising networks each set cookies for tracking and ad delivery. Each is subject to that service's privacy policy and opt-out procedures.

10. Updates to Cookie Usage

10.1 Policy Changes

We may update this Cookie Policy:

• Material Changes: 30 days' notice via email or Platform notification
• Non-Material Changes: Effective immediately
• New Cookies: Will be added to the cookie list and disclosed to users

10.2 Cookie List Updates

We maintain an updated list of cookies currently used on the Platform. The list may change based on:

• New features and analytics
• Third-party integrations
• Security enhancements
• Testing and experimentation

11. Children's Privacy and Cookies

• Extrais is not intended for children under 13
• We do not knowingly set cookies for children
• If we discover child usage, we disable tracking
• Parents/guardians can request cookie deletion

12. Contact and Support

12.1 Cookie-Related Questions

For questions or concerns about cookies:

• Email: support@tabaglobal.com
• Subject: "Cookie Policy Question"
• Response Time: Within 3 business days

12.2 Cookie Preference Updates

To update your cookie preferences:

1. Log into your Account
2. Go to Settings → Privacy & Cookies
3. Adjust selections
4. Save changes

Changes take effect immediately.

13. International Cookie Standards

13.1 IAB Europe Transparency and Consent Framework (TCF)

For EU/EEA users, we participate in IAB Europe's TCF:

• Transparent disclosure of cookie purposes
• Consent management through approved vendors
• User control over each purpose and vendor
• Compliance with GDPR consent requirements

13.2 Global Privacy Control (GPC)

We honor the Global Privacy Control signal:

• GPC signal received and respected
• Treated as consent withdrawal for non-essential cookies
• No retargeting or selling of data when GPC active

14. Cookie Security

14.1 Secure Transmission

All cookies are transmitted over:

• HTTPS/TLS Encryption: Protects cookies in transit
• Secure Flag: Prevents access via unencrypted HTTP
• HttpOnly Flag: Prevents access by JavaScript (XSS protection)
• SameSite Attribute: Prevents cross-site request forgery

14.2 Data Protection

Cookies containing sensitive data:

• Are encrypted in storage
• Have short expiration times
• Are invalidated on logout
• Cannot be accessed by unauthorized parties

15. Related Policies

This Cookie Policy is part of our privacy framework:

• Privacy Policy: Comprehensive data protection and GDPR compliance
• Terms of Service: General terms governing Platform use
• Acceptable Use Policy: Rules for user conduct

We are committed to transparency in our use of cookies and respect for your privacy. Thank you for visiting Extrais.

Last Updated: March 19, 2026