Privacy Policy

Last Updated: March 2026

Effective Date: March 2026

1. Introduction

This Privacy Policy ("Policy") describes how TABA TASARIM İNŞAAT A.Ş. ("Company," "we," "us," "our," or "Extrais") collects, uses, processes, and protects your personal data when you use the Extrais Platform, including our website, mobile application, and related services.

This Policy is designed to comply with:

• General Data Protection Regulation (GDPR) (EU Regulation 2016/679)
• Turkish Data Protection Law (Law No. 6698)
• Turkish Personal Data Protection Authority (KVKK) regulations
• ePrivacy Directive (2002/58/EC, as amended)

Data Controller Information:

• Name: TABA TASARIM İNŞAAT A.Ş.
• Email: support@tabaglobal.com
• Address: Şehit Şakir Elkovan cad. No:3 Ataşehir Istanbul Türkiye
• Governing Law: Republic of Türkiye

2. Data We Collect

2.1 Information You Provide Directly

Account Registration Data

• Full name
• Email address
• Phone number
• Mailing address and country
• Business name and tax identification number (if applicable)
• Profile picture or avatar
• Professional qualifications and certifications
• Work history and portfolio information
• Payment method and banking details (processed via İyzico)

Project and Service Information

• Project descriptions and specifications
• Bid/proposal content
• Messages and communications with other users
• File uploads and attachments
• Delivery confirmations and project completion records
• Ratings and reviews submitted by or about you
• Dispute resolution submissions and evidence

Payment Information

• Credit card details (tokenized and processed by İyzico)
• Bank account information (if applicable)
• Payment transaction history
• Billing address
• Invoices and receipts

Communication Data

• Direct messages and chat history with other users
• Support tickets and correspondence with customer service
• Feedback, surveys, and user research responses
• Email notifications and preferences

Voluntary Information

• Professional background and expertise
• Languages spoken
• Time zone and availability
• Links to external profiles (LinkedIn, GitHub, etc.)
• Educational background

2.2 Information Collected Automatically

Technology and Usage Data

• IP address
• Device identifiers (MAC address, device ID)
• Browser type and version
• Operating system
• Device specifications (processor, memory, screen resolution)
• Referrer URL
• Pages visited and time spent on each page
• Links clicked
• Search queries
• Features used and functionality interactions
• Error logs and technical issues encountered
• Cookies and similar tracking technologies (see Section 2.4)

Analytics Data

• Session duration and frequency
• Feature adoption and usage patterns
• User flow and navigation paths
• Download and upload activity
• Search and filter behavior
• Project and proposal creation frequency
• Payment transaction frequency

Location Data

• Country from IP address
• GPS location (if you explicitly enable location services)
• Region/city derived from IP address

AI Processing Data

• Text inputs for AI freelancer services
• Output and results generated by AI systems
• Interaction patterns with AI tools
• Feedback on AI-generated content

2.3 Information from Third Parties

Payment Processor (İyzico)

• Payment status and transaction records
• Fraud detection information
• Identity verification data
• Payment method confirmation

Third-Party Integrations

• OpenRouter: AI model usage logs and API interactions
• Cloudflare: Security and bot detection data
• Resend: Email delivery status and engagement metrics
• Analytics providers: Usage patterns and behavior analysis

External Data Sources

• Background check providers (if identity verification is required)
• Public databases and business registries (for business verification)
• Credit reporting agencies (for financial assessment, where applicable)

Other Users

• Information provided in reviews and ratings
• Information in disputes or complaints about you
• Profile mentions and references

2.4 Cookies and Tracking Technologies

We use the following tracking technologies:

Essential Cookies

• Session management and authentication
• Security and fraud prevention
• Preference storage
• Platform functionality

Analytics Cookies

• User behavior analysis
• Feature usage tracking
• Performance monitoring
• Conversion tracking

Marketing Cookies

• Advertising effectiveness measurement
• Audience segmentation
• Remarketing campaigns
• Partner marketing programs

Third-Party Cookies

• Analytics services
• Advertising networks
• Social media platforms
• AI service providers

See our Cookie Policy for detailed information on cookie management.

3. Legal Basis for Processing

Under GDPR Article 6 and Turkish Data Protection Law, we process your personal data based on:

3.1 Contract Performance (Article 6(1)(b))

• Processing necessary to perform the Terms of Service
• Processing necessary to complete projects and process payments
• Processing necessary to provide the Platform's services

3.2 Legitimate Interests (Article 6(1)(f))

• Platform improvement and feature development
• User experience optimization
• Fraud prevention and security
• Business analytics and research
• Marketing and service promotion
• Legal compliance and dispute resolution
• Portfolio building for freelancers

3.3 Legal Obligation (Article 6(1)(c))

• Anti-money laundering (AML) compliance
• Know Your Customer (KYC) regulations
• Tax law compliance
• Child protection laws
• Law enforcement cooperation
• Financial regulations

3.4 Consent (Article 6(1)(a))

• Marketing communications and newsletters
• Behavioral analytics and tracking
• Non-essential cookies
• Additional data processing beyond contract necessity

3.5 Vital Interests (Article 6(1)(d))

• Protection of safety and health
• Prevention of crime or harm

4. How We Use Your Data

4.1 Service Delivery

• Creating and maintaining your Account
• Connecting clients with freelancers
• Processing payments and handling escrow
• Delivering project services and support
• Managing project communications
• Resolving disputes and complaints

4.2 Platform Operations

• Maintaining Platform security and preventing fraud
• Detecting and preventing unauthorized access
• Monitoring for policy violations
• Verifying user identity and business details
• Managing technical infrastructure

4.3 Communication

• Sending service notifications and updates
• Responding to user inquiries and support requests
• Notifying you of policy changes
• Sending transaction confirmations
• Project-related communications

4.4 Marketing and Business Development

• Sending promotional emails and newsletters (with consent)
• Displaying targeted advertisements
• Conducting user surveys and research
• Analyzing market trends
• Business analytics and reporting
• Growth initiatives and platform improvements

4.5 Analytics and Improvement

• Understanding user behavior and preferences
• Improving Platform functionality and user experience
• Optimizing service delivery
• Developing new features and services
• Training AI models (anonymized data only)
• Technical support and debugging

4.6 Legal and Compliance

• Complying with laws and regulations
• Responding to lawful requests from authorities
• Enforcing Terms of Service
• Protecting intellectual property rights
• Resolving disputes
• Maintaining audit trails and records

4.7 AI Freelancer Operations

• Processing inputs to AI systems
• Storing and analyzing AI-generated outputs
• Training and improving AI models
• Monitoring AI system performance
• Detecting AI system misuse

5. Data Processing and Recipients

5.1 Internal Processing

Within Extrais, your data may be accessed by:

• Customer Support Teams: To resolve issues and disputes
• Technical Teams: To maintain Platform infrastructure
• Finance Teams: To process payments and manage billing
• Compliance Teams: To ensure regulatory compliance
• Product Teams: For feature development and analysis

5.2 Third-Party Service Providers (Data Processors)

We share your data with the following third parties:

Payment Processing

• İyzico: Payment processor and escrow manager

- Data: Payment information, transaction history, identity verification - Purpose: Payment processing, fraud detection, compliance - Data Transfers: International transfer (compliant with GDPR mechanisms)

AI and Technology Services

• OpenRouter: AI model API and processing

- Data: Text inputs, project descriptions, user interactions - Purpose: AI service delivery, model improvement - Data Transfers: International transfer (compliant with GDPR mechanisms)

• Cloudflare: Security, DDoS protection, and content delivery

- Data: IP address, usage patterns, technical data - Purpose: Platform security, performance optimization - Data Transfers: International transfer (compliant with GDPR mechanisms)

Communication Services

• Resend: Transactional and marketing email delivery

- Data: Email address, communication content - Purpose: Email delivery and engagement tracking - Data Transfers: International transfer (compliant with GDPR mechanisms)

Analytics

• Analytics Providers (to be specified in implementation)

- Data: Usage patterns, behavioral data, device information - Purpose: Platform analytics and optimization - Data Transfers: International transfer (compliant with GDPR mechanisms)

5.3 Legal Disclosure

We may disclose your data to:

• Law enforcement and government agencies (when legally required)
• Courts and regulatory bodies (in response to legal process)
• Parties involved in Platform disputes (limited data, as necessary)
• Successors in merger, acquisition, or bankruptcy (subject to this Policy)

5.4 Data Sharing Restrictions

We do NOT sell, trade, or lease your personal data to third parties for commercial purposes. However, we may share:

• Aggregated, anonymized data for research and analytics
• Limited information in disputes (between the involved parties only)
• Profile information visible in your public profile
• Necessary information to service providers under confidentiality agreements

6. Data Processing Across Borders (GDPR Compliance)

6.1 International Data Transfers

The Extrais Platform operates internationally. Your data may be transferred to and processed in countries outside the EU/EEA, including Turkey and countries where our service providers operate.

6.2 Transfer Safeguards

For transfers to non-EEA countries, we rely on:

• Standard Contractual Clauses (SCCs): EU Commission-approved clauses in data processor agreements
• Adequacy Decisions: For countries with adequate data protection levels
• Privacy Shield/Binding Corporate Rules: Where applicable
• Explicit User Consent: For additional protections

6.3 Supplementary Measures

We implement additional safeguards for international transfers:

• Data minimization (only necessary data transferred)
• Encryption in transit and at rest
• Access controls and authentication
• Regular security assessments
• Compliance audits

7. Data Retention

7.1 Retention Periods by Data Type

Active Account Data

• Account Information: Retained while your Account is active
• Project Data: Retained for 7 years for legal compliance and dispute resolution
• Messages and Communications: Retained for 3 years after project completion
• Ratings and Reviews: Retained for the life of the Platform unless deleted by user

Financial Data

• Payment Records: Retained for 7 years (legal and tax requirements)
• Invoices and Receipts: Retained for 7 years
• Refund and Chargeback Records: Retained for 7 years

Security and Compliance Data

• Log Files and IP Addresses: Retained for 90 days
• Fraud Detection Data: Retained for 2 years
• Identity Verification Data: Retained for 3 years after account closure
• Dispute Records: Retained for 7 years

Marketing Data

• Email Lists and Preferences: Retained until you unsubscribe
• Analytics and Behavioral Data: Retained for 24 months
• Cookies: Retained for periods specified in Cookie Policy

AI Processing Data

• AI Training Data: Retained separately and anonymized within 6 months
• User Inputs to AI: Retained for 30 days unless used in AI training (with consent)
• AI Output Records: Retained for audit and compliance purposes

7.2 Deletion After Account Closure

When you close your Account:

• Identifiable personal data is deleted within 30 days
• Financial records are retained for 7 years (legal requirement)
• Project deliverables remain accessible to relevant parties
• You can request earlier deletion (with exceptions for legal obligations)

7.3 Data Minimization

We retain only data necessary for the purposes specified. Once purpose is fulfilled, data is:

• Anonymized (identifying information removed)
• Aggregated (combined with other data to prevent individual identification)
• Deleted securely (permanently and irreversibly)

8. Your Rights Under GDPR and Turkish Data Protection Law

8.1 Right of Access (Article 15 GDPR, Article 12 TDPL)

You have the right to:

• Request confirmation of whether we process your personal data
• Obtain a copy of your data in a commonly used electronic format
• Understand why your data is processed
• Learn who receives your data
• Know the retention period for your data

How to Exercise: Submit a written request to support@tabaglobal.com Response Time: Within 30 days (can be extended 60 days for complex requests)

8.2 Right of Rectification (Article 16 GDPR, Article 16 TDPL)

You have the right to:

• Correct inaccurate or incomplete personal data
• Update outdated information
• Supplement missing information
• Request correction of data processed unlawfully

How to Exercise: Use your Account settings to update information directly, or request assistance from support@tabaglobal.com Response Time: Without undue delay, typically within 30 days

8.3 Right to Erasure ("Right to be Forgotten") (Article 17 GDPR, Article 17 TDPL)

You have the right to request erasure of your personal data when:

• Data is no longer necessary for the purpose it was collected
• You withdraw consent (if processing was based on consent)
• You object to processing and no legitimate interest overrides
• Data has been processed unlawfully
• Erasure is required by law

Exceptions: We may retain data when:

• Data is necessary for legal compliance (financial records, tax documents)
• Disputes are ongoing or litigation is possible
• Data must be retained for platform security
• Data is necessary to establish, exercise, or defend legal claims

How to Exercise: Submit a written request to support@tabaglobal.com Response Time: Within 30 days

8.4 Right to Restrict Processing (Article 18 GDPR, Article 21 TDPL)

You have the right to restrict processing when:

• You contest the accuracy of your data
• Processing is unlawful but you request restriction instead of deletion
• The data is no longer needed for the purpose but you require it for a legal claim
• You object to processing and we assess our legitimate interest

During restriction, we will:

• Store your data but minimize processing
• Only process for legal reasons or with your consent
• Notify you before lifting restrictions
• Limit sharing to necessary parties

How to Exercise: Submit a written request to support@tabaglobal.com Response Time: Within 30 days

8.5 Right to Data Portability (Article 20 GDPR, Article 22 TDPL)

You have the right to:

• Receive your personal data in a structured, commonly used, machine-readable format (CSV, JSON, XML)
• Transmit your data to another service provider without hindrance
• Request direct transmission to another entity (where technically feasible)

Scope: Covers data you provided and data generated from your activities Exceptions: Does not cover data derived from analysis or AI processing; does not override IP rights

How to Exercise: Submit a written request to support@tabaglobal.com Response Time: Within 30 days

8.6 Right to Object (Article 21 GDPR, Article 21 TDPL)

You have the right to object to:

• Marketing Communications: Opt out of emails, notifications, and promotional messages
• Analytics and Tracking: Disable non-essential cookies and behavioral tracking
• Legitimate Interest Processing: Object when processing is not necessary for contract performance
• Direct Marketing: Including automated decision-making and profiling for marketing

Upon objection for direct marketing, we will cease processing immediately.

How to Exercise:

• Use unsubscribe links in emails
• Adjust privacy settings in your Account
• Submit a written request to support@tabaglobal.com

Response Time: Without undue delay, typically within 10 days

8.7 Right Against Automated Decision-Making and Profiling (Article 22 GDPR, Article 8 TDPL)

You have the right to:

• Know when decisions affecting you are made by automated means
• Request human review of automated decisions
• Express your point of view and challenge the decision
• Request explanation of the logic, significance, and consequences of automated processing

Exceptions: Automated decisions may be used when:

• Necessary for contract performance (project recommendations, fraud detection)
• Required by law
• You explicitly consent

How to Exercise: Submit a written request to support@tabaglobal.com Response Time: Within 30 days

8.8 Right to Withdraw Consent (Article 7 GDPR, Article 6 TDPL)

For data processing based on consent:

• You may withdraw consent at any time
• Withdrawal does not affect lawfulness of prior processing
• Processing must cease after withdrawal (unless another legal basis applies)

How to Exercise: Submit a written request to support@tabaglobal.com or disable consent in privacy settings Response Time: Immediate cessation of consent-based processing

9. Data Protection Officer and GDPR Compliance

9.1 Data Protection Officer Contact

For GDPR-related inquiries and data protection requests:

• Email: support@tabaglobal.com
• Address: Şehit Şakir Elkovan cad. No:3 Ataşehir Istanbul Türkiye
• Response Time: Within 3 business days

9.2 Data Protection Impact Assessment (DPIA)

We conduct Data Protection Impact Assessments for:

• New processing activities with high risk
• Large-scale data collection or processing
• Use of new technologies (including AI)
• Processing of sensitive or special data categories

9.3 Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all third-party processors, ensuring:

• Clear definition of processing scope and purposes
• Confidentiality and security obligations
• Sub-processor notification and approval
• Data subject rights assistance
• Audit and inspection rights

9.4 Breach Notification

In case of a personal data breach, we will:

• Assess the breach within 72 hours
• Notify affected individuals without undue delay (if high risk)
• Notify regulatory authorities within 72 hours (if required by law)
• Document and investigate the breach
• Implement corrective measures
• Provide breach details and recommended actions

Notification will include:

• Nature of the breach
• Categories and approximate number of affected individuals
• Likely consequences
• Measures taken or proposed to address the breach

10. Special Categories of Data

10.1 Sensitive Data Restrictions

We do NOT intentionally collect Special Category Data (Articles 9 GDPR, Article 6 TDPL):

• Race or ethnicity
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic or biometric data
• Health information
• Sex life or sexual orientation
• Criminal convictions or offenses

Exception: If you voluntarily provide sensitive data (e.g., in project descriptions or communications):

• We minimize collection and processing
• We process only with your explicit consent or if necessary for legal reasons
• We limit access to necessary personnel only
• We delete when no longer needed

10.2 Children's Data

• Extrais is not intended for individuals under 18 years old
• We do not knowingly collect data from children
• If we discover child data has been collected, we delete it immediately
• Parents/guardians may request deletion of child data

11. Security Measures

11.1 Technical Safeguards

• Encryption: TLS/SSL encryption for data in transit; AES encryption for data at rest
• Access Controls: Role-based access control (RBAC) with least privilege principle
• Authentication: Multi-factor authentication (MFA) for Account access
• Monitoring: Real-time monitoring for unauthorized access attempts
• Intrusion Detection: Automated detection and response systems
• Firewall Protection: Advanced firewalls and DDoS protection via Cloudflare

11.2 Organizational Safeguards

• Staff Training: Annual data protection and security training for all employees
• Confidentiality Agreements: All staff sign confidentiality and data protection clauses
• Background Checks: For employees with data access
• Vendor Management: Security assessments of all third-party vendors
• Incident Response: Documented procedures for data breaches and security incidents

11.3 Physical Safeguards

• Data Centers: Secure data centers with restricted physical access
• Backup Systems: Regular backups with redundancy and disaster recovery
• Environmental Controls: Climate control, fire suppression, flood protection
• Access Logging: All physical data access logged and monitored

11.4 Security Limitations

Despite our efforts, no security is absolute. You acknowledge that:

• Security measures may be subject to compromise
• Unauthorized access is possible despite precautions
• Transmission over the internet carries inherent risks
• You are responsible for maintaining Account security (strong passwords, MFA, secure devices)

12. Marketing Communications and Preferences

12.1 Types of Communications

You may receive:

• Transactional Emails: Order confirmations, payment receipts, project notifications (cannot be opted out of as they're service-essential)
• Service Updates: Platform changes, new features, maintenance notices
• Marketing Emails: Promotional offers, newsletters, feature announcements
• Personalized Recommendations: Project suggestions based on your profile and activity

12.2 Marketing Preferences

You can manage communication preferences:

• Email Unsubscribe: Click "Unsubscribe" in any marketing email
• Account Settings: Adjust notification and marketing preferences in your dashboard
• Cookie Preferences: Disable marketing cookies (see Cookie Policy)
• Do Not Track (DNT): Enable browser DNT signal (we respect DNT preferences)

12.3 Marketing Consent

For EU residents:

• Marketing emails require explicit opt-in consent
• You can withdraw consent at any time
• Withdrawal is immediate; processing of additional emails ceases
• Non-marketing service emails continue unless you close your Account

12.4 Targeted Advertising

We use targeting for online advertising:

• Behavioral Targeting: Based on your activity on our Platform
• Remarketing: Displaying ads to users who visited but didn't convert
• Lookalike Audiences: Showing ads to users similar to existing customers
• Partner Targeting: Working with advertising partners to reach relevant users

You can:

• Disable targeting by managing cookie preferences
• Opt out via advertising network links
• Use browser privacy settings or privacy tools

13. Your Responsibilities

13.1 Account Security

You are responsible for:

• Maintaining confidentiality of your password
• Protecting your login credentials
• Notifying us of unauthorized access
• Logging out when using shared devices
• Using strong, unique passwords
• Enabling multi-factor authentication
• Keeping contact information current

13.2 Data Accuracy

• You must provide accurate and complete information
• You must update information when it changes
• You are responsible for consequences of inaccurate data
• Fraudulent information may result in Account termination

13.3 Compliance with Laws

• You must comply with applicable data protection laws
• You must not use the Platform for illegal purposes
• You acknowledge data processing outside the EU/EEA
• You must obtain consent from others before providing their data

14. Data Retention and Deletion

14.1 Request Deletion

You may request deletion of specific data:

• Non-financial, non-legal data can generally be deleted
• Financial records are retained for 7 years (legal requirement)
• Project data is retained for dispute resolution (3-7 years depending on circumstances)
• You can delete account and profile data anytime

14.2 Deletion Process

1. Submit deletion request to support@tabaglobal.com
2. We verify your identity and authority
3. We assess for legal obligations or disputes
4. We delete data (or anonymize where deletion isn't possible)
5. We confirm deletion and provide documentation

14.3 Anonymization

Instead of deletion, we may anonymize data:

• Removing identifying information
• Aggregating data
• Making it impossible to link to your identity
• Retaining for analytics and improvement purposes

15. Policy Updates

15.1 Changes to This Policy

We may update this Policy periodically:

• Material Changes: We provide 30 days' notice via email or Platform notification
• Non-Material Changes: Effective immediately upon posting
• Your Rights: You may terminate your Account if you disagree with changes
• Continued Use: Using the Platform after notice constitutes acceptance of changes

15.2 Policy Version History

We maintain version history on our legal documents page, with:

• Effective date of each version
• Summary of changes
• Links to previous versions

16. Complaints and Escalation

16.1 Filing a Complaint

If you believe your data protection rights have been violated:

First: Contact us at support@tabaglobal.com with:

• Description of the issue
• Data and circumstances involved
• What resolution you seek
• Supporting documentation

Response: We will respond within 30 days with:

• Explanation of our position
• Actions taken or proposed
• Your available options

16.2 Data Protection Authority Complaints

If you are not satisfied with our response, you have the right to lodge a complaint with:

Turkish Data Protection Authority (KVKK):

• Website: www.kvkk.gov.tr
• Address: Istanbul Turkey
• Process: Submit complaint form with documentation

European Data Protection Board (For EU residents):

• Member State: Your country of residence or workplace
• Contact: Your country's national Data Protection Authority
• Process: Submit complaint through your national authority

16.3 Judicial Remedies

You may also pursue:

• Civil court litigation for damages
• Injunctive relief for ongoing violations
• Administrative remedies through regulatory authorities
• Other remedies available under applicable law

17. Contact Information

17.1 For Data Protection Matters

• Email: support@tabaglobal.com
• Address: Şehit Şakir Elkovan cad. No:3 Ataşehir Istanbul Türkiye
• Response Time: Within 3 business days

17.2 For Other Inquiries

Use our standard support channels through your Account dashboard.

18. Integration with Other Policies

This Privacy Policy works in conjunction with:

• Terms of Service: Governs your use of the Platform
• Cookie Policy: Detailed information on cookies and tracking
• Acceptable Use Policy: Rules for content and conduct
• Dispute Resolution Policy: Process for resolving data-related disputes

In case of conflict, the more protective provision applies.

We are committed to protecting your privacy and ensuring transparency in our data practices. Thank you for trusting Extrais with your data.

Last Updated: March 19, 2026