Data controller identity and contact
The data controller (veri sorumlusu) responsible for the personal data described here is:
- Legal name: AGENTROF BİLİŞİM SİSTEMLERİ SANAYİ VE TİCARET LİMİTED ŞİRKETİ
- Address: Fatih Sultan Mehmet Mah., Balkan Cad. No:62/A, JustWork, Ümraniye, 34770 İstanbul, Türkiye
- Email: info@agentrof.com
- Website: agentrof.com
- MERSİS No: 0009200934700001
- Trade registry number: 1140769
We have not appointed a dedicated Data Protection Officer. For any question about this notice or your personal data, write to us at info@agentrof.com or by post to the address above.
What personal data we collect
We keep data collection to what the site needs. The categories are:
- Contact and enquiry details you submit. When you use our contact form, we collect your full name, email address, phone number, company name, your message, and your area of interest. In the IT marketplace flow only, we also record whether you are a buyer or a supplier (your role).
- Your IP address, for bot protection. To tell real people from automated bots, the form is protected by Cloudflare Turnstile, which processes your IP address at the moment of submission. Turnstile is designed to be privacy-preserving and largely cookieless.
- Cookieless, aggregate usage measurement. The site uses Cloudflare Web Analytics, which counts overall traffic (page views, referrers, approximate country, and device or browser type) without setting any cookie, fingerprinting your device, or identifying you. It processes request metadata, including your IP address, transiently at the edge to produce aggregate counts, and keeps only those aggregate statistics. Because it is cookieless and does not build profiles, it runs on our legitimate interest, separately from Google Analytics.
- Pseudonymous usage data, only after you consent. If, and only if, you accept analytics cookies, Google Analytics 4 collects pseudonymous data about your visit: pages viewed, approximate location, and device and browser type. No Google Analytics cookie is set, and no Google Analytics data is collected, before you opt in.
We do not ask for special categories of data (such as health, religion, or biometric data), and you should not include such data in your message.
Purposes of processing and the legal basis for each
We use each category of data for a specific purpose, and each purpose rests on a specific legal basis under the KVKK and, where the GDPR applies, under Article 6 of the GDPR.
| Purpose | Data used | KVKK basis | GDPR basis |
|---|---|---|---|
| Answering your enquiry and taking pre-contractual steps you ask for | Name, email, phone, company, message, area of interest, role | Art. 5/2: necessary for the establishment or performance of a contract (pre-contractual steps at your request), and our legitimate interest in responding to enquiries | Art. 6(1)(b) pre-contractual measures, and/or Art. 6(1)(f) legitimate interest |
| Protecting the form and site from bots and abuse | IP address via Cloudflare Turnstile | Legitimate interest in the security of our systems | Art. 6(1)(f) legitimate interest (security) |
| Measuring overall site traffic in aggregate, to understand, improve and secure the site | Aggregate, cookieless web analytics (Cloudflare Web Analytics) | Legitimate interest in understanding, improving and securing the site | Art. 6(1)(f) legitimate interest |
| Understanding how the site is used, to improve it | Pseudonymous analytics data (GA4) | Explicit consent (açık rıza) | Art. 6(1)(a) consent, with ePrivacy Art. 5(3) |
| Sending you optional marketing communications, if you separately ask for them | Name, email | Explicit consent (açık rıza) | Art. 6(1)(a) consent |
How we collect personal data
- Directly from you, when you fill in and submit the contact form.
- Automatically, for security, when Cloudflare Turnstile checks your submission and processes your IP address.
- Automatically and cookielessly, when Cloudflare Web Analytics counts your visit in aggregate at the edge, without any cookie or device identifier.
- Through cookies and similar technologies, including strictly necessary first-party cookies that remember your language and your cookie choice, and, only after you opt in, Google Analytics cookies. See our Cookie Policy for the full list.
Who receives your data
We do not sell your personal data. We share it only with the service providers (processors) that run parts of our site on our behalf, and only for the purposes above. Each acts on our instructions under a contract.
- Cloudflare, Inc. (United States): website hosting and content delivery, the Turnstile bot-protection check, and privacy-preserving web analytics.
- Airtable, Inc. (United States): stores the lead and contact records submitted through the form.
- Google (Google LLC) (United States): provides Google Analytics 4, used only after you consent.
We may also disclose data where the law requires it, for example to a competent public authority acting within its powers.
International data transfers
The providers above are based in the United States, so using the site involves transferring personal data outside Türkiye and outside the European Economic Area.
For transfers from Türkiye, we rely on the appropriate safeguards under KVKK Article 9, in particular the standard contract (standart sözleşme) approved by the Personal Data Protection Board, which we are putting in place with our providers. These standing transfers do not rely on the one-off explicit-consent exception.
For transfers from the European Economic Area to the United States, the safeguard depends on the provider:
- Cloudflare is certified under the EU-US Data Privacy Framework (DPF), with EU Standard Contractual Clauses (SCCs) as a fallback.
- Google is certified under the EU-US Data Privacy Framework (DPF).
- Airtable is not DPF-certified; transfers rely on EU Standard Contractual Clauses (SCCs).
The EU-US Data Privacy Framework rests on the European Commission's 2023 adequacy decision, which is valid and operational in 2026 but is currently under appeal before the Court of Justice of the European Union (the Latombe case). If that decision were invalidated, the DPF-based transfers would continue under the Standard Contractual Clauses instead.
How long we keep data
- Contact and lead records: kept for the duration of our relationship and for up to three years after our last contact, unless a longer period is required by law or you ask us to erase them sooner.
- Analytics data: retained in aggregate according to our Google Analytics settings, currently up to 14 months.
- Cloudflare Web Analytics: only aggregate statistics, with no cookie or individual identifier, kept by Cloudflare for a limited period.
- Consent records: kept for as long as needed to evidence the consent you gave and to meet our accountability obligations.
When a retention period ends, we delete or irreversibly anonymise the data.
Data security
We take reasonable technical and organisational measures to protect personal data against loss, misuse, and unauthorised access. Traffic to the site is encrypted in transit (HTTPS), access to the lead records is limited to people who need it, and the form is shielded by Cloudflare Turnstile against automated abuse. Our providers maintain their own recognised security programmes. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to keep our safeguards current.
Your rights
Under KVKK Article 11, you have the right to:
- learn whether your personal data is being processed;
- request information if your personal data has been processed;
- learn the purpose of the processing and whether your data is used in line with that purpose;
- know the third parties, in Türkiye or abroad, to whom your data is transferred;
- request correction of your data if it is incomplete or incorrectly processed;
- request erasure or destruction of your data within the conditions of Article 7;
- request that any correction, erasure, or destruction be notified to the third parties to whom your data was transferred;
- object to any result that arises against you solely from the automated analysis of your data;
- claim compensation for damage you suffer because your data was processed unlawfully.
If the GDPR applies to you (for example, you are in the European Economic Area or the United Kingdom), you also have the right to access your data, to have it rectified or erased, to restrict or object to its processing, to data portability, to withdraw any consent at any time without affecting processing already carried out, and to lodge a complaint with a supervisory authority.
How to exercise your rights
To make a request (başvuru), contact us in any of these ways:
- in writing, by post to our address above;
- through your registered electronic mail (KEP) address, if we have one on file;
- using a secure electronic signature or a mobile signature;
- from an email address you have previously registered with us;
- by writing to info@agentrof.com, which we accept as a practical first channel.
So that we can respond, please state your request clearly and give us enough detail to verify your identity. We will answer within 30 days of your request. If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Board (Kişisel Verileri Koruma Kurulu) in Türkiye. If the GDPR applies to you, you may also complain to the data protection supervisory authority in your country.
Automated decision-making
We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing or profiling. The bot check protecting the form assesses the submission, not you, and does not by itself decide anything about you.
Changes to this policy
We may update this notice as our site or the law changes. When we do, we will revise the date at the top of the page, and for material changes we will give clearer notice on the site. The current version is dated 1 July 2026.
Contact
For any question about this notice or your personal data, contact us at info@agentrof.com or by post at AGENTROF BİLİŞİM SİSTEMLERİ SANAYİ VE TİCARET LİMİTED ŞİRKETİ, Fatih Sultan Mehmet Mah., Balkan Cad. No:62/A, JustWork, Ümraniye, 34770 İstanbul, Türkiye.