To put it briefly.
We do not track you, we do not sell your data, and every piece of information we collect has a clear reason. That is all.
At Graffe Bagno we process your personal data only to fulfil your order, manage your account, meet our legal obligations and — only if you have consented — to share our news with you. The 10 sections below are the “long version”.
Who looks after you?
Under KVKK, the data controller is our company:
- Graffe Bagno Tasarım ve Ticaret A.Ş.
- MERSIS: 0404-0987-6543-2100
- Address: [Legal headquarters address], Istanbul
- KVKK contact: kvkk@graffe.bagno · +90 216 398 47 64
We are registered with the KVKK Data Controllers Registry (VERBIS). You may request our registration number from kvkk@graffe.bagno.
What do we collect?
Only as much as is needed to do our job. The table below summarises what data is collected at each stage of a customer’s life cycle.
| Stage | Data collected | Required? |
|---|---|---|
| Site browsing | IP address, browser information, pages viewed | Yes (technical) |
| Newsletter signup | Email, name (optional) | Consent |
| Account creation | Full name, email, phone, password | Yes |
| Order | Address, invoice information, payment (token) | Yes |
| Customer support | Correspondence content, call recording | Yes |
| Showroom visit | Name, email, appointment detail | Consent |
About payment information
We never store credit card details on our servers. Payments are made through our PCI-DSS Level 1 certified payment provider; on our system only the last 4 digits of the card number and a token are kept.
Why do we process?
- Performance of the contract — preparing your order, shipping it, accepting its return.
- Legal obligation — e-invoice, tax records, financial legislation.
- Legitimate interest — fraud prevention, site security, service improvement.
- Explicit consent — newsletter, marketing communication, personalised recommendations.
Any processing based on explicit consent can be withdrawn at any time — the “unsubscribe” link in the newsletter footer or the preferences page in your account is sufficient.
Under which law?
Under Articles 5 and 6 of KVKK; a separate legal basis is determined for each purpose listed above. For customers ordering from Europe, GDPR Article 6 additionally applies.
How long do we keep it?
| Data type | Period | Reason |
|---|---|---|
| Order & invoice | 10 years | Tax legislation |
| Account information | While the account is active | Contract |
| Newsletter subscription | Until consent is withdrawn | Explicit consent |
| Support correspondence | 3 years | Legitimate interest |
| Server logs | 6 months | Security |
| Cookies | See section 08 | — |
When the periods expire, your data is either anonymised or deleted irreversibly.
With whom do we share?
With as few as possible. Our supplier list:
- Payment: iyzico (Turkey) — PCI-DSS Level 1.
- Shipping: Aras Kargo & Yurtiçi Kargo — name, address, phone for delivery.
- E-invoice: Logo, Foriba — by legislation.
- Email: Postmark — transactional mail.
- Newsletter: Mailchimp (EU servers) — subscribers only.
- Analytics: Plausible — cookieless, anonymous.
No data is sold, rented or exchanged for advertising purposes with any third party.
Cookie policy.
We use only three kinds of cookies:
| Type | Purpose | Duration |
|---|---|---|
| Essential | Cart, session, CSRF protection | Session |
| Preference | Language, currency, display settings | 1 year |
| Analytics (anonymous) | Page traffic — Plausible | No cookie |
We do not use advertising cookies, third-party tracking cookies, or fingerprinting.
Your rights.
Under Article 11 of KVKK you have the following rights. Simply send your request to kvkk@graffe.bagno — we respond within 30 days.
How do we protect it?
- All connections are encrypted in transit with TLS 1.3.
- Passwords hashed with bcrypt, never stored in plain text.
- ISO/IEC 27001 certified hosting infrastructure.
- Annual penetration testing, quarterly internal audit.
- Two-factor authentication — optional for accounts, mandatory for the admin panel.
Should we nevertheless detect a breach, we notify you and the Data Protection Authority within 72 hours.
If it changes.
For any material change to this policy, we notify you by email at least 30 days in advance and update the “last updated” date at the top of this page. No notification is sent for minor language corrections.
Previous versions are available from the archive.