At Randevu Plus, protecting the data of your business and your clients is our highest priority. This policy comprehensively explains what data we collect, how we use it, with whom we share it, the international security standards we implement to protect your data, and the rights available to you. By using our platform, you agree to this policy.
We collect the following categories of information to deliver, improve, and personalize our services: account and identity information (first name, last name, email address, phone number, business name, tax identification number, profile photo, and account preferences), business profile information (business type, industry category, branch details, operating hours, services offered, staff roster, pricing information, and branding customizations), appointment and transaction data (appointment records, service history, customer notes, appointment statuses, cancellation and modification logs), financial information (payment method details, invoice information, subscription details, income-expense records, and commission calculations; credit card information is not stored directly by us but processed by PCI DSS-compliant payment processors), communication data (messages sent and received through the platform messaging system, SMS records, email interactions, and WhatsApp/Instagram/Telegram integration data), usage and technical data (IP address, browser type and version, operating system, device identifiers, screen resolution, session durations, page views, clickstream data, and feature usage statistics), location data (business and branch addresses, geographic coordinates for map and directions services), and marketing data (campaign interaction records, open and click rates, coupon and voucher usage, customer segmentation information).
We use the information we collect for the following purposes: providing appointment management, calendar scheduling, reminder delivery, and online reservation services; operating, customizing, and delivering business performance analytics through the management dashboard; subscription management, invoicing, payment processing, and financial reporting; sending notifications, reminders, and customer communications via SMS, email, WhatsApp, Instagram, and Telegram; customer relationship management (CRM), customer segmentation, and personalized service delivery; staff management (shift planning, leave tracking, performance evaluation, commission calculation); inventory and stock management, product sales, and sales reporting; marketing campaigns, automated campaign rules, coupon and voucher management; ensuring platform security, preventing unauthorized access, and detecting fraud; anonymized analytics and usage statistics for improving service quality.
We process your data based on the following legal grounds: performance of a contract (providing platform services, subscription management, processing appointments and payments), compliance with legal obligations (tax legislation, retention of traffic data under Law No. 5651, reporting to regulatory authorities), our legitimate interests (service improvement, fraud prevention, platform security, anonymous analytics), establishment or protection of a right (use as evidence in legal disputes), and your explicit consent (marketing communications, optional cookies, third-party integrations). For processing activities based on explicit consent, you have the right to withdraw your consent at any time; withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
We share your data only when necessary for service delivery and with the following categories of recipients: payment service providers (Iyzico, Stripe — only within the scope of payment processing, PCI DSS compliant), cloud infrastructure providers (Google Cloud Platform, Firebase — data hosting and processing services), communication service providers (NetGSM — SMS delivery, Amazon SES — email delivery), analytics service providers (PostHog, Microsoft Clarity — anonymized usage data), social media integration partners (Meta/WhatsApp Business API, Telegram Bot API — only within the scope of integrations actively used by the business), AI service providers (Google Gemini, OpenAI — only within the scope of AI features enabled by the business, using anonymized data), and authorized public institutions as required by law.
For cross-border data transfers, the safeguards under Article 9 of KVKK and the EU General Data Protection Regulation (GDPR) are ensured; standard contractual clauses (SCCs), data processing agreements (DPAs), and where necessary, explicit consent mechanisms are applied. Comprehensive data processing agreements have been signed with all our third-party service providers.
We retain your data only for as long as required by processing purposes and legal obligations. Account and profile data is retained for the duration the account is active and for 3 years from the closure date, appointment and transaction records for 5 years, financial and invoice data for 10 years under the Tax Procedure Law, communication records for 3 years, traffic and access logs for 2 years under Law No. 5651, analytics data indefinitely in anonymized form, and cookie data for a maximum of 13 months. Upon expiration of retention periods, data is securely deleted, destroyed, or anonymized.
You have the following rights regarding your personal data under KVKK and GDPR:
We implement comprehensive technical and administrative measures to protect your data: secure data transmission with TLS 1.3/1.2 encryption, data-at-rest protection with AES-256 encryption, password hashing with the bcrypt algorithm, role-based access control (RBAC) with the principle of least privilege, secure authentication via Firebase Authentication and JWT-based tokens, API rate limiting and DDoS protection, automated daily backups and geographically distributed disaster recovery, 24/7 security monitoring and anomaly detection systems, regular security audits and penetration testing, data protection and security awareness training for employees, and real-time error monitoring and security incident management with Sentry. Payment information is processed by PCI DSS Level 1 certified payment infrastructures, and credit card data is never stored in our systems.
Our platform uses the following cookie types: mandatory cookies (session management, security, CSRF protection, language and region preferences — cannot be disabled), analytics cookies (anonymized usage statistics via PostHog and Microsoft Clarity, page performance and error monitoring — with your explicit consent), and marketing cookies (campaign effectiveness measurement — with your explicit consent). You can manage your cookie preferences through the cookie consent banner presented on your first visit and the cookie management panel in platform settings. Third-party integrations (WhatsApp Business, Instagram, Telegram, Google Maps) are only activated when explicitly enabled by the business owner, and the respective privacy policies of these integrations apply.
In the event of a data breach, the Personal Data Protection Board and affected users will be notified within the 72 hours prescribed by KVKK; the notification will include the nature of the breach, affected data categories, potential consequences, and measures taken. Users accessing our platform from outside Turkey acknowledge that their data may be processed on servers located in Turkey; KVKK and GDPR safeguards are ensured for cross-border data transfers. We may revise this privacy policy in response to legislative changes, technological developments, or service updates; significant changes will be announced at least 30 days in advance via email and platform notifications. For questions and requests, you can reach us at privacy@randevu.plus.