CaterDeck

KVKK Disclosure Notice

Last updated: June 4, 2026 · Version: 2026.06.04.1

KVKK disclosure notice for CaterDeck website visitors and application users.

This English page is a support translation. The Turkish legal text prevails in case of inconsistency.

1. Data controller

The data controller is POIEX TEKNOLOJİ LİMİTED ŞİRKETİ. Contact details are available on the Company Information page.

Who is the controller for employee data?

POIEX is also the independent data controller for personal data of employees who use CaterDeck — not your employer. POIEX determines the purposes and means of processing employee data under KVKK Article 3 in its own name. Your employer runs a separate service relationship through CaterDeck and acts as its own controller only for its own processes. KVKK Article 11 requests concerning employee data on CaterDeck are addressed directly to POIEX through the channel listed in section 4.

2. Data subjects and categories

CaterDeck processes data relating to website visitors, company admins, employees, caterer admins, prospects, support contacts, privacy-rights requesters, and system operators. Categories include identity, phone number, email address, role, organization, meal selections, delivery and billing records, invoice legal name, tax identifier, tax office, billing address, caterer payout IBAN, invoice evidence URL, settlement/collection/payout references, support and privacy request messages, verification and response records, feedback, uploaded avatars, organization logos, dish images, cookie choices, device data, backup records, cron monitoring metadata, diagnostic events, and security logs.

3. Purposes, legal basis, and transfers

Data is collected electronically through the website, app, OTP flow, organization actions, image uploads, support messages, privacy-rights requests, business email, and system logs. Processing is based on contract performance, pre-contractual steps, legal obligation, legitimate interest in customer support, security, service reliability, and explicit consent for optional analytics cookies.

The activity-level mapping is: website and cookie preferences rely on necessary service operation or explicit consent for Microsoft Clarity; authentication/session records rely on contract establishment/performance and account-security legitimate interest; meal operations and feedback rely on service performance and service-quality legitimate interest; billing, collection, and caterer payout settlement rely on contract performance and legal obligation; media uploads rely on service performance and operation; support and privacy requests rely on pre-contractual steps, contract performance, legal obligation, and customer-support legitimate interest; backups, cron monitoring, and diagnostics rely on service continuity, security, and legal obligations where records must be kept.

Data may be shared with company admins, caterers, hosting and security providers, object storage and backup providers, business email providers, SMS providers, cron-monitoring providers, error-monitoring providers, analytics providers, accounting, legal, and public-authority recipients when necessary. Current processors include Hetzner, Cloudflare, Cloudflare R2, Google Workspace, Sentry, Healthchecks.io, Microsoft Clarity, and Vatansms. See Sub-processors for the current full list. All listed processors except Vatansms operate outside Turkey, which triggers a cross-border transfer. The KVKK Article 9 safeguards (Board adequacy decision, Standard Contractual Clauses notified to the Board within 5 business days, written undertaking, or Binding Corporate Rules) are currently being put in place for the affected processors. Caterers receive only an operational subset (daily headcount, menu assignments, bulk-order line items, and delivery location); employee identity data (name, phone, email) is not shared with caterers. So that the caterer can issue the food invoice, the billing identity of the company it is actively linked to (legal name, tax identifier, tax office, billing address) is disclosed to that caterer; the intermediation invoice and collection run through POIEX.

4. Account deletion

The in-app “Delete my account” flow (or a written KVKK Article 7 request) erases your name, phone, profile image, and the technical fields on consent records (IP, device). Active memberships end, in-progress (pre-deadline) meal selections are dropped, and the phone is freed for re-registration. Past meal selections, bulk orders, ratings, and billing-tied records are retained with the identity link cut, for the statutory retention period required by VUK Art. 253 and TBK Art. 146. They appear as “Anonymous user” in per-person historical views; aggregate billing, headcount, and quality figures are unaffected.

If you are the sole active admin of an organization, deletion may be refused until another admin is appointed. This is a procedural prerequisite, not a refusal of the KVKK Article 7 right.

5. Rights

KVKK Article 11 requests can be sent to privacy@caterdeck.com. The right of access and portability can also be exercised in-app via “Download my data”.


© 2026 CaterDeck. All rights reserved.