Privacy Policy

01Introduction

This Privacy Policy explains how ANKASOFT (Ankasoft Bilgi Teknolojileri A.Ş. and ANKASOFT B.V.) handles personal data it receives through this website and its commercial engagements.

The policy applies to visitors of ankasoft.com and subdomains, and to prospects and customers who communicate with us through forms, email, LinkedIn or direct engagement.

02Data controller

For data collected through this website and for engagements originating from Türkiye, the controller is Ankasoft Bilgi Teknolojileri A.Ş., registered at Cevizli Mah. Mustafa Kemal Cad. Hukukçular Towers A Blok Kat:18, Kartal 34876 İstanbul, Türkiye.

For engagements originating from the European Union, the controller is ANKASOFT B.V., registered at Johan de Wittlaan 7, 2517 JR Den Haag, Netherlands.

03What we collect

Contact and form data: when you submit a contact form we collect the name, business email, company, phone (optional) and the message you provide. We do not use these fields for marketing automation and we do not share them with third-party advertisers.

Technical data: our server logs include IP address, user agent and timestamp for security and abuse-prevention purposes. Logs are rotated and deleted on a rolling window.

Analytics: we use a self-hosted Umami instance that does not set cookies and does not collect personal identifiers. No behavioural profiles are built about you.

04Purposes and legal bases

We process personal data to respond to enquiries, scope and deliver engagements, send relevant follow-up correspondence, meet contractual and legal obligations, and maintain the security of our systems.

Under GDPR, the legal bases are: your consent (when you submit a form), performance of a contract (when we scope, deliver or invoice), legal obligation (tax, accounting, regulatory), and our legitimate interests in running and securing our business.

Under KVKK, the corresponding grounds apply under Article 5, including express consent where required, contractual necessity, legal obligation and legitimate interests balanced against your rights.

05How long we keep data

Contact enquiries that do not convert to an engagement are deleted within twelve months unless you ask us to keep them longer. Engagement records are retained for the period required by contract and by applicable accounting and legal obligations, typically up to ten years after the engagement closes.

Security and server logs are retained on a short rolling window and are not exported or joined with other data.

06Sharing with third parties

We do not sell personal data and we do not disclose it to advertising networks. We share personal data only when strictly necessary: with vetted processors we engage to operate our infrastructure, with auditors and counsel under confidentiality, and with authorities when legally required.

Where a processor is outside your jurisdiction, we put in place appropriate safeguards, including Standard Contractual Clauses for transfers out of the EU and equivalent arrangements under KVKK.

07Security

We run an ISO 27001-aligned information security programme, with defence-in-depth controls: encryption in transit and at rest, least-privilege access, MFA for all internal systems, audit logging, and regular third-party penetration testing.

No system is perfectly secure. If we become aware of a breach that affects your personal data, we will notify you and the competent authorities within the statutory deadlines.

08Your rights

Under GDPR you have the right to access, rectify, erase, restrict processing, object to processing, and request portability of your personal data. You may withdraw consent at any time without affecting processing that occurred before the withdrawal.

Under KVKK (Article 11) you have equivalent rights, including the right to learn whether your data is processed, the purposes, the third parties to whom it was transferred, and to request correction, deletion or destruction.

Requests can be submitted via the contact page. We aim to respond within one month; more complex requests may take up to three months with prior notice.

09International transfers

Because we operate across Türkiye and the Netherlands, personal data may be transferred between those two jurisdictions. When data is transferred from the European Economic Area to Türkiye or third countries, we rely on the European Commission's Standard Contractual Clauses and supplementary safeguards as needed.

10Changes to this policy

We update this policy when our processing practices change or when regulations require it. The last-updated date above always reflects the most recent substantive change. Material changes are announced at least fourteen days before they take effect.