Privacy Policy

1. Who We Are

This Privacy Policy describes how ExportSync ("ExportSync", "we", "us", or "our") collects, uses, discloses, and protects information about you when you visit our website, create an account, request a quote, place an order, or otherwise interact with our services.

ExportSync is operated by ERLA Elektronik Hizmetler Pazarlama ve Ticaret Ltd. Şti., a limited liability company registered in Türkiye under MERSİS number [MERSİS number], with its registered office at [Registered address]. Our tax identification number is [Tax number].

For data protection inquiries, you can reach us at [email protected].

1.1 Data Controller Contact Person

For the purposes of the Turkish Personal Data Protection Law (KVKK) and the EU General Data Protection Regulation (GDPR), ERLA Elektronik Hizmetler Pazarlama ve Ticaret Ltd. Şti. is the data controller. Our designated contact person for data protection matters can be reached at [email protected].

2. Scope of This Policy

This policy applies to all individuals who interact with ExportSync, including buyers, prospective buyers, supplier representatives, and visitors to our website. ExportSync operates an international B2B sourcing platform, which means we may process personal data of individuals located in many jurisdictions, including the European Economic Area (EEA), the United Kingdom, the United States, and elsewhere.

For users located in Türkiye, additional rights and obligations under the Turkish Personal Data Protection Law (Law No. 6698, "KVKK") are described in Section 13 of this Privacy Policy and, where applicable, in our separate KVKK Disclosure Notice ("Aydınlatma Metni").

3. Information We Collect

3.1 Information you provide directly

When you register, request a quote, place an order, or contact us, we collect information you provide, including:

• Identity and contact information: name, job title, business email address, phone number.
• Company information: company name, registered country, business sector, role within the company.
• Commercial information: quote requests, product specifications, order history, shipping addresses, billing addresses.
• Financial information: for order processing, payment-related details handled exclusively by our payment processor (see Section 7). We do not directly store full card numbers on our systems.
• Communication content: messages, attachments, and call notes you exchange with our team.
• Verification information: for certain transactions or platform features, we may request additional documentation to verify your identity or business credentials.

3.2 Information collected automatically

When you use our website and platform, we automatically collect:

• Device and connection data: IP address, browser type and version, operating system, device identifiers, language preference.
• Usage data: pages visited, time spent on pages, links clicked, search queries within the platform, referrer URLs.
• Location data: approximate geographic location derived from your IP address.
• Cookies and similar technologies: see Section 9 for details.

3.3 Information from third parties

We may receive information about you from third parties when you use single sign-on or social login features, when business contact information is provided by a colleague at your organisation, or when our anti-fraud and verification partners share due-diligence data with us.

4. How We Use Your Information

We process personal data for the following purposes:

• To provide our services: creating your account, processing quote requests, coordinating orders, arranging shipping, issuing invoices, and providing customer support.
• To communicate with you: responding to your inquiries, sending transactional notifications (order confirmations, shipping updates, account changes), and providing service announcements.
• For marketing communications: with your consent or where permitted under applicable law, sending newsletters, market insights, and product updates. You may opt out at any time using the unsubscribe link in any marketing email or by contacting us at [email protected].
• To improve our platform: analysing usage patterns, diagnosing technical issues, and developing new features.
• For security and fraud prevention: protecting accounts, detecting and preventing fraud, and enforcing our Terms and Conditions.
• For legal compliance: meeting tax, accounting, customs, anti-money-laundering, and other legal obligations applicable to international trade.

5. Legal Bases for Processing (EEA, UK, and Equivalent Jurisdictions)

Where the General Data Protection Regulation (GDPR), UK GDPR, or equivalent legislation applies, we rely on the following legal bases:

• Performance of a contract: to provide the services you request and fulfil orders.
• Legitimate interests: to operate, secure, and improve our platform; to communicate with business contacts in a B2B context; to prevent fraud. Our legitimate interests do not override your fundamental rights and freedoms.
• Legal obligation: to retain transaction records, comply with tax law, and respond to lawful authority requests.
• Consent: for marketing communications, non-essential cookies (including analytics and marketing cookies), and any processing where consent is the appropriate basis. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

6. How We Share Your Information

We do not sell your personal information.

We share your information only as follows:

• With manufacturers and suppliers: to fulfil quote requests and orders, we share the minimum necessary information — specifically product specifications, order quantities, packaging requirements, and delivery deadlines. We do not share your company name, contact details, or any other identifying information with manufacturers unless you explicitly authorise it. All communication between you and the manufacturer is coordinated through ExportSync.
• With logistics and customs partners: shipping carriers, freight forwarders, and customs agents receive consignee information, shipping addresses, and any documentation required for international transport and customs clearance.
• With service providers: see Section 7 for the categories of service providers we use.
• With professional advisors: auditors, accountants, and lawyers under confidentiality obligations, when needed for our business operations.
• For legal reasons: when required by law, court order, or regulatory request, or to protect our rights, property, or safety, or that of our users or the public.
• In a business transaction: in connection with a merger, acquisition, financing, or sale of assets, your information may be transferred under appropriate confidentiality protections. We will notify you of any such transfer that materially changes the handling of your personal data.

7. Service Providers and Sub-Processors

To operate our platform, we work with carefully selected service providers who process data on our behalf. Current categories include:

• Hosting and infrastructure: our primary servers are located in France (European Union).
• Email delivery: Resend (transactional and marketing email delivery). Data processed in the United States under Standard Contractual Clauses.
• Payment processing: Iyzico (payment processing for orders). Payment card data is handled directly by the processor in compliance with PCI-DSS and is not stored on our systems.
• Analytics: Google Analytics (Google Ireland Limited / Google LLC). We use Google Analytics with IP anonymisation enabled to understand how our platform is used. Google processes this data in accordance with its own privacy policy. You may opt out of Google Analytics by using the Google Analytics Opt-out Browser Add-on or through our cookie consent settings.
• AI-assisted operations: Anthropic (large-language-model services used internally for content production, translation of marketing material, and operational tooling). We do not transmit user account data, personal data, order content, buyer-seller communications, or any information that could identify you to AI providers. AI services are used solely for internal content creation and operational efficiency.

Each service provider is bound by a written data processing agreement that requires them to handle your information consistent with this policy and applicable law. We regularly review our service providers to ensure they maintain appropriate security and privacy standards.

8. International Data Transfers

ExportSync is based in Türkiye, with primary infrastructure in France (EU). Depending on the service provider involved, your information may be processed in the following locations:

• European Economic Area (France): primary hosting and infrastructure.
• Türkiye: our offices and local operations.
• United States: certain service providers (email delivery, analytics, AI-assisted operations).

When we transfer personal data from the EEA or UK to countries not recognised as providing an adequate level of data protection, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organisational safeguards where necessary.

When we transfer personal data from Türkiye to other countries, we rely on the transfer mechanisms available under the KVKK, including standard contractual clauses published by the KVKK Board, adequacy decisions (where available), or explicit consent of the data subject where no other mechanism applies.

If you would like more information about a specific transfer mechanism applicable to your data, please contact us at [email protected].

9. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our platform, remember your preferences, analyse how the service is used, and (with your consent where required) deliver relevant marketing.

The categories we use are:

• Strictly necessary: required for the platform to function (authentication, security, language preference, cookie consent state). These cannot be disabled.
• Functional: remember your settings and improve usability (e.g., preferred currency, recently viewed products).
• Analytics: help us understand how the platform is used so we can improve it. This includes Google Analytics cookies (with IP anonymisation enabled). These are set only with your consent.
• Marketing: used only with your consent, to measure the effectiveness of our marketing campaigns.

You can manage your preferences through our cookie consent banner displayed on your first visit, or at any time via the cookie settings link in the footer of our website. You can also control cookies through your browser settings. Disabling certain cookies may affect platform functionality.

For a detailed list of the specific cookies we use, their purposes, and their retention periods, please refer to our Cookie Policy.

10. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy, or as required by applicable law. Our typical retention periods and their legal bases are:

• Account data: for the duration of your active account, plus 3 years after account closure to resolve any disputes or enforce agreements.
• Transaction and invoice records: 10 years from the end of the relevant financial year, as required by Turkish Commercial Code (Article 82) and Tax Procedure Law (Article 253), and equivalent obligations in other relevant jurisdictions.
• Communication records: 3 years after the last communication, unless related to an active order or dispute.
• Marketing data: retained until you withdraw consent or unsubscribe, plus up to 30 days to process your opt-out request.
• Analytics and cookie data: Google Analytics data is retained for 14 months. Other cookie data is retained for the periods specified in our Cookie Policy.
• Verification and KYC data: 10 years from the end of the business relationship, as required by anti-money-laundering regulations.

When personal data is no longer required, we delete or anonymise it in accordance with our data retention procedures.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Correction: request correction of inaccurate or incomplete information.
• Deletion: request deletion of your personal data, subject to legal retention requirements.
• Restriction: request that we restrict the processing of your data in certain circumstances.
• Portability: request a structured, machine-readable copy of data you provided to us.
• Objection: object to processing based on legitimate interests, including direct marketing.
• Withdraw consent: at any time, where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.
• Lodge a complaint: with your local data protection authority (see Section 11.1 below).

To exercise these rights, contact us at [email protected]. We respond within the timeframe required by applicable law (typically 30 days). We may need to verify your identity before processing certain requests. We will not charge a fee for exercising your rights unless the request is manifestly unfounded or excessive.

11.1 Supervisory authorities

If you believe your data protection rights have been violated, you may lodge a complaint with:

• Türkiye: Kişisel Verileri Koruma Kurumu (KVKK) — www.kvkk.gov.tr
• EEA/UK: the data protection authority in your country of residence. A list of EEA authorities is available at edpb.europa.eu.

12. Automated Decision-Making and Profiling

ExportSync does not currently use automated decision-making or profiling that produces legal effects or similarly significant effects on you. If we introduce such processing in the future, we will update this Privacy Policy and provide you with specific information about the logic involved, the significance, and the envisaged consequences, as required by applicable law.

Our use of analytics tools (such as Google Analytics) is limited to aggregate, non-individualised analysis of platform usage patterns and does not involve automated decision-making about individual users.

13. Information for California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides specific rights regarding your personal information, including the rights to know, delete, correct, opt out of the sale or sharing of personal information, and limit the use of sensitive personal information.

We do not sell or share personal information as those terms are defined under California law.

To exercise your CCPA/CPRA rights, contact us at [email protected]. We will not discriminate against you for exercising your privacy rights.

14. Information for Turkish Residents (KVKK)

If you are located in Türkiye, the Personal Data Protection Law (KVKK, Law No. 6698) grants you specific rights under Article 11, including the right to:

• Learn whether your personal data is being processed;
• Request information about processing if your data has been processed;
• Learn the purpose of processing and whether data is used in accordance with its purpose;
• Know the third parties to whom your data is transferred domestically or abroad;
• Request correction of incomplete or inaccurate data;
• Request deletion or destruction of your data under the conditions set out in Article 7 of the KVKK;
• Request notification of correction, deletion, or destruction to third parties to whom your data has been transferred;
• Object to a result that is against you arising from the analysis of your data exclusively through automated systems;
• Claim compensation for damage arising from unlawful processing of your data.

To exercise your rights under the KVKK, you may submit a written request to our registered office address or send an email to [email protected] using the email address registered to your account. We will respond within 30 days of receiving your request.

Data controller: ERLA Elektronik Hizmetler Pazarlama ve Ticaret Ltd. Şti.

VERBIS registration: Our registration process with the Data Controllers' Registry (VERBİS) is underway. The registration number will be published here upon completion.

The full disclosure required under KVKK is provided in our separate KVKK Aydınlatma Metni (KVKK Disclosure Notice), which should be read together with this Privacy Policy.

15. Children's Privacy

ExportSync is a B2B platform intended for use by businesses and authorised representatives of businesses. We do not knowingly collect personal data from individuals under 18 years of age. If you believe we have inadvertently collected such information, please contact us at [email protected] and we will delete it promptly.

16. Security

We implement technical and organisational measures appropriate to the risks presented by our processing, including:

• Encrypted connections (HTTPS/TLS) for all data in transit;
• Encrypted storage of sensitive data at rest;
• Access controls and role-based permissions;
• Regular security reviews and vulnerability assessments;
• Incident response procedures.

No method of transmission over the internet is entirely secure, but we strive to protect your information using industry-recognised practices.

If a personal data breach affects your information and is likely to result in a risk to your rights, we will notify you and the relevant authorities as required by applicable law (within 72 hours for KVKK and GDPR-regulated breaches).

17. Third-Party Links

Our Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party service you visit. This Privacy Policy applies solely to information collected through the ExportSync Platform.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our services, legal requirements, or operational practices. The "last updated" date at the top of this page indicates when the policy was last revised. For material changes, we will provide at least 30 days' notice by email notification or a prominent banner on the Platform before the changes take effect.

19. Contact Us

For any questions about this Privacy Policy, to exercise your rights, or to raise a concern, contact us at:

Data controller: ERLA Elektronik Hizmetler Pazarlama ve Ticaret Ltd. Şti.
Email: [email protected]
Postal address: [Registered address]
Online: via our Contact page

If you are located in the EEA or UK and believe your rights have been violated, you may also lodge a complaint with the data protection authority of your country of residence. If you are located in Türkiye, you may lodge a complaint with the KVKK at www.kvkk.gov.tr.