Privacy Policy

Privacy & Personal Data Policy

1. Overview

This Privacy & Personal Data Policy is meant to provide information on the personal data collected, retained, processed, shared and transferred by iyzico. Any person who visits iyzico website, or uses any service provided by iyzico (e.g. makes a payment with his/her credit card to a merchant that receives payments via iyzico) is covered by this Privacy & Personal Data Policy When the term "iyzico" is used, it covers both iyzico Turkey and iyzico Europe as they share the same privacy principles and policy. iyzico might be referred to as "we", "us" or "our" in this policy. Legal titles and contact information of iyzico companies can be found at the end of this document. The terms "personal data", "personal information" and "your information" are used interchangeably and they mean any information than can be associated to an identified or identifiable natural person (e.g. name, e-mail address, birth date, national ID number)

We are aware that personal data is important for our clients as well as end users and we endeavor to undertake all necessary measures to ensure this policy is complied with by everyone within iyzico and that your personal data is kept safe.

Purpose of this Privacy & Personal Data Policy is:

• To explain, in the most transparent and readable way possible, our ways and purposes of using the data we collect about you;
• To clarify the types of information we collect upon your permission and the purposes and methods for processing of them;
• To inform you on the third parties we transfer this information to as well as our purpose and method in doing so;
• To let you know your choices and legal rights with respect to your personal data;
• To describe the extent of our responsibility for protection of your rights and privacy.

This policy applies to products and services of iyzico only. On websites and mediums that do not belong to iyzico, the policies and rules of the respective person or organization. Sometimes, in addition to iyzico's policies and rules, e.g. on a checkout form placed on a merchant's website, but transmits payment data to iyzico) both iyzico and the merchant's privacy policies shall apply. The type of personal data processed by iyzico depends on which services you benefit (some of them may not be available according to your region and legal status) and how you benefit from them.

2. Personal Data Collected by iyzico

We collect different types of personal data about you when you visit our website or use our services.

When you visit our websites, send or receive a payment via iyzico, or register to open an account you may use for receiving or sending funds and similar purposes; we will collect information necessary to offer and fulfill your request in an efficient and secure way. This information may include:

• Your contact details (e.g. your name, address, e-mail address, ID number).
• Payment details (e.g. your credit card number, expiry date, instalment choice).
• When someone sends funds to, or enters into any transaction that requires them to provide personal information about third persons, we collect personal data about those third persons.
• Information obtained from third-party sources, such as our clients from whom we receive category and name of the products or services you wish to purchase from the merchant, details on your membership with the merchant, your IP address and past transactions. We also receive information about your purchase from delivery companies to monitor your transaction's status.
• If you are applying to use the services of iyzico, your business details (e.g. your business name and category, tax ID, bank account details) some of the information requested may be related to a legal person and therefore outside the scope of personal data, however, as far as these details contain information related to a real person, you declare that you are authorized to share these pieces of personal information.
• If you are a seller utilizing a platform (e.g. a marketplace) which uses our services, the platform may transfer your personal data such as contact details and bank account number.
• Additional details you provide to us when you make use of optional services provided by iyzico or when you contact iyzico (e.g. via the contact us form located on our website or e-mail).
• Information obtained through cookies, beacons and other tracking technologies (e.g. device, geolocation and usage details). Please read the Section 4 below for more information on how we use cookies and other tracking technologies for provision of our services and interest-based marketing.

3. Use of Personal Data by iyzico and Legal Basis for Processing

We use your personal data for various purposes permitted under data protection laws in Turkey and the European Union. Our purposes in using your personal data are explained with some examples below and are justified by lawfulness criteria stipulated in data protection regulations of the European Union and Turkey, such as performance of contractual obligations, our legitimate interests, and legal obligations.

• To operate our sites and provide our services, We need to use your information to initiate payments, transfer funds, store your credit cards for your future use, and enable you to create, access and modify your account.
• To improve our services and manage our business needs, We monitor usage of our sites and services by you and analyze usage data to enhance our performance.
• To mitigate and manage risk and protect our platform and customers from harm, We detect and prevent fraud by identifying customers and measuring their risk level. These decisions may be made by automatic algorithms as well as human effort under set rules. If you learn that your application or a transaction you want to make has been rejected as a result of those procedures, you may contact us at the contact information provided at the end of this document.
• To contact you when needed, We may contact you regarding the status of your transaction. Also, when there is an issue related to your account or a payment you make, we may use your personal information to reach out to you so that we can resolve the issue. You may be contacted by iyzico employees, or by employees of our business partners, in which case we need to share your personal data with those business partners.
• To meet our legal obligations or resolve disputes, Some regulations in the jurisdictions require us to use and retain your information in certain ways. As a payment services provider, we are obliged to keep and inspect records of all transactions we facilitate for various reasons including data retention, anti-money laundering and taxation. When there is a legal dispute between iyzico and you, or between parties of a transaction facilitated by iyzico, your information may be used to resolve the dispute and presented to courts and other authorized dispute resolution authorities.

We may also use your information in additional ways that you have consented to. For instance, we may seek your consent for sending you marketing material, receiving your feedback or other processing activities. In those cases, you can always withdraw your consent by contacting us at the addresses provided at the end of this Policy. You should include information that enable us to recognize you in that notification. Your notification of withdrawal of your consent will be effective in the future and therefore will not make our prior processing unlawful but it will make us cease to process that information from the receipt of your notification onwards.

4. Use of Cookies and Other Tracking Technologies

When you use the iyzico website, access information related to you, such as your ISP's (Internet Sevice Provider) name, your IP Address, your browsing information and geolocation may be collected by iyzico. This information is used for improvement of iyzico's infrastructure, statistical evaluations, and better targeting of marketing material. Cookies and other tracking technologies (e.g. web beacons) that are operated by iyzico or third party service providers may also be used for collecting information on your usage to enable the website's functionalities such as customization, to mitigate risk (e.g. by prevent fraud), manage our infrastructure, and to promote our services.

Our website uses a web analytics tool named Google Analytics developed by Google, Inc. ("Google"). Google Analytics utilizes cookies and other identifiers to help website owners analyze the use of their website by their visitors and for rendering of the services provided by Google. Information related to your use of the website may be transferred to Google's servers located in various countries and be processed by Google at those locations. Google shall use this information for analyzing your use of the web, drafting reports on the usage of website for website owners and providing other services related to internet use (e.g. creating user segmentations). Google may transfer this information to third parties upon legal obligation and when third parties process this information on behalf of Google. For more information on privacy practices of Google with respect to Google Analytics, please visit this website: https://www.google.com/policies/privacy/partners/ If you do not wish your information to be used by Google Analytics, you may use the following link to opt out: https://tools.google.com/dlpage/gaoptout/

Our website utilizes a service provided by Hotjar Ltd. ("Hotjar") that identifies users' experiences on a website and evaluates the ease of use of the website and receives anonymous feedback from users. Cookies are placed on your computer for the provision of this service.

Our website utilizes a service provided by Optimizely Inc. ("Optimizely") that helps find out which version of the website is more suitable for use by showing different versions to different users. Cookies are placed on your computer for the provision of this service.

This website and iyzico merchant control panel utilize a service provided by Sosyo Plus Bilgi Bil. Tekn. Dan. Hiz. Tic. A.Ş. ("Insider") that helps merchants to find out the features they were not able to use before. Cookies are placed on your computer for the provision of this service.

This website utilizes a service provided by Doğan İnternet Yayıncılığı ve Yatırım A.Ş. ("Medyanet") that analyses user behavior. Cookies are placed on your computer for the provision of this service.

You may reject the use of cookies by applying the relevant settings to your web browser. However, please do not forget that this may cause you to be unable to use some or even all functions of the website. By using our website or services, you consent to processing of your personal data, as explained above, by Google, Hotjar, Optimizely, Insider, Medyanet and other third party service providers.

5. Retainment and Erasure of Personal Data

iyzico retains your personal data in an identifiable format for the shortest period of time necessary to fulfil our legal obligations and for our business needs.

When the period during which we retain your personal data ends, we will erase or anonymize your personal data so that they can no longer be associated with you, in line with our internal procedures that aim to ensure safety of your personal data.

When you close your account or request erasure of your personal data, we will erase or anonymize parts of it that we are not legally obliged to reject your erasure request or to keep even if your account is deleted.

The cookies we use have defined expiration times; unless you visit our sites or use our services within that time, the cookies are automatically disabled and retained data is deleted. You may also manually delete those cookies through your web browser's settings.

6. Transfer of Personal Data to Third Parties

While providing our services, we sometimes share your personal information with third persons for purposes explained in this section.

We share your personal data within the iyzico group companies in order to manage our operations and provide our services in a safe and consistent manner. The transfer between iyzico group companies takes place with adequate safeguards in place, and your personal data does not fall outside the scope of this privacy policy because of this transfer.

We utilize services of other companies as necessary and we may need to share your personal data with some of them. For example, when we receive your payment details (either directly from you or via the merchant you wish to make a payment to) we need to transfer them to respective financial institutions to initiate the payment. Or when the transaction you have made requires some additional steps to be taken (e.g. if it is an international purchase and customs procedures are to be completed) we may share your personal data with relevant service providers (e.g. customs brokers).

We may also transfer personal data to third persons (e.g. anti-fraud processing companies) in order to ensure safety and convenience of our users and business.

When you use our services, we notify the other parties to the transaction you have made, such as other users and merchants and this might include transfer of a portion of your personal data.

Law enforcement agents and other authorities may request information from us. We will share your information only when there is a legal obligation to do so; or when it is deemed necessary to prevent and/or prosecute a crime.

We may also need to share personal data with third parties for other business purposes (e.g. for audits, corporate governance, or executing our legal rights). We will always comply with the law when doing so.

7. Personal Data Transfers to Other Countries

Due to nature of our services, we might need to transfer some personal data internationally. A big part of our information technology infrastructure (the all infrastructure of iyzico Turkey) is located within Turkey and this means that if you are using our services or reaching out to our website from another country, your personal data will be transferred to Turkey. This transfer takes place within a lawful framework that ensures safety of your personal information. We rely on model contractual clauses issued by the European Commission for transfers between iyzico Europe and iyzico Turkey. In addition to the transfers between iyzico group companies, other transfers to third parties

In addition to transfers among iyzico group companies, the data transfers to third parties described above may require the transfer of your personal data to different countries. However, in all cases, we guarantee that your personal data will be transferred only to countries that ensure an adequate level of protection, or to recipients located outside such countries who undertake to safeguard your data in compliance with applicable regulations.

8. Choices Available to You

You have choices available with respect to our privacy practices. You may always decline to provide personal data requested by iyzico. However, if the information you have declined to provide is mandatory for provision of our services, you may not use our services. For instance, if you decline to enter your credit card number on the checkout form for a merchant who accepts credit card payments via iyzico, we cannot initiate the payment.

As mentioned in the Section 4 above, we use cookies also for better provision of our services. You may reject or delete them via your internet browser's settings. However, doing so may hinder your experience and make you unable to utilize our services.

You may review and modify some of the personal data we have about you in the settings section of our mobile or web application when you log in to your account. If you want to review or modify other pieces of information than available on the website, please contact us using the contact information at the end of this document.

From time to time, we communicate with you. These communications may be for marketing purposes or notifications related to a transaction you have been a party to. You can opt-out of all marketing related communications by following the instructions at the end of messages we send. However, you cannot opt-out of transactional messages, but you may only choose the methods and addresses you receive them to.

9. Your Rights

We want you to know that you have following rights with respect to your personal data, as per the regulations governing use of personal data within EEA or Turkey:

(a) To learn if we process your personal data, the types of data we process, sources we get your personal data from, third parties we transfer your personal data to within the country or internationally, the period for which we keep the personal data or how we determine that period;

(b) To access your personal data and to request the data provided by you to be given to you or another data controller in a structured, commonly used and machine readable format,

(c) To learn the purposes for which your personal data is processed and to query if they are used in a compatible manner with those purposes,

(d) To object to and request restriction of processing of your personal data,

(e) To request rectification of inaccurate and incomplete personal data about you,

(f) To request erasure of your personal data when there is no legal basis for further processing,

(g) To request notification of procedures such as erasure and rectification to other third parties to whom your personal data has been transferred,

(h) To object to any negative consequences arising from automatic analysis of your personal data,

(i) To request indemnification for any damages arising from unlawful processing of your personal data.

You can exercise these rights by contacting us at the addresses provided at the end of this Policy. Your application should include the information you have given to us while registering or making use of our services as well as a photo ID, so that we may identify you.

10. Protection of Personal Data

All personal data collected by iyzico is transmitted and stored in compliance with reasonable security standards as adopted by the industry. The security of payment data is ensured with our PCI DSS Level 1 Compliant infrastructure and all connections where personal data is transmitted are protected with encryption. Even though we take all reasonable measures to protect your information, you are responsible for securing and maintaining your account information, including your password.

11. Miscellaneous

Our services and websites are not directed to children, i.e. people who are not legal adults. We do not collect personal data from children or other individuals who are not legally able to use our services. If we find out that we have collected Personal Data from a child, we will promptly delete it, unless we are legally obligated to retain such data. If you believe that we have mistakenly or unintentionally collected information from a child, please contact us immediately at the addresses below.

We may make changes to this privacy policy in the future. Changes to the privacy policy will become effective on the date it is published to be effective. Users or our clients are obliged to follow any possible updates and inform their customers (or other users they make transactions with) on iyzico's data-processing activities (as well as this privacy policy) before they transfer other persons' information to iyzico.

12. Contact Information

For iyzico Turkey:

Company Title: iyzi Ödeme ve Elektronik Para Hizmetleri A.Ş.

MERSIS (Central Registration System) Number: 0483034315700019

Address: Altunizade Mah. İnci Çıkmazı Sokak, No: 3 İç Kapı No: 10 Üsküdar İstanbul

E-Mail:  [email protected]

Phone: +90 216 599 01 00

Explicit Consent Text Regarding the Processing of Personal Data

1. Data Controller Status of Our Company:

Our company, iyzi Ödeme ve Elektronik Para Hizmetleri Anonim Şirketi (“iyzico” or the “Company”), acts as a “data controller” within the scope of the Law on the Protection of Personal Data No. 6698 (“Law”) in relation to personal data of users. This Explicit Consent Text Regarding the Processing of Personal Data aims to inform users about the personal data processing activities carried out by iyzico under the Law and to obtain their explicit consent for the cases specified in Article 3 below.

2. Purpose of Processing Users’ Personal Data:

Users’ personal data are processed within the scope of the personal data processing conditions and purposes set out in Articles 5 and 6 of the Law, including for the purposes of: performing necessary activities by business units to enable relevant persons to benefit from the services provided by iyzico; carrying out the relevant business processes; conducting commercial activities by iyzico; planning and execution of iyzico’s commercial and/or business strategies; ensuring the legal, technical, and commercial/operational security of iyzico and of the relevant persons in a business relationship with iyzico; and planning and executing activities necessary for the customization, promotion, and recommendation of iyzico’s services according to the tastes, usage habits, and needs of the relevant persons.

3. Personal Data to Be Processed Based on Users’ Explicit Consent and Processing Purposes:

In the cases where the personal data processing conditions under Articles 5/2 and 6/3 of the Law are not met, iyzico must obtain users’ explicit consent to process personal data.

Within this scope, users’ personal data may be processed, transferred to third parties, and shared with the parties indicated in this Explicit Consent Text for the following purposes: creating campaigns for users, performing cross-sales, identifying target audiences, tracking user activities to improve user experience, developing and personalizing iyzico’s website, user panel, and mobile application according to user needs, conducting direct or indirect marketing, personalized marketing and remarketing activities, executing segmentation, targeting, retargeting, analysis, and in-house reporting activities, conducting market research, planning and executing user satisfaction activities and user relationship management processes, as well as planning and executing the sales and marketing processes of iyzico’s services, and building or increasing loyalty to iyzico’s services - all based on the user’s consent.

Additionally, our Company, in order to provide you with better service and enable you to benefit from Open Banking services, will collect and process your personal data as a “Payment Service Provider” in accordance with your request and consent, within the framework set out by the Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (“Law No. 6493”) and the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers (“Regulation”). Within payment services and data sharing services, there are two types of Payment Service Providers: Account Information Service Providers (AISP) and Payment Initiation Service Providers (PISP).

3.1. Processing of Your Personal Data Within the Scope of Account Information Service

As an Account Information Service Provider under Article 12(1)(g) of Law No. 6493, our Company compiles information regarding your accounts held with other Account Service Providers (ASPs) and presents it to you collectively through our online platforms.

While using this service, access to your demand deposit accounts with other ASPs will be provided only for the period you determine (0–6 months) and only with your consent granted under the Law No. 6493 and the Regulation. You may withdraw your consent at any time while using this service.

3.2. Processing of Your Personal Data Within the Scope of Payment Initiation Service

Under the payment initiation service, a licensed Payment Initiation Service Provider facilitates the initiation of a payment order from the payment account of a payment service user held with another payment service provider (ASP). Pursuant to Article 12(1)(f) of Law No. 6493, you can issue a payment order regarding your account held with another ASP directly through our Company without accessing your account via the ASP’s interface.

3.3. Processing of Your Personal Data Within the Scope of Qualified or Value-Added Services

Pursuant to Article 12(1)(f) and (g) of Law No. 6493, our Company may provide services that facilitate, secure, or enhance the efficiency of payment services. For individual users, these services may include budget management, bill management, account verification, and payment reminders to support financial awareness and management. For corporate users, they may include services such as debt and receivable management, accounting, invoicing, product, stock, and supply management that facilitate or enhance business operations - all provided under Article 15(9) of the Regulation.

For the purposes of processing within Open Banking, we process your Identity Information, Contact Information, Customer Transaction Information, and Device Information to provide open banking services and enable you to benefit more effectively from our products and services. These are processed under the legal bases of necessity for the establishment or performance of a contract, compliance with legal obligations, and cases explicitly provided by law.

3.4. Processing of Your Personal Data Within the Scope of the Findeks Risk Report

Our Company provides the Findeks risk report service in cooperation with Kredi Kayıt Bürosu A.Ş. (“KKB”), based on your request and consent. Accordingly, your personal data required to provide this service will be obtained from KKB, processed to generate the report, and presented solely to you.

This personal data processing activity will be carried out within the limits set by Law No. 6493, the membership agreements with KKB, and based on explicit consent as provided under Articles 5 and 6 of the Law. If you choose to use this service, your personal data will be transferred to and obtained from KKB.

4. Transfer of Users’ Personal Data:

Users’ personal data may be transferred to Company officials, our affiliates (domestic or foreign), business partners, suppliers, shareholders, legally authorized public institutions and private entities (including KKB in case of a Findeks risk report request), and Account Service Providers (ASPs) holding your payment accounts within the framework of Articles 8 and 9 of the Law, and for the purposes stated above.

5. Method and Legal Basis for Collecting Personal Data:

Personal data are collected from users electronically or physically upon iyzico’s request. Personal data collected based on the legal grounds specified above may be processed and transferred for the purposes set out in Articles 5 and 6 of the Law and in this Explicit Consent Text.

Within the provision of Open Banking services, your personal data are collected automatically by our Company through our online banking and mobile application, other ASPs, and databases of other institutions (for more information on “other institutions,” please visit our Privacy & Personal Data Policy at iyzico.com).

6. Users’ Rights as Data Subjects:

Under Article 11 of the Law, data subjects have the right to:

(i) learn whether their personal data are being processed,
(ii) request information if their personal data have been processed,
(iii) learn the purpose of processing and whether their personal data are used in accordance with this purpose,
(iv) know the third parties to whom their personal data are transferred domestically or abroad,
(v) request correction of personal data if they are incomplete or inaccurate,
(vi) request deletion or destruction of personal data if the reasons for processing no longer exist,
(vii) object to results arising to their detriment from analysis conducted solely by automated systems, and
(viii) claim compensation if they suffer damage due to unlawful processing of their personal data.

Requests regarding the exercise of these rights can be submitted through the methods specified in the Privacy & Personal Data Policy available at https://www.iyzico.com/gizlilik-politikasi. iyzico will evaluate such requests and respond within 30 days. iyzico reserves the right to charge a reasonable fee based on the tariff determined by the Personal Data Protection Board.

7. Granting of Explicit Consent:

By approving this Explicit Consent Text Regarding the Processing of Personal Data, you acknowledge and declare that you have been informed by iyzico and that you provide your explicit consent under the Law for iyzico, as a data controller or through data processors authorized under appropriate security measures, to process your personal data in the cases described above and when you use iyzico’s payment, electronic money, and open banking services, or ancillary services that facilitate and secure these services.

Such processing includes, but is not limited to, ensuring the reliable and continuous provision of iyzico’s products and services, maximizing customer satisfaction, executing and developing operations, performing marketing, advertising, and promotional activities for iyzico’s products and services or other offerings, informing users of opportunities and campaigns, and fulfilling contractual obligations.

You consent to the collection, recording, secure storage (physically or electronically), maintenance, alteration, reorganization, lawful disclosure, transfer, classification, or restriction of processing of your personal data — including your identity, address, and contact information — in compliance with the general principles under Article 4 of the Law, especially the principle of storage only for as long as required by law or processing purposes.

Furthermore, by using the Findeks risk service under Article 3.4, you provide your explicit consent for your personal data necessary for the provision of this service to be transferred to and obtained from Kredi Kayıt Bürosu A.Ş. and processed solely for the purpose of presenting the service to you.

Information Notice Regarding Personal Data Processing

Data Controller: iyzi Ödeme ve Elektronik Para Hizmetleri A.Ş. (“iyzico”)

Contact Information:
iyzico:
Company Name: iyzi Ödeme ve Elektronik Para Hizmetleri A.Ş.
MERSİS Number: 0483034315700019
Address: Altunizade Mah. İnci Çıkmazı Sokak No: 3 İç Kapı No: 10 Üsküdar İstanbul
E-mail:[email protected]
Telephone: +90 216 599 01 00

As iyzi Ödeme ve Elektronik Para Hizmetleri A.Ş. (“iyzico” or the “Company”), we prioritize the protection of personal data and, as the entity responsible for processing your personal data, implement the necessary security measures in accordance with applicable legislation. This Privacy Notice aims to inform relevant persons about the personal data processing activities carried out by iyzico within the scope of the Personal Data Protection Law No. 6698 (the “Law”).

1. Purpose of Processing Personal Data of Users

Personal data of users (our customers or visitors of our website) are processed:

• In compliance with the law and principles of honesty
• Accurately and up to date
• For specific, explicit and legitimate purposes
• In a manner that is relevant, limited and proportionate to the purposes for which they are processed

As iyzico, we process users’ personal data in accordance with Articles 5 and 6 of the Law for the following purposes:

1. carrying out the necessary work by business units to enable relevant persons to benefit from the services provided by iyzico and executing related business processes,
2. carrying out the necessary work by relevant business units for the realization of commercial activities conducted by iyzico and executing related business processes,
3. planning and execution of iyzico’s commercial and/or business strategies,
4. ensuring the legal, technical and commercial/operational security of iyzico and the relevant persons in a business relationship with iyzico.

2. Transfer of Personal Data of Users

Users’ personal data may be shared, within the scope of the above-mentioned purposes and in compliance with Articles 8 and 9 of the Law and applicable legislation, with company officials, our domestic or foreign affiliates, business partners, suppliers, shareholders, legally authorized public institutions and organizations, and private institutions.

3. Method and Legal Basis for Collecting Personal Data

Users’ personal data are collected electronically or physically upon iyzico’s request. Personal data may be processed and transferred in line with the purposes specified in this Privacy Notice in accordance with Articles 5 and 6 of the Law.

4. Retention of Personal Data

In the event that the consent period expires or consent is withdrawn by you, your data may continue to be stored and processed, subject to your approval, in order to provide value-added services related to administrative and operational processes to our corporate and merchant customers, and to provide qualified services to our individual customers.

5. Rights of Users as Data Subjects

Pursuant to Article 11 of the Law, users as data subjects have the right to:

1. learn whether their personal data are processed,
2. request information if their personal data have been processed,
3. learn the purpose of processing personal data and whether they are used in accordance with their purpose,
4. know the third parties to whom personal data are transferred domestically or abroad,
5. request correction of personal data if they are incomplete or inaccurately processed and request notification of such correction to third parties to whom the data have been transferred,
6. request deletion or destruction of personal data where the reasons requiring processing no longer exist, even though they have been processed in accordance with the Law, and request notification of such actions to third parties to whom the data have been transferred,
7. object to the occurrence of a result against themselves by analyzing the processed data exclusively through automated systems,
8. request compensation for damages in case of unlawful processing of personal data.

6. Requests and Applications

To exercise your rights stated above, you may submit your requests to our Company:

• through our Call Center after identity verification,
• via a notary public to the address: “Altunizade Mah. İnci Çıkmazı Sk. No:3 İç Kapı No:10 Üsküdar Istanbul”,
• by using your secure electronic signature to [email protected]

iyzico will evaluate such requests and finalize them within 30 (thirty) days. iyzico reserves the right to charge a reasonable fee based on the tariff determined by the Personal Data Protection Board regarding such requests.

7. Processing of Your Personal Data within the Scope of Open Banking Services and Legal Basis

Open Banking, established by the Central Bank of the Republic of Turkey within the framework of legal regulations, is a new payment service model that enables the monitoring of demand deposit TRY and foreign currency accounts via applications and websites of other banks and licensed institutions, and the initiation of payments from such accounts.

In order to provide better service and enable you to benefit from Open Banking services, our Company, as a “Payment Service Provider” as defined under the Law No. 6493 and the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers (“Regulation”), will collect your personal data in line with your request and consent.

There are two types of Payment Service Providers within the scope of payment services and data sharing services: Account Information Service Providers (AISP) and Payment Initiation Service Providers (PISP).

i. Processing of Personal Data within the Scope of Account Information Services

As an Account Information Service Provider under Article 12/1(g) of the Law, our Company aggregates information related to your accounts held with other Account Service Providers (ASPs) and presents them collectively on our online platforms.

When using this service, you will be able to access your relevant demand deposit accounts held with other ASPs within the scope of the consent you provide, limited to a period you determine between 0-6 months. You may withdraw your consent at any time.

ii. Processing of Personal Data within the Scope of Payment Initiation Services

Within the scope of payment initiation services, a licensed Payment Initiation Service Provider enables users to initiate a payment order from their payment account held with another provider (ASP). Under Article 12/1(f) of the Law, you may give a payment order for your account held with another ASP directly through our Company without accessing the ASP where your account is held.

iii. Processing of Personal Data within the Scope of Value-Added Services

Within the scope of services provided under Article 12/1(f) and (g) of the Law, our Company provides:

• For individual customers: services such as budget management, bill management, account verification, and payment reminders,
• For corporate customers: services such as receivables and payables management, accounting, invoicing, product, inventory and supply management

These services facilitate, secure, or enhance the effectiveness of payment services in accordance with Article 15/9 of the Regulation.

iv. Purposes and Parties for Processing Personal Data

Within the scope of Open Banking services, your personal data are collected and processed by our Company in accordance with the principles set out in Article 4 of the Law, in a manner that is relevant, limited and proportionate to the purposes.

Your personal data will only be used to provide the requested service, send notifications regarding changes, usage, maintenance services, and contract renewals, and will not be shared with third parties except for legal obligations or your consent.

v. Methods of Collecting Personal Data

Within the scope of Open Banking services, your personal data are collected automatically via our internet branch and mobile application, other ASPs, and databases of other institutions.

vi. Categories of Personal Data and Processing Purposes

In order to provide Open Banking services and enable you to benefit more effectively from our products and services, we process your identity information, contact information, transaction data, and device data for the purposes of providing payment initiation and account information services. This processing is based on legal grounds such as being necessary for the establishment or performance of a contract, compliance with legal obligations, and explicit provisions of law.

vii. Transfer to Third Parties

Your personal data may be transferred, where necessary and in line with the purposes of processing, to institutions with which information is shared in accordance with legal obligations and to the ASPs where your payment account is held within the scope of Open Banking services. For more information, you may visit our Privacy & Personal Data Policy at iyzico.com.

Consent Letter of Commercial Communication

I acknowledge that iyzi Ödeme ve Elekronik Para Hizmetleri A.Ş. to send a commercial electronic message to me by means of all kinds of electronic communication means such as text message (SMS), video and voice message (MMS), e-mail, letter, telephone, call center, automatic search and so on regarding all kinds of products and services to be offered by iyzi Ödeme ve Elekronik Para Hizmetleri A.Ş., by itself and / or by its service providers; the purpose of advertising, campaigns, discounts, gifts, raffles, promotions, advertising, publicity and information, developing special opportunities for my needs, maintaining the connection with me, customer satisfaction research, survey studies, celebration, wishes, approval and marketing studies.

iyzi Ödeme ve Elektronik Para Hizmetleri A.Ş. / Mersis No: 0483034315700019 Tel No: 02165990100 Address: Maslak Mah. AOS 55. Sok. 42 Maslak A Blok Sitesi No:2/140 Sarıyer İstanbul – Turkey