Privacy Policy & Privacy Notice
Version: 2026-06-13 · Effective date: 13 June 2026
NOTICE: This text is a draft and not legal advice; it should be reviewed by a lawyer before going live.
This notice explains, in plain language, how your personal data is processed in the BQR digital business card service. It satisfies both the KVKK art.10 disclosure duty and the GDPR art.13-14 information duty.
Key distinction: BQR is often offered white-label to a business (the cardholder firm). In that case the DATA CONTROLLER for the information on your card is the cardholder firm; we (Görkem Sarı - Barlas Dijital) act only as the DATA PROCESSOR following its instructions. That firm decides what card content to collect and how to use it. If you obtained BQR directly from us, we are the controller for the card content.
Honest limit: The records we keep to run your account (email, sign-in, session, security logs) are our own processing; for these we are the DATA CONTROLLER. As a processor we also have non-waivable duties under KVKK art.12 / GDPR art.28 to secure the data, act on instructions and report breaches.
The checkbox below is not "consent"; it confirms you have read this notice. Marketing permission is separate and optional.
1. Controller, processor and contact
- In white-label use the DATA CONTROLLER is the cardholder firm that buys/manages your card. For content-related requests you may contact it first.
- DATA PROCESSOR and platform provider: Görkem Sarı (Barlas Dijital) - sole proprietorship.
- If you opened an account directly with us, we are the controller for the card content.
- Address: Ekinoba Mah. Ayberk Sok. No:5/33, Büyükçekmece / İstanbul
- Email: info@bqr.app
- Tax ID (VKN): 7460898686
- You may always send requests to the email above; in white-label cases we forward your request to the relevant firm.
2. Data we process
We process only the data needed for the service:
- Account: email address, display name.
- Sign-in and security: single-use sign-in link (magic-link) records, session record, IP address, browser info, failed login attempts.
- Card content: name, title, company, phone, email, address, business hours, map link, IBAN, social media links, avatar/logo/cover images. You enter this content.
- Contact form (card visitor): name, email, message text.
- Consent records: the accepted/acknowledged document and its version, date-time, IP, browser (for proof).
3. Purposes, legal bases and obligation to provide data
- Account creation, magic-link authentication, card publishing, QR/vCard generation: FORMATION AND PERFORMANCE OF A CONTRACT (KVKK 5/2-c · GDPR 6/1-b).
- Security, abuse and session-misuse prevention (login lockout, logs): LEGITIMATE INTEREST (KVKK 5/2-f · GDPR 6/1-f). Our interest here is protecting your account and the system against misuse; you may object to this processing within your rights in Section 7.
- Delivering a contact-form message to the cardholder: processing on the visitor's REQUEST / legitimate interest (for this data the controller is the cardholder firm).
- Legal record-keeping and consent storage: LEGAL OBLIGATION (KVKK 5/2-ç · GDPR 6/1-c).
- Marketing messages: EXPLICIT CONSENT (KVKK 5/1 · GDPR 6/1-a) - only if you opt in.
Obligation to provide data: Providing the basic data needed for the account and card (e.g. email) is a contractual precondition of the service; without it, an account cannot be created or a card published. Other data (e.g. marketing permission) is optional.
Operation of the essential service is NOT conditioned on consent; even where we ask for consent we do not make it a precondition of the service.
4. How we collect data
- Account and card data: collected by automated means as you enter it via the sign-up screen, magic-link sign-in and the card editor.
- Security data (IP, browser, session): generated automatically by the system as you use the service.
- Contact-form data: collected when a person visiting your card completes and submits the form.
5. Transfers and international processing
- Cloud infrastructure: Cloudflare (Workers / D1 database / R2 file storage) and an email delivery service are used as sub-processors. They access data only to operate the service.
- You may request the current sub-processor list, including the email delivery service provider, from info@bqr.app.
- In white-label use, the platform provider (Barlas Dijital) accesses data as a processor for the cardholder firm.
- We do NOT sell your data to third parties for marketing.
- International: Cloudflare operates a global network; your data may be processed on servers outside Türkiye (this may include, for example, the European Union and/or the USA). No specific country is guaranteed.
- Such international transfer relies on appropriate safeguards under KVKK art.9 (standard contractual clauses / undertakings between the parties) or on the statutory derogations.
- You may request a copy of these safeguards (standard contractual clauses / undertakings) from info@bqr.app.
6. Retention periods
- Account and card data: while your account is active; if you delete the account/card, the parts not subject to legal retention are deleted within a reasonable time.
- Sign-in links (magic-link): very short-lived (minutes); invalid once used or expired.
- Session records: up to 30 days.
- Contact-form messages: deleted together with the card when the card is deleted.
- Consent and legal records: retained for the statutory limitation period for legal obligations and to prove possible claims.
7. Your rights under KVKK art.11 and GDPR
You have the rights to:
- Learn whether your data is processed and request information/a copy (access)
- Rectify inaccurate/incomplete data
- Erasure or destruction
- Restriction of processing
- Portability: export your card as vCard/JSON
- Object to processing; object to direct marketing at any time
- Object to automated decisions and seek compensation for damage
Requests: info@bqr.app. In white-label use you may send your request to the cardholder firm, or if you write to us we will forward it.
You also retain the right to lodge a complaint with the Turkish Data Protection Authority (KVKK) or, if in the EU, the relevant supervisory authority.
8. Automated decision-making
- No automated decision-making or profiling producing legal or similarly significant effects is carried out on your personal data.
- Automated security measures such as login lockout are technical protections; they are not used for profiling and do not produce legal or similarly significant effects on you.
9. Cookies
- Only a strictly necessary session cookie (bqr_session) is used; it keeps you signed in and is not for advertising or tracking.
- Preferences (language and theme choice) are kept in local storage on your device.
- The necessary cookie and preference storage do not require consent.
- We do NOT use advertising, analytics or tracking cookies. If added in future, a separate, equally weighted (accept/reject) cookie consent banner will be provided.
10. Withdrawing consent and changes
- For consent-based processing (e.g. marketing) you may withdraw your consent as easily as you gave it: the unsubscribe link in the email or the toggle in the panel. Withdrawal is prospective; it does not invalidate past processing.
- Declining or withdrawing marketing permission does not affect your account.
- We may update this notice. For material changes we update the version date and request a fresh read-acknowledgment where needed. The current version is always published on this page.