ID 10 — Privacy Notice under Turkish Personal Data Protection Law No. 6698 — D10V2 / v1.8

Including Alastyr VDS / İzmir / SMS Phone Verification / QNBpay / Univermobil Analitik and Local DB-IP Processing

Website: mechawork.com
Effective Date: 29 May 2026

Infrastructure Summary: The hosting infrastructure is used on Alastyr VDS, located in İzmir, Türkiye, at the Bornova data centre. Primary backups are stored on the server, while secondary backups are retained in encrypted form in storage owned by the data controller. An SMS-based verification/notification infrastructure is used for phone verification and certain service notifications.

The current phone-verification flow is designed on the basis of SMS only, Turkish phone numbers only, OTP verification triggered by the verification button next to the phone field, a validity period of 3 minutes, resend functionality and graduated blocking rules. In addition, the payment stage cannot be accessed and an order cannot be completed unless the phone-verification step on the pre-payment cargo/delivery screen has been completed.

Payment infrastructure is operated through QNBpay Virtual POS / QNBpay Secure Hosted Payment Page. Card details are not stored in Mechawork systems; they are entered directly on the hosted payment page operated by QNBpay during payment.

Mechawork may also use Univermobil Analitik, which runs on its own server, in order to measure general site usage and technical operation at an aggregated level solely within predefined publicly accessible page groups. Under this operation, limited anonymous measurement may be carried out after the information layer has been shown to the browser; no separate acceptance, permission or marketing-consent record is obtained through that layer. Approximate country, province/region and city information may be derived using the DB-IP IP to City Lite database held locally on the server. Raw IP addresses are not stored in analytics reporting tables or analytics logs.

1) Data Controller

For the purposes of Turkish Personal Data Protection Law No. 6698 (“KVKK”), the data controller is:

  • Brand: Mechawork
  • Title: Ersin Erçin Ünivermobil — Sole Proprietorship
  • Tax Office: İzmir Karşıyaka
  • Tax / Identification Number: 13831063892
  • Address: 1900 Sokak, Çağla Apt. No: 17 Daire: 1, Bayraklı / İzmir, Türkiye
  • KVKK Application Email: ersinercin@univermobil.com
  • Registered Electronic Mail Address (KEP): ersin.ercin@hs01.kep.tr

2) Categories of Personal Data Processed

2.1 Membership / account data

  • email address
  • account-status information
  • account creation / update date records
  • verified / unverified phone status information

2.2 Order and delivery data

  • name and surname
  • delivery address
  • phone number
  • order contents
  • selected components / configuration information
  • order amount, delivery and cargo information

2.3 Billing and financial transaction data

  • identity/invoice information required for issuing an e-Archive invoice
  • payment transaction records, including amount, date/time, transaction result and reference information

Note: Card details are not stored in the data controller’s systems; the payment transaction is carried out within the QNBpay / banking infrastructure.

2.4 Communication and support data

  • email address
  • phone number
  • support/complaint/request correspondence
  • order and delivery notification content
  • phone-verification and service-SMS records
  • SMS content/message bodies contained in current broker job records, such as OTP or service-notification text

2.5 Transaction security and technical records

  • IP address
  • timestamps
  • session information
  • error and security records
  • application logs
  • server-access / operational records
  • SMS OTP generation/sending time
  • verification result
  • error / blocking records
  • resend and graduated blocking records
  • request_id, status, device report and phone/message metadata associated with SMS broker job records

2.6 Limited anonymous site-usage statistics and technical measurement data

Within Univermobil Analitik, solely in predefined publicly accessible page groups, the following limited measurement data may be processed technically or recorded as aggregated statistics:

  • the short-lived, first-party, random/opaque anonymous measurement token named uma_visit
  • the signed technical marker named uma_notice_presented, showing that the information layer has been presented to the browser
  • view counts for approved publicly accessible page groups
  • approximate unique-visit and session counts within short-lived anonymous measurement
  • aggregated navigation transitions between approved publicly accessible page groups
  • aggregated counts of 403 and 404 technical result classes limited to approved publicly accessible areas
  • external source-category and public first-landing page-group statistics, solely within approved and reduced source classifications
  • broad device-class information, such as desktop, mobile, tablet or unknown device class
  • interface-language information
  • approximate country, province/region and city information which may be derived through the DB-IP IP to City Lite database stored locally on the server

Within this scope:

  • The uma_visit token does not carry a user identity, account information, IP address, page content, order, basket, payment or SMS-verification information.
  • Referrer information is evaluated only after being reduced to an approved source category and canonical domain level or to a general category such as external_other; arbitrary external link addresses are not retained as analytics reporting dimensions.
  • Browser/user-agent information is read temporarily only to determine a broad device class or to exclude automated/bot traffic; the raw user-agent value is not retained in analytics storage.
  • An IP address may be processed technically only during local server-side derivation of approximate location information; the IP address is not written to analytics reporting tables or analytics logs.
  • Analytics outputs are not linked to user accounts, drafts, baskets, orders, payments or SMS-verification/broker flows.

2.7 Third-party delivery data

Where the recipient directs delivery to a third person:

  • the third person’s name and surname
  • delivery address
  • phone information

3) Purposes of Processing Personal Data

Your personal data is processed for the following purposes:

  • creating and managing a membership account
  • receiving, verifying, preparing, assembling/configuring and delivering an order
  • establishing and performing the distance-sales contract
  • operating the payment process and keeping transaction records
  • carrying out cargo / delivery operations
  • making notifications relating to an order
  • carrying out customer-support, request and complaint processes
  • issuing e-Archive invoices and fulfilling related financial, commercial and legal obligations
  • ensuring information security, operating systems, logging and preventing misuse and abuse
  • resolving disputes and establishing, exercising or protecting rights
  • responding to lawful requests from competent authorities and bodies

3.1 SMS verification of the phone number and service SMS messages

The phone number is also processed for the following purposes:

  • verifying the phone number entered by the user/recipient
  • confirming the accuracy of the contact number to be used in order, delivery and refund processes
  • reducing the risk of an incorrect number or a number belonging to another person being entered
  • ensuring security, preventing misuse and preserving process integrity
  • sending SMS messages connected solely with performance of the service

Under the current operation, the contents of SMS messages sent for these purposes are limited to:

  • phone-verification / OTP code
  • notification that cargo has been dispatched
  • notification that delivery could not be completed / cargo could not be delivered
  • notification that the order has been cancelled
  • notification that a refund has been made

Important Note: These SMS messages are not used for advertising, marketing, campaigns or commercial electronic-message purposes; they are used solely for operating the order, delivery, security and refund process.

3.2 Limited anonymous site-usage measurement within Univermobil Analitik

The purposes of the limited measurement performed within Univermobil Analitik are:

  • measuring, at an aggregated level, the general usage intensity of approved publicly accessible page groups
  • evaluating approximate unique-visit and anonymous-session tendencies
  • understanding general navigation transitions between publicly accessible page groups
  • monitoring, in aggregated form, technical 403 and 404 result classes limited to approved publicly accessible areas
  • evaluating general access trends relating to reduced external source categories and public first-landing page groups
  • evaluating general usage distributions by broad device class and interface language
  • evaluating, at an aggregated level, approximate geographical distribution which may be derived by local DB-IP processing
  • producing anonymous statistics for technical improvement of site operation and publicly accessible interfaces

This measurement is not used for advertising, marketing, retargeting, behavioural profiling, individual visitor tracking or analysis of private customer transaction flows.

4) Method of Collection of Personal Data

Your personal data is collected through the following methods:

  • membership, order and communication forms on mechawork.com
  • user actions performed during account creation, login and order transactions
  • requests, support correspondence and complaint applications sent by email
  • information communicated during order, delivery, invoicing and cargo processes
  • transaction/reference records generated as a result of payment operations
  • necessary technical records, necessary cookies and logging mechanisms required for site security, session management and operation of the service
  • where necessary, transaction/verification records received through cargo companies, payment organisations or competent authorities

4.1 Method of collection for SMS phone verification and service SMS messages

The phone number and related verification/service records are additionally collected through:

  • entry of a phone number by the user/recipient in the phone field on the site
  • commencement of the SMS-verification process using the verification button next to the phone field
  • sending the SMS OTP code and entering it into the verification screen
  • creation of verification-attempt, failed-attempt, resend-request and blocking records
  • dispatch records for service-purpose SMS notifications

The current phone-verification flow is designed on the basis of SMS only, Turkish phone numbers only, a 3-minute OTP validity period, resending and graduated blocking logic. The phone-verification step on the pre-payment cargo/delivery screen is not considered completed until phone verification has succeeded; consequently, the payment stage cannot be reached and the order cannot be completed.

4.2 Method of collection for Univermobil Analitik

Limited anonymous site-usage statistics may be produced through the following technical means:

  • access by a visitor to a predefined publicly accessible page group
  • use of short-lived first-party technical measurement markers after the information layer has been presented to the browser
  • aggregation of approved public page-group views and transitions within the same short-lived anonymous measurement period
  • reduction of the external source only to an approved source-category / canonical-domain level or a general external-source class
  • temporary evaluation of user-agent information only to determine a broad device class and distinguish automated traffic
  • temporary technical processing of the IP address solely to derive approximate country, province/region and city information through the DB-IP IP to City Lite database stored locally on the server

Univermobil Analitik is restricted so that user-account, registration/login, draft, basket, checkout, order, payment and SMS-verification/broker flows remain outside the analytics measurement scope.

5) Legal Grounds for Processing Personal Data

Your personal data is processed on the basis of the personal-data-processing conditions set out in Article 5 of KVKK. The principal legal grounds relevant to Mechawork activities are as follows:

5.1 Processing directly related to the establishment or performance of a contract

The following operations rely on this legal ground to the extent necessary for establishing or performing the distance-sales relationship and membership/order process:

  • opening and operating a membership account
  • receiving and managing an order
  • processing selected product components
  • arranging delivery
  • fulfilling delivery direction to a third person
  • operating order-status notifications
  • verifying the phone number as the contact number to be used in order, delivery and refund processes
  • sending SMS notifications linked solely to operation of the service

5.2 Processing necessary for the data controller to comply with a legal obligation

The following operations rely on this legal ground:

  • issuing e-Archive invoices
  • keeping financial records
  • fulfilling obligations under consumer legislation
  • responding to lawful requests from official bodies and authorities
  • fulfilling statutory retention and disclosure obligations

5.3 Processing necessary for the establishment, exercise or protection of a right

The following operations rely on this legal ground:

  • management of disputes
  • carrying out complaint and return/defective-goods processes
  • retention of records with evidential value
  • bringing, defending or responding to legal claims
  • establishing, where necessary, ownership of a phone number and the verification flow
  • recording to whom and when delivery, failed-delivery or refund notifications were sent

5.4 Processing necessary for legitimate interests of the data controller, provided that fundamental rights and freedoms of the data subject are not harmed

The following operations rely on this legal ground:

  • ensuring site and server security
  • logging and error monitoring
  • reducing risks of misuse, fraud and unauthorised transactions
  • carrying out business-continuity, backup and system-audit processes
  • using cookies and session mechanisms necessary for operation of the service
  • verifying accuracy of a supplied phone number through SMS OTP
  • applying graduated blocking in response to repeated failed OTP attempts or resend abuse
  • measuring anonymous visit and technical-operation tendencies within approved publicly accessible page groups at an aggregated level without linking them to private customer transaction flows
  • evaluating approximate location distribution derived by local DB-IP processing solely within aggregated technical statistics

Note: Where a separate explicit consent is not required for the activities explained in this notice, Mechawork relies on the relevant lawful processing conditions. Univermobil Analitik operates within limited first-party anonymous-statistics measurement after presentation of its information layer; no separate acceptance, permission or marketing-consent record is obtained through that information layer. Cookies for advertising, marketing, retargeting or third-party visitor analytics are not used within the current Univermobil Analitik operation. The sending of a phone-verification code or a service SMS does not in itself constitute marketing consent and is not combined with different purposes.

6) Persons to Whom Personal Data May Be Transferred and Purposes of Transfer

6.1 Domestic recipient groups

Your personal data may be transferred, limited to the purposes of processing and to the extent necessary, to the following recipient groups:

  • Hosting / VDS provider: Alastyr Telekomünikasyon A.Ş.
    • server hosting, system operation and technical infrastructure
  • Cargo companies: DHL eCommerce Türkiye and/or Yurtiçi Kargo
    • delivery organisation and cargo process
  • Payment organisation / bank: QNBpay Virtual POS / QNBpay Secure Hosted Payment Page
    • conducting payment operations, collecting card details on the hosted payment page and directing refund transactions to the same payment instrument
  • Turkish Revenue Administration / e-Archive system
    • invoicing and fulfilment of financial obligations
  • Competent public bodies, authorities and judicial authorities
    • fulfilment of legal obligations and responding to official requests

6.2 Transfers concerning SMS phone verification and service SMS messages

The phone number and related dispatch/verification records may be shared, to the extent necessary, with the following recipient groups:

  • Telecommunications operator / SMS transmission infrastructure; currently a Türk Telekom line
    • transmission of SMS OTP and service notifications
  • Technical systems used within the SMS-verification / SMS-dispatch infrastructure
    • generation/sending of verification codes, recording and execution of the blocking flow
    • in the current operation, sending SMS messages through a self-owned broker service and a self-owned Android SMS sender device
  • Cargo companies
    • performance of delivery and delivery/failed-delivery communications
  • Competent public bodies, authorities and judicial authorities
    • fulfilment of legal obligations and responding to official requests

Note: The current protocol essentially provides for an architecture based on a self-owned broker service, a self-owned Android SMS sender device and a Türk Telekom SIM. This notice is arranged to explain the purpose and categories of processing and transfer independently of the technical architecture.

6.3 Transfers concerning Univermobil Analitik and local DB-IP processing

Univermobil Analitik is a limited first-party technical-statistics infrastructure operating on Mechawork’s own server.

  • Approximate country, province/region and city derivation may be carried out through the DB-IP IP to City Lite database stored locally on the server.
  • For this purpose, a visitor’s IP address is not remotely sent to DB-IP or to another third-party visitor-analytics service.
  • Google Analytics or comparable third-party visitor-analytics transfer is not performed within Univermobil Analitik.
  • Aggregated anonymous analytics outputs are not matched with user accounts, baskets, orders, payments or SMS-verification data.

6.4 Explanation concerning transfers abroad

Mechawork’s planned hosting infrastructure is located in Türkiye. However, due to:

  • technical routing depending on the email provider used by a recipient or addressee,
  • technical flow of email transmission through internet infrastructure,
  • foreign service providers used by the recipient on their own side,

certain communication records may technically come into contact with systems abroad.

If Mechawork separately adds planned overseas hosting or an external cloud-backup service, the relevant information text will be updated separately.

7) Retention Periods, Deletion/Deactivation and Backups

Your personal data is retained:

  • for retention periods prescribed under applicable legislation,
  • for the period necessary to establish and perform the contractual relationship,
  • for a reasonable period necessary for disputes, evidence and protection of rights,
  • for the operational period necessary for information security and system operation.

7.1 Backup arrangement

  • primary backups are retained on the server
  • secondary backups are retained in encrypted form on storage belonging to the data controller

7.2 Account deletion / deactivation

In the event of a request to delete or deactivate an account:

  • the account is first removed from active use,
  • data not required to be retained under applicable legislation and whose processing purpose has ended is deleted, destroyed or anonymised,
  • records within invoice, accounting, dispute and evidential obligations continue to be retained for the applicable statutory periods,
  • data included in backups, even where deleted from active systems, is separately managed within the backup architecture, technical restoration security and ordinary backup-cycle/overwrite processes.

7.3 Retention of phone-verification records

Phone-verification and service-SMS records are retained for the period necessary for:

  • security,
  • proof of verification,
  • dispute resolution,
  • verification of delivery / notification history,
  • management of misuse and repeated failed attempts.

These records may include OTP generation/sending time, verification result, failed attempt, resend and temporary blocking records, as well as records retained within broker job records under the current system, such as phone number, request_id, status and message content/SMS body.

7.4 Retention of Univermobil Analitik records

Within Univermobil Analitik:

  • the uma_visit technical cookie may be used within a maximum technical lifetime of 24 hours;
  • the uma_notice_presented technical marker is used within the browser session and is subject to a maximum server-side technical-validity limit of 24 hours;
  • short-lived hash/technical-state records used for approximate unique-visit, page-transition and comparable calculations may be retained within a maximum operational period of 48 hours;
  • daily aggregated analytics reporting records are retained for the limited reporting period determined for the current measurement scope; under the current structure, the reporting-retention period is applied so as not to exceed 365 days;
  • where an anonymous report is exported by an administrator, administrative audit records containing only the authorised administrator identity and report-generation metadata may additionally be retained for a limited period;
  • this notice will be updated if the measurement scope, measured dimensions or retention limits change.

8) Rights of the Data Subject under KVKK

Pursuant to Article 11 of KVKK, the data subject has the right to apply to the data controller and:

  • learn whether personal data concerning them has been processed,
  • request information where their personal data has been processed,
  • learn the purpose of processing personal data and whether it is used in accordance with that purpose,
  • know the third parties to whom personal data has been transferred domestically or abroad,
  • request correction where personal data has been processed incompletely or inaccurately,
  • request deletion or destruction of personal data within the conditions of KVKK and other applicable legislation,
  • request notification of correction, deletion or destruction operations to third parties to whom personal data has been transferred,
  • object to a result arising against them as a result of analysis of processed data exclusively by automated systems,
  • claim compensation for damages suffered due to unlawful processing of personal data.

9) Application Procedure

Applications under KVKK may be submitted through the following methods:

  • Written application:
    1900 Sokak, Çağla Apt. No: 17 Daire: 1, Bayraklı / İzmir, Türkiye
  • Application through Registered Electronic Mail (KEP):
    ersin.ercin@hs01.kep.tr
  • Application through your email address registered in the system:
    ersinercin@univermobil.com

The application must contain information sufficient to verify your identity and clarify your request. Applications will be concluded as soon as possible according to the nature of the request and, as a rule, no later than 30 days. Where the operation requires an additional cost, a fee may be requested within the framework permitted under applicable legislation.

10) Entry into Force and Replacement of Previous Text

This notice enters into force as D10V2 / v1.8 on the date on which it is published on mechawork.com and supersedes the previous active D10V1 / v1.7 notice on the same subject.