1. Introduction
This document is issued by XBİTCOMP YAZILIM VE BİLİŞİM TİCARET LİMİTED ŞİRKETİ ("xbitcomp", "we", the "Company") to inform visitors ("data subject", "you") of the website at xbitcomp.com how their personal data is processed, in accordance with Turkish Personal Data Protection Law no. 6698 ("KVKK") and, where applicable, the EU General Data Protection Regulation ("GDPR").
xbitcomp follows the principle of data minimisation: we process only what is necessary to run the site, to keep it secure, and to understand visitor behaviour. The site has no account, registration or subscription area aimed at visitors; when enabled, the voluntary contact form processes the name, e-mail and message content you submit only so that we can reply to your enquiry.
2. Data Controller
Under Article 3 of the KVKK, the data controller is the company identified below:
| Company Name | XBİTCOMP YAZILIM VE BİLİŞİM TİCARET LİMİTED ŞİRKETİ |
|---|---|
| Address | Esentepe Mah. Akademiyolu Sk. Teknoloji Geliştirme Bölgeleri B Blok No: 10 B İç Kapı No: Z05, Serdivan / Sakarya, Türkiye |
| Tax Office | GÜMRÜKÖNÜ V.D. |
| Tax Number | 8331132578 |
| Trade Registry (Mersis) No | 0833113257800001 |
| Registered Electronic Mail (KEP) | — |
| Contact e-mail |
3. Personal Data We Process and How We Collect It
The personal data below is collected and processed by automated means when you visit the site:
3.1. Connection and Device Data
- IP address
- Browser type and version (User-Agent)
- Operating system
- Referring page (HTTP Referer)
- URLs visited
- Date and time of the visit
- Approximate geographic location (country level, derived from IP)
This data is written to Cloudflare proxy and CDN logs as part of the basic operation of the internet protocol.
3.2. Bot Verification Data
When you click the "Send e-mail", "Message us on WhatsApp" or "Book 15 minutes" buttons, automated bot verification is performed by the Cloudflare Turnstile service. During this check, technical signals about your browser environment (no personal data content) are transmitted to Cloudflare, Inc. via our Worker endpoint at /api/contact-verify.
3.3. Cookie-free Performance Analytics
Cloudflare Web Analytics runs on the site. This service uses no cookies and collects visitor behaviour in an aggregated and anonymised form; it does not retain any individual user identity or device fingerprint and does not track across sites. It is always active and used for basic performance measurement.
3.4. Consent-based Analytics
If you grant the "Analytics" category in the cookie-consent panel, the following additional services are loaded:
- Google Analytics 4 (Google LLC) — collects anonymised visitor and session statistics through the
_gaand_ga_*cookies. IP addresses are processed by Google with IP-anonymisation enabled (anonymize_ip). - Microsoft Clarity (Microsoft Corporation) — provides anonymous session recording, heatmaps and click-behaviour analytics via the
_clck,_clskandMUIDcookies. All text and form inputs are transmitted masked, so the content of what you type is never passed to Microsoft. - Google Tag Manager (Google LLC) — orchestrates loading of the analytics tags above; on its own it does not retain visitor identifiers.
You can withdraw your consent at any time from the cookie-consent panel; the services and their cookies stop loading immediately.
3.5. After Contact Actions
When you click the "Send e-mail", "WhatsApp" or "Calendar" buttons, you are redirected to third-party platforms (your e-mail provider, WhatsApp, and Cal.com respectively). From that point on, the privacy policies of those platforms — which are outside our control — apply.
3.6. Contact-form Data (only when enabled)
When the contact form is enabled, the data you voluntarily enter — name, e-mail address and message content — is processed, alongside the time between page load and submission (anti-spam heuristic) and session-scoped UTM campaign parameters. This data is used solely so that we can reply to you and is not processed for any other purpose without your explicit consent.
4. Purposes of Processing
- Operating the site technically: serving content with the correct country/language, recording error logs.
- Securing the site: protecting against DDoS attacks, filtering malware, blocking bot traffic.
- Performance optimisation: fast page delivery via CDN, caching.
- Improving service quality: aggregated and largely anonymised analysis of which pages are visited and which content draws the most interest.
- Responding to enquiries: following up after you contact us through the form or the contact buttons.
- Compliance with legal obligations: responding to legitimate requests from competent public authorities.
Your data is not processed for sale to third parties, personalised advertising or profiling; the site carries no active advertising pixels (Meta Pixel, LinkedIn Insight, Google Ads, TikTok Pixel, etc.).
5. Legal Bases for Processing
Your personal data is processed under Article 5 of the KVKK on the legal grounds below; equivalent GDPR grounds are noted alongside for visitors covered by GDPR:
- KVKK art. 5(2)(f) — Legitimate interest of the data controller (GDPR art. 6(1)(f)): security, performance, technical operation and cookie-free performance analytics.
- KVKK art. 5(2)(ç) — Compliance with a legal obligation (GDPR art. 6(1)(c)): keeping server logs as required by competent authorities.
- KVKK art. 5(1) — Explicit consent (GDPR art. 6(1)(a) and ePrivacy Directive art. 5(3)): consent-based analytics cookies (Google Analytics 4, Microsoft Clarity, analytics tags loaded via GTM).
- KVKK art. 5(2)(c) — Performance of a contract (GDPR art. 6(1)(b)): handling enquiries you submit through the contact form so that we can scope a possible engagement.
6. Third Parties to Whom Data is Transferred
| Service Provider | Location | Data Accessed | Purpose | Legal Basis |
|---|---|---|---|---|
| Cloudflare, Inc. | USA (headquarters), global edge network | IP, User-Agent, referer, URL, Turnstile signals | Proxy, CDN, DDoS protection, bot verification, cookie-free analytics, Worker endpoints | Legitimate interest |
| Google LLC | USA (headquarters), global network | IP (anonymised), _ga/_ga_* cookies, event data, device/browser metadata | Google Analytics 4 and Google Tag Manager — aggregated visitor / behaviour statistics | Explicit consent |
| Microsoft Corporation | USA (headquarters), global network | _clck, _clsk, MUID cookies, masked click/scroll events | Microsoft Clarity — anonymised heatmaps and behaviour analytics | Explicit consent |
Apart from the service providers listed above, no data is transferred to any natural or legal person for commercial purposes.
Where legally required, data may be transferred to competent public authorities (KVKK art. 8(2)(a)).
7. International Data Transfers
The service providers above (Cloudflare, Inc., Google LLC and Microsoft Corporation) are headquartered in the United States and process data across global server networks. The data described above is therefore transferred outside Türkiye under KVKK art. 9 and outside the EEA under Chapter V of the GDPR.
Transfers take place under the following safeguards:
- Cloudflare: GDPR-aligned Data Processing Agreement (DPA) and EU Standard Contractual Clauses (SCCs).
- Google LLC: Google Ads/Analytics Data Processing Terms, SCCs and EU-U.S. Data Privacy Framework certification.
- Microsoft Corporation: Microsoft Online Services Data Protection Addendum, SCCs and EU-U.S. Data Privacy Framework certification.
If you do not consent to the consent-based transfers (Google, Microsoft), simply keep those categories switched off in the cookie-consent panel. The Cloudflare transfer is necessary for the site to operate and occurs as soon as you access the site.
8. Retention Periods
| Data Type | Retention |
|---|---|
| Cloudflare proxy / CDN logs | 4–7 days (Cloudflare standard policy) |
| Cloudflare Web Analytics anonymous data | 6 months (aggregated) |
| Google Analytics 4 event data | Configured property default: 14 months, then automatically deleted |
| Microsoft Clarity session data | 1 year (Microsoft standard policy) |
| Turnstile verification token | Single-use; not stored beyond the session |
| Contact-form records (when enabled) | 24 months after the enquiry has been concluded, then destroyed |
At the end of the retention period, data is automatically deleted or anonymised.
9. Your Rights (KVKK art. 11 / GDPR arts. 15–22)
Under Article 11 of the KVKK — and Articles 15–22 of GDPR for visitors covered by it — you have the following rights with regard to your personal data:
- To learn whether your personal data is being processed;
- To request information if your personal data has been processed;
- To learn the purpose of the processing and whether the data is used in accordance with that purpose;
- To know the third parties, in Türkiye or abroad, to whom your personal data has been transferred;
- To have your personal data corrected if it is incomplete or inaccurate;
- To request erasure or destruction of your personal data under KVKK art. 7;
- To request that operations under (e) and (f) be communicated to the third parties to whom the data was transferred;
- To object to a result drawn against you that arises exclusively from automated analysis of your processed data;
- To claim compensation if you suffer damage because of unlawful processing of your personal data.
10. How to Exercise Your Rights
To exercise the rights above, in accordance with the Communiqué on the Procedure and Principles for Application to the Data Controller:
- By e-mail: , including information sufficient to verify your identity.
- In writing: send a wet-ink signed petition to Esentepe Mah. Akademiyolu Sk. Teknoloji Geliştirme Bölgeleri B Blok No: 10 B İç Kapı No: Z05, Serdivan / Sakarya, Türkiye.
Your application will be answered free of charge within 30 days at the latest. If the request requires additional costs, the fee set out in the tariff fixed by the KVKK may be charged.
If your application is rejected, or you are not satisfied with the response, you have the right to lodge a complaint with the Personal Data Protection Board within 30 days.
11. Use of Cookies
For details about the cookies used on the site, see the Cookie Policy page.
12. Updates to This Policy
This policy may be updated in line with legislative changes or with changes to our service providers. The current version is always published on this page. The last update date is shown at the top of the page.