At MarineFlux we take the privacy of your personal data seriously. This Privacy Policy explains what data we collect when you use our website and services (the "Service"), how and why we process it, who we share it with, how long we keep it, and the rights you have. It applies to personal data of account holders, Authorised Users, website visitors, and the supplier representatives we contact on your behalf.
1. Data Controller
The controller of your personal data is Emre Can Yenikan, trading as "Ballast Yazılım ve Teknoloji", a sole proprietorship established in Türkiye, at Küçükbakkalköy Mah. Selvili Sok. No: 4/20, Workon Açık Ofis Bölümü, Ataşehir / İstanbul, Türkiye ("MarineFlux", "we", "us"). MERSIS No: [MERSIS NO — TO BE ADDED]; Trade Registry No: [TICARET SİCİL NO — TO BE ADDED].
For any privacy question or to exercise your rights, contact us at info@marineflux.com.
2. Definitions
We use terms as defined in the Turkish Personal Data Protection Law No. 6698 ("KVKK", Art. 3) and the EU/UK General Data Protection Regulation ("GDPR", Art. 4). In short: "personal data" is any information relating to an identified or identifiable individual; "processing" is any operation performed on personal data; "controller" decides why and how data is processed; and a "processor" processes data on the controller's behalf.
3. Categories of Data We Collect
- Account data — name, work email, password (stored only as a secure hash), company name, country, role, and account preferences.
- Contact data — information you give us when you contact support or correspond with us.
- Operational data — the content you submit and generate while using the Service: requisitions, RFQs, quotations, orders, vessel and fleet details, uploaded documents (for example proformas, invoices, packing lists, transport and class documents), and Agent conversation history.
- Third-party data — business-contact details of supplier representatives (for example name and email address) contained in messages and documents exchanged through the Service.
- Technical data — IP address, browser/user-agent, device and connection information, log and event data, and information collected through cookies and similar technologies (see our Cookie Policy).
- Consent and compliance data — records evidencing your acceptance of our legal terms (including a timestamp, a hash of the text shown, and technical metadata), and records relating to data-rights requests.
We do not intentionally collect special categories of personal data, and we ask that you do not submit them through the Service.
We keep internal usage and event logs (including per-account token-usage metering and a record of key actions taken in the Service) to operate, secure, debug, and improve the Service. These logs are retained on a rolling basis and deleted when no longer needed for these purposes.
4. How We Collect Data
We collect personal data: (a) directly from you, when you register, configure your account, submit Customer Content, or contact us; (b) automatically, through cookies, server logs, and analytics as you use the Service; and (c) from third parties, principally from supplier replies and the documents that flow through the platform.
5. Purposes and Legal Basis
We process personal data for the purposes below. Where the KVKK applies we rely on the processing conditions in Art. 5 and Art. 6; where the GDPR/UK GDPR applies we rely on the legal bases in Art. 6.
| Purpose | Legal basis (GDPR) | Condition (KVKK) |
|---|---|---|
| Create and administer your account; deliver the Service | Performance of a contract (Art. 6(1)(b)) | Necessary for performance of a contract (m.5/2-c) |
| Operate the Agent, source suppliers, send and receive RFQ/order communications, parse and validate documents | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) | Contract (m.5/2-c); legitimate interest (m.5/2-f) |
| Billing and payment when paid plans activate | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) | Contract (m.5/2-c); legal obligation (m.5/2-ç) |
| Customer support and service communications | Legitimate interests (Art. 6(1)(f)) | Legitimate interest (m.5/2-f) |
| Secure, monitor, debug, and improve the Service | Legitimate interests (Art. 6(1)(f)) | Legitimate interest (m.5/2-f) |
| Supplier identity / sanctions-oriented checks (KYB) | Legitimate interests (Art. 6(1)(f)); legal obligation where applicable (Art. 6(1)(c)) | Legitimate interest (m.5/2-f); legal obligation (m.5/2-ç) |
| Comply with tax, accounting, and other legal duties | Legal obligation (Art. 6(1)(c)) | Legal obligation (m.5/2-ç) |
| Establish, exercise, or defend legal claims | Legitimate interests (Art. 6(1)(f)) | Necessary for the establishment/exercise/protection of a right (m.5/2-e) |
| Marketing communications (where offered) | Consent (Art. 6(1)(a)) | Explicit consent (m.5/1) |
6. Data Retention
We keep personal data only as long as necessary for the purposes above or as required by law. Our principal retention windows are:
| Category | Retention | Basis |
|---|---|---|
| Active account profile | Duration of the subscription + 30 days | Contract performance |
| Deleted account | Soft-deleted for 30 days, then purged | Erasure right (GDPR Art. 17 / KVKK m.11 / LGPD Art. 18) |
| RFQs, quotations, orders, and order documents | 10 years | Turkish Commercial Code Art. 82; Tax Procedure Law Art. 253 |
| Invoices and payment-confirmation documents | 10 years | Tax Procedure Law Art. 253 |
| Sign-in events and server access logs | 12 months | Law No. 5651 |
| Inbound email content | 24 months | Proportionality — dispute resolution |
| Consent and data-rights records | 10 years | Legal-claim defence (GDPR Art. 17(3)(e); KVKK m.11) |
When you delete your account, your operational data is purged after the 30-day grace period; certain records — pseudonymised consent evidence, a deletion-execution log, and tax/invoice records — are retained for the periods above even after deletion, because we are legally required or permitted to keep them.
7. Third-Party Recipients
We share personal data with vetted service providers (processors) who act on our instructions:
| Provider | Role | Location |
|---|---|---|
| Google LLC (Firebase) | Database, authentication, file storage | United States and/or European Union |
| Vercel Inc. | Hosting (fra1, Frankfurt), analytics |
European Union (hosting); EU (analytics) |
| Anthropic PBC | AI processing for the Agent | United States |
| Twilio Inc. (SendGrid) | Outbound and inbound email | United States |
For supplier identity and sanctions-oriented checks we query GLEIF, OpenSanctions, and public business registries (for example Companies House, INSEE, KVK, ABR, NTA, CVR, Brønnøysund, BrasilAPI, EU VIES, ACRA). These queries carry supplier company names and identifiers, not the personal data of MarineFlux account holders.
We may also disclose personal data where required by law, court order, or a competent authority, to enforce our agreements, to prevent fraud or harm, or in connection with a merger, acquisition, or sale of assets (with appropriate safeguards). We do not sell personal data.
8. International Data Transfers
MarineFlux is established in Türkiye, and some processors are located outside your country, including in the United States and the European Union. When personal data crosses a border, we use the mechanism required by the law of the country the data comes from:
- From the EEA/UK — the European Commission's 2021 Standard Contractual Clauses (Module 2), with the UK International Data Transfer Agreement (IDTA) addendum for UK transfers, supported by a transfer-impact assessment and supplementary measures (encryption in transit and at rest, access controls) for transfers to the United States.
- From Türkiye (KVKK) — a KVKK Standart Sözleşme, notified to the KVKK Authority within 5 business days of signature. Following the 2024 KVKK reform, explicit consent alone is not relied on as a standalone transfer basis.
- From Switzerland — the Swiss FDPIC-recognised version of the Standard Contractual Clauses.
- From California — the CCPA does not restrict cross-border transfers; the disclosures in the California Addendum apply.
- From Brazil — transfers rely on the necessity to perform the contract (LGPD Art. 33(II)) with supplementary contractual safeguards.
A summary of our transfer safeguards is available on request at info@marineflux.com.
9. Your Rights
The rights you can exercise depend on the law applicable to your country of residence. In general, you may ask us to confirm whether we process your data, access it, correct it, delete it, restrict or object to processing, and receive it in a portable format. To exercise any right, contact info@marineflux.com; we will respond within the period required by the applicable law.
The region-specific sections below set out additional rights in more detail.
EEA & UK Addendum — GDPR / UK GDPR
If you reside in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR apply to MarineFlux's processing of your personal data, in addition to the main Privacy Policy.
Legal basis for processing (GDPR Art. 6)
We rely on the following legal bases, by purpose:
- Performance of a contract (Art. 6(1)(b)) — creating and administering your account, operating the Agent, exchanging RFQ and order communications, and (when paid plans activate) billing.
- Compliance with a legal obligation (Art. 6(1)(c)) — meeting tax, accounting, and other statutory duties, and retaining records we are required to keep.
- Legitimate interests (Art. 6(1)(f)) — securing, maintaining, debugging, and improving the Service; supplier identity and sanctions-oriented checks; and establishing or defending legal claims. Where we rely on legitimate interests, we have balanced them against your rights and you may object as set out below.
- Consent (Art. 6(1)(a)) — analytics cookies and any marketing communications. You may withdraw consent at any time.
Your rights
- Right of access (Art. 15) — request a copy of your personal data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — "right to be forgotten", subject to the legal-claim defence exemption under Art. 17(3)(e)
- Right to restrict processing (Art. 18)
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
- Right to object (Art. 21) — to processing based on legitimate interests
- Rights related to automated decision-making (Art. 22) — including the right to obtain human review
- Right to withdraw consent at any time, where processing is based on consent
- Right to lodge a complaint with your supervisory authority
To exercise any of these rights, contact info@marineflux.com. We respond within one month, as required by the GDPR.
Supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your habitual residence or place of work, or where you believe an infringement occurred. In the United Kingdom, the relevant authority is the Information Commissioner's Office (ICO) — ico.org.uk. A list of EEA supervisory authorities is available through the European Data Protection Board — edpb.europa.eu.
EU and UK Representative
Where required under GDPR Art. 27 and UK GDPR § 27, MarineFlux will appoint a representative in the EU and the UK. The representative's contact details will be published here once the appointment is finalised. Until then, please contact us at info@marineflux.com.
Cross-border transfer mechanism
For transfers from the EEA/UK to Türkiye (where MarineFlux is established) and to sub-processors in third countries, we rely on the European Commission's 2021 Standard Contractual Clauses (Module 2), with the UK IDTA addendum for UK transfers, supported by a transfer-impact assessment and supplementary technical measures (encryption in transit and at rest, access controls). A summary of these safeguards is available on request at info@marineflux.com.
California Addendum — CCPA / CPRA
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you additional rights regarding your personal information, in addition to the main Privacy Policy.
Categories of personal information collected and disclosed
In the past 12 months we have collected the following CCPA categories of personal information, for the business purposes described in the Privacy Policy:
- Identifiers — name, work email, account identifiers, IP address.
- Commercial information — records of services used and procurement activity (RFQs, orders, documents).
- Internet or network activity — usage, log, and event data from your interaction with the Service.
- Professional or employment-related information — your company, role, and business-contact details.
We disclose these categories to our service providers (listed below and in the Privacy Policy) only as needed to provide the Service. We do not collect or use sensitive personal information beyond what is necessary to provide the Service, and we do not use it to infer characteristics about you.
Your CCPA rights
- Right to know what personal information we collect, use, and disclose
- Right to delete your personal information (subject to legal-claim defence and other statutory exemptions)
- Right to correct inaccurate personal information
- Right to opt-out of sale or sharing of your personal information (we do not sell or share personal information — see below)
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising your CCPA rights
Do Not Sell or Share My Personal Information
MarineFlux does not sell personal information, and does not share personal information for cross-context behavioural advertising, as those terms are defined by the CCPA/CPRA. Because we do not sell or share, there is no opt-out to perform; this section stands as our affirmation of that position. If this ever changes, we will update this addendum, provide a "Do Not Sell or Share My Personal Information" control, and obtain any consent required.
How to exercise your rights
Submit a verifiable consumer request by emailing info@marineflux.com. We will verify your request and respond within 45 days (extendable by a further 45 days where permitted). You may use an authorised agent to submit a request on your behalf, subject to verification.
Categories disclosed to third parties (service providers)
| Service provider | CCPA categories disclosed | Purpose |
|---|---|---|
| Google LLC (Firebase) | Identifiers, commercial, internet activity, professional | Database, authentication, storage |
| Vercel Inc. | Identifiers, internet activity | Hosting, analytics |
| Anthropic PBC | Identifiers, commercial, professional | AI processing (the Agent) |
| Twilio Inc. (SendGrid) | Identifiers, professional |
None of these disclosures constitutes a "sale" or "sharing" under the CCPA/CPRA. Each provider acts as a service provider under written terms that restrict use of the information to the purposes above.
Brazil Addendum — LGPD
If you reside in Brazil, the Lei Geral de Proteção de Dados (LGPD, Law No. 13.709/2018) applies to MarineFlux's processing of your personal data, in addition to the main Privacy Policy.
Legal basis for processing (LGPD Art. 7)
We process personal data on the following legal bases, by purpose:
- Performance of a contract (Art. 7(V)) — creating and administering your account, operating the Agent, exchanging RFQ and order communications, and billing when paid plans activate.
- Legitimate interests (Art. 7(IX)) — securing, maintaining, and improving the Service; supplier identity and sanctions-oriented checks.
- Compliance with a legal or regulatory obligation (Art. 7(II)) — meeting tax, accounting, and other statutory duties.
- Regular exercise of rights (Art. 7(VI)) — establishing or defending legal claims.
- Consent (Art. 7(I)) — analytics cookies and any marketing communications; you may withdraw consent at any time.
Your LGPD rights (Art. 18)
LGPD grants you nine specific rights:
- Confirmation that processing exists
- Access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymisation, blocking, or deletion of unnecessary or excessive data, or data processed unlawfully
- Data portability to another service provider
- Deletion of personal data processed with consent (subject to legal exemptions)
- Information about the public and private entities with whom we have shared your data
- Information about the possibility of refusing consent and the consequences of refusal
- Revocation of consent
To exercise any right, contact info@marineflux.com. We respond within 15 days, as required by the LGPD.
Cross-border transfers
LGPD adequacy for Türkiye has not been established by the ANPD. Our transfers therefore rely on:
- Performance of the contract (Art. 33(II)) — the transfer is necessary to deliver the Service you have requested;
- Supplementary contractual safeguards with our sub-processors; and
- Consent, where processing is based on consent.
The ANPD has signalled that a standard-contractual-clauses instrument is forthcoming; we will revisit this section as the framework develops.
ANPD complaint
You have the right to lodge a complaint with Brazil's data-protection authority, the Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd.
For Turkish residents, please also see our separate KVKK Aydınlatma Metni, which covers your rights under Law No. 6698 in full.
10. Children's Data
The Service is a business-to-business product intended for use by companies through Authorised Users aged 18 or over. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact info@marineflux.com and we will delete it.
11. Security Measures
We apply technical and organisational measures appropriate to the risk, including encryption of data in transit (TLS) and at rest, role-based access controls and authentication, network and platform hardening, logging, and least-privilege access for our processors. No method of transmission or storage is completely secure, but we work to protect your data and to detect and respond to incidents. Where a personal-data breach is likely to result in a risk to your rights, we will notify the competent supervisory authority and affected parties within the timeframes required by law (for example, within 72 hours under the GDPR).
12. Cookies
We use cookies and similar technologies as described in our Cookie Policy, which explains the categories we use and how you can control them.
13. Changes
We may update this Privacy Policy from time to time. We will post the updated version here and update the "effective" date. Where a change is material, we will provide notice and, where required, request renewed acceptance scoped to the framework that applies to you. We encourage you to review this page periodically.
14. EU and UK Representative
Where required by GDPR Art. 27 and UK GDPR § 27, MarineFlux will appoint a representative in the EU and the UK. The representative's contact details will be published here once the appointment is finalised. Until then, you may contact us directly at info@marineflux.com.
15. Contact
If you have any question about this Privacy Policy or how we handle your personal data, contact the data controller at info@marineflux.com, or by post at the registered address in Section 1.