# Privacy Policy

How LazerdizaynCo collects, stores, shares and protects your personal data under KVKK (Turkey) and GDPR (European Union). Includes the list of processors, your rights and how to reach our DPO.

**Effective date:** April 23, 2026

This Privacy Policy explains how LazerdizaynCo ("we", "us", "our") collects, uses, stores, shares and protects your personal data. It is designed to comply with the Turkish Personal Data Protection Law No. 6698 ("KVKK") and the European Union General Data Protection Regulation 2016/679 ("GDPR"). If you have any question about this notice, please contact our Data Protection point of contact at [info@lazerdizayn.co](mailto:info@lazerdizayn.co).

## 1. Data Controller

The controller responsible for the processing of your personal data is LazerdizaynCo, operating from Eskişehir, Türkiye. Our Data Protection contact address is [info@lazerdizayn.co](mailto:info@lazerdizayn.co).

## 2. Personal Data We Collect

    - **Account and contact data** — full name, billing and shipping address, phone number, e-mail address, company name.

    - **Order data** — products purchased, variants, quantities, amounts paid, currency, uploaded logo/artwork files, design notes, production notes, order status history.

    - **Payment data** — last four digits of the card used, card brand, billing country, payment status. Full card numbers and CVC are handled by Stripe and never reach our servers.

    - **Technical data** — IP address, approximate city-level location derived from IP, user-agent, device type, browser language, referring URL, session and cart identifiers.

    - **Behavioural data** — pages viewed, products added to cart, add-to-cart / checkout / purchase events, search terms, click paths, measured via cookies and pixels described in our [Cookie Policy](/cookies).

    - **Communications** — messages you send via the contact form, quote form, newsletter and WhatsApp business line; replies from our team; customer-support tickets.

    - **Reviews and user-generated content** — star ratings, titles, written reviews and photos you voluntarily submit after a purchase.

## 3. Purposes and Legal Basis

    PurposeData usedLegal basis (GDPR)
    
        Process and ship your orderAccount, order, paymentContract (Art. 6(1)(b))
        Respond to enquiries and quotesContact, communicationsContract / Legitimate interest (Art. 6(1)(b)/(f))
        Send order status notificationsContact, orderContract (Art. 6(1)(b))
        Fraud prevention and securityTechnical, paymentLegitimate interest (Art. 6(1)(f))
        Analytics and service improvementTechnical, behaviouralConsent (Art. 6(1)(a))
        Marketing, remarketing, lookalike audiencesTechnical, behavioural, contactConsent (Art. 6(1)(a))
        Newsletter and promotional e-mailsContactConsent (Art. 6(1)(a))
        Legal compliance (tax, accounting, consumer law)Order, paymentLegal obligation (Art. 6(1)(c))
    

## 4. Processors and Third-Party Recipients

We use the following third-party data processors. Each one has signed a data-processing agreement with us (where required) and is listed together with the category of data they receive and their country of primary processing.

    - **Stripe, Inc.** — payment processing (name, billing address, card details, e-mail). Primary processing in the United States with EU/UK Standard Contractual Clauses.

    - **FedEx Corporation and affiliates** — international shipping and customs clearance (name, shipping address, phone, weight, declared value).

    - **Google LLC** — Google Analytics 4, Google Tag Manager, Google Ads conversion tracking (technical and behavioural data, hashed e-mail if enhanced conversions are enabled).

    - **Meta Platforms, Inc.** — Meta Pixel and Conversions API (technical, behavioural, hashed contact data for conversion matching).

    - **Microsoft Corporation** — Microsoft Clarity session analytics (technical and behavioural data).

    - **TikTok Pte. Ltd. / Pinterest, Inc.** — optional remarketing pixels (technical and behavioural data, only when enabled).

    - **Our transactional e-mail provider** — sends order confirmations, shipping updates and password resets (name, e-mail, order content).

    - **Our hosting provider** — runs the storefront infrastructure (all data, at rest encryption).

    - **Cloudflare Turnstile** — spam and bot protection on contact, quote, newsletter and review forms (IP address, browser signals).

We never sell your personal data. Data may be disclosed to law-enforcement or regulatory authorities when required by law, court order or valid legal process.

## 5. International Transfers

Some of our processors are established outside Türkiye, the European Economic Area and the United Kingdom. Where this is the case, transfers are safeguarded by the European Commission's Standard Contractual Clauses (SCCs), by the UK International Data Transfer Addendum, or — for KVKK purposes — on the basis of your explicit consent and the legal grounds of Article 9 of the KVKK.

## 6. Retention

    - Order and invoice records — retained for 10 years to comply with Turkish tax and commercial law.

    - Account data — retained while your account is active, and for 3 years thereafter.

    - Newsletter subscribers — retained until unsubscription plus up to 30 days for suppression-list compliance.

    - Server and application logs — retained for up to 90 days, except where a specific investigation requires longer retention.

    - Cookies — as specified in our [Cookie Policy](/cookies) (typically from session-only to 24 months).

## 7. Your Rights

Under GDPR (if you are in the EU/EEA/UK) and under KVKK Article 11 (if you are in Türkiye) you have the right to:

    - Access the personal data we hold about you;

    - Rectify inaccurate or incomplete data;

    - Erase your data ("right to be forgotten") subject to our legal retention obligations;

    - Restrict or object to processing based on legitimate interest or consent;

    - Request portability of data you provided under consent or contract;

    - Withdraw any consent at any time, without affecting the lawfulness of prior processing;

    - Lodge a complaint with the competent supervisory authority — in Türkiye, the Kişisel Verileri Koruma Kurumu (KVKK); in the EU, your local Data Protection Authority.

To exercise any of these rights send a written request to [info@lazerdizayn.co](mailto:info@lazerdizayn.co). We will respond within 30 days and may ask you to verify your identity before acting on a request.

## 8. Security

We protect personal data using TLS 1.2+ for all web and API traffic, encrypted backups, strict access controls, principle-of-least-privilege access for staff, two-factor authentication on administrative accounts, and ongoing security patching. Despite reasonable precautions, no internet transmission or storage system is 100% secure; if you believe your data has been compromised, please contact us immediately.

## 9. Children

Our storefront is not directed at children under 16 and we do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us so we can delete it.

## 10. Changes to this Notice

We may update this Privacy Policy from time to time. The "Effective date" above will change accordingly and material changes will be communicated by storefront banner and, where appropriate, by e-mail.

---

_Last updated: April 24, 2026_