Last Updated: 17 April 2026
Effective Date: 17 April 2026
This Disclosure Notice has been prepared by CarbonSmart Teknoloji ve Danışmanlık A.Ş., in its capacity as data controller, pursuant to Article 10 of Law No. 6698 on the Protection of Personal Data ("KVKK") and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, in order to inform every natural person ("Data Subject") who interacts with CarbonSmart, including Platform visitors, corporate representatives requesting demos, Customer authorized persons and End Users, prospective customers, event participants, and representatives of business partners and suppliers. This document includes explanations regarding the identity of the data controller, the purposes for which personal data will be processed, to whom and for what purposes the processed personal data may be transferred, the methods and legal basis for collecting personal data, and the rights of the Data Subject under KVKK Article 11.
1. IDENTITY AND CONTACT INFORMATION OF THE DATA CONTROLLER
1.1. Data controller:
Company name: CarbonSmart Teknoloji ve Danışmanlık A.Ş.
Headquarters: Sanayi Mahallesi, Teknopark Bulvarı, Teknopark İstanbul, Pendik/İstanbul 34906, Türkiye
Istanbul Office: A+Live Plaza, Barbaros Mahallesi, Begonya Sokak No:7, Ataşehir/İstanbul 34746, Türkiye
London Office: 2 Eastbourne Terrace, London W2 6LG, United Kingdom
Web: https://carbonsmart.io
Email: info@carbonsmart.io
1.2. CarbonSmart acts as a "data controller" within the meaning of the KVKK with respect to its cloud-based SaaS service, which includes the modules for Corporate Carbon Footprint (CCFP), CBAM Reporting, Product Carbon Footprint (PCF), LCA & EPD Platform, Sustainability Reporting (TSRS/CSRD/GRI), and Water Footprint.
2. CATEGORIES OF PERSONAL DATA PROCESSED
2.1. Personal data obtained from the Data Subject or from legitimate sources can be classified into the following categories:
2.1.1. Identity Data: First name, last name, title, signature/digital signature.
2.1.2. Contact Data: Corporate email, phone, address, registered electronic mail (KEP).
2.1.3. Customer Transaction Data: Subscription information, user role, invoice and payment information, order history.
2.1.4. Financial Data: Tax number, tax office, IBAN, billing address.
2.1.5. User Activity Data: Account ID, session data, IP, device/browser information, usage analytics, API call logs.
2.1.6. Marketing and Promotional Data: Newsletter consent, demo request form content, event registration information, marketing engagement records.
2.1.7. Transaction Security Data: Login/logout logs, traffic information under Law No. 5651, security event logs.
2.1.8. Legal and Compliance Data: Contracts, authorization documents, powers of attorney, KVKK applications, judicial/administrative case files.
2.1.9. Physical Premises Security Data: Visitor entry records maintained for office visits.
2.1.10. Third-Party Data Uploaded to the Platform by the Customer: Identity and contact data of third parties uploaded by the Customer for carbon footprint calculations, CBAM, PCF/LCA/EPD, TSRS/CSRD/GRI reporting, and water footprint calculations. With respect to such data, CarbonSmart acts as a data processor and a separate Data Processing Agreement applies.
2.2. CarbonSmart aims not to collect special categories of personal data unless absolutely necessary.
3. PURPOSES OF PROCESSING PERSONAL DATA
3.1. Personal data is processed for the following purposes, in compliance with the general principles set out in KVKK Article 4:
3.1.1. Management of subscription and service processes within the scope of the establishment and performance of contracts.
3.1.2. Account creation, authentication, authorization, and provision of access to the Platform.
3.1.3. Provision of products and services relating to carbon accounting, CBAM reporting, PCF/LCA/EPD calculations, TSRS/CSRD/GRI sustainability reporting, and water footprint analysis.
3.1.4. Provision of customer support services and management of requests, complaints, and errors.
3.1.5. Conduct of billing, collection, accounting, and finance operations.
3.1.6. Conduct of information security processes, fraud prevention, and detection and prevention of cyberattacks.
3.1.7. Conduct of business continuity, backup, and disaster recovery processes.
3.1.8. Fulfillment of legal obligations (tax, Turkish Commercial Code, Law No. 5651, Law No. 6563, KVKK, and related secondary legislation).
3.1.9. Management of requests from official authorities and judicial/administrative processes.
3.1.10. Marketing, promotion, event management, and business development (commercial electronic messages are subject to consent obtained via the Message Management System (IYS)).
3.1.11. Conduct of employee and supplier security processes and maintenance of office visit records.
3.1.12. Usage analytics and Platform development activities (with preference given to aggregated/anonymized data).
4. PARTIES TO WHOM PERSONAL DATA MAY BE TRANSFERRED AND PURPOSES OF TRANSFER
4.1. Domestic Transfers. Personal data may be transferred, limited to the relevant purpose, to the following parties:
(a) Contracted legal, financial advisory, independent audit, insurance, and consultancy firms – for compliance, audit, and advisory purposes.
(b) Software, cloud hosting, cybersecurity, CRM, call center, and support software providers – for the provision of the contracted services.
(c) Banks, payment service providers, and electronic payment institutions – for the conduct of collection processes.
(d) Public authorities authorized by law (Revenue Administration, Ministry of Treasury and Finance, Social Security Institution, Information and Communication Technologies Authority, Personal Data Protection Authority, courts, public prosecutors, enforcement offices) – within the scope of legal obligations.
(e) Group companies and shareholders – for governance and reporting purposes, only to the extent necessary.
4.2. Cross-Border Transfers. Due to CarbonSmart's cloud infrastructure and operational tools, personal data may be transferred abroad through the following providers:
(a) Amazon Web Services (AWS) – Frankfurt and Dublin regions; Platform hosting, database, backups.
(b) Google Cloud Platform and Google Workspace – corporate email, document collaboration.
(c) SendGrid/Mailgun – transactional and marketing email delivery.
(d) HubSpot – CRM, marketing automation, B2B lead management.
(e) Intercom – customer support and live chat.
(f) Sentry – application error and performance monitoring.
(g) Plausible Analytics – anonymous usage analytics (EU-based).
(h) LinkedIn Ireland Unlimited Company – B2B marketing.
(i) Intra-group operational processes via our London office (within the scope of UK GDPR).
4.3. Cross-border transfers are carried out within the framework of KVKK Article 9, on the basis of adequacy decisions issued by the Authority, standard contractual clauses, binding corporate rules, or exceptions permitted by law. No cross-border transfer is made without appropriate safeguards.
4.4. For data subjects resident in the EU/UK, the standard contractual clauses and additional safeguards required under GDPR Article 44 et seq. and the UK GDPR apply.
5. METHOD AND LEGAL BASIS FOR COLLECTING PERSONAL DATA
5.1. Method. Personal data is collected through both automated and non-automated means via the Platform interfaces, websites, browsers used on mobile devices, demo/contact/newsletter forms, email, call center, live chat, support ticket system, API integrations, physical contracts and documents, office visit records, event and trade fair registrations, business partners and referral channels, and notifications and inquiries received from official authorities.
5.2. Legal Basis. Personal data is processed on one or more of the following legal grounds:
5.2.1. KVKK Art. 5/2-a: Expressly provided for by law. This includes mandatory records under Tax Procedure Law No. 213, Turkish Commercial Code No. 6102, Internet Law No. 5651 and related regulations, and Electronic Commerce Law No. 6563.
5.2.2. KVKK Art. 5/2-c: Processing of the parties' personal data, provided that it is directly related to the establishment or performance of a contract. Preparation of subscription agreements, issuance of invoices, and provision of access to the Platform.
5.2.3. KVKK Art. 5/2-ç: Mandatory for the data controller to fulfill its legal obligations. Fulfillment of tax, commercial, and KVKK obligations.
5.2.4. KVKK Art. 5/2-e: Processing is mandatory for the establishment, exercise, or protection of a right. Pursuit of contractual claims and management of legal disputes.
5.2.5. KVKK Art. 5/2-f: Processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed. Information security, fraud prevention, product improvement, and B2B communications.
5.2.6. KVKK Art. 5/1 – Explicit consent: In cases where the above legal grounds are not applicable, such as the sending of commercial electronic messages for marketing purposes and optional marketing cookies, explicit consent is obtained.
5.3. The specific legal basis for each data category is as follows:
(a) Identity and contact data: KVKK Art. 5/2-a, c, ç, e, and f.
(b) Customer transaction and financial data: KVKK Art. 5/2-a, c, and ç.
(c) User activity and transaction security data: KVKK Art. 5/2-a (Law No. 5651), c, and f.
(d) Marketing data: KVKK Art. 5/1 (explicit consent) and Art. 5/2-f (with respect to promoting similar products/services to existing customers).
(e) Legal data: KVKK Art. 5/2-ç and e.
(f) Physical premises security data: KVKK Art. 5/2-f.
6. DATA SUBJECT RIGHTS UNDER KVKK ART. 11
6.1. The Data Subject may apply to CarbonSmart and exercise the following rights with respect to themselves:
(a) To learn whether their personal data is being processed.
(b) To request information if their personal data has been processed.
(c) To learn the purpose of processing of their personal data and whether the data is used in accordance with that purpose.
(ç) To know the third parties to whom their personal data is transferred domestically or abroad.
(d) To request rectification of personal data if it has been processed incompletely or incorrectly.
(e) To request the erasure or destruction of their personal data within the conditions stipulated in KVKK Art. 7.
(f) To request that the operations carried out under (d) and (e) be notified to third parties to whom their personal data has been transferred.
(g) To object to the occurrence of a result against themselves through analysis of the processed data exclusively by automated systems.
(ğ) To request compensation for damages incurred as a result of unlawful processing of their personal data.
6.2. Requests for the exercise of the above rights are evaluated by CarbonSmart in accordance with KVKK Art. 13 and the provisions of the Communiqué on the Procedures and Principles for Application to the Data Controller.
7. APPLICATION METHODS
7.1. The Data Subject may submit an application to CarbonSmart in accordance with the procedures stipulated in the Communiqué on the Procedures and Principles for Application to the Data Controller, using one of the following methods, in order to exercise their rights under the KVKK:
7.1.1. Written Application: A wet-signed petition may be delivered in person or via notary public to the following address:
CarbonSmart Teknoloji ve Danışmanlık A.Ş.
Sanayi Mahallesi, Teknopark Bulvarı, Teknopark İstanbul
Pendik/İstanbul 34906, Türkiye
Mark the envelope: "Request for Information under the Personal Data Protection Law"
7.1.2. Registered Electronic Mail (KEP): Application signed with a secure electronic signature sent to CarbonSmart's registered KEP address.
7.1.3. Secure Electronic Signature or Mobile Signature: Email signed with a secure electronic signature or mobile signature sent to info@carbonsmart.io.
7.1.4. Email Address Registered in Our System: Email sent to info@carbonsmart.io from the Data Subject's email address that has previously been notified to CarbonSmart and is registered in the system.
7.2. The application petition/message must contain at least the following information:
(a) First name, last name, and signature if the application is in writing.
(b) Turkish Republic Identification Number (or, for foreigners, passport number or, if applicable, identification number, and nationality).
(c) Place of residence or workplace address for service of process.
(ç) If applicable, the email address, phone, and fax number for notifications.
(d) Description of the subject matter of the request.
(e) Information and documents supporting the request.
7.3. The Data Subject may also submit the application using the form template published at carbonsmart.io/legal-kvkk. Use of the form is not mandatory.
7.4. If the application is made on behalf of a third party rather than the End User registered in the Customer's account, a power of attorney or authorization document must be provided.
8. APPLICATION PROCESS AND FEES
8.1. CarbonSmart will conclude applications submitted by the Data Subject as soon as possible according to their nature, and in any event within thirty (30) days from the date of receipt, free of charge.
8.2. If the operation requires an additional cost, the fees set out in the tariff determined by the Authority may be charged. If it is determined that the application arose from CarbonSmart's error, the fee charged will be refunded.
8.3. Applications may be rejected for the following reasons:
(a) The request falls within the exceptions set forth in KVKK Art. 28.
(b) The request is of a nature that would impede the rights and freedoms of others.
(c) The request is abusive, repetitive, or requires disproportionate effort.
(ç) The information subject to the request is publicly available.
8.4. Whether the request is accepted or rejected (with reasons), the response will be notified to the Data Subject in writing or electronically.
8.5. The Data Subject may file a complaint with the Personal Data Protection Authority within 30 days of becoming aware of CarbonSmart's response and, in any event, within 60 days from the date of application.
9. CHANGES
9.1. CarbonSmart may update this Disclosure Notice in line with changes in legislation and in product processes. The current text is published at carbonsmart.io/legal-kvkk. Data Subjects will be informed of material changes through appropriate channels.
10. CONTACT
10.1. For all questions and requests regarding this Disclosure Notice:
CarbonSmart Teknoloji ve Danışmanlık A.Ş.
Sanayi Mahallesi, Teknopark Bulvarı, Teknopark İstanbul
Pendik/İstanbul 34906, Türkiye
Email: info@carbonsmart.io
Web: https://carbonsmart.io/legal-kvkk
The Data Subject acknowledges that they have read this Disclosure Notice and have been informed that their personal data may be processed for the purposes and on the legal grounds set out above. For processing operations requiring explicit consent, separate explicit consent statements will be provided.
