Last Updated: 17 April 2026
Effective Date: 17 April 2026
This Privacy Policy ("Policy") has been prepared by CarbonSmart Teknoloji ve Danışmanlık A.Ş. ("CarbonSmart", "Company", "we") to explain the purposes, legal grounds, and manner in which personal data obtained in connection with the marketing website at carbonsmart.io and the carbon accounting and sustainability management software services offered through app.carbonsmart.io ("Platform" or "Service") is processed; the third parties to whom such data is transferred; and the rights of data subjects and how those rights may be exercised. The Policy has been prepared in compliance with applicable legislation, including Law No. 6698 on the Protection of Personal Data ("KVKK"), the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, and the Regulation on the Erasure, Destruction, or Anonymization of Personal Data; and, with respect to data subjects resident in the European Union, in compliance with Regulation (EU) 2016/679 ("GDPR"); and, with respect to data subjects resident in the United Kingdom, in compliance with the UK GDPR.
1. IDENTITY OF THE DATA CONTROLLER
1.1. The legal entity acting as data controller under the KVKK is set out below:
Company name: CarbonSmart Teknoloji ve Danışmanlık A.Ş.
Headquarters: Sanayi Mahallesi, Teknopark Bulvarı, Teknopark İstanbul, Pendik/İstanbul 34906, Türkiye
Istanbul Office: A+Live Plaza, Barbaros Mahallesi, Begonya Sokak No:7, Ataşehir/İstanbul 34746, Türkiye
London Office: 2 Eastbourne Terrace, London W2 6LG, United Kingdom
Contact Email: info@carbonsmart.io
Web Address: https://carbonsmart.io
1.2. To the extent required for data subjects resident in the European Union, an EU representative has been designated under GDPR Art. 27, whose contact details may be requested at info@carbonsmart.io.
2. DEFINITIONS
2.1. As used in this Policy:
(a) Personal Data: Any information relating to an identified or identifiable natural person,
(b) Special Category Personal Data: The data enumerated in KVKK Art. 6,
(c) Processing: Operations such as collecting, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making accessible, classifying, or preventing the use of personal data, by wholly or partially automated means or by non-automated means provided that they form part of a data filing system,
(d) Data Subject: The natural person whose personal data is processed,
(e) Customer: The legal entity or commercial enterprise (legal or natural person) that has entered into a subscription agreement in writing or electronically with CarbonSmart,
(f) End User: The natural person who uses the Platform on behalf of or for the account of the Customer,
(g) Platform Data: Any business data uploaded to the Platform by the Customer or End User,
shall have the meanings set out above.
3. CATEGORIES OF PERSONAL DATA PROCESSED
3.1. Given the nature of the Service it provides, CarbonSmart processes the following categories of personal data:
3.1.1. Identity Data: First name, last name, title, signature (including electronic signature).
3.1.2. Contact Data: Corporate email address, phone number, business address, registered electronic mail (KEP) address.
3.1.3. Customer Transaction Data: Subscription information, invoice and payment information (the full card number is not stored, although masked reference information held by the payment service provider is retained), order history, contract records.
3.1.4. Financial Data: IBAN, billing address, tax number/tax office, payment history.
3.1.5. User Activity Data: Account creation, login/logout records, IP address, session identifiers, browser type, device information, operating system, usage analytics, in-module clickstream and navigation traces, API call logs.
3.1.6. Marketing and Promotional Data: Newsletter subscription status, email open/click records, demo request form content, event registration information.
3.1.7. Cookie Data: Data obtained through strictly necessary, functional, analytical, and marketing cookies. For details, please refer to the Cookie Policy.
3.1.8. Support and Communication Data: Support ticket content, live chat records, video meeting recordings (only with the parties' prior notification and consent).
3.1.9. Legal and Compliance Data: Contracts, authorized representative documents, KVKK applications, legal case files.
3.1.10. Third-Party Data Uploaded to the Platform by the Customer: Personal data of supplier representatives, employees, or other third parties uploaded to the Platform by the Customer in connection with carbon accounting, CBAM reporting, PCF/LCA/EPD calculations, TSRS/CSRD/GRI sustainability reporting, and water footprint modules ("Platform Personal Data"). With respect to such data, CarbonSmart acts as a data processor within the meaning of KVKK Art. 3 and a processor within the meaning of GDPR Art. 28, and a separate Data Processing Agreement (DPA) applies.
3.2. CarbonSmart undertakes not to process special categories of personal data unless required for the operation of the Platform. If special category personal data is uploaded to the Platform by the Customer, the responsibility for processing rests with the Customer, as set out in the Terms of Service.
4. METHODS OF COLLECTING PERSONAL DATA
4.1. Personal data is collected (a) directly from the data subject through the Platform interfaces, web forms, mobile/desktop browser interactions, email, and support channels; (b) through representatives authorized by the Customer; (c) via API integrations and SSO connections; (d) through physically signed contracts, forms, and documents; (e) within the scope of events, trade fairs, demo meetings, and B2B sales discussions; (f) automatically through cookies, pixels, and similar technologies; and (g) through requests or notifications from public authorities or other competent bodies in line with legal obligations.
5. PURPOSES OF PROCESSING PERSONAL DATA
5.1. Personal data is processed in accordance with KVKK Art. 4, in a manner that is lawful and fair, for specified, explicit, and legitimate purposes, in a way connected with, limited to, and proportionate to the purposes for which it is processed, and only for the period stipulated in the relevant legislation. The principal processing purposes are:
5.1.1. Establishment and performance of the subscription agreement, account creation, and account management.
5.1.2. Provision, development, and improvement of the products and modules on the Platform (CCFP, CBAM, PCF, LCA & EPD, TSRS/CSRD/GRI, Water Footprint).
5.1.3. Conduct of billing, collection, accounting, and finance processes.
5.1.4. Provision of customer support services and management of requests and complaints.
5.1.5. Conduct of information security and cybersecurity processes; detection and prevention of unauthorized access.
5.1.6. Management of business continuity and backup processes.
5.1.7. Fulfillment of legal obligations (including tax, commercial books, KVKK, TSRS, and reporting compliance).
5.1.8. Corporate communications, marketing, and promotional activities; provided that the sending of commercial electronic messages is subject to explicit consent obtained pursuant to Electronic Commerce Law No. 6563.
5.1.9. Analysis of user experience and Platform performance and development of the product roadmap (with preference given to aggregated/anonymized data).
5.1.10. Management of legal disputes; conduct of litigation, enforcement, and official request processes.
5.1.11. Internal audit, risk management, compliance, and information security management system activities (targeting ISO 27001).
6. LEGAL GROUNDS FOR PROCESSING
6.1. Personal data is processed on the following legal grounds in accordance with KVKK Art. 5 and 6 and GDPR Art. 6 and 9:
6.1.1. Processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of that contract (KVKK Art. 5/2-c; GDPR Art. 6/1-b).
6.1.2. Necessary for the data controller to fulfill its legal obligations (KVKK Art. 5/2-ç; GDPR Art. 6/1-c).
6.1.3. Necessary for the establishment, exercise, or protection of a right (KVKK Art. 5/2-e; GDPR Art. 6/1-f legitimate interest).
6.1.4. Necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed (KVKK Art. 5/2-f; GDPR Art. 6/1-f) – for example, security, fraud prevention, and improvement of service quality.
6.1.5. Expressly provided for by law (KVKK Art. 5/2-a).
6.1.6. Where the legal grounds set out above are not applicable, the explicit consent of the data subject (KVKK Art. 5/1 and Art. 6/2; GDPR Art. 6/1-a).
6.2. In processing operations based on explicit consent, the data subject has the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
7. TRANSFERS OF PERSONAL DATA
7.1. Domestic Transfers. Personal data may be transferred, within the scope of KVKK Art. 8, to legal, financial advisory, and independent audit firms from which services are obtained; to hosting, cybersecurity, customer support, and CRM software providers; to payment service providers and banks; and to public authorities authorized by law (e.g., the Ministry of Treasury and Finance, Social Security Institution, Revenue Administration, Personal Data Protection Authority, judicial authorities).
7.2. Cross-Border Transfers. CarbonSmart uses Amazon Web Services (AWS, Frankfurt and Ireland regions) and, where required, Google Cloud Platform for hosting infrastructure; Google Workspace and providers such as SendGrid/Mailgun for email and communication infrastructure; the privacy-friendly Plausible Analytics (EU-based) for product analytics; Sentry for error monitoring; Intercom/HubSpot for customer support; HubSpot for marketing automation; and the LinkedIn Insight Tag for B2B marketing. In addition, intra-group operational transfers may be made with the London office (United Kingdom). Cross-border transfers are made within the framework of KVKK Art. 9 and the related 2024 regulation, using whichever of the following methods is appropriate:
(a) Transfer to recipients located in countries declared by the Authority to provide an adequate level of protection,
(b) Transfer based on standard contractual clauses with notification to the Authority,
(c) Binding corporate rules, or
(d) Explicit consent in exceptional cases.
For EU/UK data transfers, GDPR Art. 44 et seq. and the European Commission's Standard Contractual Clauses (2021/914) apply.
7.3. CarbonSmart makes the up-to-date list of subprocessors available at Customers' request and/or on a trust center page such as trust.carbonsmart.io.
8. RETENTION PERIODS
8.1. Personal data is retained for the period required by the processing purpose and for the minimum periods stipulated in the relevant legislation. The principal retention periods are as follows:
8.1.1. Commercial books and records: 10 years pursuant to Article 82 of the Turkish Commercial Code.
8.1.2. Documents under the Tax Procedure Law: 5 years.
8.1.3. Contract and commercial communication records: 10 years from termination of the contract (statute of limitations under TBK Art. 146).
8.1.4. Subscription accounts and Platform content: For the duration of the subscription, followed by permanent deletion after a 90-day grace period from termination (subject to the Customer's right to data portability).
8.1.5. Support tickets: 3 years from the date of closure.
8.1.6. Marketing consents and consent records: 3 years pursuant to Law No. 6563 and IYS records.
8.1.7. Logs and security records: At least 2 years pursuant to Law No. 5651 and related regulations.
8.1.8. Cookie-based data: The periods specified in the Cookie Policy.
8.2. Data whose retention period has expired is deleted, destroyed, or anonymized in periodic disposal cycles within the framework of the Personal Data Retention and Disposal Policy.
9. RIGHTS OF THE DATA SUBJECT
9.1. Pursuant to KVKK Art. 11, the data subject may apply to CarbonSmart and exercise the following rights with respect to themselves:
(a) To learn whether their personal data is being processed.
(b) To request information if their personal data has been processed.
(c) To learn the purpose of processing of personal data and whether the data is used in accordance with that purpose.
(ç) To know the third parties to whom personal data is transferred domestically or abroad.
(d) To request rectification of personal data if it has been processed incompletely or incorrectly.
(e) To request the erasure or destruction of personal data within the conditions stipulated in KVKK Art. 7.
(f) To request that the operations carried out under (d) and (e) be notified to third parties to whom personal data has been transferred.
(g) To object to any outcome unfavorable to them that arises from the analysis of the processed data exclusively by automated systems.
(ğ) To request compensation for damages incurred as a result of unlawful processing of personal data.
9.2. Data subjects resident in the EU/UK additionally have rights under GDPR Art. 15-22, including the rights to data portability and to object to processing.
10. SECURITY MEASURES
10.1. As part of its objective to comply with the ISO/IEC 27001 Information Security Management System standard, CarbonSmart implements and continuously reviews the following administrative and technical measures:
10.1.1. Access controls, role- and permission-based authorization, and the principle of least privilege.
10.1.2. Encryption of data in transit with TLS 1.2/1.3 and data at rest with AES-256.
10.1.3. Multi-factor authentication and corporate SSO integration options.
10.1.4. Security monitoring, SIEM solutions, penetration testing, and vulnerability scans.
10.1.5. Code security, security review within the SDLC, and dependency scans.
10.1.6. Disaster recovery and business continuity plans, with regular backups.
10.1.7. Regular KVKK and information security training for employees, and confidentiality undertakings.
10.1.8. Supplier risk assessments, data processing agreements, and subprocessor approval processes.
10.2. Where Customers opt for VPC or On-Premise deployment, the security measures are adapted to the relevant technical architecture and separate security documentation is provided.
11. COOKIES
11.1. CarbonSmart uses cookies and similar tracking technologies for purposes including session management, security, remembering user preferences, analyzing usage statistics, and B2B marketing. Detailed information about the type, duration, purpose, and third-party providers of the cookies, as well as instructions for managing cookies, is set out in the Cookie Policy.
12. CHILDREN'S PERSONAL DATA
12.1. The Service offered by CarbonSmart is B2B in nature and is not directed to persons under the age of 18. CarbonSmart does not knowingly collect personal data from children. Parents/guardians who believe that a child's personal data has been transmitted to the Platform without their knowledge or consent may contact info@carbonsmart.io to request deletion of the data.
13. THIRD-PARTY INTEGRATIONS
13.1. The Customer may integrate the Platform with third-party systems (ERP, EBYS, accounting software, supply chain platforms, single sign-on (SSO) providers, API clients). The data sharing that occurs through these integrations takes place on the Customer's instruction and under the Customer's responsibility. CarbonSmart cannot be held responsible for the privacy practices of third-party service providers.
14. AUTOMATED DECISION-MAKING AND PROFILING
14.1. CarbonSmart uses AI-supported analytical components in processes such as carbon calculations, data validation, and emission categorization; however, these processes do not constitute solely automated individual decision-making producing legal effects on, or having a similar significant impact on, the data subjects. Platform outputs are reviewed and approved by the Customer.
15. DATA BREACH NOTIFICATION
15.1. In the event of unauthorized disclosure, access, or loss of personal data, notification will be made to the Personal Data Protection Authority pursuant to KVKK Art. 12/5 as soon as possible and, in any event, within 72 hours; affected data subjects will also be informed within a reasonable time. For EU/UK data subjects, the notification processes set out in GDPR Art. 33-34 apply.
16. CHANGES TO THE POLICY
16.1. CarbonSmart may update this Policy from time to time. The current version is published at carbonsmart.io/legal-privacy. Material changes are announced via in-Platform notification and/or email. Continued use of the Platform after a change constitutes acceptance of the updated Policy.
17. CONTACT AND APPLICATIONS
17.1. Data subjects may use the following channels to exercise their rights under the KVKK and to submit any questions or requests regarding the Policy:
Address: CarbonSmart Teknoloji ve Danışmanlık A.Ş., Sanayi Mahallesi, Teknopark Bulvarı, Teknopark İstanbul, Pendik/İstanbul 34906
Email: info@carbonsmart.io
Web: carbonsmart.io/legal-privacy
17.2. Applications may be made in writing, via a KEP address, by secure electronic signature, by mobile signature, or via the email address that the data subject has previously notified to CarbonSmart and which is registered in our system. The procedural compliance of the application is evaluated in accordance with the provisions of the Communiqué on the Procedures and Principles for Application to the Data Controller.