GDPR Compliance

The General Data Protection Regulation (GDPR) (EU) 2016/679 is the primary legal framework governing the protection of personal data for individuals within the European Union and European Economic Area. In Turkey, Law No. 6698 on the Protection of Personal Data (KVKK) establishes an equivalent framework. Pinet Bilişim A.Ş. ("we", "our", "the Company"), the operator of Meet2Be, is fully committed to compliance with both GDPR and KVKK in all aspects of our data processing activities.

This page provides a detailed account of our GDPR and KVKK compliance framework, including our roles as data controller and data processor, the legal bases we rely on, the rights available to data subjects, our technical and organisational security measures, our sub-processor framework, and our data breach response procedures.

Turkey's KVKK, enacted in 2016, was modelled on the EU's Data Protection Directive 95/46/EC and substantially aligns with the principles of GDPR. Both frameworks share the same foundational principles: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

Where differences exist, we apply the stricter of the two standards. This means EU/EEA users benefit from full GDPR protection, while all users — including Turkish users — benefit from rights equivalent to or exceeding those in KVKK. Our compliance programme is designed to satisfy both frameworks simultaneously, without requiring separate data handling processes for different user populations.

As Turkey's KVKK Kurumu pursues an adequacy decision from the European Commission, we continue to monitor developments and will update our compliance procedures accordingly. Our Standard Contractual Clauses (SCCs) for cross-border data flows are already in place to address any gap in the interim.

Meet2Be operates in a dual capacity under GDPR and KVKK, depending on the nature of the data processing activity:

Under GDPR Article 6 and KVKK Article 5, every processing activity must have a lawful basis. We document the applicable basis for each processing activity in our Records of Processing Activities (RoPA). The six available bases and their application to our operations are:

Under GDPR Articles 15–22 and KVKK Article 11, you have comprehensive rights over your personal data. These rights are absolute in some cases and qualified in others (subject to legal exceptions). Submit all rights requests to privacy@meet2be.com with proof of identity. We respond within 30 days; complex requests may be extended by up to two further months with notice.

We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive. We may suspend the response period once to verify your identity. If we refuse a request, we will explain our reasons and your right to complain to a supervisory authority.

We operate globally, which means your data may be stored or processed in countries outside Turkey and the EEA — including countries without an EU adequacy decision. We ensure that all international transfers comply with GDPR Chapter V and KVKK Article 9 through the following mechanisms:

We maintain an up-to-date list of all third countries to which we transfer personal data, together with the applicable transfer mechanism. This list is available upon request at privacy@meet2be.com.

When acting as a data processor for event organisers, we engage sub-processors who may access personal data submitted through the platform. We maintain a complete and up-to-date list of our sub-processors, available at privacy@meet2be.com.

All sub-processors are engaged under a written sub-processing agreement imposing data protection obligations equivalent to those in our DPA (GDPR Article 28/4). We conduct due diligence on all sub-processors prior to engagement and at regular intervals thereafter.

We notify data controller customers (event organisers) of any intended changes to sub-processors with at least 30 days' advance notice, providing an opportunity to object. If a customer objects and the disagreement cannot be resolved, the customer may terminate the relevant services without penalty.

Pursuant to GDPR Article 25 and the principle of data protection by design and by default, we integrate data protection considerations into all system development, feature design, and business process activities from inception, rather than as an afterthought.

Our privacy by design commitments include: collecting only the minimum personal data necessary for each specific purpose (data minimisation); pseudonymising and encrypting personal data by default where technically feasible; ensuring that, by default, only personal data strictly necessary for each purpose is processed (privacy by default settings); conducting privacy impact reviews before launching new features involving personal data; and maintaining documented records of all data processing activities (ROPA) as required by GDPR Article 30.

Our engineering practices include code review requirements for features touching personal data, privacy-aware security testing protocols, and mandatory data protection training for all engineering staff.

Under GDPR Article 35, a Data Protection Impact Assessment (DPIA) is required before undertaking processing that is likely to result in a high risk to the rights and freedoms of natural persons. We conduct DPIAs for all new processing activities involving: large-scale processing of special category data; systematic profiling with significant effects; use of new technologies with uncertain privacy implications; or processing that could result in high risk by any other means.

Each DPIA includes: a description of the processing and its purposes; an assessment of necessity and proportionality; identification of the risks to data subjects; and the measures envisaged to address those risks. Where a DPIA indicates a high residual risk that cannot be mitigated through technical or organisational measures, we consult the relevant supervisory authority prior to commencing processing (GDPR Article 36).

DPIA documentation is retained for the life of the processing activity and for a minimum of five (5) years thereafter. DPIAs are reviewed whenever there is a change in the nature, scope, context, or purposes of the processing.

We have implemented a documented Personal Data Breach Response Procedure compliant with GDPR Articles 33 and 34 and KVKK requirements. Our procedure ensures that breaches are detected, contained, assessed, and reported in a timely and systematic manner.

Breach notifications will include: the nature of the breach; the categories and approximate number of data subjects affected; the likely consequences; and the measures taken or proposed to address the breach and mitigate its effects. All breaches — regardless of whether notification to a supervisory authority is required — are recorded in our internal breach register.

In accordance with the storage limitation principle (GDPR Article 5/1-e; KVKK Article 4/2-ç), we retain personal data only for as long as necessary for the original purpose and any applicable legal obligation. Our data retention schedule is documented and reviewed annually.

Key retention periods: Account data — retained for the duration of the subscription and for 3 years post-termination to handle any dispute or claim. Financial and billing records — retained for 10 years as required by Turkish Tax Procedure Law (VUK). Event and participant data — retained for the duration of the organiser's subscription and deleted within 90 days of subscription termination; we do not retain participant data after account closure for any longer than necessary. Server logs — retained for 90 days for security purposes. Marketing consent records — retained for the duration of the consent and for 3 years thereafter as evidence of consent.

When retention periods expire, personal data is securely deleted using industry-standard deletion methods (overwriting or cryptographic erasure for encrypted data) or irreversibly anonymised. We do not archive personal data in a form that permits identification beyond the applicable retention period.

We implement appropriate technical and organisational measures (TOMs) under GDPR Article 32 and KVKK Article 12, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. Our current TOMs include:

• Encryption of all personal data in transit using TLS 1.2 or higher with HSTS and certificate pinning.
• Encryption of sensitive personal data at rest using AES-256.
• Pseudonymisation of personal data where full identification is not required for the processing purpose.
• Role-based access controls (RBAC) ensuring that employees access only the personal data necessary for their specific duties.
• Multi-factor authentication (MFA) required for all administrative and privileged access to systems containing personal data.
• Regular vulnerability assessments, penetration testing, and security code reviews.
• Comprehensive audit logging of all access to and modifications of personal data.
• Mandatory annual data protection training for all staff with access to personal data.
• A formal vendor due diligence process for all suppliers processing personal data.
• An incident response plan tested at least annually through tabletop exercises.

You have the right to lodge a complaint with a data protection supervisory authority if you believe that our processing of your personal data infringes applicable law. You may lodge your complaint with the authority in your country of habitual residence, place of work, or the place of the alleged infringement.

We ask that you contact us first at privacy@meet2be.com before submitting a formal complaint to a supervisory authority. We are committed to resolving complaints quickly and informally where possible. We will respond within 5 business days of receiving a complaint.