Privacy Policy

Last Updated: 21/05/2026

1. Data Controller and Scope

The website operated under the Kaktüs Doktoru brand processes personal data for product listings, the plant dictionary, cart, checkout/payment, manual inquiry, membership, order and customer support processes. For payment and collection infrastructure, Sinan Kara and the PayTR infrastructure may be involved in Turkey-based transactions. This policy explains which personal data we process, for what purposes, and on which legal grounds under Turkish data protection legislation, including Law No. 6698 on the Protection of Personal Data.

When you use Kaktüs Doktoru or submit a checkout/manual inquiry form, you are informed about the personal data processing activities described in this policy.

2. Personal Data We Process

Depending on the service, the following categories of data may be processed:

  • Identity data: full name and account name.
  • Contact data: email address, phone number, delivery and billing address.
  • Customer transaction data: cart contents, order or manual inquiry records, order notes, return/exchange/support correspondence.
  • Transaction security data: IP address, session records, security and audit logs, CSRF/session data, device or cookie identifiers.
  • Marketing and preference data: cookie preferences, favorites, recently viewed products, campaign or notification preferences where consent or preference is provided.
  • Payment transaction data: payment status, transaction references, payment provider responses and collection records. Card number, CVV and similar sensitive card details are not stored in Kaktüs Doktoru systems; they are processed through the secure infrastructure of the payment provider.

3. Purposes and Legal Grounds

Your personal data is processed based on contract performance, legal obligations, establishment/exercise/protection of rights, legitimate interests and, where required, explicit consent for the following purposes:

  • Operating membership, session, cart, checkout/payment and manual inquiry processes.
  • Creating manual inquiries or order records, contacting customers and planning delivery.
  • Managing product, stock, price, shipping and payment processes.
  • Ensuring payment security and transaction verification through PayTR or payment providers activated in the future.
  • Fulfilling invoice, accounting, tax and consumer law obligations.
  • Reviewing damaged, defective, incorrect or missing product reports.
  • Preventing fraud, misuse, unauthorized access and security incidents.
  • Improving visitor experience, site performance and product content.

4. Data Transfers

Personal data may be shared with the following parties, only to the extent necessary and limited to the stated purposes:

  • Sinan Kara, PayTR and payment infrastructure providers for payment and collection processes.
  • Cargo/courier companies for delivery and logistics processes.
  • Transactional email providers for email and notification delivery.
  • Technical infrastructure providers for website hosting, database, security, backup and media storage services.
  • Authorized persons, institutions and authorities for accounting, tax, dispute, audit and legal obligation processes.

5. International Transfers

Some technical providers used for website infrastructure, email delivery, security, analytics or payment support may operate servers outside Turkey. Where an international transfer is required, Kaktüs Doktoru acts in accordance with the transfer conditions set out under Turkish data protection legislation. Where explicit consent is required, a separate consent mechanism is provided.

6. Retention Period

Personal data is retained for the period required by the processing purpose and the applicable legal retention periods. Order, invoice, accounting, consumer dispute and tax records may be retained for statutory periods. Data whose retention period has expired is deleted, destroyed or anonymized.

7. Data Security

Kaktüs Doktoru applies reasonable technical and administrative measures to protect personal data against unauthorized access, loss, misuse or unlawful processing. These measures include session security, CSRF protection, access authorization, audit logs, encryption and provider-level security controls.

8. Data Subject Rights

Under Article 11 of Law No. 6698, you may request information about whether your personal data is processed, request information if it has been processed, learn the purpose of processing, learn the third parties to whom it is transferred, request correction of incomplete or incorrect processing, request deletion or destruction where conditions apply, request notification of these operations to third parties, object to automated analysis results, and request compensation for damages arising from unlawful processing.

9. Contact

For privacy questions and data subject requests, you may contact us at [email protected]. Requests are reviewed within the statutory period and no later than 30 days.