Version 2.0
Effective: April 20, 2026
This document explains how we, Academy Coffee, handle your personal data. The same care we take when roasting coffee extends here: what we collect and why, where we keep it, how long we keep it, and at every step which rights stay in your hands.
Legally, we follow the Turkish Personal Data Protection Law (KVKK, No. 6698). For visitors in the EU/EEA, the EU General Data Protection Regulation (GDPR) applies in parallel. Where the two differ, whichever gives you more protection wins.
1. Data Controller
Academy Coffee is a sole proprietorship registered under the name of Fatih Mehmet Kaya. Your data controller is therefore a natural person, not a company.
- Fatih Mehmet Kaya · Academy Coffee
- Sultantepe Mah., Selmani Pak Cad., Ekşioğlu Apt. No: 63/H, Apt. 11, 34672 Üsküdar/Istanbul
- Tax Office / No: Üsküdar · 5310806742
- hello@academyroastery.com
2. Categories of Personal Data We Process
We collect only what we need to serve you well. Nothing ambient, nothing speculative.
- Identity and contact: name, email, phone, delivery and billing address.
- Account: password (stored only as a salted argon2id hash, never in plain text), session identifier, language preference.
- Orders: products, quantities, prices, invoice records.
- Payment reference: transaction ID, amount, result. Card details are processed by iyzico; we do not see or store them.
- Communications: content of messages you send via form or email.
- Workshop registrations: chosen workshop, date, special requests (e.g. allergies).
- Wholesale enquiries: business name, contact person, estimated monthly volume.
- Reviews: displayed name, rating, text. Email is collected privately for verification.
- Technical: IP (anonymised where possible), browser, device, session identifier.
A full technical inventory of every processing activity is kept under version control at docs/KVKK_VERI_ENVANTERI.md. Summary available on request.
3. Purposes of Processing and Lawful Basis
For every purpose, a specific legal basis applies under KVKK Article 5 and GDPR Article 6. Not one blanket justification: we match purpose to basis.
| Purpose | Lawful basis |
|---|---|
| Account, order, payment, delivery | Performance of a contract (KVKK 5/2-c · GDPR 6/1-b) |
| Invoice, tax records, consumer-law obligations | Legal obligation (KVKK 5/2-ç · GDPR 6/1-c) |
| Security, fraud prevention, error tracking | Legitimate interest (KVKK 5/2-f · GDPR 6/1-f) |
| Newsletter, analytics cookies, product reviews | Explicit consent (KVKK 5/1 · GDPR 6/1-a) |
| Customer support, answering enquiries | Legitimate interest (KVKK 5/2-f · GDPR 6/1-f) |
| Workshop registration, attendance, follow-up | Performance of a contract (KVKK 5/2-c · GDPR 6/1-b) |
| B2B / wholesale lead management (CRM) | Legitimate interest (KVKK 5/2-f · GDPR 6/1-f) |
| Subscription management (recurring deliveries) | Performance of a contract (KVKK 5/2-c · GDPR 6/1-b) |
4. Third-Party Processors
Running a small, considered online shop means leaning on a short list of trusted providers. Each has a data processing agreement with us and is limited to what they need for their role.
- iyzico Ödeme Hizmetleri A.Ş. · Payment infrastructure (region: Türkiye)
- Vercel Inc. · Hosting and CDN (region: EU (Frankfurt))
- Supabase Inc. · Session and data storage (region: EU (Frankfurt))
- Sanity.io · Content management (region: EU (Ireland))
- Functional Software, Inc. (Sentry) · Error tracking (region: EU (Frankfurt))
- Vercel Analytics · Anonymous visitor measurement (region: EU)
- Cloudflare, Inc. · Form bot protection (Turnstile) (region: Global)
5. International Transfers
Most of our processors store our data in EU regions (Frankfurt, Ireland); several of them are US-headquartered companies. We transfer your data outside Turkey only when a provider requires it, and only under the following safeguards:
- Standard Contractual Clauses (SCC): approved by the European Commission, signed with each non-EU processor.
- EU Adequacy Decisions: for destinations the European Commission has certified as offering equivalent protection.
- EU–US Data Privacy Framework (DPF): for US-based providers where applicable.
You can request the full list of transfer mechanisms per processor at any time.
6. Retention
We keep data as long as there is a clear reason to. When the reason ends, the data goes.
- Order and invoice records: 10 years (Tax Procedure Law Art. 253).
- Account data: while the account is active, plus 3 years.
- Communications: 3 years from last interaction.
- Workshop registrations: 2 years after the workshop date.
- Newsletter consent: until withdrawn; withdrawal record kept for 5 years.
- Security and error logs: 30–90 days depending on source.
- Cookie preferences: 1 year in your browser.
7. Security Measures
Under KVKK Art. 12 and GDPR Art. 32 we apply technical and administrative measures proportional to the risk. The essentials:
- Encryption in transit: TLS 1.3, HTTPS-only.
- Password hashing: argon2id. Plain-text passwords are never stored anywhere.
- Row-level access control: database rules ensure each user can only read their own records.
- Admin access: restricted to a corporate email allow-list with two-factor authentication.
- Health monitoring: continuous checks at /api/health and hourly external smoke tests.
- Rate limiting: on login, payment callbacks and form submissions to deter abuse.
- Content Security Policy: restricts third-party scripts to a vetted allow-list.
- Encrypted backups: daily automated, 7-day retention, stored in-region by the database provider.
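One way the row-level rule above is typically expressed on a Supabase (Postgres) database, shown as an added example that is not Academy Coffee's own schema or code. The table and column names (`orders`, `user_id`, `total_try`) are assumptions; `auth.uid()` is Supabase's built-in function that returns the ID of the user making the request.

```sql
-- Added example, not Academy Coffee's schema. Table and column names are assumptions.
-- On Supabase, auth.uid() returns the calling user's ID from the verified JWT.
create table if not exists orders (
  id         bigint generated always as identity primary key,
  user_id    uuid not null references auth.users (id),
  total_try  numeric(10, 2) not null,
  created_at timestamptz not null default now()
);

-- Turn RLS on and force it for the table owner too, so a privileged
-- application role cannot accidentally bypass the policies.
alter table orders enable row level security;
alter table orders force row level security;

-- Signed-in customers may read only rows whose user_id is their own.
create policy orders_select_own on orders
  for select to authenticated
  using (auth.uid() = user_id);

-- New rows must carry the caller's own user_id; WITH CHECK stops a client
-- from inserting an order on behalf of another account.
create policy orders_insert_own on orders
  for insert to authenticated
  with check (auth.uid() = user_id);

-- No policy is defined for update or delete, so under RLS those operations
-- are denied for every non-bypassing role. The anonymous (anon) role has no
-- policies at all and therefore sees zero rows.
```

A quick sanity check after deploying such policies is to query the table through the public API with an anonymous key and with a second user's session: both should return no rows belonging to the first user. Only server-side code holding a role with BYPASSRLS (Supabase's service role) can read across accounts, and that key should never reach the browser.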
8. Children's Data
Our products and services are intended for adults. We do not knowingly collect data from anyone under 18. If you believe a minor has provided personal data to us, write to us at the address below and we will delete it.
9. Automated Decision-Making and Profiling
We do not use automated decision-making that produces legal or similarly significant effects on you, nor do we build profiles used to target or classify you. If this ever changes, we will update this notice and ask for explicit consent where required.
10. Marketing Communications
We send the newsletter only after you have ticked the opt-in box and confirmed your address by clicking a link in our verification email. No tick, no email.
At any time, you can withdraw consent by clicking the "unsubscribe" link at the bottom of every marketing email. We confirm unsubscription immediately and keep a record for 5 years solely to prove that consent was withdrawn.
Transactional emails (order confirmations, workshop reminders) are not marketing; they are part of delivering what you ordered and cannot be turned off without cancelling the service itself.
11. Your Rights
Under KVKK Art. 11 and GDPR Art. 15–22 you may:
- learn whether your personal data is processed;
- request information on the processing;
- learn the purpose and whether it is used accordingly;
- know third parties to whom the data is transferred;
- request correction, erasure or anonymisation;
- receive your data in a portable format (GDPR only);
- object to automated decisions that affect you;
- claim compensation for unlawful-processing damage;
- withdraw consent at any time;
- lodge a complaint with the supervisory authority (see section 15).
12. How to Exercise Your Rights
The simplest route is to email hello@academyroastery.com with "Data request" in the subject line. Tell us who you are, what you want, and the account or order this concerns. We respond within 30 days.
Under the Turkish Data Protection Authority's Communiqué on Procedures and Principles for Application to the Data Controller (Art. 5), formal applications may also be submitted by:
- Wet-ink signed letter delivered in person or by post to the address above;
- Secure electronic signature (e-imza) to the email address above;
- Mobile signature to the same email address;
- An email sent from an address you have previously registered with us and that is recorded in our system.
Applications are free of charge. If a request requires extraordinary handling effort, the fee schedule published by the Authority may apply; we will inform you of any cost before acting.
13. Data Breach Notification
If a personal data breach occurs, we follow KVKK Art. 12(5) and GDPR Art. 33–34:
- We notify the Turkish Data Protection Authority (and, where GDPR applies, the competent EU supervisory authority) within 72 hours of becoming aware;
- If the breach is likely to result in high risk, we inform affected individuals directly and without undue delay, by email and (where relevant) via a notice on our status page (/durum);
- Every breach, notification and mitigation step is recorded in our internal breach log.
14. Cookies
Cookies are covered in detail in a separate notice: Cookie Policy. Essential cookies make the site work; analytics cookies are only placed after you opt in through the banner.
15. Supervisory Authority
If you believe we have not handled your data in line with this notice, you may lodge a complaint with:
- Turkish Personal Data Protection Authority (KVKK): kvkk.gov.tr
- For EU/EEA residents: your local Data Protection Authority: edpb.europa.eu
We would rather fix the problem ourselves; writing to us first usually saves everyone time.
16. When This Notice Changes
This notice is version 2.0, effective April 20, 2026. When we make a material change (a new processor, a new purpose, a shift in retention), we publish the new version here, update the version number, and where required obtain fresh consent. Minor copy edits do not trigger a version bump.
Previous versions are kept in the version control history of the repository that powers this site; we can share them on request.
