1. Overview
Cproat is committed to protecting the personal data of everyone who interacts with our platform. This page provides a comprehensive overview of our compliance with two major data protection frameworks:
- GDPR — the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council, which came into force on May 25, 2018. The GDPR sets out the rights of individuals located in the European Economic Area (EEA) and obligations for organizations that process their data.
- KVKK — the Turkish Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu), Law No. 6698, which entered into force on April 7, 2016. KVKK governs the processing of personal data in Turkey and applies to all natural and legal persons operating within Turkey.
While these two regulatory regimes originate in different jurisdictions, they share common principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Cproat applies these principles universally to all users, regardless of their location.
For full details of how we collect and use your personal data, please read our Privacy Policy. This page focuses specifically on your legal rights and how to exercise them.
2. Data Controller
Under both GDPR and KVKK, the entity that determines the purposes and means of processing personal data is known as the Data Controller (or Veri Sorumlusu under KVKK). The Data Controller bears primary legal responsibility for compliance.
Data Controller: Cproat
Country of Establishment: Republic of Turkey
Contact: info@cproat.com
Website: cproat.com
Cproat acts as a Data Controller for all personal data it processes about its users (names, email addresses, usage data, etc.). For business data surfaced through our search functionality (i.e., information about other companies and their employees that appears in search results), Cproat acts as a data processor on behalf of its users, who are the controllers of how they subsequently use that data.
Important: If you are a Cproat user who has obtained personal data about individuals through our Service (for example, contact information for business representatives), you become a Data Controller for that data and are responsible for processing it in compliance with applicable data protection law, including obtaining any required legal basis for outreach and complying with anti-spam regulations.
3. GDPR Applicability
The GDPR applies to Cproat on two grounds:
3.1 Processing Data of EU/EEA Residents
Even though Cproat is established in Turkey (a non-EU country), the GDPR applies to us under Article 3(2) because we offer services to individuals located in the European Economic Area. Specifically, Article 3(2)(a) of the GDPR provides that the Regulation applies to the processing of personal data of data subjects who are in the Union where the processing activities are related to the offering of goods or services to such data subjects, irrespective of whether a payment is required.
As Cproat actively markets and provides its services to users in EU member states and EEA countries, we are subject to the GDPR with respect to the personal data of those users.
3.2 Our Commitment to GDPR Compliance
Our GDPR compliance commitments include:
- Processing personal data only on the legal bases set out in Article 6 (and Article 9 for special categories, though we process none).
- Providing transparent information about our processing activities in our Privacy Policy.
- Respecting all data subject rights as described in Section 5 of this page.
- Implementing appropriate technical and organizational security measures (Article 32).
- Ensuring lawful mechanisms for international data transfers (Articles 44–49), primarily through Standard Contractual Clauses.
- Maintaining records of processing activities as required by Article 30.
- Responding to data subject requests within the statutory timeframes.
3.3 Data Protection Officer (DPO)
Cproat does not currently meet the thresholds that would make appointment of a formal Data Protection Officer mandatory under Article 37 of the GDPR (we do not process data on a large scale, are not a public authority, and our core activities do not consist of regular and systematic monitoring of individuals on a large scale). However, our privacy team handles all data protection matters and can be contacted at info@cproat.com.
4. KVKK Applicability
The Turkish Personal Data Protection Law (KVKK, Law No. 6698) applies to Cproat as a data controller established and operating in the Republic of Turkey. KVKK governs the processing of personal data of natural persons in Turkey.
4.1 Key KVKK Principles
Under KVKK Article 4, personal data must be processed in compliance with the following principles:
- Compliance with law and good faith — data must be processed lawfully and fairly.
- Accuracy and up-to-dateness — data must be accurate and, where necessary, kept current.
- Processing for specified, explicit, and legitimate purposes — purposes must be defined before processing begins.
- Being relevant, limited, and proportionate — only data necessary for the stated purpose should be collected.
- Retention for the period prescribed by relevant legislation or required for the purpose — data must not be kept longer than necessary.
4.2 Legal Bases Under KVKK
Under KVKK Article 5, personal data may be processed without explicit consent where:
- It is explicitly provided for by law.
- It is necessary for the protection of the life or physical integrity of the data subject or another person who is unable to give consent.
- It is necessary for the performance of a contract to which the data subject is a party, or where it is necessary to take steps at the request of the data subject prior to entering into a contract.
- It is necessary for compliance with a legal obligation to which Cproat is subject.
- The data has been made public by the data subject themselves.
- It is necessary for the establishment, exercise, or defence of a legal right.
- It is necessary for the legitimate interests pursued by Cproat, provided that those interests do not override the fundamental rights and freedoms of the data subject.
4.3 KVKK Registration
Data controllers in Turkey who process personal data are required to register with the VERBİS system (Veri Sorumluları Sicili — Data Controllers Registry) maintained by the KVKK Personal Data Protection Board (Kişisel Verileri Koruma Kurulu). Cproat complies with all applicable VERBİS registration requirements.
5. Your Eight Rights Under the GDPR
The GDPR grants individuals in the EU/EEA eight fundamental rights with respect to their personal data. These rights are explained in detail below, along with how each applies to your use of Cproat.
Right 1 — Right to Be Informed (Articles 13–14)
You have the right to receive clear, transparent, and easily understandable information about how your personal data is collected and used. This is fulfilled primarily through our Privacy Policy, this compliance page, and our Cookie Policy. We provide this information at the point of data collection (e.g., at sign-up) and keep it accessible at all times.
We provide information about: the identity and contact details of the data controller; the purposes and legal bases for processing; recipients of the data; data retention periods; and your rights.
Right 2 — Right of Access (Article 15)
You have the right to obtain confirmation of whether we are processing your personal data, and if so, to receive a copy of that data (a "Subject Access Request" or SAR). The copy must be provided in a commonly used electronic format.
The information we will provide includes: the categories of data processed; the purposes of processing; any recipients or categories of recipients; the retention period; and your rights.
We will provide the first copy free of charge. If you request further copies, we may charge a reasonable administrative fee. We will respond within 30 days, extendable by a further two months in complex cases with notice to you.
How to exercise: Email info@cproat.com with the subject line "Subject Access Request". Include the email address associated with your account.
Right 3 — Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected without undue delay, and the right to have incomplete data completed, including by providing a supplementary statement.
You can update your name and email address directly from your account settings. For any other data you believe to be inaccurate, contact us at info@cproat.com and describe the correction needed.
Where we have shared the data with third parties, we will inform them of the rectification unless it would be impossible or involve disproportionate effort.
Right 4 — Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request the deletion of your personal data in the following circumstances:
- The personal data is no longer necessary in relation to the purposes for which it was collected or processed.
- You withdraw your consent on which processing was based, and there is no other legal ground for processing.
- You object to processing (under Article 21) and there are no overriding legitimate grounds for processing.
- The personal data has been unlawfully processed.
- The personal data must be erased to comply with a legal obligation.
Exceptions apply where processing is necessary for: compliance with a legal obligation; the establishment, exercise, or defence of legal claims; or other grounds set out in Article 17(3).
How to exercise: Delete your account from the account settings page, or email info@cproat.com. Account deletion triggers deletion of your personal data within 30 days (see our Privacy Policy Section 7 for retention exceptions such as billing records).
Right 5 — Right to Restriction of Processing (Article 18)
You have the right to request that we restrict (i.e., pause) the processing of your personal data where:
- You contest the accuracy of the data — restriction applies for the period we need to verify accuracy.
- The processing is unlawful but you oppose erasure and request restriction instead.
- We no longer need the data but you require it for the establishment, exercise, or defence of legal claims.
- You have objected to processing under Article 21 and we are in the process of verifying whether our legitimate grounds override yours.
When processing is restricted, we may still store your data but will not process it further (except with your consent, for legal claims, to protect the rights of another person, or for important public interest reasons).
How to exercise: Email info@cproat.com specifying that you are requesting restriction and the reason. We will confirm the restriction within 30 days.
Right 6 — Right to Data Portability (Article 20)
Where processing is based on consent or on the performance of a contract, and is carried out by automated means, you have the right to:
- Receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as JSON or CSV).
- Have that data transmitted directly to another data controller where technically feasible.
You can export your saved leads and search history directly from the Cproat dashboard at any time. For a full export of all personal data we hold about you (including account data and usage history), contact us at info@cproat.com.
Note that this right applies only to data you have provided to us — it does not apply to data we have derived or inferred about you.
Right 7 — Right to Object (Article 21)
You have the right to object at any time to the processing of your personal data where we rely on legitimate interests (Article 6(1)(f)) or public task (Article 6(1)(e)) as the legal basis.
Upon receiving your objection, we must stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.
You also have an absolute right to object to processing for direct marketing purposes (if we ever conduct such activities). If you object to direct marketing, we must cease that processing immediately with no overriding legitimate grounds required.
How to exercise: Email info@cproat.com clearly stating "Right to Object" and specifying which processing activity you are objecting to and on what grounds.
Right 8 — Rights Related to Automated Decision-Making and Profiling (Article 22)
You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you.
Cproat does not make any automated decisions that produce legal effects or similarly significant effects concerning users. We do not use profiling to make decisions about your account, creditworthiness, access to services, or any other matter of legal or comparable significance. Search result ranking within the platform is based on objective search parameters, not personal profiling.
If in the future we were to introduce automated decision-making of this nature, we would update this page and our Privacy Policy and provide you with an appropriate opt-out mechanism.
6. Your Rights Under KVKK
Under KVKK Article 11, individuals (data subjects / veri sahipleri) have the following rights:
| KVKK Right | Description |
|---|---|
| Right to Learn | Whether your personal data is being processed by Cproat. |
| Right of Access | If your data is being processed, to request information about the processing. |
| Right to Know Purpose | To learn the purpose of the processing and whether the data is used in accordance with that purpose. |
| Right to Know Third Parties | To know the third parties in Turkey or abroad to whom your personal data is transferred. |
| Right to Rectification | To request correction of incomplete or inaccurate personal data. |
| Right to Erasure or Destruction | To request deletion or destruction of your data where the conditions for processing no longer exist. |
| Right to Notify Third Parties | To request that any correction, deletion, or destruction be notified to third parties to whom the data was transferred. |
| Right to Object to Automated Decisions | To object to any result arising against you that is based on automatic processing of your data. |
| Right to Compensation | To request compensation for damages incurred due to unlawful processing of your personal data. |
To exercise any of these rights under KVKK, please contact us as described in Section 7 below. We will respond within 30 days as required by KVKK Article 13.
7. How to Submit a Data Subject Request
Whether you are an EU/EEA resident exercising GDPR rights or a Turkish resident exercising KVKK rights, you can submit a data subject request through the same channel. Our process is as follows:
7.1 How to Submit
Submit your request by email:
Send to: info@cproat.com
Subject line: "Data Subject Request — [Type of Request]"
(e.g., "Data Subject Request — Access", "Data Subject Request — Erasure")
7.2 What to Include
To help us verify your identity and process your request efficiently, please include:
- The email address associated with your Cproat account.
- The type of request you are making (e.g., access, rectification, erasure, portability, restriction, objection).
- The specific data or processing activities your request relates to, if applicable.
- For rectification requests: the data you believe is inaccurate and the correct version.
- For objection requests: the specific processing activity you are objecting to and your reasons.
7.3 Identity Verification
To protect your privacy and prevent unauthorized access to your data by others, we may need to verify your identity before fulfilling a request. We will verify your identity by confirming that the request comes from, or is confirmed by, the email address associated with your account. In cases involving particularly sensitive data or where there is reason for doubt, we may request additional verification.
We will never ask you for your password as part of identity verification.
7.4 Response Timeframe
| Regulation | Standard Response Time | Extension (if needed) |
|---|---|---|
| GDPR | Within 30 days of receipt of the request | Up to 2 additional months for complex or high-volume requests; we will notify you within the initial 30-day period if an extension is needed |
| KVKK | Within 30 days of receipt of the request | Not generally extendable under KVKK; the 30-day deadline is firm |
We will always acknowledge receipt of your request promptly (typically within 2–3 business days) and will keep you informed if we require additional information or more time.
7.5 Free of Charge
Responses to data subject requests are generally provided free of charge. Where requests are manifestly unfounded or excessive (in particular because of their repetitive character), we may charge a reasonable administrative fee or refuse to act on the request, as permitted under GDPR Article 12(5) and applicable KVKK guidance. We will notify you in advance if a fee applies.
8. Data Processing Agreement (DPA)
A Data Processing Agreement (DPA) is a contract between a Data Controller (you or your organization) and a Data Processor (Cproat, in cases where we process data on your behalf) that sets out the obligations and rights of each party with respect to the processing of personal data.
8.1 When a DPA Is Required
Under GDPR Article 28, whenever a data controller engages a data processor, the parties must enter into a binding DPA. If your organization is subject to GDPR and you are using Cproat in a manner where Cproat processes personal data on your behalf (for example, if your account contains personal data of individuals that you have input), you may require a DPA.
Similarly, under KVKK, data controllers using data processors must ensure contractual protections are in place for any processing activities.
8.2 Requesting a DPA
Business customers who require a Data Processing Agreement with Cproat may request one by contacting us:
DPA Requests:
Email: info@cproat.com
Subject: "DPA Request — [Your Organization Name]"
Please include your organization's name, jurisdiction, and a brief description of your use case.
Our standard DPA is modelled on the European Commission's Standard Contractual Clauses and incorporates the specific obligations required by GDPR Article 28(3), including:
- Processing only on documented instructions from the controller.
- Confidentiality obligations for authorized personnel.
- Implementation of appropriate technical and organizational security measures.
- Restrictions on engaging sub-processors without prior authorization.
- Assisting the controller with data subject rights requests.
- Assisting the controller with security obligations, breach notifications, DPIAs, and prior consultations.
- Deletion or return of data at the end of the service relationship.
- Making available all information necessary to demonstrate compliance.
8.3 Cproat as a Data Controller
For the personal data of Cproat's own registered users (name, email, usage data, etc.), Cproat acts as a Data Controller — not a data processor. In this capacity, Cproat independently determines the purposes and means of processing, and is directly responsible for compliance. No DPA is required between Cproat and its users for this category of data; Cproat's obligations are set out in this policy and the Privacy Policy.
9. Supervisory Authorities
Data subjects have the right to lodge a complaint with a supervisory authority if they believe their personal data has been processed in violation of applicable law. You may do so without prejudice to any other administrative or judicial remedy.
We encourage you to contact us first at info@cproat.com so that we have the opportunity to resolve your concern directly. However, you are under no obligation to do so before contacting a supervisory authority.
9.1 Turkey — KVKK Board
For Turkish residents or for complaints related to KVKK compliance, the relevant supervisory authority is the Turkish Personal Data Protection Board (Kişisel Verileri Koruma Kurulu):
Kişisel Verileri Koruma Kurumu (KVKK)
Nasuh Akar Mahallesi, 1407. Sokak No:4, 06520 Çankaya/Ankara, Turkey
Website: www.kvkk.gov.tr
Online complaint form available on the KVKK website
9.2 EU/EEA — Local Data Protection Authority
EU/EEA residents may lodge a complaint with the supervisory authority of their EU member state of habitual residence, place of work, or the place where an alleged infringement occurred. A list of all EU/EEA supervisory authorities is maintained by the European Data Protection Board:
European Data Protection Board (EDPB)
List of EU supervisory authorities: edpb.europa.eu/members
Some examples of EU supervisory authorities:
- Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) — bfdi.bund.de
- France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
- Netherlands: Autoriteit Persoonsgegevens (AP) — autoriteitpersoonsgegevens.nl
- Ireland: Data Protection Commission (DPC) — dataprotection.ie
- Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
10. International Data Transfers
Personal data may be transferred outside the European Economic Area (EEA) or outside Turkey in connection with our use of third-party service providers. We rely on the following safeguards:
| Transfer | Safeguard Mechanism |
|---|---|
| EEA → Supabase (EU data centers — Germany) | No transfer outside the EEA. Data remains within the EU. |
| EEA/Turkey → Apify (United States) | Standard Contractual Clauses (SCCs) — EU Commission Implementing Decision (EU) 2021/914 |
| Turkey → EU (Supabase, Germany) | Standard Contractual Clauses adapted for Turkey-to-EU transfers; or explicit consent where applicable |
| Cproat (Turkey) → User's country | Processing in accordance with these policies; no outbound transfer of user PII beyond listed processors |
We continuously monitor developments in international data transfer law and update our transfer mechanisms as needed. Where the European Commission has made an adequacy decision for a country, we may rely on that decision as an alternative transfer mechanism.
11. Technical and Organizational Security Measures
Cproat implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32 and KVKK Article 12.
Our security measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. HTTPS is enforced for all connections.
- Encryption at rest: Data stored in Supabase databases is encrypted at rest using AES-256.
- Access controls: Access to production systems is restricted to authorized personnel only, with role-based access control (RBAC) and multi-factor authentication (MFA) required.
- Password security: Passwords are hashed using bcrypt with appropriate cost factors. Plain-text passwords are never stored or logged.
- Audit logging: Access to production databases and administrative functions is logged for security auditing purposes.
- Data minimization: We collect only the minimum data necessary for the purposes described in our Privacy Policy.
- Vendor security: We assess the security practices of our third-party processors and require appropriate contractual commitments.
- Incident response: We have documented procedures for identifying, containing, and reporting personal data breaches. We will notify affected users and relevant supervisory authorities of breaches as required by applicable law (GDPR Articles 33–34; KVKK Article 12).
11.1 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:
- Notify the relevant supervisory authority (KVKK Board and/or the lead EU supervisory authority) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34.
- Maintain internal records of all breaches, including those that do not require notification.
12. Children's Data
Cproat is a professional B2B platform intended for use by businesses and adults (individuals aged 18 and over). We do not knowingly collect or process personal data from children under the age of 18.
Under GDPR Article 8, where the processing of personal data of a child is based on consent and the child is under 16 years old (or a lower age set by an EU member state, but no lower than 13), the consent of a parent or guardian is required. As Cproat does not serve children and requires users to be at least 18, this provision does not create additional obligations for us beyond our blanket prohibition on child data processing.
If we discover that we have inadvertently collected personal data from a child, we will delete it promptly. If you believe a child has created an account, please contact info@cproat.com.
13. Contact & Questions
For all data protection inquiries, rights requests, DPA requests, or questions about this compliance page, please contact us:
Cproat — Privacy & Compliance Team
Email: info@cproat.com
Country: Republic of Turkey
Data Subject Request Response Time: within 30 days
General Inquiry Response Time: within 5 business days
Please use info@cproat.com for all data protection matters. For general technical support inquiries, please use our standard support channel from within your account.
We take all data protection inquiries seriously and are committed to resolving your concerns in a timely and transparent manner.
For more information, see our related legal documents:
- Privacy Policy — full details on data collection, use, and retention
- Terms of Service — the rules governing use of the Service
- Cookie Policy — details on our use of cookies and local storage