Privacy Notice (GDPR)
Effective: 4 May 2026 · Last update: 4 May 2026
1. Data Controller
This Privacy Notice describes how YES BİLİŞİM TEKNOLOJİLERİ YAZILIM DANIŞMANLIK SAN. VE TİC. A.Ş. ("YesPDF", "we", "us") processes your personal data
when you use YesPDF Online (online.yespdf.com.tr). YesPDF acts as the data controller within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR / Regulation (EU) 2016/679).
Note for non-EU users: YesPDF is established in Türkiye. Where this notice references GDPR rights and obligations,
we extend equivalent rights to all users globally on a voluntary basis, including users in the European Economic Area (EEA), the United Kingdom, and Switzerland.
2. Data We Collect
| Category | Data Items |
|---|
| Identity | First name, last name |
| Contact | Email address |
| Account & Billing | Subscription plan, payment date, billing amount, payment status |
| Technical | IP address, browser User-Agent, session cookies, audit log entries |
| Transient | Uploaded PDF files (auto-deleted within 24 hours of processing) |
| Preferences | Language choice, UI cookie preferences |
Important: We do not store your card details. All payment processing is handled by a PCI-DSS compliant payment service provider with 3D Secure authentication.
3. Purposes of Processing
- Providing and managing the service (account creation, authentication, session management)
- Subscription billing and payment lifecycle (invoicing, cancellation, refunds)
- Customer communication (email notifications, support requests)
- Service security (preventing unauthorised access, fraud, and abuse)
- Compliance with legal obligations (tax, audit log retention, lawful requests)
- Service improvement (anonymous usage statistics)
4. Lawful Basis (Article 6 GDPR)
| Lawful basis | Applies to |
|---|
| Contract performance — Art. 6(1)(b) | Account creation, subscription billing |
| Legal obligation — Art. 6(1)(c) | Tax, audit log retention |
| Legitimate interest — Art. 6(1)(f) | Security, fraud prevention, service improvement (balanced against your fundamental rights) |
| Consent — Art. 6(1)(a) | Optional cookies, marketing communications (where applicable) |
5. Recipients & Third-Party Sharing
We share your data only with the following processors, all bound by data processing agreements:
- Payment Service Provider (iyzico or comparable, Türkiye-based, PCI-DSS Level 1) — name, email, IP, transaction amount, processed only during the payment session.
- Email service provider — email address for transactional notifications.
- Hosting infrastructure — Hetzner Online GmbH (Germany, EU member state) — entire system data for hosting purposes.
We do not sell your data, do not use it for behavioural advertising, and do not share it with data brokers.
6. International Transfers
Servers are located in Germany (EU). The data controller (Yes Bilişim) is established in Türkiye.
Türkiye is currently not on the European Commission's adequacy list. Transfers from the EEA to Türkiye are made under
Article 46(2)(c) GDPR using Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) where required.
Where a transfer falls under Article 49 derogations (e.g. necessary for performance of a contract with the data subject), it is conducted on that basis.
No data is transferred outside Türkiye and the EEA other than to the listed recipients.
7. Retention Periods
| Data type | Retention | Reason |
|---|
| Account information (name, email) | Lifetime of the account + 30 days after deletion request | Contract |
| Uploaded PDF files | Auto-deleted within 24 hours after processing | Service contract |
| Payment records (audit) | 10 years | Türkiye Tax Procedure Law and Commercial Code |
| Audit logs (login / actions) | 2 years | Legitimate interest (security) |
| Communication emails | 3 years | Legitimate interest |
8. Security Measures
- All traffic encrypted with TLS 1.2/1.3.
- Uploaded files encrypted at rest with AES-256.
- Passwords stored as bcrypt hashes; plain-text passwords are never accessible.
- Payments via 3D Secure on a PCI-DSS compliant gateway; card details never reach our servers.
- Comprehensive audit logging for authentication and processing events.
- Infrastructure hosted in an ISO/IEC 27001 certified data centre.
9. Your Rights (Articles 15-22 GDPR)
- Access (Art. 15): obtain confirmation and a copy of your personal data
- Rectification (Art. 16): correct inaccurate or complete incomplete data
- Erasure / right to be forgotten (Art. 17): request deletion under specified conditions
- Restriction (Art. 18): limit processing in certain situations
- Data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format
- Objection (Art. 21): object to processing based on legitimate interest
- Automated decision-making (Art. 22): right not to be subject to a decision based solely on automated processing — we do not use solely automated decision-making with legal effect
- Withdraw consent at any time, where processing is based on consent
10. Exercising Your Rights / Lodging a Complaint
To exercise any of the rights above:
- Self-service: Account Settings → Privacy → clear history / close account.
- Email: privacy@yesbilisim.com.tr — we respond within 30 days at no cost (extendable by 60 days for complex requests under Art. 12(3)).
You also have the right to lodge a complaint with your local supervisory authority. EU/EEA residents may contact their national Data Protection Authority. Turkish residents may contact the
Kişisel Verileri Koruma Kurulu at kvkk.gov.tr.
11. Cookies
- Strictly necessary cookies: session management, CSRF protection (no consent required, Recital 30 / ePrivacy strictly-necessary exemption).
- Functional cookies: language preference, UI settings.
- Analytics / advertising cookies: not currently used.
You may disable cookies in your browser, but parts of the service may not work correctly.
12. Changes to This Notice
We may update this Notice as needed. Material changes will be communicated via in-app notification and/or email.
The latest version is always available at this URL; the effective date is shown at the top.