0 (212) 916 38 38
Qera
This text is a draft, pending legal review.

GDPR Data Processing

Last updated: 04.06.2026

This page is prepared for international and EU customers within the scope of the European Union General Data Protection Regulation (GDPR / Regulation (EU) 2016/679). For personal-data processing in Türkiye, our KVKK Privacy Notice applies; compliance is maintained with both frameworks.

1. Scope and Roles

Qera (within Ze Yatırım Holding) may act as a controller in respect of its own marketing and communication activities, and as a processor in respect of data processed on customer instructions within the scope of the ERP service it provides. This page explains the roles and applied principles pursuant to Article 4 et seq. of the GDPR.

  • Controller/processor: [Legal entity name — legal review]
  • EU representative (if any, GDPR Art. 27): [EU representative — legal review]
  • Data-protection contact point: [DPO / contact — legal review]

2. Lawful Basis

We process personal data on one of the following grounds pursuant to GDPR Article 6:

  • Contract (Art. 6(1)(b)): necessity for the conclusion or performance of a contract.
  • Legal obligation (Art. 6(1)(c)): compliance with applicable law.
  • Legitimate interest (Art. 6(1)(f)): balanced against the rights and freedoms of the data subject.
  • Explicit consent (Art. 6(1)(a)): in cases such as marketing and non-essential cookies.

3. Data Processed and Purposes

  • Contact/identity: first name, last name, title, e-mail, phone, organization information.
  • Request data: demo/quote/contact request content and correspondence.
  • Technical/digital trace: IP, cookie identifiers, session and device information.

This data is processed for the purposes of responding to requests, performing the contractual relationship, site security, legal obligations and consent-based analytics/marketing.

4. Data-Subject Rights

Pursuant to GDPR Articles 15–22, as a data subject you have the following rights:

  • Right of access (Art. 15).
  • Right to rectification (Art. 16).
  • Right to erasure / “to be forgotten” (Art. 17).
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20).
  • Right to object (Art. 21) and rights regarding automated decisions/profiling (Art. 22).
  • Right to withdraw consent where processing is based on consent.
  • Right to lodge a complaint with the competent supervisory authority.

5. Data Processing Agreement (DPA)

Where we act as a processor, we sign a Data Processing Agreement (DPA) with corporate customers pursuant to GDPR Article 28. The DPA covers the subject matter, duration, purpose, data categories, sub-processors and security measures of the processing. To request a DPA, you can reach us at info@qera.com.tr. [Standard DPA template — legal review]

6. Sub-processors

In providing our service we use sub-processors for certain operations. Our principal sub-processor, as the cloud infrastructure provider, is Microsoft Azure. GDPR-compliant agreements are concluded with sub-processors; affected customers are informed of changes to the sub-processor list.

  • Microsoft Azure — cloud infrastructure (hosting, storage, compute).
  • [Other sub-processors — legal review]

7. International Transfers

Where personal data is transferred outside the EU/EEA, appropriate safeguards are provided pursuant to GDPR Chapter V (Art. 44 et seq.); where necessary, the European Commission’s Standard Contractual Clauses (SCC) and additional protective measures are applied. [Transfer mechanisms and grounds — legal review]

8. Data Residency

Data is hosted on Microsoft Azure cloud infrastructure in a highly available, redundant architecture. With corporate customers, specific data-residency arrangements may be evaluated in line with needs and regulatory requirements. [Precise hosting region — customer/legal confirmation]

9. Technical and Organizational Measures

Pursuant to GDPR Article 32, appropriate technical and organizational measures are applied, such as encryption in transit and at rest, role-based access control, backups and traceable operations. For more information, see our Trust Center page.

10. Breach Notification

When a personal-data breach is detected, the necessary processes are run to provide timely notification to the competent supervisory authority and, where required, to the affected data subjects, pursuant to GDPR Articles 33–34. [Breach response procedure — legal review]

11. Contact

For requests and questions under the GDPR, you can reach us at info@qera.com.tr or via our Contact page.