Privacy Policy
1. Introduction
1.1. Purpose
This Privacy Policy ("Policy") describes how Evaste collects, uses, shares, and protects your personal data when you use our services.
Evaste is a data privacy and consent management platform that helps businesses comply with GDPR, KVKK, CCPA, and other data protection regulations.
1.2. Scope
This Policy applies to:
- evaste.co website and all subdomains
- Evaste web application and dashboard
- Mobile applications
- APIs and SDKs
- Customer support communications
1.3. Acceptance
By using Evaste services, you acknowledge that you have read and understood this Policy and consent to the processing of your personal data as described herein.
2. Data Controller Information
2.1. Data Controller
- Evaste (operated by Group Taiga)
- Address: Levent, Istanbul, Turkey
- Email: info@evaste.co
- Web: https://evaste.co
- Phone: +90 532 494 42 64
2.2. Data Protection Officer (DPO)
Email: dpo@evaste.co
2.3. EU Representative
For GDPR purposes, our EU representative can be contacted at: eu-representative@evaste.co
3. Personal Data We Collect
3.1. Data You Provide
(a) Account Information: Full name, email address, company name, job title, phone number (optional), billing address
(b) Payment Information: Credit card details (processed by Stripe), billing information, transaction history
(c) Communications: Support tickets, email correspondence, chat messages, feedback and surveys
3.2. Data Collected Automatically
(a) Technical Data: IP address, browser type and version, operating system, device information, screen resolution
(b) Usage Data: Pages visited, features used, time spent on platform, click patterns, error logs
(c) Cookie Data: Session cookies, preference cookies, analytics cookies (with consent)
3.3. Data from Third Parties
(a) OAuth providers (Google, Microsoft) - email, name, profile picture
(b) Payment processors - transaction status
(c) Analytics services - aggregated usage data
3.4. Special Categories of Data
Evaste does not intentionally collect special categories of personal data (health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, sexual orientation).
4. Purposes and Legal Bases for Processing
4.1. Contractual Necessity (GDPR Article 6(1)(b))
| Purpose | Data Used |
|---|---|
| Account creation and management | Name, email, password |
| Service provision | All account data |
| Customer support | Contact info, communications |
| Billing and payments | Payment and billing info |
4.2. Legitimate Interests (GDPR Article 6(1)(f))
| Purpose | Legitimate Interest | Data Used |
|---|---|---|
| Service improvement | Product development | Usage data |
| Security | Fraud prevention | IP, device info |
| Analytics | Business optimization | Aggregated usage |
| Marketing (B2B) | Business growth | Company info |
4.3. Legal Obligations (GDPR Article 6(1)(c))
| Purpose | Legal Requirement | Data Used |
|---|---|---|
| Tax compliance | Tax regulations | Financial records |
| Legal proceedings | Court orders | Relevant data |
| Regulatory reporting | Data protection laws | Processing records |
4.4. Consent (GDPR Article 6(1)(a))
| Purpose | Data Used |
|---|---|
| Marketing emails | Email address |
| Newsletter | Email, preferences |
| Analytics cookies | Browsing data |
| Third-party integrations | Various |
You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
5. Data Retention Periods
5.1. Retention Schedule
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 2 years | Contract |
| Consent records | 7 years | Legal requirement |
| Financial records | 10 years | Tax regulations |
| Support tickets | 3 years | Legitimate interest |
| Usage logs | 2 years | Legitimate interest |
| Marketing data | Until opt-out | Consent |
5.2. Deletion
After the retention period expires:
- Data is automatically deleted or anonymized
- Backups are purged within 90 days
- Anonymized data may be retained for analytics
5.3. Data Export
You may request a copy of your data at any time (see Section 9).
6. Data Sharing and Transfers
6.1. Categories of Recipients
(a) Service Providers (Sub-processors): Cloud hosting (AWS, Google Cloud), Payment processing (Stripe), Email services (SendGrid), Analytics (Google Analytics - optional), Customer support (Intercom), Error monitoring (Sentry)
(b) Professional Advisors: Lawyers, accountants, auditors (under confidentiality)
(c) Legal Authorities: When required by law or court order
(d) Business Transfers: In case of merger, acquisition, or asset sale
6.2. No Selling of Personal Data
Evaste does NOT sell personal data to third parties.
6.3. Sub-processor List
A complete list of sub-processors is available at: https://evaste.co/legal-center/sub-processors
7. International Data Transfers
7.1. Transfer Mechanisms
For transfers outside the EEA/UK, we rely on:
(a) EU-US Data Privacy Framework (DPF): For certified US companies
(b) Standard Contractual Clauses (SCCs): EU Commission approved 2021 SCCs with supplementary measures where necessary
(c) Adequacy Decisions: For countries with adequate protection level
7.2. Transfer Impact Assessment
We conduct Transfer Impact Assessments (TIAs) for each sub-processor considering:
- Destination country legislation
- Government access risks
- Adequacy of supplementary measures
7.3. Data Localization
Enterprise customers may request:
- EU-only data storage
- Turkey-only data storage
8. Data Security
8.1. Technical Measures
(a) Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest, Key management via AWS KMS
(b) Access Control: Role-based access control (RBAC), Multi-factor authentication (MFA), Single sign-on (SSO)
(c) Infrastructure: Firewalls and intrusion detection, DDoS protection (Cloudflare), Regular vulnerability scanning
8.2. Organizational Measures
- Security policies and procedures
- Employee training
- Background checks
- Confidentiality agreements
- Incident response procedures
8.3. Certifications
- ISO 27001 (in progress)
- SOC 2 Type II (planned)
- Annual penetration testing
8.4. Breach Notification
In case of a personal data breach:
- Supervisory authority notified within 72 hours (if required)
- Affected individuals notified without undue delay (if high risk)
- Breach documented in internal register
9. Your Rights (GDPR)
9.1. Right of Access (Article 15)
You have the right to obtain: Confirmation of processing, copy of your personal data, information about processing
9.2. Right to Rectification (Article 16)
You may request correction of inaccurate data or completion of incomplete data.
9.3. Right to Erasure (Article 17)
You may request deletion of your data when: No longer necessary for original purpose, you withdraw consent, you object to processing, unlawful processing, legal obligation to erase
9.4. Right to Restriction (Article 18)
You may request restriction of processing in certain circumstances.
9.5. Right to Data Portability (Article 20)
You may receive your data in a structured, machine-readable format and transmit it to another controller.
9.6. Right to Object (Article 21)
You may object to processing based on legitimate interests, including profiling and direct marketing.
9.7. Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects.
9.8. How to Exercise Your Rights
Email: privacy@evaste.co. Response time: 30 days (extendable by 60 days for complex requests). Identity verification may be required.
9.9. Right to Lodge a Complaint
You may lodge a complaint with your local supervisory authority. Turkey: KVKK (kvkk.gov.tr), EU: Your national data protection authority.
10. Your Rights (CCPA - California Residents)
10.1. Right to Know
California residents have the right to know: Categories of personal information collected, sources of personal information, business purposes for collection, categories of third parties with whom information is shared, specific pieces of personal information collected
10.2. Right to Delete
You may request deletion of your personal information, subject to certain exceptions.
10.3. Right to Opt-Out
Evaste does NOT sell personal information. Therefore, there is no need for an opt-out mechanism for sales.
10.4. Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights.
10.5. How to Exercise CCPA Rights
Email: ccpa@evaste.co. Toll-free: Available upon request. Response time: 45 days.
10.6. Authorized Agents
You may use an authorized agent to submit requests on your behalf.
11. Cookies and Tracking
11.1. Cookie Policy
For detailed information about cookies, please see our Cookie Policy: https://evaste.co/legal-center/cookie-policy
11.2. Do Not Track
We honor Do Not Track (DNT) browser signals.
11.3. Analytics Opt-Out
You may opt out of analytics tracking via:
- Cookie preferences on our website
- Browser settings
- Google Analytics opt-out browser add-on
12. Children's Privacy
12.1. Age Restrictions
Evaste services are not intended for individuals under 18 years of age.
12.2. COPPA Compliance
We do not knowingly collect personal information from children under 13. If we become aware of such collection, we will delete the information immediately.
12.3. Parental Rights
Parents or guardians may contact us to: Review child's information, request deletion, refuse further collection
13. Automated Decision-Making
13.1. Profiling
Evaste uses limited automated profiling for:
- Fraud detection
- Service personalization
- Usage analytics
13.2. No Significant Effects
We do not make automated decisions that produce legal or similarly significant effects on individuals.
13.3. Human Review
You may request human review of any automated decision.
14. Policy Changes
14.1. Updates
We may update this Policy periodically. Material changes will be communicated via:
- Email notification
- Platform notification
- Website banner
14.2. Review
We recommend reviewing this Policy regularly.
14.3. Version History
Previous versions available upon request.
15. Contact Information
- Evaste (Group Taiga)
- Address: Levent, Istanbul, Turkey
- General Inquiries: info@evaste.co
- Privacy Requests: privacy@evaste.co
- Data Protection Officer: dpo@evaste.co
- CCPA Requests: ccpa@evaste.co
- Web: https://evaste.co
- Phone: +90 532 494 42 64
This Privacy Policy became effective on January 12, 2026.
By using Evaste services, you acknowledge that you have read and understood this Policy.