KVKK Clarification Text

What is KVKK? KVKK (Kisisel Verilerin Korunmasi Kanunu, Law No. 6698) is the Turkish data-protection law, broadly equivalent to the EU GDPR. As a Turkey-based service we are required to publish this Clarification Text. If you are an EU/UK resident, your GDPR rights apply alongside KVKK; the substance is similar (access, rectification, deletion, objection). For day-to-day data questions, our Privacy Policy is a friendlier read.

Last Updated: April 28, 2026

This Clarification Text has been prepared to inform you about the processing of your personal data by biletalarmi.com ("Company" or "Data Controller") in accordance with Article 10 of the Law on Protection of Personal Data No. 6698 ("KVKK") and the Communiqué on Procedures and Principles for Fulfilling the Obligation to Inform.

biletalarmi.com is an independent platform that offers free alarm services to users via email, Telegram, or web push notifications when TCDD train tickets or empty seats become available. There is no organic link or representation relationship with TCDD Taşımacılık A.Ş.

1. Identity of the Data Controller

The company information acting as the data controller for the processing of your personal data is as follows:

Title:
Address:
Email: [email protected]
Kayıtlı E-Posta (KEP) Address:
Tax Identification Number (TIN):

2. Purposes of Processing Personal Data

Your collected personal data will be processed within the framework of the personal data processing conditions specified in Articles 5 and 6 of the KVKK, for the purposes stated below:

Provision, execution, and development of alarm services.
Sending user-specific notifications (email, Telegram, web push).
Troubleshooting technical issues related to the operation of services, debugging, and performance improvement.
Security, fraud, and abuse prevention activities (e.g., applying rate limits with IP addresses).
Performing statistical analyses and improving service quality.
Personalizing user experience (e.g., theme preferences).
Fulfilling legal obligations in accordance with relevant legislation.
Responding to requests from authorized institutions and organizations.
Resolution of legal disputes and execution of judicial processes.
For marketing and advertising activities (only with your explicit consent).
Bot verification (via Cloudflare Turnstile).

3. To Whom and For What Purpose Personal Data May Be Transferred

Your personal data may be transferred in line with the realization of the purposes stated above, and within the framework of the personal data processing conditions specified in Articles 8 and 9 of the KVKK, in a lawful and fair manner, observing the principle of data minimization, and in a limited and proportionate manner:

To service providers (such as email sending services, Telegram API integration, web push notification services).
To authorized public institutions and organizations (in accordance with legal requests).
To professional consultants such as legal advisors, auditors, and lawyers.
To analytics service providers (Google Analytics - only with your consent).
To security service providers (such as Cloudflare Turnstile).

Third parties to whom data is transferred have commitments regarding the protection and security of personal data within the framework of contracts made with the data controller.

4. Method and Legal Basis for Collecting Personal Data

Your personal data is collected electronically through the biletalarmi.com website, via alarm creation forms, cookies, and server logs.

This personal data is processed based on the following legal grounds specified in Article 5 of the KVKK:

Explicit Consent: Obtaining your explicit consent in cases such as marketing communication or the use of Google Analytics.
Establishment or Performance of a Contract: Being necessary for the performance of the service contract, such as providing you with the alarm service and sending committed notifications.
Legitimate Interest of the Data Controller: Processing data being necessary for the legitimate interests of the data controller, such as ensuring service security (e.g., rate limits with IP addresses), improving system performance, and preventing illegal uses.
Fulfillment of Legal Obligation: Retention and sharing of information requested by relevant legal regulations.

5. Rights of the Data Subject

Pursuant to Article 11 of the KVKK, everyone whose personal data is processed has the following rights:

To learn whether personal data is processed,
To request information if personal data has been processed,
To learn the purpose of personal data processing and whether it is used appropriately for its purpose,
To know the third parties to whom personal data is transferred, in Turkey or abroad,
To request the rectification of incomplete or inaccurate personal data,
To request the erasure or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVKK,
To request that the rectification, erasure, or destruction operations mentioned above be notified to third parties to whom personal data has been transferred,
To object to the occurrence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
To demand the compensation of the damage if personal data is processed unlawfully and the person suffers damage.

To exercise your rights stated above, you can submit your requests to in writing or by other methods determined by the Personal Data Protection Board.

You can send your applications, along with the necessary information to identify your identity, to the email address or via registered mail to . Your request will be answered free of charge within thirty days at the latest. However, if the operation requires an additional cost, the fee specified in the tariff determined by the Board may be charged.

6. Data Security

As the data controller, we take appropriate security measures to protect your personal data against risks of unauthorized access, disclosure, alteration, or destruction. These measures include technical and administrative security measures:

Encryption of data (both in transit and at rest).
Access controls and authorization mechanisms.
Firewalls and network security solutions.
Regular security audits and penetration tests.
Personnel training and awareness programs.

7. Other Provisions

The Company may update, change, or repeal the provisions of this Clarification Text at any time. The updated or amended Clarification Text will become effective on the date it is published on our website. It is recommended that you regularly check this text to understand your rights and how your personal data is processed.