Privacy & Data Policy
Version 2026-05-01 · 09.07.2026
1. Data Controller
Flanör is the data controller under the EU General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law (KVKK No. 6698). The personal data collected from members is processed under the purposes, legal bases and retention periods set out below.
2. Categories of Data Processed
- Identity: name, username, display name.
- Contact: email address, optional city.
- Application content: motivation text, declared interests.
- Account content: avatar, bio, club & event participation, comments, messages.
- Technical data: IP address, user-agent, session timestamps, push subscription token.
- Consent log: which consent was given, against which policy version, when, from which IP.
3. Purposes of Processing (GDPR Art. 5(1)(b))
- Evaluating membership applications and creating accounts
- Organising events, RSVP and check-in flow
- Member-to-member messaging and club communication
- Security, abuse detection and meeting legal obligations
- With your explicit consent — marketing and announcement notifications
4. Legal Basis (GDPR Art. 6)
- Consent (Art. 6(1)(a)): Marketing notifications, photo release, optional flows.
- Contract (Art. 6(1)(b)): Membership application, account, event RSVP.
- Legitimate interest (Art. 6(1)(f)): Security, audit log, abuse prevention.
- Legal obligation (Art. 6(1)(c)): Lawful requests from competent authorities.
5. Retention
Data is processed for as long as the membership is active. After account deletion, personal data is anonymised within 30 days. Content (comments, messages, RSVPs) is preserved under the pseudonym "Deleted Member" for historical consistency, with no link back to the individual. Consent logs and audit records may be retained for up to 10 years where required by law.
6. Sharing & Transfers
Your personal data is never sold, rented or shared for marketing. Transfers are limited to:
- Hosting / infrastructure provider
- Email service provider (SMTP or transactional API)
- Apple / Google / Mozilla push endpoints for push notifications (subscription token only)
- Competent authorities where required by law
7. Your Rights (GDPR Art. 15-22 / KVKK Art. 11)
As a data subject you have the right at any time to:
- Know which data of yours is being processed
- Obtain a copy of your data (you can self-export a ZIP from My data)
- Request rectification of inaccurate data
- Request erasure or anonymisation ("right to be forgotten")
- Withdraw consent at any time
- Object to processing
To exercise these rights, use the My data dashboard in your account, or write to dursunyartasi@gmail.com.
8. Cookies
We only use strictly necessary cookies for session management (PHP session, CSRF token, theme preference). We do not set third-party analytics, ad or tracking cookies.
9. Security
Passwords are stored using one-way argon2id/bcrypt hashing. All traffic is served over TLS. Each access to personal data inside the admin panel is recorded in the data_access_logs table and is auditable.
10. Policy Changes
The current version of this policy is shown at the top of this page. Material changes will bump the version number and active members will be notified. Previous consent versions remain stored in the consent log.
11. Contact
To reach the data controller: dursunyartasi@gmail.com