Applicable jurisdiction
These documents are presented for the United States. KeyBrox is operated by a Turkish company (ASTRAL GAYRİMENKUL DANIŞMANLIK TİC. LTD. ŞTİ.); Turkish law governs the agreement, while your mandatory local data-protection and consumer rights remain reserved and unaffected.
Data-protection framework: CCPA / CPRA · Supervisory authority: the California Privacy Protection Agency or your State Attorney General
KVKK Privacy Notice
This privacy notice has been prepared by ASTRAL GAYRİMENKUL DANIŞMANLIK TİCARET LİMİTED ŞİRKETİ (the “Company”, “We”) in its capacity as Data Controller, pursuant to Article 10 of the Turkish Personal Data Protection Law No. 6698 (KVKK) and the Communiqué on the Procedures and Principles to Be Followed in Fulfilling the Disclosure Obligation, for users of the KeyBrox platform (keybrox.com).
1. Data Controller Information
Legal name: ASTRAL GAYRİMENKUL DANIŞMANLIK TİCARET LİMİTED ŞİRKETİ
Address: Aksoy Mahallesi Girne Caddesi 36/3 Zemin Kat, Karşıyaka/İzmir, Türkiye
Trade Registry No: 258033 · MERSİS: 0091134928700001 · Tax No: 0911349287
E-mail: kvkk@keybrox.com
KEP (registered e-mail): astralgayrimenkuldanismanlik@hs01.kep.tr
Phone / WhatsApp: +90 505 869 00 81
VERBIS No: Registration application is in progress.
2. Personal Data Processed
The following categories of personal data are processed via the KeyBrox platform:
2.1. Identity Data
First name, surname, Turkish ID number (T.C. kimlik no — only for contractual and accounting transactions), date of birth, gender, profile photo.
2.2. Contact Data
Phone number, e-mail address, business address, WhatsApp contact information.
2.3. Location Data
GPS coordinates (panic button, viewing report/zabıt, AR price analysis), IP-based approximate location, property visit locations.
2.4. Financial Data
Commission amounts, turnover figures, stakeholder split ratios, invoice details (VAT-inclusive/exclusive), payment history, bank account details (only for offices with active accounting integration).
2.5. Professional Data
Real-estate consultancy licence information, office assignment, performance metrics (XP, badges, assist chain, turnover leaderboard rank), viewing records, customer portfolio, listing information.
2.6. Digital Trace Data
Session information (JWT token metadata), browser/device information (user agent), application usage statistics, push notification subscription records (OneSignal subscription ID), cookie data, IP address.
2.7. Visual and Audio Data
Profile photo, virtual-tour panoramic images, the signature image (base64) in the viewing report/zabıt, mediation evidence (images, audio recordings, screenshots).
2.8. Special Categories of Personal Data
No special categories of personal data (race, ethnic origin, political opinion, philosophical belief, health data, etc.) are processed across the platform. Such data may appear in content voluntarily shared by the parties during a mediation process; in that case, the explicit-consent mechanism under KVKK Article 6 applies.
3. Purposes of Processing Personal Data
Your personal data is processed for the following purposes:
- Service delivery: Platform access, CRM operations, commission calculation, portfolio matching, management of customer relationships.
- Contractual obligations: Fulfilment of the membership agreement, data processing agreement and SLA commitments.
- Legal obligations: Tax legislation (VUK), the Turkish Commercial Code, MASAK regulations, requirements of the Turkish Code of Obligations No. 6098.
- Security: Emergency notification via the panic button, location sharing, escalation chain; platform security audits and access controls.
- Performance and gamification: Data processing for motivation modules such as XP, badges, assist chain, goal wheel, hall of fame and cheer wall.
- Communication: Push notifications (OneSignal), e-mail notifications, SMS (optional), in-app messaging.
- Analytics and reporting: Office performance reports, market pulse, regional analysis, turnover leaderboard, agent performance evaluation.
- Dispute resolution: Mediation board, evidence collection, timeline creation, data processing for the broker’s decision.
- Product development: Platform improvement based on anonymous usage statistics (no individual identification is performed).
- Marketing (with explicit consent): Promotional notifications, feature announcements, satisfaction surveys. Applied only to users who have given explicit consent.
- Protection of legal rights: Retention of data as evidence in potential disputes.
4. Legal Bases for Processing Personal Data
The following legal bases under KVKK Article 5/2 apply:
| Legal Basis | Area of Application |
|---|---|
| Expressly provided by law (Art. 5/2-a) | Accounting records under VUK, MASAK notifications |
| Establishment/performance of a contract (Art. 5/2-c) | Platform membership agreement, SaaS service agreement |
| Legal obligation (Art. 5/2-ç) | Statutory retention periods, notifications to government authorities |
| Legitimate interest of the data subject (Art. 5/2-e) | Panic button — location sharing in case of vital danger |
| Legitimate interest of the data controller (Art. 5/2-f) | Security measures, fraud prevention, service quality |
| Explicit consent (Art. 5/1) | Marketing communications, optional analytics, location tracking |
5. Method of Collecting Personal Data
Your personal data is collected through the following channels:
- Directly: Platform registration form, profile update, transaction entry, viewing record, mediation application.
- Automatically: Cookies, device information, IP address, GPS (where the user has granted permission), push notification subscription records.
- Third parties: Agent information entered by the broker/office manager, real-estate listing data, OneSignal notification metrics.
6. Transfer of Personal Data
6.1. Domestic Transfer
Personal data may be transferred to the following parties under KVKK Article 8:
- Broker office manager: In the multi-tenant structure, each broker can access the performance and transaction data of their own agents (joint data controllership).
- Authorized public authorities: Upon a court order, prosecutor’s request or legal obligation (MASAK, Tax Office, SGK).
- Business partners: The payment processor Paddle.com Market Limited (acting as Merchant of Record for billing and cross-border tax handling), SMS/e-mail providers.
6.2. International Transfer
Under KVKK Article 9, data is transferred to the following technical infrastructure providers:
| Provider | Country | Purpose | Safeguard |
|---|---|---|---|
| Vercel Inc. | USA | Frontend hosting, edge rendering, CDN | EU Standard Contractual Clauses (SCC) + SOC 2 Type II |
| Hostinger International | Lithuania (EU) | Backend hosting, database | GDPR-adequate (EU location) |
| OneSignal Inc. | USA | Push notification infrastructure | EU Standard Contractual Clauses (SCC) + DPA |
| Google LLC (Gemini) | USA/EU | AI Assistant — chat, listing text generation | SCC + DPA + not used for model training |
| Google LLC (Firebase) | USA/EU | Mobile push notifications (FCM) | EU Standard Contractual Clauses (SCC) + ISO 27001 |
| Cloudflare Inc. | Global | CDN, DNS, WAF security | SCC + ISO 27001 + SOC 2 |
For international data transfers, EU Standard Contractual Clauses and additional technical measures (encryption, pseudonymization) are applied to meet the adequate-protection conditions set out in KVKK Article 9. Content transferred to the AI assistant (Google / Gemini) is not used by the provider for model training.
7. Multi-Tenant Data Controllership Structure
Important: The KeyBrox platform operates as a multi-tenant SaaS. Accordingly, data controllership is shared as follows:
- ASTRAL GAYRİMENKUL DANIŞMANLIK TİCARET LİMİTED ŞİRKETİ (Platform Operator): Responsible for technical infrastructure, data security, backups, access control and platform-wide data processing. Acts as the “Data Processor” under KVKK.
- Broker Offices (Tenants): Primarily responsible for processing the personal data of the agents and customers within their own virtual office. Act as the “Data Controller” under KVKK.
- Joint Data Controllership: For platform-wide gamification data (leaderboard, XP, hall of fame), evidence data consolidated during mediation, and inter-office matching operations, ASTRAL GAYRİMENKUL DANIŞMANLIK TİCARET LİMİTED ŞİRKETİ and the relevant broker office act as “Joint Data Controllers”. In that case, the allocation of responsibilities between the parties is determined by the Data Processing Agreement.
8. Data Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Financial data (commission, invoices) | 10 years | VUK Article 253 |
| Contract and membership records | Contract term + 10 years | TBK Article 146 (general limitation period) |
| Transaction records | 10 years | TTK Article 82 |
| Performance data (XP, badges) | Membership term + 1 year | Legitimate interest |
| Viewing and report (zabıt) records | 5 years | Legal evidentiary purpose |
| Mediation files | 5 years from the date of decision | Legal evidentiary purpose |
| Marketing communication records | Until consent is withdrawn | Explicit consent |
| Log and access records | 2 years | Law No. 5651 |
| Cookie data | Maximum 13 months | ePrivacy Directive |
| Panic button incident records | 3 years | Security and legal evidence |
Personal data whose retention period has expired is deleted, destroyed or anonymized within the periodic destruction process (in six-month cycles). Upon termination of membership, data is irreversibly destroyed within 90 days at the latest; items that are legally required to be retained are archived for the applicable statutory periods.
9. Rights of the Data Subject
Pursuant to KVKK Article 11, data subjects whose personal data is processed have the following rights:
- To learn whether their personal data is being processed
- To request information if their personal data has been processed
- To learn the purpose of processing and whether the data is used in accordance with that purpose
- To know the third parties to whom personal data is transferred, domestically or abroad
- To request rectification where personal data has been processed incompletely or inaccurately
- To request erasure or destruction of personal data under KVKK Article 7
- To request that rectification and erasure operations be notified to the third parties to whom the data was transferred
- To object to a result against the person arising from analysis of the processed data solely by automated systems
- To claim compensation for damage suffered due to unlawful processing of personal data
10. How to Exercise Your Rights
Pursuant to KVKK Article 13, you may use one of the following methods to exercise the rights listed above:
10.1. Application Methods
| Method | Address | Subject Line |
|---|---|---|
| Written application | Aksoy Mahallesi Girne Caddesi 36/3 Zemin Kat, Karşıyaka/İzmir | “KVKK Information Request” |
| KEP (registered electronic mail) | astralgayrimenkuldanismanlik@hs01.kep.tr | “KVKK Information Request” |
| E-mail (with secure electronic signature) | kvkk@keybrox.com | “KVKK Information Request” |
| In-app (My Account › Data Request) | keybrox.com/app?m=hesabim | Automated form |
10.2. Application Process
- Identity verification is carried out for the application (a copy of the Turkish ID or platform authentication).
- Applications are answered free of charge within 30 days at the latest (KVKK Article 13/2).
- If the process requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board may be charged.
- If your request is rejected, you have the right to file a complaint with the Personal Data Protection Board within 30 days of notification of the decision.
11. Data Security Measures
The following technical and administrative measures are applied to protect your personal data:
11.1. Technical Measures
- Encryption of data in transit with TLS 1.3
- Session cookie encryption with AES-256-GCM
- Hashing of passwords with bcrypt (never stored in plaintext)
- Encryption at the database level (encryption at rest)
- JWT (JSON Web Token) based authentication (15-min access, 30-day refresh)
- Role-based access control (RBAC) — broker, agent, admin
- Multi-tenant data isolation (separation by user_id + office_id)
- Cloudflare WAF and DDoS protection
- Daily automated backups (7-day retention) and 4-hourly incremental backups
- Vulnerability scanning (periodic)
11.2. Administrative Measures
- KVKK awareness training for employees
- Confidentiality agreement (all personnel)
- Data processing inventory (VERBIS classification)
- Data breach response plan (24-hour processor-to-controller, 72-hour regulator notification)
- Access authorization matrix (data minimization principle)
- Periodic internal audit (every six months)
12. Cookie Policy
For detailed information about the use of cookies, please review our Cookie Policy page.
13. Changes to This Privacy Notice
This privacy notice may be updated in line with legal regulations and platform developments. For material changes you will be informed via in-app notification and/or e-mail. The updated text is effective as of its publication date.
14. Personal Data Protection Board Contact
Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu)
Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No:4, 06520 Çankaya/Ankara, Türkiye
Phone: +90 312 216 50 50
Web: www.kvkk.gov.tr
