Personal data

KVKK Clarification Text

Information about personal data processed during Vira Collective applications, payments, QR ticket generation, and door verification.

Last updated: June 2, 2026

This is a draft notice prepared to provide transparent in-app information. Before production use, controller details, retention periods, and the official request channel should be finalized by legal counsel.

Scope and data controller

This clarification text explains why and how personal data collected through the Vira Collective website and event application flow is processed. Main attendees, guests added to an order, users completing payment, and participants verified at the door are within this scope.

The production version should include the data controller's trade name, registration or tax information, registered address, and contact channel. Team members and service providers acting for Vira Collective should access personal data only when necessary for their role.

Categories of processed data

The application and payment flow may process full name, email, phone number, Instagram username, event and pass preference, billing city, billing address, ID or passport number, guest name, guest contact details, and gender preference.

Payment card details are not stored in Vira Collective systems. Card details are collected on the secure iyzico payment screen. The QR ticket does not directly store personal data; it works through a server-side verification token.

Application data: full name, contact details, social profile, and event preference.
Order data: reference number, payment status, pass type, and attendee count.
Door data: QR scan time, ticket status, and repeated scan attempts.
Technical data: IP address, user agent, transaction time, and security logs.

Purposes and legal bases

Data is processed to review invitation requests, manage event capacity, initiate secure payment, generate QR tickets, verify door entry, prevent abuse, comply with legal obligations, and respond to support requests.

Processing may rely on performance of a contract, compliance with legal obligations, establishment or protection of a right, legitimate interest, and explicit consent where required. Activities requiring explicit consent should be requested separately from this clarification text.

Transfers and service providers

Information required for payment initiation and collection is shared with iyzico. Email, PDF ticket generation, database, hosting, security monitoring, and operational support providers may also access data only within their service scope.

Door staff see only the minimum information needed for verification: attendee name, ticket code, pass information, and ticket status. Personal data is not sold for marketing or unrelated third-party advertising.

Retention, security, and deletion

Personal data is retained for the period required for application and event operations and, where necessary, for accounting, disputes, and legal obligations. When the purpose no longer exists, data is deleted, destroyed, or anonymized.

Access is role-based, QR tokens are designed not to carry direct personal data, payment card data is not stored, and sensitive operational areas are protected with authorization controls.

Data subject rights

Within the scope of KVKK, you may ask whether your personal data is processed, request information if it has been processed, ask about processing purposes and recipients, request correction of incomplete or inaccurate data, and request deletion or destruction where applicable.

The production request channel should be clearly announced. Requests are reviewed after identity verification and answered within the periods required by applicable law.