Lansarin's Privacy Policy

Last Updated: June 15, 2025

Introduction

Welcome to Lansarin’s Privacy Policy. Lansarin operates under two legal entities – one in Turkey and one in the UK – and is committed to protecting your personal data in compliance with the EU General Data Protection Regulation (GDPR) and Turkey’s Kişisel Verilerin Korunması Kanunu (KVKK, Law No. 6698). This Privacy Policy explains how we collect, use, share, and protect your personal information, and outlines your rights under GDPR and KVKK.

Who We Are: The data controllers for your personal data are:

LANSARİN ULUSLARARASI İDARİ DANIŞMANLIK VE TERCÜMANLIK TİCARET LİMİTED ŞİRKETİ (Turkey) – Registered address: Öğretmenevleri Mah. 922. Sok. No:3/15, Konyaaltı 07070 ANTALYA, Turkey. Tax ID: 6081722390. MERSİS No: 0608172239000001.

LANSARIN INTERNATIONAL LTD (United Kingdom) – Registered address: 71–75 Shelton Street, London WC2H 9JQ, UK. Company No: 16332928.

These entities are collectively referred to as “Lansarin,” operating the website lansarin.com jointly. Each entity may act as a data controller of personal data collected via our website and services, determining the purposes and means of processing. We have appointed a Data Protection Officer (DPO), Mr. Can Aleksander Danilov, who oversees our data protection compliance. If you have any questions or requests regarding your personal data, you can contact our DPO at [email protected] or by phone at +90 242 606 0004 ext. 100.

By using our website or services, you acknowledge that you have read and understood this Privacy Policy. We encourage you to read it carefully to know what personal data we collect, why we collect it, how we use and protect it, and what rights you have. We process personal data lawfully, fairly, and transparently, in accordance with the principles and requirements of GDPR and KVKK.

What Personal Data We Collect

Personal data means any information relating to an identified or identifiable natural person. Lansarin collects personal data from you through our website forms, communications, and documents you provide, as well as some data automatically through cookies when you use our site. The types of personal data we may collect include:

Identity Information: Name, surname, date of birth, and similar identifiers. We may also collect identification document details (such as passport or national ID numbers, scanned copies of passports or IDs) when you provide them for our services.

Contact Information: Telephone number, email address, postal address, and other contact details you provide via contact forms or communication with us.

Client Documents and Content: Any personal information contained in documents or files you submit to us for translation or consulting purposes. These may include sensitive details (for example, health information, financial or legal information, or other sensitive data) present in birth certificates, medical reports, contracts, IDs, passports, or other documents you send. Sensitive personal data (special category data) could include data revealing race, ethnic origin, political opinions, religion, health or sexual life, biometric identifiers, etc., and we handle such data with extra care and lawful bases as described below.

Marketing Preferences: If you engage with our marketing (e.g. signing up for newsletters or requesting updates), we may collect your name, email, phone number, preferred language, and general location (e.g. country or city) for marketing and customer relationship purposes.

Website Usage Data: When you visit lansarin.com, we automatically collect technical data such as your IP address, browser type, operating system, referring URL, and browsing behavior on our site through cookies and similar technologies. In particular, we use Google Analytics cookies to gather statistical information about site traffic and usage patterns (e.g. which pages you viewed, time spent, and interactions). This usage data may qualify as personal data (for example, IP addresses or unique IDs in cookies). We explain our use of cookies and analytics in more detail in the Cookies and Analytics section.

We collect personal data directly from you (for instance, when you fill out a contact form, request a quote, call or email us, or upload documents to our site) and automatically (through tracking technologies on our website). We do not obtain personal data from third-party sources about you, except via the tools mentioned (such as Google Analytics). We limit our collection to what is relevant and necessary for the purposes described in this Policy, in line with the principle of data minimization.

How and Why We Use Your Personal Data (Purposes of Processing)

We process your personal data only for specific, explicit, and legitimate purposes. In particular, Lansarin may use your personal information for the following purposes:

Providing Services and Responding to Requests: To communicate with you and take steps at your request prior to entering into a contract, and to perform our translation and consulting services. This includes responding to inquiries or quote requests, verifying your identity when necessary, receiving and processing the documents you submit for translation, carrying out the translations or consulting work, delivering translated documents, and managing payments or fees. We process identity, contact, and document data for these purposes in order to fulfill our contractual obligations or to take pre-contract steps at your request. For example, if you request a translation service, we will use the personal data in your documents and your contact details to perform that service and communicate with you (this is necessary for the performance of the contract with you). If you refuse to provide necessary personal data, we may be unable to provide the requested service.

Compliance with Legal Obligations: To comply with laws and regulations to which we are subject. This includes using personal data as needed for accounting, tax, and business record-keeping, issuing invoices, verifying customer identity where required by law (for instance, for certain official translation certifications), and fulfilling obligations to government authorities or law enforcement (such as responding to lawful information requests or court orders). The legal basis for such processing is the necessity for compliance with a legal obligation under GDPR Art. 6(1)(c) and KVKK Article 5(2)(ç). For example, Turkish regulations may require us to retain copies of certain documents or record identity information for specified periods, and tax laws require us to keep transaction records. We only process and share the minimum data necessary to meet our legal requirements.

Processing Special Categories of Data (Sensitive Data): If the documents or information you provide contain special category (sensitive) personal data (such as data about health, biometric data, or other sensitive information as listed in GDPR Art. 9(1) and KVKK Art. 6), we will process such data only for the specific purpose of providing the requested service and with appropriate safeguards. Our legal basis for processing sensitive data is typically your explicit consent, unless another specific exception applies (under GDPR Art. 9(2) or KVKK Art. 6). For instance, KVKK explicitly prohibits processing sensitive personal data without express consent, except in limited cases defined by law. Therefore, by voluntarily submitting sensitive information to us (for example, a medical report for translation), you are understood to be giving explicit consent for us to process that information solely for the purpose of service provision. 

In cases where other legal justifications exist (e.g. the processing is necessary for the establishment, exercise, or defense of legal claims, per GDPR Art. 9(2)(f) or KVKK 5(2)(e)), we may rely on those, but in general we will seek consent for sensitive data processing. You may withdraw consent at any time (see “Your Rights” below), and we will cease processing the sensitive data unless another lawful basis applies.

Marketing Communications (with Consent): If you opt in to our marketing mailing list or request to receive updates, we will use your provided contact information (name, email, phone) and preferences (e.g. language, region) to send you promotional materials, newsletters, industry news, or information about our services. This is done only with your consent (GDPR Art. 6(1)(a); KVKK Art. 5(1)), which you may provide, for example, by ticking a checkbox on our website forms indicating you want to receive marketing emails. You have the right to withdraw your consent at any time, and we will stop sending you marketing messages if you do so.

Withdrawing consent will not affect the lawfulness of processing done before the withdrawal. (Note: We do not engage in spam – we aim to send relevant communications occasionally, and you can unsubscribe easily via a link in our emails or by contacting us.)

Website Analytics and Service Improvement: To analyze and improve our website functionality, user experience, and the quality of our services. We use cookies and analytics tools (like Google Analytics) to collect data about how visitors use our site (e.g. which pages are most visited, what website referred them, and aggregate user demographics). We process this usage data to understand and optimize website performance and to tailor our content or services to better suit user interests. The legal basis for this processing is our legitimate interest (GDPR Art. 6(1)(f)) in monitoring and improving our services and website, provided such interests are not overridden by your data protection rights. Under both GDPR and KVKK, we must ensure that our legitimate interests do not infringe on your fundamental rights and freedoms. 

To that end, we have measures in place to minimize privacy impact (for example, we may use IP anonymization in Google Analytics and we only view aggregated trend data). Where required by law (such as under EU e-Privacy rules), we will obtain your consent for non-essential cookies before collecting analytics data. You can manage your cookie preferences as described in the Cookies section.

Maintaining Security and Preventing Misuse: To protect our business, website, and users from fraud, cyber-attacks, theft of services, or other unlawful or malicious activity. We may process personal data (like IP addresses or account information) to detect and mitigate security threats, debug and repair errors, and enforce our terms of service. This processing is based on our legitimate interests in keeping our services secure and preventing misuse, and on compliance with legal obligations relating to data security. We implement appropriate security measures as required by law to safeguard personal data.

Legal Claims and Records: To establish, exercise, or defend legal claims and to keep appropriate business records. For example, we may retain and use relevant personal data to handle potential disputes with clients, to prove the quality of our work (e.g. storing a copy of a translated document in case a question arises later), or to exercise our rights in court or other proceedings. The legal basis for processing in such cases includes the necessity for compliance with legal obligations (e.g. record retention laws) and our legitimate interests or those of third parties in legal proceedings, as well as specific provisions in GDPR (Art. 9(2)(f)) and KVKK (Art. 5(2)(e)) that allow processing when “mandatory for the establishment, exercise or protection of any right”. This means if personal data is needed as evidence or for us to pursue/defend a legal claim, we may process it for that purpose.

We will not use your personal data for any purpose that is incompatible with the original purposes described above, unless we obtain your consent or have a clear legal basis for that new purpose. We also do not engage in any form of automated decision-making, including profiling, that produces legal or similarly significant effects on you. All processing of your data is done on the basis of one or more lawful justifications as required by GDPR and KVKK – such as your consent, performance of a contract with you, compliance with a legal obligation, or our legitimate interests – and we only rely on legitimate interests where we have weighed them against your rights and found no undue impact.

We summarize our legal bases as follows: we will only process your personal data if at least one of the legal grounds under GDPR Article 6(1) or KVKK Article 5 applies (e.g. your consent, necessity for a contract with you, compliance with a law, or legitimate interests that do not override your privacy). 

For special (sensitive) data, we ensure an additional condition under GDPR Article 9 or KVKK Article 6 is met (primarily explicit consent) before processing.

Cookies and Analytics

Cookies are small text files placed on your device when you visit our website. Lansarin uses cookies and similar tracking technologies to provide and improve our services, to remember your preferences, and to analyze how our website is used. When you first visit our site, you will see a cookies notice or banner if required by your jurisdiction, allowing you to consent or manage your cookie preferences. The types of cookies we may use include:

Essential Cookies: These are necessary for our site to function properly (e.g. to remember your language selection or keep you logged in to a client portal, if applicable). They do not require consent under most laws.

Analytics Cookies: We use Google Analytics, a web analytics service provided by Google, Inc., to collect information about how visitors use our site. Google Analytics cookies gather data such as your IP address (which we may anonymize), device type, browser, and pages visited. We use these insights to compile reports and improve site functionality. The information generated by these cookies (which may be transmitted to and stored by Google on servers in the United States or the EU) helps us understand user interactions with our website on an aggregate level.

Functionality/Preference Cookies: These cookies allow our site to remember choices you make (such as language preference) and provide enhanced features.

Marketing Cookies: At present, we do not use third-party advertising cookies on lansarin.com. If this changes in the future, we will update our cookie disclosures and obtain any necessary consents.

Your Choices: You can manage or disable cookies at any time. Most web browsers allow you to refuse new cookies, delete existing cookies, or alert you when new cookies are being sent to your device. Please note that blocking certain cookies (especially essential ones) may affect your ability to use some features of our website. To opt out of Google Analytics, you can install the Google Analytics opt-out browser add-on, which prevents Google Analytics from collecting information on your visits. We process data collected via cookies in accordance with this Privacy Policy. Where consent is required (e.g. for analytics cookies under EU law), we will only use those cookies if you have given consent via the cookie banner or settings on our site. You can withdraw cookie consent by adjusting your settings on our site or clearing your cookies.

How We Share Your Personal Data

Lansarin does not sell or rent your personal data to third parties. However, in the course of running our business and providing our services, we may need to share some of your personal data with certain third parties. We disclose personal data only to the extent necessary and with appropriate safeguards. The categories of recipients include:

Within Lansarin: Your personal data may be shared between our two corporate entities (the Turkish company and the UK company) and internally among departments and staff who need the information to perform their duties. For example, a project initiated via our UK office may be fulfilled in coordination with our team in Turkey, so your information could be accessed by authorized personnel in both locations. All Lansarin employees and members are bound by confidentiality obligations and trained on data protection. Only authorized company personnel (employees or contractors working under strict confidentiality) have access to client files and personal data you provide. We enforce internal security and privacy policies to prevent unauthorized access or use.

Service Providers (“Processors”): We utilize trusted third-party service providers to support our operations, who may process personal data on our behalf and under our instructions. These include:

Customer Relationship Management (CRM) and Business Management Tools: We may store client contact details, inquiries, and project information in a cloud-based CRM system to organize our client communications and workflow. (For example, we might use a secure CRM software to keep track of your requests and our interactions.)

Email and Communication Services: We rely on third-party email service providers and marketing email platforms to send communications. For instance, if you subscribe to our newsletter, your name and email may be stored in an email delivery service (such as MailChimp, SendGrid, or similar) to facilitate sending bulk emails. We also use standard email servers (such as Gmail/Outlook) for day-to-day correspondence with clients.

Cloud Storage and IT Infrastructure: We may use cloud storage platforms or project management tools (potentially hosted outside of our company) to store or collaborate on translation documents and files. These platforms might host data on servers in various countries (see “International Transfers” below), but we only use reputable providers with strong security measures.

Analytics Tools: As noted, we use Google Analytics which involves sending pseudonymous usage data to Google. Google acts as a data processor for us in providing aggregated analytics.

These third-party providers are bound by contracts (Data Processing Agreements) to process personal data only for our purposes and following our instructions, and to protect it with appropriate security measures. They cannot use your data for their own unrelated purposes. 

We only share data that is necessary for the services they provide. For example, our CRM will store your contact info and inquiry details, but not irrelevant data; our email provider will have your email address to send messages, but cannot spam you beyond our communications; our cloud storage contains your files which are protected by encryption and access controls.

Business Partners (Joint Controllers): In general, Lansarin itself handles your projects internally. We do not routinely share personal data with independent partner companies except our own affiliates. If in some cases we partner with another firm or subcontract a task (for example, collaborate with a specialized translator or consultant for a particular project), we will ensure that they are either working under our direction as a processor or are themselves compliant with GDPR/KVKK as a controller for the portion of data shared. In any event, such sharing would be made clear to you and done only if necessary to fulfill your requested service.

Authorities and Legal Requirements: We may disclose personal information to government authorities, regulators, law enforcement, courts, or other third parties if required to do so by law or legal process. For instance, if a court order or administrative demand compels us to provide data, or if we must report certain transactions under anti-fraud or money laundering rules, we will comply to the extent the law requires. We may also disclose data if necessary to establish or defend our legal rights or to protect vital interests of individuals (e.g. in an emergency). We will endeavor to notify you of such requests when permissible.

Professional Advisors: On occasion, we might share information with our professional advisors (lawyers, accountants, auditors) on a need-to-know basis, ensuring they also have a duty to keep it confidential. For example, our accountant may see client names on invoices for financial reporting, or our legal counsel might review a contract including personal data if a dispute arises. This is under the umbrella of legitimate interests and legal obligation (ensuring our business complies with the law and can defend its rights).

Corporate Transactions: If in the future Lansarin undergoes a business transition such as a merger, acquisition, or asset sale, personal data might be transferred to the new owner or partner as part of that deal, under the condition that equivalent privacy protections will be maintained. If such a situation occurs, we will inform data subjects as required by law.

We do not share personal data with any third parties for marketing purposes unless we have your consent to do so. We also do not engage in any profiling with third-party data. All third-party disclosures are made in accordance with the “need to know” principle and relevant legal requirements. This means we inform you of who your data is shared with and why, and ensure that any such sharing is transparent and lawful. If you have questions about specific third parties who may handle your data, feel free to contact us for more information.

International Data Transfers

Because Lansarin operates in both Turkey and the United Kingdom – and uses certain cloud services that may be hosted in other countries – your personal data may be transferred to or accessed from countries outside of your own. Different countries have different data protection laws, and we are committed to ensuring that adequate protections are in place for international transfers as required by GDPR and KVKK.

Transfers between the EU/UK and Turkey: Personal data that we collect may be stored or processed on servers located in Turkey, the United Kingdom, or other countries where our service providers are situated. If you are located in the European Economic Area (EEA), note that the UK is considered a third country under EU GDPR since Brexit. However, the European Commission has issued an adequacy decision for the UK, confirming that the UK offers data protection standards essentially equivalent to the EU. This means personal data can flow freely from the EEA to the UK without additional safeguards at least until the adequacy decision is reviewed.

Therefore, transfers of personal data from EU-based users to our UK entity are permitted just as if within the EU. For transfers of personal data from the EEA/UK to Turkey (or any other country outside the EEA that has not been deemed “adequate” by the European Commission), we take steps to comply with GDPR Chapter V requirements. In practice, this means we will employ appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) with the data importer, binding them to EU privacy standards. 

These SCCs are legal contracts that ensure your data enjoys protection even after being transferred abroad. We will also assess on a case-by-case basis whether supplementary measures are needed (for example, encryption in transit and at rest) to protect data in the destination country. In certain cases, if a transfer is necessary and no other safeguards are available, we may rely on your explicit consent for that specific transfer (GDPR Art. 49(1)(a)), after informing you of possible risks.

Transfers from Turkey (KVKK compliance): Turkish law (KVKK) has stringent rules for transferring personal data abroad. KVKK Article 9 stipulates that personal data cannot be sent outside Turkey without the data subject’s explicit consent unless specific conditions are met. Those conditions include that the foreign country has sufficient protection as determined by the Turkish Data Protection Board, or that the Turkish controller and foreign recipient provide written guarantees of adequate protection and obtain the Board’s approval. (As of now, Turkey has not officially announced a list of countries deemed to have sufficient protection, so in practice data exports from Turkey typically require explicit consent or a special permit.) Lansarin ensures compliance with these requirements. This means: if we need to transfer personal data collected in Turkey to another country (for example, to our UK office or to a cloud server in the EU or US), we will obtain your explicit consent for the transfer unless we can rely on an exception under KVKK (such as the transfer being necessary for performance of a contract with you, and we have appropriate safeguards in place).

By providing your information to us and engaging our services, Turkish data subjects may be asked to give a clear consent statement for overseas transfer when required. We have internal agreements between our Turkey and UK entities to protect personal data, and we apply security measures universally.

Service Providers in Other Countries: Some of our third-party processors (e.g. email or cloud services) might store data on servers located in the United States or other jurisdictions. For example, Google Analytics data may be processed on Google’s global servers (which could include the U.S.). When we transfer personal data from the EU/UK to a provider in a country without an adequacy decision (like the US), we will have an SCC or equivalent legal mechanism in place, and if transferring from Turkey, we will obtain consent or Board approval as needed. We monitor developments in international data transfer regulations (such as the new EU-US Data Privacy Framework, UK international data transfer agreement, etc.) and will adapt our practices accordingly to remain compliant.

Despite the international transfers, we want to reassure you that your data will always be protected to a high standard. We contractually require recipients of the data to safeguard it in line with GDPR/KVKK requirements, and we will not transfer personal data to any organization or country unless we are satisfied that there are adequate controls in place including the security of your data and your rights. If you have questions about cross-border data or want more details about our transfer safeguards (for example, a copy of the contractual clauses we use), please contact us.

Data Retention – How Long We Keep Your Data

We retain personal data for no longer than is necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. In compliance with the storage limitation principle, once the relevant purpose is achieved or no longer applicable, we will either securely delete, destroy, or anonymize your personal data. We have internal policies defining retention periods for different categories of data. In general:

Enquiry Data: If you contact us with an inquiry or request a quote but do not ultimately use our services, we will retain your contact details and communications for a limited period (approximately one year) in case you decide to proceed, or for our own administrative follow-up. After that, we will delete or anonymize those communications unless we have another legitimate reason to keep them (for instance, if needed for legal purposes).

Client Data (Contracts and Projects): If you become a client, we will retain your personal data for the duration of our business relationship and thereafter as necessary to comply with legal obligations or for our legitimate interests. For example, transaction records, invoices, and associated identity/contact information must be kept for a certain number of years under tax and accounting laws (in Turkey, financial records are typically kept for 10 years). Likewise, we may keep copies of translated documents or consulting deliverables (which may contain personal data) in our archives for a reasonable period (e.g. up to 5–10 years) to support warranty, quality assurance, or future reference requests. This helps if you need a document re-issued or if a question arises about the translation. All such retained files will be stored securely and access limited.

Identity Documents: Copies of passports, IDs, or similar documents provided for verification are generally used only as needed (for example, confirming the spelling of names in a translation). We do not intend to keep physical or digital copies of identity documents longer than necessary. Typically, these would be deleted once the project is completed, unless required to be retained for compliance reasons (e.g. attached to a sworn translation record) or with your consent for future use.

Marketing Data: If you have consented to receive marketing communications, we will retain your contact information until you unsubscribe or withdraw your consent. If we notice that our emails to you have consistently gone unopened or you otherwise show no engagement over an extended time (generally 1–2 years), we may remove you from our mailing list as part of good data hygiene. We aim not to keep marketing data indefinitely without interaction. You can unsubscribe at any time, and we will promptly honor such requests.

Website Logs and Analytics: Raw web server logs (which include IP addresses) are typically retained for a short period (a few months) for security monitoring and then deleted. Google Analytics data is retained for a defined retention period in Google’s systems (for instance, 14 months) after which it is automatically deleted or aggregated. We only view aggregated analytics and do not maintain user-level browsing profiles beyond these technical logs.

Legal Retention and Deletion: In all cases, if you exercise your right to erasure (right to be forgotten) and no exemption applies, we will delete the relevant data. If data is needed for a legal claim or must be kept by law, we will retain it for that purpose alone and not use it for anything else. Turkish KVKK explicitly requires that personal data be destroyed or anonymized when the reason for processing ceases, and we adhere to that rule. We have a schedule to periodically review the data we hold and erase records that are no longer needed.

After the expiration of the applicable retention period, we will securely destroy or anonymize your personal data. For physical documents, this may involve shredding or incineration; for electronic data, we use secure deletion methods. Anonymized data (which can no longer be associated with you) may be retained for statistical purposes without further notice to you, since it ceases to be personal data.

Example: Suppose you provided us with documents for translation in a certain year. We might retain the translation files and your project details for, say, 5 years to accommodate any follow-up needs. After 5 years, absent any active need or legal requirement, we would delete those files from our archive. Meanwhile, the invoice for that project containing your name and amount might be kept for 10 years in our financial records (per legal requirement) before being purged.

If you have any specific questions about our retention practices for different types of data, please contact us. We can also honor requests to delete data sooner in certain cases, provided we have no legal obligation to keep it.

How We Protect Your Personal Data (Security)

Lansarin takes the security and confidentiality of your personal data seriously. We implement appropriate technical and organizational measures to protect personal information against unauthorized access, loss, alteration, or disclosure. These measures include, but are not limited to:

Technical Safeguards: We use encryption protocols and secure connections (HTTPS/TLS) for our website and online forms to prevent interception of data in transit. Data stored electronically is protected by firewalls, antivirus and anti-malware tools, and access control mechanisms (password protection, two-factor authentication for administrative access, etc.). We regularly update our software and systems to patch vulnerabilities. Where possible, personal data (especially sensitive documents) are encrypted at rest. We maintain secure backup routines and have disaster recovery plans to prevent data loss.

Organizational Measures: Access to personal data is restricted on a need-to-know basis. Only authorized Lansarin personnel and trusted service providers (bound by contracts) can access your data. Staff members are trained on data protection principles and confidentiality obligations; they understand that disclosing personal data is in violation of this Policy or the law. We have internal policies to handle data securely, including guidelines for using and sharing client files, and procedures for handling any suspected security incidents.

Physical Security: Our offices in Turkey and the UK are secured to prevent unauthorized physical access to systems that store personal data. Documents in paper form are kept in locked cabinets with controlled access. If we print any sensitive document (e.g., for translation work), we ensure it’s secured and shredded after use if not returned to the client.

Third-Party Assurance: When we use third-party processors (such as cloud services), we choose providers that demonstrate strong security practices and certifications (for example, ISO 27001 for information security or SOC 2 compliance). We ensure through contracts that they must also protect your data and notify us of any breaches.

Data Breach Response: Despite all precautions, no system is 100% secure. We have a data breach response plan in place. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the competent authorities (e.g., the KVKK Board in Turkey, and/or the ICO in the UK/EU as applicable) without undue delay and within statutory timeframes. If the breach is likely to result in a high risk to you (such as identity theft or fraud), we will also inform you promptly with the relevant details and guidance on protection, as required by law.

We continually review and update our security measures in line with technological advancements and emerging threats. However, you should also take care in how you transmit information to us. We encourage you to use the secure upload forms on our website for sending documents rather than unencrypted email, when possible. If you suspect any unauthorized access or have concerns about the security of your data with us, please notify us immediately.

Your Rights Under GDPR and KVKK (Data Subject Rights)

You have robust rights regarding your personal data. Lansarin is committed to respecting these rights and enabling you to exercise them. Your rights under GDPR (for EU/UK individuals) and under KVKK (for individuals in Turkey) are largely similar. They include the right to be informed about how your data is processed (fulfilled by this Privacy Policy), as well as the following:

Right of Access: You can request confirmation of whether we are processing personal data about you, and if so, request a copy of that personal data (commonly known as a data subject access request). We will also provide information about the processing such as the purposes, the categories of data, the recipients, and any available information about the data’s source if not collected from you.

Right to Rectification: If any of your personal data that we hold is inaccurate or incomplete, you have the right to have it corrected or completed without undue delay. For example, if your name or contact info has changed or there’s a typo in our records, please let us know and we will update it.

Right to Erasure: You have the right to request deletion of your personal data in certain circumstances (also known as the “right to be forgotten”). For instance, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent (where consent was the basis) and there is no other legal ground, or if you object to processing and we have no overriding legitimate grounds, or if the data was processed unlawfully, you can ask us to erase it. We will honor such requests to the extent required by law. Keep in mind, there are exceptions – we might retain some data if needed for compliance with a legal obligation or for the establishment or defense of legal claims.

Right to Restrict Processing: In certain scenarios, you can ask us to limit the processing of your data (i.e., keep it but not use it). This can apply if you contest the data’s accuracy (until verified), or if processing is unlawful and you prefer restriction over deletion, or if we no longer need the data but you need it for legal claims, or if you have objected to processing (pending verification of overriding grounds). When processing is restricted, we will mark the data and only process it for specific reasons (with your consent or for legal claims, etc.).

Right to Data Portability: For data you provided to us and which we process by automated means under your consent or a contract, you have the right to request a copy in a structured, commonly used, machine-readable format (for example, CSV or JSON) so that you can reuse it or transmit it to another controller. Where technically feasible, you can also request that we send this data directly to another organization at your direction. This right facilitates moving your data between services.

Right to Object: You have the right to object to our processing of your personal data at any time if the processing is based on our legitimate interests (or those of a third party) and you have a particular situation that you believe warrants stopping the processing. If you object, we will assess whether our legitimate grounds override your rights; if not, we will cease the processing. Importantly, you have an absolute right to object to processing of your data for direct marketing purposes at any time – if you object, we will stop using your data for marketing immediately, with no exceptions. Additionally, under KVKK, you may object to decisions made solely by automated means if those decisions produce legal or significant effects on you.

Right to Withdraw Consent: If we rely on your consent for any processing (for example, for marketing or processing sensitive data), you have the right to withdraw that consent at any moment. Once you withdraw consent, we will stop the processing that was based on consent. Withdrawal does not affect the lawfulness of processing done before the withdrawal.

Right to Information and to Know Recipients: You have the right to be informed of the identities of third parties (or categories of third parties) to whom your personal data has been disclosed, both domestically and internationally. We strive to provide that information within this Policy (see “How We Share Your Data”). You can request more details on data transfers and recipients specific to your data if needed.

Right to Complain and Seek Redress: If you believe we have violated your data protection rights or KVKK/GDPR requirements, you have the right to lodge a complaint with the relevant supervisory authority. For EU or UK individuals, this would be your country’s Data Protection Authority (for example, the UK’s Information Commissioner’s Office (ICO) or your EU member state’s DPA). For Turkey, it is the Kişisel Verileri Koruma Kurumu (KVKK Authority). We would appreciate the chance to address your concerns first, but you are free to contact these authorities directly. Additionally, under KVKK Article 11 and GDPR Article 79, you have the right to judicial remedy – meaning you can take legal action or seek compensation for damages if you suffered material or non-material harm due to unlawful processing of your data.

These rights are subject to certain legal conditions and exceptions. For example, we might not be able to fully erase data that we must keep by law, or we might decline a request if it jeopardizes others’ rights or is manifestly unfounded or excessive (in which case we would inform you of the reason). However, we aim to be as accommodating as possible. Exercising your rights is free of charge in most cases. We may only charge a reasonable fee or refuse to act on requests that are repetitive, excessive, or obviously unfounded, as allowed by GDPR.

Exercising Your Rights and Contacting Us

We are here to help with any privacy-related requests or questions. To exercise your rights outlined above or to contact us about any data protection matter, please use the following contact details:

Email: You can email our Data Protection Officer at [email protected]. Please detail your request (for example, “I would like a copy of my personal data you hold” or “Please correct/update X information” or “I withdraw consent for marketing”). For your security, we might need to verify your identity sufficiently (especially for access or deletion requests) – for example, by asking you to write from the email address we have on file, or to provide a piece of information we have in our records – to ensure we do not release data to the wrong person.

Physical Mail: You may also send a written request to our Turkish office address: Lansarin Ltd., Öğretmenevleri Mah. 922. Sok. No:3/15, Konyaaltı 07070 Antalya, Turkey (Attention: Data Protection Officer). If you are in Turkey, you can submit requests in Turkish. We accept requests in English or Turkish.

Telephone: For general questions, you may call +90 242 606 0004 ext. 100 to reach our DPO. Note, however, that for certain rights (like obtaining a copy of your data or deletion), we will likely ask for a written request to maintain a clear record of your instructions.

We will respond to your request as soon as possible and no later than 30 days after receipt, as required by law. If your request is complex or if we have received many requests, we may inform you that we need an extension (up to an additional 60 days under GDPR) to respond, explaining the reasons. In Turkey, KVKK also mandates a maximum of 30 days to respond to you. We will provide our answer in writing, either via email or postal mail, depending on how you contacted us or your preference. If we decline to take action on your request (which is rare), we will explain our justification and inform you of how you can object to our decision (including via the relevant Data Protection Authority).

For Turkish data subjects: To facilitate your application, you may refer to the “Veri Sorumlusuna Başvuru Usul ve Esasları Hakkında Tebliğ”. While it’s not required to cite law articles in your application, specifying that you are making a request under KVKK and clearly indicating which rights you wish to exercise (by referencing Article 11 rights, for example) will help us process it efficiently.

We do not charge for requests; however, if a request leads to additional costs (for example, requiring mailing of physical copies), we might charge the amount allowed by the Personal Data Protection Board’s tariff (KVKK allows charging a fee for exceeding a certain number of pages or copies), but we will inform you in advance. Currently, typical requests via email are free.

We kindly ask that you keep your information with us up-to-date. If anything changes (like you get a new email address or phone number), please let us know so we can correct our records – this ensures you can exercise your rights and we can reach you if needed.

Third-Party Links

Our website may contain links to third-party websites or resources (for example, social media pages or references to partner organizations). This Privacy Policy does not cover those external sites. If you follow links to other websites, please be aware that they have their own privacy policies and that we do not accept responsibility or liability for their content or practices. Nonetheless, we seek to only link to reputable sites. We encourage you to read the privacy notices of any external sites you visit.

Updates to This Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, ensure compliance with legal requirements, or for other operational, legal, or regulatory reasons. If we make significant changes, we will notify you by an appropriate means – for example, by posting a prominent notice on our website (or, if appropriate, via email notification). The “last updated” date at the bottom of this Policy will indicate when the latest changes were made. Your continued use of our website or services after the effective date of an updated Privacy Policy constitutes your acknowledgment of the changes. We encourage you to periodically review this page for the latest information on our privacy practices.

If you have any questions or comments about this Privacy Policy or how Lansarin handles your personal data, please do not hesitate to contact us using the contact information provided above. We value your trust and are dedicated to protecting your personal data while providing you with quality translation and consulting services.