Oris Invoiceby ORIS Intelligence
Start free
🇹🇷 Türkiye home
Türkiye · TR

Privacy Policy

How we collect, use, store, and share personal information when you use Oris Invoice. Aligned with the local data-protection regime listed below.

Aligned with: KVKK Law No. 6698·Effective: April 29, 2026

Not legal advice. This page is a templated baseline aligned with KVKK Law No. 6698. It does not constitute independent legal advice and has not been reviewed by counsel for your specific circumstances. For questions or to request the executed PDF version, email legal@orisinvoice.com.

1. Who we are

Oris Invoice is operated by ORIS Intelligence Pvt Ltd ("we", "us", or "Oris"). For users resident in Türkiye, this Privacy Policy is governed by KVKK (Kişisel Verilerin Korunması Kanunu, Law No. 6698) and the rulings of the KVKK Kurulu (Personal Data Protection Authority). We register as a controller in VERBİS where the threshold is met.

2. What personal data we collect

We collect: account identifiers (ad, soyad, e-posta, telefon), tax registration data (VKN, TCKN, Vergi Dairesi, Ticaret Sicili), invoice and customer master data, payment metadata, and standard system telemetry. We do not collect special-category data (KVKK Art. 6) unless you upload it.

3. Lawful basis and purpose

We process personal data on the basis of (a) KVKK Art. 5(2)(c) — contract performance; (b) KVKK Art. 5(2)(a) — express consent for non-essential analytics; (c) KVKK Art. 5(2)(ç) — legal obligation under VUK and KVK; (d) KVKK Art. 5(2)(f) — legitimate interest in security.

4. Sub-processors and international transfers

Vetted list available on request. For Turkish residents, primary data hosting is in eu-central-1 (Frankfurt) or eu-west-2 (London). Cross-border transfers comply with KVKK Art. 9 — Kurul-approved standard contracts (Taahhütname / Standart Sözleşme) where adequacy decisions are not available.

5. Retention

Account and invoice data retained for the longer of (a) subscription duration plus 30 days, or (b) 5-year statutory retention under VUK Art. 253 (10 years for some categories). Audit logs retained on INSERT-only basis. Backups retained 35 days.

6. Your rights (KVKK Art. 11)

Under KVKK Art. 11 you may request access, correction, deletion (where statutory retention does not preempt), notification of corrections to third parties, objection, and damages for unlawful processing. Submit to privacy@orisinvoice.com — we respond within 30 days. Complaints can be filed with KVKK Kurulu.

7. Security

AES-256-GCM at rest. Sensitive fields (TCKN, banka hesabı, KDV/VKN) individually encrypted at the column level with KMS-managed keys. PostgreSQL Row-Level Security keyed on org context. SOC 2 Type II + ISO 27001-aligned ISMS, plus KVKK Art. 12 technical-organizational measures.

8. Cookies and analytics

Essential cookies for authentication only. Optional analytics cookies disabled by default; require consent. No cross-site tracking pixels; no sale of user data.

9. Children's data

Oris is a B2B service not directed at individuals under 18 (KVKK + Türk Medeni Kanunu). We do not knowingly collect personal data from children.

10. Contact and updates

Privacy: privacy@orisinvoice.com. DPO / VERBİS irtibat kişisi: dpo@orisinvoice.com. Material changes posted 30 days before effective.