KVKK Disclosure Notice (Personal Data Protection Notice)

> Prepared in accordance with Article 10 of Turkish Law No. 6698 on the Protection of Personal Data (KVKK).
> Effective date: 30 April 2026 · Version: 1.0

1. Identity of the Data Controller

In accordance with KVKK Article 3/1-(ı), the addressee of this notice in the capacity of data controller is Biyogaz Akademisi. Contact details are as follows:

  • Legal entity: Biyogaz Akademisi (Biogas Academy)
  • Email (KVKK requests): kvkk@biyogazakademisi.com
  • General contact: info@biyogazakademisi.com
  • Address: Istanbul, Türkiye
  • Web address: https://biyogazakademisi.com

2. Categories of Personal Data Processed

The following categories of personal data are collected and processed on the Biyogaz Akademisi platform:

Identity and contact data:

  • First name, last name, email address
  • Username and account identifier
  • Password (only as bcrypt hash; plaintext is never stored)

Transaction and session data:

  • Session cookie (PHP session ID, mandatory for session management)
  • Language preference cookie (TR/EN choice)
  • Cookie consent state (stored in localStorage only, not transmitted to server)
  • Login timestamp, last login IP address

Connection and device data:

  • IP address (in the request_log table and ip_geolocation cache)
  • Geographic location (country/region level via IP; no precise address detection)
  • Browser type and version, operating system, device type (derived from User-Agent header)
  • Autonomous System Number (ASN) and internet service provider

User content data:

  • Comments you write and comment votes
  • Articles you bookmark
  • Profile information (biography, affiliation, ORCID, photo — for users with author role only)

Activity data:

  • Article view records (article_view_log; bot traffic is filtered, IP is hashed and deduplicated within 30 minutes)
  • Article download log (timestamps of PDF/Word downloads)
  • Newsletter subscription state, confirmation token, unsubscribe token

Security data:

  • Two-factor authentication (TOTP) encrypted secret — stored only upon explicit user request
  • Password reset token (15 minutes validity, single use)
  • Failed login attempt counter (for rate limiting)

3. Purposes of Processing

The above personal data is processed for the following purposes:

  • Account creation and management: Registration, login, profile update, password management
  • Content delivery: Article publication, comment system, bookmark management, language preference
  • Newsletter delivery: Subscription with explicit consent, double opt-in confirmation, unsubscribe
  • Site security: Brute-force attack prevention (rate limit), session security, two-factor authentication
  • Compliance with legal obligations: Provision of log records upon authorized authority requests
  • Content quality measurement: Anonymous aggregate statistics (page views, article downloads)
  • Community moderation: Comment review, spam and malicious content filtering
  • Editorial team communication: Author applications and approval process

Personal data is not processed for marketing purposes. The site does not use third-party advertising networks; no advertising cookies are placed.

4. Legal Bases

In accordance with KVKK Articles 5 and 6, processing activities are based on one or more of the following legal grounds:

| Processing Activity | Legal Basis |
|---|---|
| Account creation, login, profile management | Performance of contract (Art. 5/2-(c)) |
| Password security, session management | Legitimate interest of data controller (Art. 5/2-(f)) |
| Newsletter subscription and delivery | Explicit consent (Art. 5/1) |
| Comment publication, bookmarks | Performance of contract (Art. 5/2-(c)) |
| Brute-force protection, log keeping | Legitimate interest (Art. 5/2-(f)) and legal obligation (Art. 5/2-(a)) |
| Two-factor authentication (TOTP) | Explicit consent (Art. 5/1, opt-in by user) |
| IP geolocation (country level) | Legitimate interest — site security and geographic content distribution analysis (Art. 5/2-(f)) |

5. Data Collection Methods

Personal data is collected through the following methods:

  • Data entered directly by the user: Registration form, login form, profile update, comment submission, newsletter signup form
  • Automatic technical data: HTTP headers (IP, User-Agent, Referer), session cookies, language preference cookie
  • Through third-party services: Only the ipinfo.io service is used for IP-based country/ASN detection; only the IP address is sent to this service, and no user identity information is shared

The site does not use third-party tracking tools such as Google Analytics, Facebook Pixel, or Hotjar. Typography (Source Serif 4, Inter Tight) is self-hosted; no Google Fonts CDN calls are made.

6. Transfer of Personal Data

Within the scope of KVKK Articles 8 and 9, your personal data is not transferred to third parties. Only the following exceptions apply:

  • Authorized public institutions: When meeting lawful requests from judicial authorities or the KVKK Board
  • Service provider (ipinfo.io): Only the IP address is shared for IP-geolocation mapping, under a data processor agreement with ipinfo Inc. (USA-based)
  • Transfer abroad: No transfer abroad apart from the single exception above

7. Retention Periods

Personal data is deleted, destroyed, or anonymized when the processing purpose ceases to exist or when the legal retention period expires:

| Data Category | Retention Period |
|---|---|
| Account data (email, name, profile) | While account is active + 3 years (for legal limitation) |
| Password hash | Updated immediately upon password change; old hash not retained |
| Session cookie | When browser closes or 7 days later (long session) |
| Comments | While account is active + while article remains in archive |
| IP address (request_log) | 12 months |
| IP geolocation cache | 90 days (anonymous, no link to user) |
| Article view log | 24 months (with hashed IP) |
| Newsletter subscription data | Until unsubscription date + 6 months (for legal evidence) |
| Password reset token | 15 minutes (auto-deleted if unused) |
| Failed login counter | 24 hours |
| 2FA secret key | Until user disables 2FA |

8. KVKK Article 11 — Data Subject Rights

Pursuant to Article 11 of the Law, you have the following rights as a user:

  1. To learn whether your personal data is being processed
  2. To request information regarding the processing, if your data has been processed
  3. To learn the purpose of processing and whether the data is used in accordance with the purpose
  4. To learn the third parties to whom data is transferred at home or abroad
  5. To request correction in case of incomplete or incorrect processing
  6. To request deletion or destruction of data within the framework of legal conditions
  7. To request that the correction, deletion, or destruction be notified to third parties to whom the data is transferred
  8. To object to results that arise to your detriment from analysis of processed data exclusively through automated systems
  9. To request compensation for damages in case of unlawful processing of data

9. Application Methods

To exercise the above rights, you may apply through one of the following methods:

  • By email: Send your request to kvkk@biyogazakademisi.com along with documents establishing your identity
  • In writing: By registered mail to: Biyogaz Akademisi · KVKK Application · Istanbul, Türkiye
  • Via account: After login, via Dashboard → Account Settings → Data Request (coming soon)

In accordance with the Communiqué on Procedures and Principles for Application to the Data Controller, your applications will be answered within 30 days at the latest. In case of rejection of your application, finding the response insufficient, or no response within the period, you have the right to file a complaint with the Personal Data Protection Board.

10. Security Measures

In the capacity of data controller, the following technical and administrative measures are taken:

  • Password security: Hashing with bcrypt cost 12; plaintext is never stored
  • Session security: HttpOnly + Secure cookies, CSRF token protection
  • Two-factor authentication (TOTP): Available to all accounts, RFC 6238 compliant
  • Brute-force protection: Temporary lock after 5 failed login attempts in 15 minutes
  • Data backup: Daily automatic backup, 30 days retention
  • Network security: All traffic over HTTPS (TLS 1.2+), HSTS header active
  • Data minimization: Only data necessary for the processing purpose is collected

11. Cookie Policy

The site uses the following cookie categories:

  • Essential cookies (no consent required): Session cookie (PHP session), CSRF token, language preference
  • Functional cookies (no consent required): Cookie consent state (kept only in localStorage)
  • Analytics or marketing cookies: Not placed

Your cookie preference appears at the bottom of the site page; even with the "Reject" choice, only essential cookies remain active.

12. Updates

This Disclosure Notice may be updated based on changes in data processing operations. Significant changes will be communicated to registered users via email. The current version is always published on this page.
