Back to home

Privacy Policy

ROUTINE AI CLARIFICATION TEXT ON THE PERSONAL DATA PROCESSING AND PRIVACY POLICY

As Eylul Erbil (Routine AI), in my capacity as the data controller, I have prepared this consolidated and legally reinforced text in order to fulfill our obligation to clarify pursuant to Article 10 of the Law No. 6698 on the Protection of Personal Data. We base our policy on the principle stated in the (KVKK Board Decision No. 2020/404 dated 20.05.2020) which establishes that “The obligation to clarify is an obligation that must be fulfilled independently of cases where explicit consent is obtained and other personal data processing conditions in the Law”. In line with our principle of transparency, all our clarification and privacy processes have been gathered into a single and understandable text, taking into account the finding in the (KVKK Board Decision No. 2023/1645 dated 28.09.2023) that “the presentation of three different texts creates a complex situation for the data subjects”.

This text has been drafted in a clear and transparent language to avoid unlawful situations, as highlighted in the (KVKK Board Decision No. 2023/134 dated 10.02.2022), such as “content not being presented to users in an easily understandable manner and the possibility of users accepting terms of use without fully understanding them”. Pursuant to the rule in the (KVKK Board Decision No. 2018/90 dated 26.07.2018) that “The fulfillment of the obligation to clarify by the data controller is not subject to any consent”, this text is for information purposes only.

  1. Identity of the Data Controller

Regarding your personal data collected through the Routine AI application, the “data controller” is Eylul Erbil (Routine AI). We are aware of our identity and obligations as the data controller even in cases where “the electronic system in which records obtained from candidates in an electronic environment are kept belongs to a company abroad”, pursuant to the (KVKK Board Decision No. 2021/799 dated 12.08.2021).

  1. Processed Personal Data, Purposes of Processing and Legal Grounds

Pursuant to the (KVKK Board Decision No. 2023/134 dated 01.03.2023), your data is processed by strictly adhering to the principles of “processing for specific, explicit and legitimate purposes” and “being relevant, limited and proportionate to the purposes for which they are processed”. In accordance with the rule highlighted in the (KVKK Board Decision No. 2021/389 dated 20.04.2021), which states “As regulated in paragraph (h) of the first paragraph of Article 5 of the Communiqué, the “legal ground” mentioned in paragraph (ç) of the first paragraph of Article 10 of the Law refers to which of the processing conditions specified in Articles 5 and 6 of the Law the personal data is based on within the scope of the obligation to clarify”, our legal grounds are clearly stated below. Our text never includes vague expressions such as “(...) including but not limited to the personal data listed (...)” (KVKK Board Decision No. 2020/404 dated 20.05.2020).

A. Identity, Contact and Usage Data

Your name, e-mail address, age, profile photo and in-app usage data are processed based on the legal ground of the necessity for the establishment and performance of a contract pursuant to Article 5/2-c of Law No. 6698, for the purposes of creating your user account and performing the service.

B. Private Personal Data (Health Data)

Your pregnancy status, medication use and skin conditions are collected to provide you with the most suitable skin care routine. Pursuant to the (KVKK Board Decision No. 2018/143 dated 05.12.2018), it is accepted that “health data of individuals are private personal data” and the act of “processing private personal data without the explicit consent of the data subject” is prohibited. As stated in the (Constitutional Court, B. 2019/20473 dated 3/2/2022) decision, with the awareness that health details “have the nature of personal data” and that “it is prohibited to process health details, which are considered within the scope of private personal data in Article 6 of Law No. 6698, without the explicit consent of the individual”, your data is processed only with your independent explicit consent. Pursuant to the (Council of State, 8th Chamber, E. 2016/3316, K. 2020/280 dated 28.01.2020) decision, the rule is applied that “in accordance with the principle of narrow interpretation of exception-containing provisions, information regarding the health data of persons, whose processing conditions are included in Law No. 6698 itself, can only be processed in case of the explicit consent of the person”.

C. Biometric Data (Facial Photos)

Your facial photos uploaded to our application are analyzed by artificial intelligence. In accordance with the rule referred to in the (KVKK Board Decision No. 2020/915 dated 01.12.2020) that “biometric data is defined in the GDPR as 'personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data'," these photos are considered biometric data. Pursuant to the (Constitutional Court, B. 2018/11988 dated 10/3/2022) decision, “In Article 6 of Law No. 6698... biometric data is also accepted as private personal data. Biometric data has been accepted as private personal data due to its importance, as it contains biological or behavioral information belonging to the person that allows the separation of a person from other individuals and the identification of the person’s identity itself. It is clear that fingerprints also contain physiological information that belongs only to that person and serves to directly identify the person’s identity, and in this context, they are biometric data.”. Facial data is also subject to strict protection within this scope.

As stated in the (Regional Administrative Court of Istanbul, 3rd Administrative Law Chamber, E. 2018/105, K. 2018/186 dated 14.02.2018) decision, the principle that “IT IS PROHIBITED TO PROCESS private personal data without the explicit consent of the data subject” and “it is stipulated that personal data can only be processed in 'cases provided for in the law' or with the 'explicit consent of the person'," is fundamental. For this reason, your facial photos are processed only with your explicit consent. Based on the necessity of “the principle of proportionality in the processing of personal data, establishing a reasonable balance between the data processing activity and the intended purpose” pursuant to the (KVKK Board Decision No. 2020/167 dated 27.02.2020), uploading a photo is not mandatory. As specified in the (KVKK Board Decision No. 2021/389 dated 20.04.2021), the rule that “the provision of any product and/or service (or benefiting from any product and/or service) shall not be made conditional upon the giving of explicit consent by the data subject” is strictly followed.

  1. Transfer of Personal Data Abroad

Our database servers are located within the borders of Germany, and your skin analyses are performed through artificial intelligence models residing abroad. We act in accordance with the rule stated in the (KVKK Board Decision No. 2020/404 dated 20.05.2020) that “the use of services whose servers are located abroad constitutes a transfer of personal data abroad and action must be taken in accordance with Article 9 of the Law”.

Considering the provision highlighted in the (KVKK Board Decision No. 2022/249 dated 17.03.2022) that “personal data cannot be transferred abroad without the explicit consent of the data subject” and the situation in our concrete case that “there is no undertaking application approved by the Board”, our transfer activity is based solely on your explicit consent. Pursuant to the (KVKK Board Decision No. 2020/173 dated 27.02.2020), “Personal data cannot be transferred abroad without the explicit consent of the data subject” and “Countries with adequate protection are determined and announced by the Board”. In this context, since implicit consents hidden within the clarification text “cannot be characterized as a lawful explicit consent”, transfer consent is obtained through a separate and independent text. In accordance with the rule stated in the (KVKK Board Decision No. 2020/559 dated 22.07.2020) that “being a party to Convention No. 108 is not sufficient on its own for the determination of safe country status under Law No. 6698, as is the case in EU practice”, consent is also obtained for our Germany servers. The entities to which transfers are made are clearly stated rather than using vague expressions such as “...may be shared with other third parties deemed appropriate and/or abroad” (KVKK Board Decision No. 2020/404 dated 20.05.2020).

  1. Data Security and Retention Period

In line with the provision in the (Constitutional Court, B. 2019/20473 dated 3/2/2022) decision that “The data controller is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to... prevent unlawful access to personal data”, your data is encrypted using cryptographic methods. Within the scope of our obligation to “prevent the unlawful processing of personal data” as expressed in the (KVKK Board Decision No. 2018/143 dated 05.12.2018), your biometric data is stored in isolation. In accordance with the (KVKK Board Decision No. 2020/404 dated 20.05.2020), the highest level of data security standards are applied with the awareness that “biometric data do not lose their quality of being biometric data when they are stored using the hashing method”.

  1. Your Rights as a Data Subject

Pursuant to Article 11 of the Law, you have the freedom to learn whether your data is processed, to request its deletion and to exercise all other legal rights. Your requests will be fulfilled within the legal period.