Asmo (hereinafter referred to as the "Company" or "We") attaches the utmost importance to the lawful processing of our customers' personal data. Through this Personal Data Protection Notice and Privacy Policy, we aim to ensure that personal data is processed in compliance with the Law on the Protection of Personal Data No. 6698 ("the Law") and all other applicable national and international legislation.
Transparency is one of our top priorities in the field of personal data protection. We have prepared this Personal Data Protection Notice and Privacy Policy both to fulfil our statutory obligations and to keep you fully informed whenever we process your personal data in order to deliver a better experience to you.
Our core principles governing all personal data processing activities are as follows:
Lawfulness and Fairness
Acting in accordance with the law and rules of good faith.
Accuracy and Currency
Keeping personal data accurate and up to date.
Specified, Explicit and Legitimate Purposes
Processing data only for defined, explicit, and legitimate purposes.
Relevance, Limitation and Proportionality
Processing data that is relevant to, limited to, and proportionate with the purposes for which it is processed.
Retention for the Necessary Period
Keeping data only for the period prescribed by relevant legislation or required for the relevant purpose.
This Personal Data Protection Notice and Privacy Policy sets out our declarations regarding the processing of personal data of our customers and natural persons who come into contact with us, in a manner compliant with applicable legislation. Your personal data is collected through the Asmo platform, mobile applications, SMS channels, and digital environments by fully automated or partly automated means.
The personal data we collect is categorised as follows:
Identity and Contact Data
Phone number, business owner name, and optionally provided e-mail address, processed for account verification and service provisioning.
Business Information
Business name, operating sector, target audience definitions; address, city, district, and geographic location data provided via map; and details of products/services offered.
Brand and Design Preferences
Brand colours, typography, logo, and preferences relating to corporate communication tone.
Media Files
Product images, location photographs, and logo files uploaded by the user. These files are stored on secure infrastructure and transmitted to artificial intelligence services solely for content generation purposes.
Social Media Data
Username of the connected Instagram account and access token information stored encrypted in our database.
Financial Information
Subscription plan, payment status, cardholder name, and the last 4 digits of the card number. Raw card data is never stored on our systems — it is tokenised entirely by our payment provider.
Transactional and Technical Security Data
IP address, browser/device information (user agent), session tokens stored using a hashing method, and SMS OTP attempt records.
Marketing and Analytics Data
Usage analytics and user experience reports collected for the purpose of improving our services.
Your personal data is processed for the following purposes within the framework of the conditions set out in Articles 5 and 6 of the Law:
Service Provision and Account Management
Carrying out identity verification processes, ensuring account security, and creating a business profile specific to the user.
Content Generation and Personalisation
Transforming your brand preferences and media files into personalised content through artificial intelligence services.
Ensuring Operational Security
Prevention of fraud, rate limiting, and protecting the system infrastructure against cyber-attacks.
Management of Financial Processes
Collection of subscription fees, billing processes, and establishment of payment security.
Regulatory Compliance
Providing information to competent authorities and institutions, and fulfilling legal obligations.
Your personal data may be shared with our suppliers with whom we cooperate for the performance of our services (Vercel Blob), artificial intelligence service providers from whom we receive content generation support (OpenAI, Google Gemini), and payment institutions. Such transfers are carried out in accordance with Articles 8 and 9 of the Law, with the necessary technical and administrative measures in place.
The transfer of your personal data abroad may take place:
Where your explicit consent has been obtained; or
Where your explicit consent has not been obtained but one or more of the other data processing conditions specified in the Law are met, and: (a) there is adequate protection in the destination country as determined by a decision of the Personal Data Protection Board; or (b) where adequate protection does not exist in the destination country, our Company and the relevant Data Controller in the foreign country have jointly undertaken in writing to provide adequate protection and the permission of the Personal Data Protection Board has been obtained.
Within the framework of the provisions set out in the relevant legislation.
When determining personal data retention periods, we take into account applicable legislation and the purposes for which the data subject to the relevant process is processed. In this context, any statutes of limitation relating to legal obligations arising from personal data processing activities are always taken into consideration. Where the purpose of processing personal data ceases to exist, the data is deleted, destroyed, or anonymised unless there is another legal reason or basis permitting the retention of the personal data.
We take reasonable technical and administrative measures to protect your personal data against risks of unauthorised access, accidental data loss, intentional deletion, or damage. In this context:
Pursuant to Article 11 of the Law, the data subject has the following rights against the data controller:
To learn whether personal data relating to them is being processed.
To request information if personal data relating to them has been processed.
To learn the purpose of processing personal data and whether it is being used in accordance with its purpose.
To know the third parties to whom personal data has been transferred, domestically or abroad.
To request the rectification of personal data in the event it is incomplete or inaccurate.
To request the deletion or destruction of personal data within the framework of the conditions prescribed by applicable legislation.
To request that the transactions carried out pursuant to rectification, deletion, and destruction requests be notified to the third parties to whom the personal data has been transferred.
To object to a result arising against the person themselves through the analysis of the processed data exclusively by automated systems.
To claim compensation for damages in the event of damage arising due to the unlawful processing of personal data.
We respond to data subjects who wish to exercise the rights set out above, within the limits prescribed by the Law, within a maximum of thirty days in the manner prescribed by the Law. In order for a third party to submit a request on your behalf, there must be a special power of attorney drawn up by a notary in the name of the person who will make the application on your behalf.
Applications are as a rule processed free of charge; however, where a fee schedule is prescribed by the Personal Data Protection Board, a fee may be charged in accordance with that schedule.
In order to identify whether the applicant is the data subject, we may request information from the relevant person and may direct questions to the person regarding their application in order to clarify the matters stated therein.
For more detailed information on the procedures and principles to be followed when submitting an application, you may refer to the Communiqué on Procedures and Principles for Application to the Data Controller published by the Personal Data Protection Authority of Turkey (KVKK).
© 2026 Asmo. All rights reserved.
Back to Home