ROTA

Privacy Policy

Effective Date: July 10, 2026

Luminis Lojistik Teknoloji Ticaret Danışmanlık Hizmetleri Limited Şirketi (operating under the "Rota" brand, hereinafter referred to as "COMPANY", "Luminis"), operates the Rota mobile application (hereinafter referred to as "APPLICATION", "ROTA") and the https://rota-app.com website (together, the "Service").

This Privacy Policy has been prepared to explain the procedures and principles regarding the processing of personal data under Law No. 6698 on the Protection of Personal Data ("KVKK") and related legislation. It explains how we collect, use, share, and protect your personal data when you use our Service.

We are committed to protecting your privacy and complying with the European Union General Data Protection Regulation (GDPR), Law No. 6698 on the Protection of Personal Data (KVKK), and other applicable legislation.

1. Our Capacity: When We Are a Data Controller, and When a Data Processor

The data processed by Rota is not of a single type; our capacity under the KVKK varies according to the data category. This policy covers both axes:

  • Data for which Rota is the data controller: The account, billing, marketing, and website usage data of individuals visiting our website, those obtaining information about our application, and the representatives of the customer (employer) organizations that register with Rota. For this data, Luminis determines the purposes and means of processing; the data controller is Luminis.
  • Data for which Rota is the data processor: The workforce data that employers process about their own employees through the Rota platform (such as shifts, location, clock-in/out verification, leave, and documents). For this data, the employer organization determines the purposes and means of processing; the data controller is the employer, and Luminis acts solely on the employer's instructions in its capacity as data processor. If you are an employee and wish to make requests regarding this data, you must direct them to your employer, who is the data controller.

2. Data Controller (Company Information for Data We Process Ourselves)

For the data for which Rota is the data controller, our company information is:

Luminis Lojistik Teknoloji Ticaret Danışmanlık Hizmetleri Limited Şirketi

  • Address: Küçükbakkalköy Mah. Yüksel Sk. No: 10 A Ataşehir/İstanbul, Turkey
  • Tax ID: 6091389933
  • Data Protection Contact: privacy@rota-app.com
  • Representative: Mehmet Can Işıklarlı

For employee workforce data, the data controller is the relevant employer organization; the company information and point of application for such data is your employer.

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Special Category Personal Data: Personal data on race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data, as limited by law.
  • Data Controller: The natural or legal person who determines the purposes and means of processing personal data.
  • Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the controller.
  • VERBİS: Data Controllers Registry Information System (Turkey).
  • LAW: Law No. 6698 on the Protection of Personal Data.

4. Personal Data Processed and Our Capacity

The data categories processed in the context of your use of the Service, and Luminis's capacity for each, are as follows:

Data CategoryScopeCapacity
Account InformationFull name, email, phone number, company information, position.For customer/representative accounts, Luminis = Data Controller; for employee accounts created by the employer, employer = controller, Luminis = processor.
Billing DataInvoicing and payment information regarding the customer organization, IBAN, tax identification number.Luminis = Data Controller
Technical DataDevice information, IP address, browser information, cookie records, usage logs.Luminis = Data Controller
Location InformationGPS coordinates for shift clock-in/out verification.Employer = controller, Luminis = processor
Visual DataSelfie photos taken for attendance verification (standard visual evidence; no identity verification / biometric matching is performed).Employer = controller, Luminis = processor
Workforce DataShift schedules, attendance records, leave data, performance notes.Employer = controller, Luminis = processor

5. Purpose and Legal Basis of Processing

Luminis's own purposes as data controller (KVKK Art. 5/6 — establishment and performance of contracts, legal obligations, legitimate interests):

  • Execution of contractual processes (B2B subscription),
  • Execution of finance and accounting processes (billing the customer),
  • Customer relationship management (admin account and support processes),
  • Execution of information security processes,
  • Development and optimization of products and services (website analytics, error monitoring),
  • Execution of marketing analysis studies (permission-based corporate communication).

Purposes for which the employer is the data controller and Luminis acts as processor on the employer's instructions:

  • Shift planning and tracking of working hours,
  • Clock-in/out (attendance) verification (location and visual evidence),
  • Leave management and document storage,
  • Fulfillment of the employer's obligations arising from labor law and legislation.

The scope and legal basis of this second group of purposes are determined by the employer and fall under the employer's obligation to inform.

6. Data Sharing and Third Parties

Your personal data may be transferred to relevant public institutions for the resolution of disputes or pursuant to legislation, to judicial authorities or relevant law enforcement upon request, for the purpose of realizing the above-mentioned purposes while taking adequate measures, in accordance with the transfer conditions specified in Articles 8 and 9 of the Law.

  • Your Employer (Data Controller): As the organization subscribing to Rota, your employer has access to your attendance records, shift information, leave data, and verification data (location, selfie). For this data, the employer is the data controller and Luminis is the data processor acting on the employer's behalf.
  • Infrastructure Providers: Supabase, Inc. (database and authentication), Vercel, Inc. (web hosting), Expo / EAS (mobile application distribution). Under written contracts, these providers act as data processors for data for which Luminis is the data controller, and as sub-processors for employee workforce data.
  • Legal Authorities: Upon request by law, court order, or regulatory authority.

Recorded personal data is not shared with any third party for material benefit and is not used for advertising purposes.

7. International Data Transfer

Rota’s primary database and file storage infrastructure is hosted in the European Union in the Frankfurt (eu-central-1) region. In addition, sub-processors used for email, error monitoring, analytics, or application distribution may transfer or process your data in countries outside Turkey and/or the European Economic Area (EEA), including the United States. Such transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms under applicable law (including KVKK Article 9 where relevant).

8. Data Retention

Data for which Luminis is the data controller is retained for the periods required by the relevant purpose and legislation. For employee workforce data, the retention period is determined by the employer as data controller; Luminis hosts such data on the employer's instructions for as long as the employer maintains an active Rota subscription and your account is active. Upon account deletion or termination of employer subscription:

  • Account information is deleted within 30 days.
  • Data is retained for different periods as required by applicable labor legislation and other legal requirements, and then permanently deleted.
  • Anonymous and aggregate analytical data may be retained indefinitely.

9. Data Security

To protect your personal data, we implement appropriate technical and organizational security measures including encryption in transit and at rest (TLS), SSL and encryption in the mobile application, user-based authorization, logging, access controls, regular security audits, and secure authentication mechanisms. We keep these up to date with regular penetration testing.

10. Children's Privacy

The Service is designed for workforce management and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the application or via email. The updated policy will take effect as of the date of publication.

12. Your Rights

As a personal data subject, we hereby inform you that you have the following rights under Article 11 of the Law:

  • To learn whether your personal data is processed,
  • To request information if your personal data has been processed,
  • To learn the purpose of processing your personal data and whether it is used in accordance with that purpose,
  • To know the third parties to whom your personal data is transferred within or outside Turkey,
  • To request the correction of your personal data if incompletely or incorrectly processed, and to request that such correction be communicated to third parties to whom your personal data has been transferred,
  • To request the deletion or destruction of your personal data when the reasons requiring its processing have ceased, despite being processed in accordance with the Law and other relevant legislation, and to request that such deletion or destruction be communicated to third parties to whom your personal data has been transferred,
  • To object to the occurrence of a result against yourself due to the analysis of your processed data exclusively through automated systems,
  • To request compensation for damages incurred due to the unlawful processing of your personal data.

When exercising these rights, the party you should address varies according to the capacity of the data: for data for which Luminis is the data controller (account, billing, website usage), address Luminis directly; for employee workforce data (shifts, location, selfie, leave, attendance), you must apply to your employer, who is the data controller. Acting as data processor, Luminis cannot perform operations directly on such data without the employer's instructions and will forward requests of this nature to the relevant employer.

You may submit your applications to Luminis by filling out the Data Subject Application Form available from us, and by mailing it to our Company's address at Küçükbakkalköy Mah. Yüksel Sk. No: 10 A Ataşehir/İstanbul, Turkey, by emailing it to privacy@rota-app.com, or by delivering it physically. Depending on the nature of your request, your applications will be finalized free of charge as soon as possible and no later than thirty days; however, if the operation requires additional cost, a fee may be requested from you in accordance with the tariff determined by the Personal Data Protection Board. In case of rejection of the request, the reason(s) for rejection will be communicated to you in writing or electronically with justification.


This document is provided for informational purposes only. The legally binding version is the Turkish original.