Privacy Policy

Effective Date: April 20, 2026

Luminis Lojistik Teknoloji Ticaret Danışmanlık Hizmetleri Limited Şirketi (operating under the "Rota" brand, hereinafter referred to as "COMPANY"; "DATA CONTROLLER"), operates the Rota mobile application (hereinafter referred to as "APPLICATION", "ROTA") and the https://rota-app.com website (together, the "Service").

This Privacy Policy has been prepared by the data controller to establish the procedures and principles regarding the processing of personal data under Law No. 6698 on the Protection of Personal Data ("KVKK") and related legislation. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our Service.

We are committed to protecting your privacy and complying with the European Union General Data Protection Regulation (GDPR), Law No. 6698 on the Protection of Personal Data (KVKK), and other applicable legislation.

1. Data Controller (Company Information)

The data controller responsible for your personal data:

Luminis Lojistik Teknoloji Ticaret Danışmanlık Hizmetleri Limited Şirketi

Address: Küçükbakkalköy Mah. Yüksel Sk. No: 10 A Ataşehir/İstanbul, Turkey
Tax ID: 6091389933
Data Protection Contact: privacy@rota-app.com
Representative: Mehmet Can Işıklarlı

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.
Special Category Personal Data: Personal data on race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data, as limited by law.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data.
VERBİS: Data Controllers Registry Information System (Turkey).
LAW: Law No. 6698 on the Protection of Personal Data.

3. Personal Data Processed

In the context of your use of our Service, your personal data in the following categories may be processed:

Account Information: Full name, email, phone number, company information, position.
Location Information: GPS coordinates for shift clock-in/out verification.
Visual Data: Selfie photos for attendance verification.
Workforce Data: Shift schedules, attendance records, leave data, performance notes.
Technical Data: Device information, IP address, browser information, usage logs.

4. Purpose and Legal Basis of Processing

The following legal bases are relied upon under the Law and GDPR:

Conduct of business activities,
Execution of contractual processes,
Fulfillment of legal obligations,
Execution of human resources processes,
Customer relationship management,
Execution of finance and accounting processes,
Execution of information security processes.

Data is processed under KVKK Articles 5 and 6, based on the legal grounds of explicit legal provisions, establishment and performance of contracts, the data controller's fulfillment of legal obligations, and the establishment, use, or protection of a right.

5. Data Sharing and Third Parties

Your personal data may be transferred to relevant public institutions for the resolution of disputes or pursuant to legislation, to judicial authorities or relevant law enforcement upon request, and to institutions within or outside Turkey, business partners, and legally authorized private law persons, occupational health and safety experts, relevant financial advisors, and infrastructure providers for the purpose of realizing the above-mentioned purposes while taking adequate measures, in accordance with the conditions for the transfer of personal data and transfer abroad specified in Articles 8 and 9 of the Law.

Your Employer: As the organization subscribing to Rota, your employer has access to your attendance records, shift information, leave data, and verification data (location, selfie).
Infrastructure Providers: Supabase, Inc. (database and authentication), Vercel, Inc. (web hosting), Expo / EAS (mobile application distribution). These providers act as data processors under written contracts.
Legal Authorities: Upon request by law, court order, or regulatory authority.

Recorded personal data is not shared with any third party for material benefit and is not used for advertising purposes.

6. International Data Transfer

Your data may be transferred to and processed in countries outside Turkey and the European Economic Area (EEA), including the United States, where our infrastructure providers operate. Such transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission or other legally recognized transfer mechanisms.

7. Data Retention

Your personal data is retained as long as your employer maintains an active Rota subscription and your account is active. Upon account deletion or termination of employer subscription:

Account information is deleted within 30 days.
Data is retained for different periods as required by applicable labor legislation and other legal requirements, and then permanently deleted.
Anonymous and aggregate analytical data may be retained indefinitely.

8. Data Security

To protect your personal data, we implement appropriate technical and organizational security measures including encryption in transit and at rest (TLS), SSL and encryption in the mobile application, user-based authorization, logging, access controls, regular security audits, and secure authentication mechanisms. We keep these up to date with regular penetration testing.

9. Children's Privacy

The Service is designed for workforce management and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the application or via email. The updated policy will take effect as of the date of publication.

11. Your Rights

As a personal data subject, we hereby inform you that you have the following rights under Article 11 of the Law:

To learn whether your personal data is processed,
To request information if your personal data has been processed,
To learn the purpose of processing your personal data and whether it is used in accordance with that purpose,
To know the third parties to whom your personal data is transferred within or outside Turkey,
To request the correction of your personal data if incompletely or incorrectly processed, and to request that such correction be communicated to third parties to whom your personal data has been transferred,
To request the deletion or destruction of your personal data when the reasons requiring its processing have ceased, despite being processed in accordance with the Law and other relevant legislation, and to request that such deletion or destruction be communicated to third parties to whom your personal data has been transferred,
To object to the occurrence of a result against yourself due to the analysis of your processed data exclusively through automated systems,
To request compensation for damages incurred due to the unlawful processing of your personal data.

You may submit your applications regarding the above-listed rights by filling out the Data Subject Application Form available from us, and by mailing it to our Company's address at Küçükbakkalköy Mah. Yüksel Sk. No: 10 A Ataşehir/İstanbul, Turkey, by emailing it to privacy@rota-app.com, or by delivering it physically. Depending on the nature of your request, your applications will be finalized free of charge as soon as possible and no later than thirty days; however, if the operation requires additional cost, a fee may be requested from you in accordance with the tariff determined by the Personal Data Protection Board. In case of rejection of the request, the reason(s) for rejection will be communicated to you in writing or electronically with justification.

This document is provided for informational purposes only. The legally binding version is the Turkish original.