Privacy Policy

1. Who We Are (Data Controller)

The data controller under KVKK and GDPR is Globalist Accounting Office, an independent CPA firm registered in Turkey and trading as Galata CPA, whose principal office is located at Ebulula Mardin Caddesi, Çağlayan Sitesi B/12 D:4, Akatlar-Beşiktaş, Istanbul, Turkey.

The firm is owned and operated by Gülseren Çalkan, a Sworn Certified Public Accountant (Serbest Muhasebeci Mali Müşavir — SMMM) authorised to practise in Turkey.

For any matter concerning this Policy, your personal data, or the exercise of your rights, you can reach us at info@galatacpa.com or by phone at +90 533 701 51 90.

2. What Personal Data We Collect

Contact form submissions: when you use the contact form, we receive your name, email address, optional phone number, country of residence, and the content of your message. If you voluntarily share business details (company name, sector, approximate turnover) in the message, we process that information only for the purpose of responding.

Email correspondence: if you email us directly at info@galatacpa.com, we retain the email headers and body as part of our business records.

Analytics (optional, consent-based): if you accept analytics cookies via our consent banner, we collect aggregated visit data through Google Analytics 4 and Cloudflare Web Analytics — for example approximate region, device type, pages viewed, session duration, and referring source. These tools are configured to anonymise IP addresses.

Technical logs: our hosting provider (Cloudflare) keeps short-term access logs for security and abuse prevention. These may include your IP address, user agent, and request timestamps.

We do not knowingly collect data from children under 16. We do not collect special categories of personal data (health, biometric, political opinions) through our website.

3. Why We Process Your Data

Service delivery and client communication: to respond to enquiries, prepare engagement proposals, perform the CPA services you instruct us to perform, invoice you, and keep you informed of matters concerning your file.

Legal and regulatory compliance: to satisfy our obligations under Turkish tax, commercial, and professional law — including retention of books and records under the Tax Procedure Law No. 213 ("VUK") and the Turkish Commercial Code No. 6102 ("TTK").

Security and fraud prevention: to protect the website, our clients, and our operations against unauthorised access, abuse, and fraudulent enquiries.

Analytics and service improvement (with consent): to understand aggregate usage of the website and improve content, navigation, and language coverage.

Marketing (with consent only): we do not send unsolicited marketing. If you opt in expressly, we may occasionally send professional updates relevant to cross-border business in Turkey.

4. Legal Basis for Processing

Performance of a contract (KVKK Art. 5(2)(c); GDPR Art. 6(1)(b)): processing is necessary to respond to a pre-contract enquiry or to perform an engagement we have signed with you.

Legal obligation (KVKK Art. 5(2)(ç); GDPR Art. 6(1)(c)): processing is required to comply with VUK, TTK, tax law, anti-money-laundering legislation, and the rules of our professional chamber.

Legitimate interest (KVKK Art. 5(2)(f); GDPR Art. 6(1)(f)): processing is necessary for our legitimate interests in operating and protecting our firm — such as essential cookies, server logging, and fraud prevention — where those interests are not overridden by your rights.

Explicit consent (KVKK Art. 5(1); GDPR Art. 6(1)(a)): where required — notably for non-essential analytics cookies and optional marketing — we rely on your freely given, specific, informed, and unambiguous consent, which you may withdraw at any time.

5. Data Sharing and Processors

We do not sell personal data. We share it only with trusted processors that act on our instructions and are bound by contractual confidentiality and data-protection obligations.

Resend (transactional email delivery): handles the outbound notification triggered by contact-form submissions so we can read and reply to your message.

Cloudflare (hosting, CDN, security, optional web analytics): serves the website and its assets, mitigates abuse, and — where you consent — provides cookieless aggregate analytics.

Google Analytics 4 (optional, consent-only): used to measure aggregate usage when you accept analytics cookies. IP anonymisation is enabled, and we do not share analytics data for advertising.

Turkish public authorities and professional chamber: when required by law (for example tax authorities, courts, or the Union of Chambers of Certified Public Accountants of Turkey — TÜRMOB), we may disclose the minimum data necessary.

International transfers: some processors (Resend, Cloudflare, Google) may process data outside Turkey or the EEA. Transfers rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or equivalent contractual commitments.

6. How Long We Keep Data

Client files and accounting records are retained for ten (10) years after the end of the relevant fiscal year, as required by the Turkish Tax Procedure Law No. 213 and the Turkish Commercial Code No. 6102.

Contact-form enquiries that do not become engagements are kept for up to twenty-four (24) months, then deleted or anonymised, unless a longer period is necessary to defend a legal claim.

Analytics data (where you consent) is retained for up to fourteen (14) months at event level; aggregate reports may be kept longer in non-identifiable form.

Technical security logs are kept for short periods (typically up to 30 days) unless a specific security incident requires longer retention.

At the end of the applicable period, personal data are securely deleted, anonymised, or destroyed in accordance with the Regulation on the Deletion, Destruction, or Anonymisation of Personal Data.

7. Your Rights

Under KVKK Article 11 and GDPR Articles 15–22, you have the right to: learn whether your personal data is processed; request information about processing; know the purpose of processing; learn the third parties to whom data is transferred domestically or abroad; request correction of inaccurate or incomplete data; request deletion or destruction; request that corrections, deletions or destruction be notified to third parties; object to outcomes arising solely from automated analysis; and claim compensation for unlawful damage.

Under GDPR you additionally have the right to data portability and the right to lodge a complaint with a supervisory authority in your EU/EEA member state.

We respond to rights requests within thirty (30) days under KVKK and within one (1) month under GDPR. Fees may apply only where the Personal Data Protection Authority of Turkey has set a tariff for certain requests, in line with applicable regulations.

You can submit a request by emailing info@galatacpa.com, subject line "Data Request", with enough information to verify your identity. We may ask for additional verification where necessary to protect you against fraud.

8. Security, Changes, and How to Reach Us

We apply reasonable technical and organisational measures — including transport encryption (TLS), access controls, strong passwords, two-factor authentication on sensitive accounts, and least-privilege principles — consistent with industry standards for a firm of our size. No internet transmission or storage system can be guaranteed to be entirely secure, and we therefore cannot promise absolute confidentiality.

We may update this Policy to reflect legal, technical, or business changes. The "Last updated" date at the top reflects the most recent revision. Material changes will be highlighted on the site before they take effect.

For any question, request, or complaint regarding this Policy or your personal data, please contact us at info@galatacpa.com or by post at Ebulula Mardin Caddesi, Çağlayan Sitesi B/12 D:4, Akatlar-Beşiktaş, Istanbul, Turkey. If you are dissatisfied with our response, you may file a complaint with the Personal Data Protection Authority of Turkey (KVKK) or, where applicable, your local EU/EEA supervisory authority.