Privacy Policy


Personal Information: Information which, alone or in combination with other information, identifies an individual. Examples are: surname, forename, initials, address, postcode, etc.

Data Subject: A data subject is the person who is the subject of the information.

Data Controller: A data controller is the individual, company or organisation that determines the purpose and the manner in which personal information may be processed.

Data Processor: A data processor processes the personal information on behalf of a data controller.

Data protection legislation: Within this policy, ‘data protection legislation’ shall be taken to mean all relevant legislation

Information Assets: Information Assets are pieces of information that are valuable to the organisation, such as databases, data files, contracts and agreements, and archived information.

Information Asset Owner: Information Asset Owners are nominated to help achieve and monitor a robust Information Governance culture, address risks to the information assets they ‘own’ and to provide assurance on the security and use of these assets.

Open Consent: Consent about a specific subject, based on information and expressed with free will.

Anonymization: The alteration of personal data in such a way that it loses its quality as personal data and this cannot be undone, that is, making personal data incapable of being associated with a natural person by means of techniques such as masking, aggregation and data corruption.

Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system.


Personal data processed by MobilyPay are limited to the following purposes and conditions:

  • The processing of your personal data by MobilyPay is directly related to and necessary for the establishment or performance of a contract. (Name, surname, address information, etc.)
  • The processing of personal data is mandatory for MobilyPay to fulfil its legal obligations towards the data owner or other legally authorized parties.
  • Where the personal data has been made public by the Customer, MobilyPay processes it on a limited basis for the purpose for which it was made public.
  • The processing of personal data by MobilyPay is mandatory for the fulfilment, establishment, use or protection of MobilyPay’s responsibilities to the Customer.
  • It is mandatory to process personal data for the legitimate interests of MobilyPay, provided that it does not harm the fundamental rights of the Customer.
  • If necessary, to check the accuracy of the information conveyed by the Customer.
  • To communicate with the Customer when necessary in order to continue the company’s operations.


In accordance with the relevant articles of the relevant Personal Data Protection Laws, all Customers have the following rights:

  • Learning whether personal data is processed or not.
  • If personal data has been processed, requesting information about it.
  • Learning the purpose of processing personal data and whether they are used in accordance with its purpose.
  • Knowing the third parties to whom personal data is transferred at home or abroad.
  • Requesting correction of personal data in case of incomplete or incorrect processing.
  • Requesting the deletion or destruction of personal data, provided that appropriate conditions are met and there is no legal obstacle.
  • Requesting compensation for damage in case of loss due to unlawful processing of personal data.

The rules for sharing personal data of MobilyPay’s customers with third parties are as follows:

  • Personal data can be transferred to third parties for the purposes of data processing, provided that the explicit consent of the data owner is obtained and the necessary security measures are taken.
  • Personal data can be transferred without the explicit consent of the Customer if the transfer is mandatory in order to fulfil a legal obligation of MobilyPay.
  • Personal data can be transferred without the explicit consent of the Customer if the personal data has been made public by the Customer.
  • The disclosure is made with the prior written consent of the Customer.


When determining the retention period of personal data, the obligations imposed by the legal regulations concerning the personal data are considered first. Apart from legal regulations, the storage period is determined by taking into account the purposes of processing personal data. When the purpose of data processing no longer exists, and there is no other legal reason or basis to keep the data, the data is deleted, destroyed or anonymized.