istebu
Caterers Companies Marketplace
TR Sign in Interactive Demo ↗ Get Started

KVKK Disclosure Notice

Last updated: July 6, 2026 · Version: 2026.07.06.1

KVKK disclosure notice for istebu website visitors and application users.

This English page is a support translation. The Turkish legal text prevails in case of inconsistency.

1. Data controller

The data controller is POİEX TEKNOLOJİ LİMİTED ŞİRKETİ. Contact details are available on the Company Information page.

Who is the controller for your data?

POİEX is also the independent data controller for the personal data of people who use istebu — not the organization you belong to (your employer, school, etc.). POİEX determines the purposes and means of processing this data under KVKK Article 3 in its own name. The organization you belong to runs a separate service relationship through istebu and acts as its own controller only for its own processes. KVKK Article 11 requests concerning this data on istebu are addressed directly to POİEX through the channel listed in section 5.

2. Data subjects and categories

istebu processes data relating to website visitors, organization admins, beneficiaries, Seller (food-service seller) admins, prospects, support contacts, privacy-rights requesters, and — at school-segment customers — children/students (an account-less eater whose name, meal selection, cancellation, rating and optional dish-review note are processed) and their guardians (who select, edit, cancel and rate on the child’s behalf). No health, dietary, or allergy data is processed about a child — allergens are product information on dishes, not person-linked health data. At onboarding, a school or company may provide the phone numbers of the members to be invited (a school’s parents or a company’s staff); for these prospective members only the phone number and the invite status are processed, solely to send the join link by SMS, and for school parents no child data is involved in that flow. Categories include identity, phone number, email address, role, organization, meal selections, delivery and billing records, invoice legal name, tax identifier, tax office, billing address, Seller payout IBAN, food business registration number and verification status, the Seller’s verification documents (tax certificate and food business registration certificate, stored privately and not disclosed to organizations), invoice evidence, settlement/collection/payout references, support and privacy request messages, verification and response records, feedback (including an optional free-text note on a dish review shared with the Seller, shown back to the author but not to organization admins), in-app product feedback about the application itself (with the screen it was sent from, the app version, and the interface language), uploaded avatars, organization logos, dish images, cookie choices, device data, backup records, cron monitoring metadata, diagnostic events, and security logs. A school parent may also contact us from inside the app to bring istebu to their own workplace; for this inbound inquiry we process the parent’s phone number, message content, workplace name, city, source organization (attribution only), and our response records, and no child data is involved.

3. Purposes, legal basis, and transfers

Data is collected electronically through the website, app, OTP flow, organization actions, image uploads, support messages, privacy-rights requests, business email, and system logs. Processing is based on contract performance, pre-contractual steps, legal obligation, legitimate interest in customer support, security, service reliability, and explicit consent for optional analytics cookies. A school or company may also provide the phone numbers of the members to be onboarded (parents or staff); a one-time invitation SMS carrying only the join link is sent to them via Vatansms and is logged for audit and retry. Separately, the POİEX internal team may occasionally send operational announcements about the service (e.g. “the canteen is closed tomorrow”) to the existing members of an organization you belong to by bulk SMS; the recipient list is derived from the organization’s own membership/eater records (no phone list is pasted), delivery is via Vatansms, and the message sent together with its send status is logged for audit.

The activity-level mapping is: website and cookie preferences rely on necessary service operation or explicit consent for Microsoft Clarity; authentication/session records rely on contract establishment/performance and account-security legitimate interest; meal operations and feedback rely on service performance and service-quality legitimate interest; guardian-proxy child meal coordination at school-segment customers relies on the guardian’s explicit consent (KVKK Article 5/2) for the child’s personal data, recorded as a separate act at child-add, and on contract performance / service-operation legitimate interest for the guardian’s own account data; voluntary in-app product feedback relies on the legitimate interest in improving the application and is visible only to the POİEX internal team (notification email via Google Workspace, including the submitter’s name and phone number so the team can follow up when a response is needed), never to organization admins or Sellers; billing, collection, and Seller payout settlement rely on contract performance and legal obligation; Seller verification (food business registration via GGBS and taxpayer status via GİB) relies on contract performance, legal obligation, and marketplace-trust legitimate interest; media uploads rely on service performance and operation; support and privacy requests rely on pre-contractual steps, contract performance, legal obligation, and customer-support legitimate interest; backups, cron monitoring, and diagnostics rely on service continuity, security, and legal obligations where records must be kept.

Data may be shared with organization admins, Sellers, hosting and security providers, object storage and backup providers, business email providers, SMS providers, cron-monitoring providers, error-monitoring providers, analytics providers, accounting, legal, and public-authority recipients when necessary. Current processors include Hetzner, Cloudflare, Cloudflare R2, Google Workspace, Sentry, Healthchecks.io, Microsoft Clarity, Vatansms, Paraşüt (e-invoicing/accounting), and WhatsApp/Meta. See Sub-processors for the current full list. All listed processors except Vatansms and Paraşüt operate outside Turkey, which triggers a cross-border transfer; Vatansms and Paraşüt are based in Turkey. The KVKK Article 9 safeguards (Board adequacy decision, Standard Contractual Clauses notified to the Board within 5 business days, written undertaking, or Binding Corporate Rules) are currently being put in place for the affected processors. Sellers (food-service sellers) receive only an operational subset: daily headcount, menu assignments, bulk-order line items, delivery location, and the name needed for a beneficiary to find their own meal on the delivery label. The label shows the beneficiary’s first and last name, so that boxes are not mixed up between people who share a first name at handout. The beneficiary’s phone number and email address are not shared with Sellers. The QR code on the delivery label contains an unguessable, unique link to that meal’s info page. The page opens without login for whoever holds the link (e.g. by physically seeing the label); the personal data it shows is no more than what is already printed on the label (first name, that day’s meal selection, the Seller’s name, date, and delivery time), and it additionally shows the dishes’ declared food information (description, allergens, dietary tags, special warnings, and energy — product information, not personal data). The same page allows a one-time rating of the meal for 24 hours after delivery; it contains no price, phone number, or other contact details. The QR on the box label of a bulk-ordered meal works the same way; that page shows no beneficiary identity — only the ordering organization’s name and that day’s dishes — and allows one rating per box without login. A bulk-box rating is linked to no person, so it carries no personal data and no identity link to erase under KVKK Article 7. So the Seller can issue the food invoice, the billing identity of the organization it is actively linked to (legal name, tax identifier, tax office, billing address) is disclosed to that Seller; the intermediation invoice and collection run through POİEX. Once a Seller’s verification is complete, its seller identifying information (trade title and tax identifier/VKN) is shown publicly on the marketplace and to actively linked client organizations in the app, as required by the seller-transparency obligation under Law No. 6563 and Article 5 of the E-Commerce Regulation; the Seller’s food business registration number remains internal compliance data and is not disclosed to clients.

When a parent uses the in-app card to ask about istebu for their own workplace, the prefilled message they choose to send is transported over WhatsApp/Meta infrastructure outside Turkey (a cross-border transfer, with the Article 9 safeguards being put in place as above). The legal basis is pre-contractual steps at the data subject’s own request and legitimate interest in answering inbound sales inquiries (KVKK Article 5/2-c and 5/2-f). Because the parent initiates the contact, no explicit consent is taken and this is not an unsolicited commercial electronic message under Law No. 6563 / İYS; no child data is shared, and any later marketing message back to the parent would require separate explicit consent.

4. Account deletion

Retention periods vary by processing purpose; see the Privacy Policy Retention section for details. The in-app “Delete my account” flow closes your account immediately: sessions are revoked, the account can no longer be signed into, active memberships end, in-progress (pre-deadline) meal selections are dropped, and the phone is detached so the number is freed for re-registration. Your personal data is not yet destroyed at closure; it is stored with access closed, to prove the underlying transactions were real and to establish, exercise, or protect a legal right (KVKK Article 5/2-e), and is deleted or anonymized in the periodic destruction cycle following closure (within six months at the latest). On a written KVKK Article 7 request the deletion is completed within 30 days at the latest.

When the deletion is processed, your name, phone, profile image (including the image file in object storage), and the technical fields on consent records (IP, device) are erased; the eater (meal-subject) name on your meal records is also stripped. Past meal selections, bulk orders, ratings, and billing-tied records are retained with the identity link cut, for the statutory retention period required by VUK m. 253 and TBK m. 146 — they appear as “Anonymous user” in per-person historical views; aggregate billing, headcount, and quality figures are unaffected. Free-text in-app product feedback is retained to improve the product; when the deletion is processed the identity link is cut (the feedback’s link to your account is removed) and the text itself is kept. The free-text note on a dish review is scrubbed (its content cleared); the review record itself is not deleted but retained anonymized, with the identity link cut, together with the structured star rating.

A guardian’s meal selections, ratings and review notes placed for a child are not auto-deleted over time; they are kept for the service relationship. When the child is removed, or when the child’s sole guardian closes their account, the child’s record is closed (it drops off rosters and its pre-deadline future orders are cancelled); the child’s identity is stripped (anonymized in place) on the schedule above (in the periodic destruction cycle, or within 30 days on the guardian’s KVKK Article 7 request), while the billing-related past records are retained anonymized (not deleted). When a guardian merely leaves the organization (without deleting their account), only the child’s in-progress (pre-deadline) future orders are cancelled (so the customer is not billed) and the child’s identity is preserved while it remains enrolled. The guardian exercises the child’s KVKK rights.

If you are the sole active admin of an organization, deletion may be refused until another admin is appointed. This is a procedural prerequisite, not a refusal of the KVKK Article 7 right.

5. Rights

KVKK Article 11 requests can be sent to privacy@worknmeal.com. The right of access and portability can also be exercised in-app via “Download my data”.

istebu

Workplace meal, redefined

Ankara, Türkiye

Mobile apps · Coming soon
Download on the App Store
Get it on Google Play

Product

  • How it works
  • Why now
  • Numbers
  • Interactive Demo

Solutions

  • For Caterers
  • For Companies
  • Marketplace

Company

  • Contact
  • FAQ
  • Privacy Policy
  • Terms of Use
  • KVKK Disclosure
  • Cookie Policy
  • Sub-processors
  • Company Information

© 2026 istebu. All rights reserved.

TR hello@worknmeal.com v2026.07.06.38
Cookie preferences

Necessary cookies keep the site working. Optional analytics cookies collect usage and session replay data with Microsoft Clarity only if you accept. Error monitoring (Sentry) runs separately under legitimate interest and is not affected by this preference.

Details are available in the Cookie Policy. Cookie Policy