Privacy Policy
How istebu processes personal data, shares it with processors, and stores it.
This English page is a support translation. The Turkish legal text prevails in case of inconsistency.
1. Controller
The data controller for istebu services is POİEX TEKNOLOJİ LİMİTED ŞİRKETİ. Company contact details are listed on the Company Information page.
Who is the controller for your data?
POİEX is also the independent data controller for the personal data of people who use istebu — not the organization you belong to (your employer, school, etc.). POİEX determines the purposes and means of processing this data under KVKK Article 3 in its own name. The organization you belong to runs a separate service relationship through istebu and acts as its own controller only for its own processes. KVKK Article 11 rights concerning this data on istebu are exercised directly against POİEX at privacy@worknmeal.com.
2. Data we process
We process account and role data, phone-based login records, meal selections, cancellation and bulk-order records, delivery and billing-period data, invoice legal name, tax identifier, tax office, billing address, Seller payout IBAN, food business registration number and verification status, the Seller’s two verification documents (tax certificate and food business registration certificate) which — like the food registration number — are Seller compliance data stored in a private bucket, read only by our reviewer via short-lived links, and not disclosed to organizations, invoice evidence, settlement/collection/payout references, support and privacy-rights messages, ratings, feedback (including an optional free-text note on a dish review that is shared with the Seller and shown back to you in your own history, but never to organization admins; because the note text can identify you, you are told it is shared with the Seller before you write it), in-app product feedback you submit about the application itself (together with the screen it was sent from, the app version, and the interface language; forwarded only to the POİEX internal team with your name and phone number so we can follow up if needed), uploaded avatars, organization logos, dish images, language and cookie preferences, backup records, cron monitoring metadata, masked diagnostic events, opt-in analytics data, and — at school-segment customers — a child/student’s name plus the meal selection, cancellation, rating, and review note a guardian enters on their behalf (no child health, dietary, or allergy data is processed; allergens are product information on dishes). We also process the phone number, message content, workplace name, city, source organization (attribution only), and our response records when a school parent contacts us from inside the app to bring istebu to their own workplace; no child data is involved in that flow.
3. Purposes and processors
Data is used for secure login, corporate meal coordination, headcount, delivery, invoicing, collection, Seller payout settlement, support, privacy-rights handling, service quality, media storage, backup and disaster recovery, security, cron monitoring, error monitoring, and optional analytics. Current starter processors include Hetzner, Cloudflare, Cloudflare R2, Google Workspace, Sentry, Healthchecks.io, Microsoft Clarity, Vatansms, Paraşüt (e-invoicing/accounting), and WhatsApp/Meta. See Sub-processors for the current full list and the KVKK Article 9 transfer mechanisms. Organization admins access the operational data of their own organization (headcount, beneficiary selections — including the specific dishes each member chose for the day, never the price — name/phone, billing records). Sellers (food-service sellers) receive only the operational data needed to produce and deliver the meal: daily headcount, menu assignments, bulk-order line items, delivery location, and the name needed for a beneficiary to find their own meal on the delivery label. The label shows the beneficiary’s first and last name, so that boxes are not mixed up between people who share a first name at handout. The beneficiary’s phone number and email address are not shared with Sellers. The QR code on the delivery label contains an unguessable, unique link to that meal’s info page; the page opens without login for whoever holds the link, shows no more personal data than what is already printed on the label (first name, that day’s meal selection, the Seller’s name, date, and delivery time) plus the dishes’ declared food information (description, allergens, dietary tags, special warnings, energy — product information, not personal data), and allows a one-time rating of the meal for 24 hours after delivery. It contains no price, phone number, or other contact details. The QR on the box label of a bulk-ordered meal works the same way; that page shows no beneficiary identity — only the ordering organization’s name and that day’s dishes — and allows one rating per box without login. A bulk-box rating is linked to no person, so it carries no personal data and no identity link to erase. So the Seller can issue the food invoice, the billing identity of the organization it is actively linked to (legal name, tax identifier, tax office, billing address) is disclosed to that Seller; the intermediation invoice and collection run through POİEX. Once a Seller’s verification is complete, its seller identifying information (trade title and tax identifier/VKN) is shown publicly on the marketplace and to actively linked client organizations in the app, as required by the seller-transparency obligation under Law No. 6563 and Article 5 of the E-Commerce Regulation; the Seller’s food business registration number remains internal compliance data and is not disclosed to clients. When a parent uses the in-app card to ask about istebu for their own workplace, the prefilled message they choose to send is transported over WhatsApp/Meta infrastructure outside Turkey; the legal basis is pre-contractual steps at the data subject’s own request and legitimate interest in answering inbound sales inquiries (KVKK Article 5/2-c and 5/2-f). Because the parent initiates the contact, no explicit consent is taken and this is not an unsolicited commercial electronic message under Law No. 6563 / İYS; no child data is shared, and any later marketing message back to the parent would require separate explicit consent.
The main legal-basis groups are: OTP/session records for account access and security under contract and legitimate interest; meal, delivery, headcount, and feedback records for service performance and quality; guardian-proxy child meal coordination at school-segment customers under the guardian’s explicit consent (KVKK Article 5/2) for the child’s data and contract performance / service-operation legitimate interest for the guardian’s own account data; support/demo messages for pre-contractual requests, contract performance, and customer-support legitimate interest; privacy-rights request records for legal obligation; and media uploads, backups, and diagnostics for service operation, security, and continuity.
Some infrastructure, storage, business email, monitoring, analytics, and messaging providers operate outside Turkey, primarily in Germany, the United States, Latvia, and Ireland. The KVKK Article 9 cross-border safeguards (Board adequacy decision, Standard Contractual Clauses notified to the Board within 5 business days, written undertaking, or Binding Corporate Rules) are currently being put in place for the affected processors. This page and the company’s records will be updated as each safeguard is recorded.
4. Retention
Retention depends on purpose: refresh sessions last 7 days, cookie consent lasts 6 months, language preference lasts 1 year, error/replay diagnostics last 90 days, private database backups rotate after 30 days, cron monitoring records remain for the active service account and may remain in provider backups for up to 2 months, Clarity analytics may last up to 13 months, support records and in-app product feedback are retained for the active customer period plus 2 years unless tied to legal or billing records, workplace-referral (WhatsApp) inquiry records are retained for 1 year, and invoice/legal records are retained for 10 years. Uploaded images remain until replaced, deleted, or no longer needed for the active service relationship. Where a dispute, security incident, or legal obligation applies, the relevant records may be retained for as long as necessary. These are the retention periods for which the relevant data is kept; in-app personal records are retained for the service relationship and statutory retention obligations, and are removed when that obligation ends or when you delete your account, on the schedule described in Section 5.
5. Account deletion and what is kept afterwards
Starting the in-app “Delete my account” flow closes your account immediately: your sessions are revoked, the account can no longer be signed into, your active memberships are ended, in-progress (pre-deadline) meal selections are cancelled, and your phone number is detached from the account so the same number can be reused for re-registration (the in-app record is replaced with an anonymous sentinel).
Your personal data is not yet destroyed at the moment of closure: your name, profile image (including the image file in object storage), the phone-number record, the technical fields on consent records (IP address, device), the content of SMS messages sent to you, and the free-text notes you added to dish reviews continue to be stored with access closed, for the purpose of proving that the underlying transactions were real and of establishing, exercising, or protecting a legal right (KVKK Article 5/2-e). This data is deleted or anonymized in the periodic destruction cycle following closure (within six months at the latest). If you want your data destroyed sooner, a KVKK Article 7 request to privacy@worknmeal.com is completed within 30 days at the latest.
When the deletion is processed (on request or in the periodic destruction cycle): your name, phone number, profile image, and the technical fields on consent records are erased; the eater (meal-subject) name on your meal records is also stripped. Past meal selections, bulk orders, ratings, and billing-related records are retained — with the identity link cut — for the statutory retention period required by Vergi Usul Kanunu m. 253 and Türk Borçlar Kanunu m. 146. They appear as “Anonymous user” in any per-person historical view; aggregate billing, headcount, and quality analytics are unchanged. Consent records’ existence and timestamps are retained for audit; personal fields are scrubbed. Free-text product feedback you submitted about the application is retained to improve the product; when the deletion is processed the identity link is cut (the feedback’s link to your account is removed) and the text itself is kept. The free-text note you added to a dish review is scrubbed (its content cleared); the review record itself is not deleted but retained anonymized, with the identity link cut, together with the structured star rating.
The meal selections, ratings, and review notes a guardian enters for a child are not auto-deleted over time; they are kept for the service relationship. When the child is removed, or when the child’s sole guardian closes their account, the child’s record is closed: it drops off rosters and its in-progress (pre-deadline) future orders are cancelled. The child’s identity is not destroyed at that moment; it is stripped (anonymized in place) on the schedule above (in the periodic destruction cycle within six months at the latest, or within 30 days on the guardian’s KVKK Article 7 request), while the billing-related past records are retained anonymized (not deleted). When a guardian merely leaves the organization (without deleting their account), only the child’s in-progress (pre-deadline) future orders are cancelled (so the customer is not billed) and the child’s identity is preserved while it remains enrolled. The guardian exercises the child’s KVKK rights. A guardian acts in two capacities: their own account data rests on contract performance and service-operation legitimate interest, while the child’s data rests on the guardian’s explicit consent (KVKK Article 5/2). You may withdraw that consent at any time by removing the child from the app or writing to privacy@worknmeal.com; on withdrawal future selections for the child stop and their identity is anonymized on the same schedule, and any other guardian’s separate consent is unaffected.
If you are the sole active admin of an organization, the deletion may be refused until another admin is appointed. This is not a refusal of your KVKK Article 7 right; it is a procedural prerequisite to protect other users’ access to a paid service.
You can keep using istebu on your own after your organization’s contract ends, delete your account at any time, or rejoin with another organization using the same phone number.
6. Contact
Privacy questions and data protection rights requests can be sent to privacy@worknmeal.com.