PERSONAL DATA PROTECTION AND KVKK INFORMATION NOTICE

Pursuant to the Turkish Personal Data Protection Law No. 6698 ("KVKK"), the data controller for the rokmarkt.com website is:

• Name – Surname: İsmail Hakkı GÜNDÜZ
• Title: Operator of the rokmarkt.com website
• Address: Eskişehir, Türkiye
• E-mail: [email protected]

This Information Notice has been prepared to fulfill the information obligation under Article 10 of the KVKK regarding personal data processed within the scope of the services provided through the rokmarkt.com website (the "Site").

rokmarkt.com is a listing and middleman communication platform where listings related to Rise of Kingdoms accounts, resource offers and similar digital assets can be viewed, listing information is presented in an organized manner, and users may be directed to the relevant person, support team or middleman for communication.

The platform does not directly sell products, does not receive payments on behalf of users, does not hold payments, does not process payments and does not provide escrow services. Sale and purchase, payment, transfer, approval, cancellation, refund and dispute processes take place outside the Site between the relevant buyer, seller and/or middleman.

When you register on the Site, use the Site, create a listing or resource order, or contact us, the following categories of personal data may be processed:

Identity and Account Data

• username
• e-mail address
• password hash records
• if Google login is used, e-mail address, verified e-mail information and provider account ID provided by the Google account

Contact Data

• phone number, Discord username, Steam username or similar contact information, only if provided by the user or if the relevant feature is used

Account, Listing and Order Data

• game account descriptions, features, images, screenshots and similar listing content
• for resource listings or resource orders: resource amount, estimated price, order status, Discord username, phone number and e-mail address where applicable

Transaction and Usage Data

• listings and order requests
• listing updates
• profile preferences, language selection and marketing permissions

Technical and Log Data

• IP address, browser information, device type, operating system and basic connection information
• visit time, page view records, visitor/session identifiers
• server logs, error records, security records, rate-limit records and basic performance measurement data

Communication and Support Records

• support requests, contact form content and reply records
• technical delivery records for mandatory system e-mails

rokmarkt.com does not request special categories of personal data from users. Users should not share special categories of personal data through listing descriptions, support requests, screenshots or off-site communication channels. If such data is shared, the relevant content may be deleted, masked or removed from publication for security, legal compliance or platform order purposes.

rokmarkt.com is not a payment institution, electronic money institution, bank, financial intermediary or escrow service provider. The Platform does not receive payments on behalf of users, does not hold payments, does not process payments and does not store account sale proceeds within Rokmarkt.

Credit card, debit card, IBAN or similar payment data are not collected on the Platform. Payment, transfer, approval, cancellation, refund and dispute processes take place outside the Site between the relevant buyer, seller and/or middleman.

Your personal data may be processed for the following purposes under Article 5 of the KVKK and other relevant provisions:

Membership and Account Management

• creating a membership record
• managing the account
• carrying out login, social login, password reset, e-mail verification and e-mail change processes

Listing Publication and Operation of the Platform

• creating, editing and managing account listings, resource listings or resource orders
• listing, filtering, sorting listings and carrying out basic operational processes

Communication and Notification

• sending mandatory notifications regarding registration, login, e-mail verification, password reset and e-mail change processes
• responding to support requests

Security, Prevention of Abuse and Legal Obligations

• ensuring account security
• detecting and preventing suspicious activities, abuse and technical attacks
• fulfilling legal obligations and carrying out evidentiary processes in case of disputes

Statistics and Improvement

• measuring platform performance
• analysing error records
• observing basic usage trends
• improving user experience

Marketing and Information

• sending announcements, campaigns and informational e-mails only where explicit consent has been provided

Personal data may be collected automatically or partially automatically through membership, login, listing creation, resource orders, support requests, contact forms, e-mail notifications, cookies, localStorage, sessionStorage, server logs and security records.

Personal data may also be processed through Google OAuth login flows, Cloudflare and Vercel infrastructure records, Brevo e-mail delivery processes, Upstash rate-limit records, image files stored on Cloudflare R2, security, consent and analytics records stored on MongoDB, and membership, listing, resource order and middleman management records stored on Neon PostgreSQL.

Personal data may be processed based on the legal grounds under Article 5 of the KVKK, including:

• processing being necessary for the establishment or performance of a contract,
• processing being necessary for the data controller to fulfill its legal obligations,
• processing being necessary for the establishment, exercise or protection of a right,
• processing being necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject,
• explicit consent where required.

The Site may use cookies, localStorage, sessionStorage, beacons and similar technologies for session management, language preference, security, visitor/session distinction, basic usage analytics and performance measurement.

Through cookies and similar technologies, data such as IP address, device information, browser information, visited pages, session duration and visitor/session identifiers may be processed.

Internal analytics systems may collect basic usage and traffic measurements. Cloudflare Web Analytics and Vercel Speed Insights may also be used for third-party performance and basic analytics.

Where required, user preference or explicit consent mechanisms may be operated for non-essential analytics, advertising, marketing or performance technologies.

Technical Service Providers

• hosting, database, CDN, media storage, e-mail, logging, security, rate-limit and performance analytics providers

Third-Party Technical Providers

• Vercel, Neon PostgreSQL, MongoDB Atlas, Cloudflare, Cloudflare R2/CDN, Brevo, Upstash Redis, Google OAuth, Cloudflare Web Analytics and Vercel Speed Insights

Competent Public Authorities

• competent public authorities where legally required

Relevant Person, Seller, Buyer or Middleman

• where necessary for a user request, resource order, listing interest or the related transaction process

Brevo is used for mandatory notification e-mails and system e-mails. Similar e-mail service providers may also be used in the future based on technical requirements.

In this context, the following data may be transferred to Brevo:

• e-mail address,
• technical information related to the sent e-mail.

This transfer is made only for sending mandatory notifications and ensuring technical reliability.

The servers of service providers used for the operation of the Site, such as Vercel, Neon PostgreSQL, MongoDB Atlas, Cloudflare, Cloudflare R2/CDN, Brevo, Upstash Redis, Google OAuth, Cloudflare Web Analytics and Vercel Speed Insights, may be located abroad or such providers may access data from abroad. Therefore, personal data may be transferred abroad or become accessible from abroad.

Such transfers are carried out where the necessary legal conditions are met under Article 9 of the KVKK and relevant secondary legislation. For non-essential marketing, advertising or analytics activities requiring cross-border transfer, user preference or explicit consent mechanisms may be operated where required.

rokmarkt.com is not a seller, payment institution, escrow provider or transaction party that guarantees the accuracy of listings, the flawless condition of accounts, the outcome of a transaction or the conduct of middlemen. The platform's role and limits of responsibility are described in detail in the User Agreement.

Users are responsible for the personal data they share through off-site communication channels with the relevant person, seller, buyer or middleman. Rokmarkt is not responsible for damages arising from personal data, payment information, account access information or similar information shared through off-site communication channels.

Personal data are retained for the period required for the relevant processing purposes and applicable legislation. Retention periods may vary depending on the data category, processing purpose, legal obligations, security requirements, dispute risk and technical retention policies.

Membership, listing, resource order, support request and transaction-related records may be retained for as long as necessary for service operation, security, dispute management and legal proof.

Legal consent, explicit consent, user agreement acceptance and legal document version records may be retained as long as the relevant rights and obligations continue for legal proof and version verification purposes.

Certain technical records may be retained for limited periods. Internal analytics records may technically be retained for up to 180 days, rate-limit records for up to 90 days, and security and authentication event records for up to 365 or 730 days depending on event type. Short-term technical tokens and cookies such as session, password reset and e-mail verification records are retained only for the period required for the relevant security or verification process.

Traffic and log data may be retained for the periods prescribed under Law No. 5651 and related secondary legislation, where applicable.

Personal data whose retention period has expired or whose processing reason no longer exists are deleted, destroyed or anonymized in accordance with applicable legislation and technical possibilities. Deletion processes for backups, security logs and legal proof records may be completed within different periods due to technical and legal requirements.

rokmarkt.com takes reasonable administrative and technical measures, within current technical possibilities, to protect personal data against unauthorized access, disclosure, loss or other unlawful processing.

In this context, measures such as the following may be implemented:

• authorization and access control,
• monitoring of security, error and abuse records,
• implementation of appropriate technical protections on server, database and media storage infrastructures

Passwords are stored using appropriate cryptographic hashing methods and are not kept in plain form in the system.

Requests regarding KVKK rights may be submitted through [email protected] or other methods specified under KVKK and relevant legislation. If applications by KEP or written mail are accepted, the relevant KEP address or postal address suitable for notification shall be separately specified.

Personal data requests are concluded as soon as possible and within 30 days at the latest.

This Personal Data Protection and KVKK Information Notice may be updated if the operation of the Site, applicable legislation or data processing activities change. The updated text becomes effective as of the date it is published on the Site.