Privacy Policy and KVKK Information Notice

Data Controller

The data controller under the KVKK and the controller under the GDPR is: LEONIX TRUCK PARTS LLC, 7901 4th St N STE 300, St Petersburg, FL 33702, USA. The Platform is operated under the SPAR brand.

Contact: info@autobaba.co, +90 539 389 57 48.

Categories of Personal Data Processed

The following categories of personal data are processed through the Platform:

• Vendor application and onboarding data: company name, contact person name, email address, phone number, city, product and cost data.
• Portal account data (via the WorkOS infrastructure): name, email address, sign-in records.
• Marketplace order data (received from marketplace channels): buyer name, shipping address, ordered items; only to the extent needed for the fulfillment handoff.
• Server logs: IP address, browser information (user agent), timestamps.

Purposes of Processing

Your personal data is processed for the following purposes:

• Evaluating vendor applications and managing onboarding and contract processes.
• Creating portal accounts, authenticating users, and securing accounts.
• Handing marketplace orders off to the operating partner and tracking order processes.
• Securing the Platform and detecting and fixing errors.
• Complying with obligations arising from applicable legislation.

Legal Bases

Your personal data is processed on the legal bases set out in KVKK Article 5/2-c (processing directly related to the conclusion or performance of a contract), Article 5/2-ç (processing necessary for the controller to comply with a legal obligation), and Article 5/2-f (legitimate interests of the controller, provided that the fundamental rights and freedoms of the data subject are not harmed). Where these bases do not apply, your explicit consent is sought.

For data subjects within the scope of the GDPR, the corresponding legal bases are: Article 6(1)(b) (performance of a contract), Article 6(1)(c) (legal obligation), and Article 6(1)(f) (legitimate interests); where required, Article 6(1)(a) (consent).

Recipients of Personal Data

Your personal data may be shared with the following recipients, limited to the purposes listed above:

Payments, logistics, customs, and payouts are executed by the operating partner, not by the Platform; the Platform emits handoff events only.

• Marketplace channels (Amazon, Walmart, eBay, and our own marketplace): within the scope of order operations.
• WorkOS Inc. (USA): provider of authentication and session management services, acting as a processor.
• PostHog, Inc. (USA): only where you grant explicit consent for the Analytics category, for product analytics and usage measurement, acting as a processor.
• The operating partner: order handoff data necessary for carrying out logistics, customs, payment, and payout processes.

International Transfers

The Platform is hosted on servers located in the United States. Personal data of users in Türkiye is therefore transferred to and processed in the USA. This transfer is carried out under KVKK Article 9, based on your explicit consent and/or appropriate safeguards and standard contractual commitments.

If you consent to the Analytics category through the cookie banner, product analytics data is processed by PostHog, Inc. (USA) in the USA. This international transfer is based on your explicit consent under KVKK Article 9; if you do not consent, no analytics data is transferred to PostHog.

For visitors in the European Economic Area, transfers to third countries (including WorkOS Inc. in the USA and, where consent is given, PostHog, Inc.) are carried out in accordance with Chapter V of the GDPR, in particular the standard contractual clauses (SCCs).

Retention Periods

Account and contract data is retained for the duration of the contractual relationship and, after it ends, for the statutory retention periods. Server logs are kept for a limited period for security and error-detection purposes. Personal data whose retention period has expired is deleted, destroyed, or anonymized.

Data Subject Rights

Under KVKK Article 11, you may apply to the data controller to exercise the following rights:

Data subjects within the scope of the GDPR additionally have the rights of access, rectification, erasure, restriction of processing, data portability, and objection.

• To learn whether your personal data is being processed.
• To request information if your personal data has been processed.
• To learn the purpose of processing and whether the data is used in line with that purpose.
• To know the third parties to whom personal data is transferred, in Türkiye or abroad.
• To request correction of personal data that was processed incompletely or inaccurately.
• To request deletion or destruction of personal data under the conditions set out in KVKK Article 7.
• To request that corrections, deletions, and destructions be notified to the third parties to whom the data was transferred.
• To object to a result arising against you through analysis of processed data exclusively by automated systems.
• To claim compensation for damages suffered due to unlawful processing of personal data.

How to Apply

You can submit requests concerning your rights by email to info@autobaba.co or in writing to LEONIX TRUCK PARTS LLC, 7901 4th St N STE 300, St Petersburg, FL 33702, USA. Requests are resolved within the periods prescribed by applicable legislation.

Right to Lodge a Complaint

If your application is rejected, you find the response insufficient, or no response is given in time, you retain the right to lodge a complaint with the Turkish Personal Data Protection Board (Kişisel Verileri Koruma Kurulu). Data subjects in the European Economic Area may lodge a complaint with the data protection supervisory authority of their country.