PRIVACY POLICY
1. Data Controller
This Privacy Policy ("Policy") has been prepared by ISP TRANSFER VE YAZILIM HIZMETLERI ANONIM SIRKETI ("Company"). The company acts as the data controller under the legislation on the Protection of Personal Data (Law No. 6698).
Address: Gokturk Merkez Mah. Cesmebasi Cad. No:51/A Eyupsultan / ISTANBUL
E-mail: [email protected]
This Policy explains how the personal data of drivers and other authorized users of the ISP Driver mobile application ("Application") are collected, processed, shared with whom, and how they are protected.
2. Personal Data We Collect
2.1. Registration and Identity information
The following information is collected during registration for the application:
- Name and surname
- E-mail address
- Telephone number
- For individual accounts: Turkish ID number. This information is stored in encrypted form on our servers.
- For corporate accounts: Company name, taxpayer identification number, and tax office.
2.2. Location Information
Our application collects location data in two different scenarios:
Real-time location during active work: When a driver starts a task assigned to them, their real-time location data are sent to our servers at regular intervals throughout the task. The server stores the last location record for that task. When the task is completed or canceled, location sharing stops. This feature requires access to location data even when the phone is not active on the screen (in the background).
Location history during the shift: When the driver starts a shift, location data are recorded at specific time and distance intervals, even if there is no active task. These records are stored on our servers. Location information is used solely for operational coordination, route verification, and compliance with relevant legal obligations.
2.3. Photographs and Visual Data
Drivers can upload a profile photo and a photo of their vehicle through the application. These images are stored on a secure external storage infrastructure.
2.4. Notification Identifier
In order to send job assignments and operational notifications, a device-specific notification identifier is recorded and shared with notification platforms.
2.5. Operational Data
The following data are processed in relation to transactions conducted through the application:
- Pickup and drop-off addresses
- The names and contact information of the passengers assigned to the task
- Vehicle information (license plate, model, category)
- Trip history and status information
2.6. Technical and Device Data
The application automatically collects the following technical information when errors or crashes occur:
- Device model and operating system version
- Application version
- Error details and technical logs
2.7. Usage Analytics Data
In order to improve the user experience of the application, usage data and application events are collected anonymously or on a pseudonymous basis.
2.8. Reward and Score Data
The driver's score history and level information are stored in the system.
3. Why Do We Use Personal Data?
| Data | Intended Use |
|---|---|
| Identification and contact information | Authentication, account management, secure login via OTP, operational communication |
| Turkish ID number | Verification of driver identification, compliance with legal obligations |
| Corporate tax information | Company registration and related documentation |
| Real-time location (active work) | Trip tracking, driver-operation coordination, passenger safety |
| Location history during the shift | Shift verification and operational planning |
| Photograph | Profile definition, vehicle registration |
| Operational data | Trip management, passenger notification, U-ETDS statutory reporting |
| Technical and device data | Detection and elimination of application errors |
| Usage analytics data | Improving application performance and the user experience |
| Award / score data | Performance monitoring and encouragement system |
4. Who Do We Share Your Data With?
Your personal data are only shared with third parties for the following purposes and only to the extent necessary. Your data are neither sold nor rented.
| Recipient | Country / Region | Data Shared | Purpose |
|---|---|---|---|
| Sentry Inc. | USA | Device information, error logs | Application error tracking |
| Expo Inc. / EAS | USA | Notification identifier | Push notification infrastructure |
| Apple (APNs) | USA | Identifier and content of notification | iOS notification delivery |
| Google (FCM) | USA | Identifier and content of notification | Android notification delivery |
| Firebase (Google) | USA | Device information, usage data | Usage analysis |
| Cloudflare R2 | Europe (EU) | Profile and vehicle photos | Photo storage |
| Ekomesaj | Türkiye | Telephone number, OTP content | Authentication with SMS |
| Brevo | Europe (EU) | E-mail address, OTP content | Authentication via e-mail |
| CM.com | Europe (EU) | Telephone number, message content | WhatsApp operational notifications |
| Ministry of Transport and Infrastructure of the Republic of Türkiye | Türkiye | Transportation and passenger records | Mandatory statutory reporting (U-ETDS) |
| ISP Operation Team | Türkiye | Location, trip, vehicle, and passenger data | Daily operational coordination |
5. Transfer of Personal Data Abroad
The Company processes and stores Personal Data obtained from service providers such as Sentry, Expo, Apple, Google, and Firebase; servers such as Cloudflare, Brevo, and CM.com; and third-party software developers. In this context, the processing of such personal data is carried out in accordance with Law No. 6698 and all relevant legislation. The user acknowledges and agrees that, within the scope of Law No. 6698, the data collected as a result of using the application may be shared with service providers and third-party software companies. In this context, the user hereby consents in advance to the sharing of personal data with service providers, third-party software developers, and servers, and to their storage by the relevant institutions and organizations.
6. Data Retention Period
| Data | Retention Period |
|---|---|
| Account and identity information | This information is retained as long as the account remains active. If your account is deleted, your personal data will be deleted or anonymized within no later than 90 (ninety) days, provided that legal obligations such as tax, social security, dispute resolution, or audits by competent authorities remain unaffected. For copies stored on backup media, this period is no longer than 180 (one hundred eighty) days. |
| Real-time location (active work) | Real-time location data are transmitted during the task; the last known location associated with the task is stored. After the task is completed, these location data are retained for a maximum of 24 (twenty-four) months in association with the task/operation record; at the end of this period, they are deleted or anonymized. |
| Location history during the shift | Location data collected during the shift are retained for 24 (twenty-four) months; they are deleted or anonymized once the purpose of processing no longer applies or the retention period expires. |
| Profile and vehicle photos | They are retained as long as the account remains active. Following the deletion of the account, these are removed within no later than 90 (ninety) days, including technical processes within the storage and distribution infrastructure. |
| Error logs | Logs generated by the application error tracking service (Sentry) are retained for the duration specified by the retention setting in effect for that date in the relevant project; based on the current configuration, this period is generally up to 90 (ninety) days, and this Policy will be updated if the duration changes. |
| U-ETDS records | Data processed under the U-ETDS are stored for the periods specified in the Road Transport Code and relevant secondary legislation. |
7. Data Security
The following technical measures are taken to ensure the security of your personal data:
- All data transmission between the application and our servers is conducted over an encrypted connection (HTTPS/TLS).
- Turkish ID numbers are stored encrypted (at-rest encryption) on our servers.
- Session information is stored in the device's operating system's secure storage (iOS Keychain / Android Keystore).
- Photos are uploaded only via secure links that allow access only to authorized users.
8. Your Rights
You have the following rights regarding your personal data:
- 1. Learning whether your personal data are processed or not, and how they are processed
- 2. Requesting the rectification of data processed incompletely or inaccurately
- 3. Requesting the erasure or destruction of your personal data
- 4. Learning the third parties to whom your data are transferred
- 5. Objecting to the processing of your personal data
- 6. Requesting compensation for the damage you suffer arising from the unlawful processing of data
To delete your account and data: You can submit a request from the Account > Profile section within the application.
For other applications:
Name and Surname :
E-Mail :
Phone :
Your applications submitted to the company's email address [email protected] after filling out the information above will be responded to within no later than 30 (thirty) days. You also have the right to file a complaint with the Personal Data Protection Board.
9. Policy Updates
This Privacy Policy may be updated as necessary and as required by applicable laws, subject to the limitations imposed by such laws. In case of important amendments, the users shall be informed via in-app notifications and/or email. The updated policy shall always be published on the Privacy Policy page.
10. Applicable Legislation and Governing Law
This policy is governed by Turkish law and is prepared in accordance with all relevant legislations, notably the Personal Data Protection Law and the Turkish Code of Obligations. Turkish courts shall have jurisdiction over all disputes arising from this policy, and the Istanbul (Central) Caglayan Courts and Enforcement Offices are hereby designated as the competent authorities.
