1. Data Controller
The data controller for this website is Oğuzhan Sert (natural person, Istanbul, Türkiye). For any questions, requests or complaints regarding your personal data, please contact info@oguzhansert.dev. I act as data controller within the meaning of KVKK Art. 3/1-i and GDPR Art. 4(7).
2. Categories of Data Collected
This site is mostly a passive portfolio + blog surface; there is no signup form, comment system or newsletter. Collected data falls into the narrow categories below:
Visitor side (in your browser)
- NEXT_LOCALE cookie — stores your language preference for 1 year.
- cookie-notice-ack localStorage key — records that you dismissed the cookie banner; never transmitted to the server.
Operator side (admin only)
- admin-token cookie — operator authentication on the admin panel (24-hour TTL).
- admin_otps table — admin email (plaintext, lowercased), SHA-256 hash of the 6-digit code, failed-attempt counter (max 5), IP address, browser user-agent (10-minute TTL).
- admin_sessions table — SHA-256 hash of session token, IP, user-agent, last-activity timestamp, revocation timestamp (24-hour TTL).
- audit_log table — admin action records (90-day TTL). Outgoing emails sent through /api/admin/email also record the recipient address and a body preview (up to 100 characters) in this table.
Third party
- Cloudflare's edge keeps connection metadata (IP, request time) under its own retention policy — see cloudflare.com/privacypolicy.
No analytics, advertising or third-party tracking cookies are placed on your device.
3. Processing Purposes and Lawful Bases (KVKK Art. 5 / GDPR Art. 6)
| Data Category | Purpose | Lawful Basis |
|---|---|---|
| NEXT_LOCALE | Correct delivery of language | KVKK 5/2-f / GDPR 6(1)(f) — legitimate interest |
| cookie-notice-ack | Avoid repeating cookie banner | KVKK 5/2-f / GDPR 6(1)(f) |
| admin-token + admin_sessions + admin_otps | Protect admin account | KVKK 5/2-c, 5/2-f / GDPR 6(1)(b), 6(1)(f) |
| audit_log | Auditability of admin actions; KVKK Art. 12 security measure | KVKK 5/2-ç / GDPR 6(1)(c) — legal obligation |
| Cloudflare connection metadata | Technical delivery, DDoS protection | KVKK 5/2-c, 5/2-f / GDPR 6(1)(b), 6(1)(f) |
| Resend / Google Gemini (operator-triggered only) | Admin OTP email, admin text features | KVKK 5/2-c, 9/1 / GDPR 6(1)(b), 49(1)(b) |
4. Data Retention (KVKK Art. 7 / GDPR Art. 5(1)(e))
- admin_otps → 10 minutes (TTL + cron delete)
- admin_sessions → 24 hours (revoke deletes immediately; the cron purges revoked-or-expired in one sweep)
- audit_log → 90 days (cron delete)
- NEXT_LOCALE → 1 year (browser-controlled)
- admin-token → 24 hours (browser-controlled)
- cookie-notice-ack → indefinite (browser-controlled, user can clear)
Cron delete fires daily via /api/admin/cron/purge.
5. International Transfers and Processors
| Processor | Category | Location | Safeguards |
|---|---|---|---|
| Supabase (self-hosted) | Content storage | Hostinger VPS, EU | Self-hosted, JWT auth, RLS |
| Cloudflare | CDN + DDoS | Anycast, US HQ | KVKK 9/1 contract; SCCs |
| Resend Inc. | Operator email | US | Operator OTP only; visitor emails are never sent |
| Google Gemini API | Operator text features | US | Only operator-typed text is sent; visitor data is never sent |
Sentry error tracking is currently disabled; if the operator enables it in the future, this notice will be updated before activation.
6. Your Rights (KVKK Art. 11 / GDPR Art. 15-22)
(a) Right to know whether your personal data is processed, (b) Right to obtain information if it is, (c) Right to know the purpose and whether that purpose is being honored, (d) Right to know third-party recipients in Türkiye and abroad, (e) Right to rectify incomplete or inaccurate data, (f) Right to erasure (right to be forgotten) under KVKK Art. 7 conditions, (g) Right to be informed when (e)/(f) operations are propagated to third-party recipients, (h) Right to object when automated processing produces a result against you, (i) Right to compensation for damages caused by unlawful processing.
Under GDPR you also have the right to data portability (Art. 20) and to lodge a complaint with the supervisory authority of your habitual residence (Art. 77).
7. Contact Channel
To exercise any of the rights above, send an email to info@oguzhansert.dev with the subject line "Privacy Request". Requests are answered free of charge within 30 days. To complain to the Turkish Data Protection Authority: kvkk.gov.tr.
8. Policy Updates
Whenever this notice is changed, the "Last updated" timestamp at the top is refreshed. For significant changes, a banner is shown at the top of the homepage.