Work&Meal

KVKK Disclosure Notice

Last updated: June 16, 2026 · Version: 2026.06.17.1

KVKK disclosure notice for Work&Meal website visitors and application users.

This English page is a support translation. The Turkish legal text prevails in case of inconsistency.

1. Data controller

The data controller is POİEX TEKNOLOJİ LİMİTED ŞİRKETİ. Contact details are available on the Company Information page.

Who is the controller for employee data?

POİEX, not your employer, is also the independent data controller for personal data of employees who use Work&Meal. POİEX determines the purposes and means of processing employee data under KVKK Article 3 in its own name. Your employer runs a separate service relationship through Work&Meal and acts as its own controller only for its own processes. KVKK Article 11 requests concerning employee data on Work&Meal are addressed directly to POİEX through the channel listed in section 4.

2. Data subjects and categories

Work&Meal processes data relating to website visitors, company admins, employees, Seller (food-service seller) admins, prospects, support contacts, privacy-rights requesters, and system operators. Categories include identity, phone number, email address, role, organization, meal selections, delivery and billing records, invoice legal name, tax identifier, tax office, billing address, Seller payout IBAN, food business registration number and verification status, the Seller’s verification documents (tax certificate and food business registration certificate, stored privately and not disclosed to companies), invoice evidence, settlement/collection/payout references, support and privacy request messages, verification and response records, feedback (including an optional free-text note on a dish review shared with the Seller, shown back to the author but not to company admins), in-app product feedback about the application itself (with the screen it was sent from, the app version, and the interface language), uploaded avatars, organization logos, dish images, cookie choices, device data, backup records, cron monitoring metadata, diagnostic events, and security logs.

3. Purposes, legal basis, and transfers

Data is collected electronically through the website, app, OTP flow, organization actions, image uploads, support messages, privacy-rights requests, business email, and system logs. Processing is based on contract performance, pre-contractual steps, legal obligation, legitimate interest in customer support, security, service reliability, and explicit consent for optional analytics cookies.

The activity-level mapping is: website and cookie preferences rely on necessary service operation or explicit consent for Microsoft Clarity; authentication/session records rely on contract establishment/performance and account-security legitimate interest; meal operations and feedback rely on service performance and service-quality legitimate interest; voluntary in-app product feedback relies on the legitimate interest in improving the application and is visible only to the POİEX internal team (notification email via Google Workspace, including the submitter’s name and phone number so the team can follow up when a response is needed), never to company admins or Sellers; billing, collection, and Seller payout settlement rely on contract performance and legal obligation; Seller verification (food business registration via GGBS and taxpayer status via GİB) relies on contract performance, legal obligation, and marketplace-trust legitimate interest; media uploads rely on service performance and operation; support and privacy requests rely on pre-contractual steps, contract performance, legal obligation, and customer-support legitimate interest; backups, cron monitoring, and diagnostics rely on service continuity, security, and legal obligations where records must be kept.

Data may be shared with company admins, Sellers, hosting and security providers, object storage and backup providers, business email providers, SMS providers, cron-monitoring providers, error-monitoring providers, analytics providers, accounting, legal, and public-authority recipients when necessary. Current processors include Hetzner, Cloudflare, Cloudflare R2, Google Workspace, Sentry, Healthchecks.io, Microsoft Clarity, Vatansms, and Paraşüt (e-invoicing/accounting). See Sub-processors for the current full list.

All listed processors except Vatansms and Paraşüt operate outside Turkey, which triggers a cross-border transfer; Vatansms and Paraşüt are based in Turkey. The KVKK Article 9 safeguards (Board adequacy decision, Standard Contractual Clauses notified to the Board within 5 business days, written undertaking, or Binding Corporate Rules) are currently being put in place for the affected processors.

Sellers (food-service sellers) receive only an operational subset: daily headcount, menu assignments, bulk-order line items, delivery location, and the minimal name needed for an employee to find their own meal on the delivery label. As a rule the label shows only the first name; where two people in the same delivery share a first name, the smallest part of the surname needed to tell them apart is added (a single letter in the common case; data minimization). The employee’s full surname, phone number, and email address are not shared with Sellers.

The QR code on the delivery label contains an unguessable, unique link to that meal’s info page. The page opens without login for whoever holds the link (e.g. by physically seeing the label); the personal data it shows is no more than what is already printed on the label (first name, that day’s meal selection, the Seller’s name, date, and delivery time), and it additionally shows the dishes’ declared food information (description, allergens, dietary tags, special warnings, and energy — product information, not personal data). The same page allows a one-time rating of the meal for 24 hours after delivery; it contains no price, phone number, or other contact details.

The QR on the box label of a bulk-ordered meal works the same way; that page shows no employee identity — only the ordering company’s name and that day’s dishes — and allows one rating per box without login. A bulk-box rating is linked to no person, so it carries no personal data and no identity link to erase under KVKK Article 7.

So that the Seller can issue the food invoice, the billing identity of the company it is actively linked to (legal name, tax identifier, tax office, billing address) is disclosed to that Seller; the intermediation invoice and collection run through POİEX. Once a Seller’s verification is complete, its seller identifying information (trade title and tax identifier/VKN) is shown publicly on the marketplace and to actively linked client companies in the app, as required by the seller-transparency obligation under Law No. 6563 and Article 5 of the E-Commerce Regulation; the Seller’s food business registration number remains internal compliance data and is not disclosed to clients.

4. Account deletion

The in-app “Delete my account” flow (or a written KVKK Article 7 request) erases your name, phone, profile image, and the technical fields on consent records (IP, device). Active memberships end, in-progress (pre-deadline) meal selections are dropped, and the phone is freed for re-registration. Past meal selections, bulk orders, ratings, and billing-tied records are retained with the identity link cut, for the statutory retention period required by VUK m. 253 and TBK m. 146 — they appear as “Anonymous user” in per-person historical views; aggregate billing, headcount, and quality figures are unaffected. Free-text in-app product feedback is not anonymized — because the text itself could identify you, it is deleted outright on account deletion; the free-text note on a dish review is likewise scrubbed on deletion, while the structured star rating is retained anonymized.

If you are the sole active admin of an organization, deletion may be refused until another admin is appointed. This is a procedural prerequisite, not a refusal of the KVKK Article 7 right.

5. Rights

KVKK Article 11 requests can be sent to privacy@worknmeal.com. The right of access and portability can also be exercised in-app via “Download my data”.
