Privacy Policy
How Work&Meal processes personal data, shares it with processors, and stores it.
This English page is a support translation. The Turkish legal text prevails in case of inconsistency.
1. Controller
The data controller for Work&Meal services is POİEX TEKNOLOJİ LİMİTED ŞİRKETİ. Company contact details are listed on the Company Information page.
Who is the controller for employee data?
POİEX is also the independent data controller for personal data of employees who use Work&Meal — not your employer. POİEX determines the purposes and means of processing employee data under KVKK Article 3 in its own name. Your employer runs a separate service relationship through Work&Meal and acts as its own controller only for its own processes. KVKK Article 11 rights concerning employee data on Work&Meal are exercised directly against POİEX at kvkk@worknmeal.com.
2. Data we process
We process the following data: account and role data; phone-based login records; meal selections; cancellation and bulk-order records; delivery and billing-period data; invoice legal name; tax identifier; tax office; billing address; Seller payout IBAN; food business registration number and verification status; the Seller’s two verification documents (tax certificate and food business registration certificate), which, like the food registration number, are Seller compliance data stored in a private bucket, read only by our reviewer via short-lived links, and not disclosed to companies; invoice evidence; settlement/collection/payout references; support and privacy-rights messages; ratings; feedback (including an optional free-text note on a dish review that is shared with the Seller and shown back to you in your own history, but never to company admins; because the note text can identify you, you are told it is shared with the Seller before you write it); in-app product feedback you submit about the application itself (together with the screen it was sent from, the app version, and the interface language; forwarded only to the POİEX internal team with your name and phone number so we can follow up if needed); uploaded avatars, organization logos, dish images; language and cookie preferences; backup records; cron monitoring metadata; masked diagnostic events; and opt-in analytics data.
3. Purposes and processors
Data is used for secure login, corporate meal coordination, headcount, delivery, invoicing, collection, Seller payout settlement, support, privacy-rights handling, service quality, media storage, backup and disaster recovery, security, cron monitoring, error monitoring, and optional analytics. Current starter processors include Hetzner, Cloudflare, Cloudflare R2, Google Workspace, Sentry, Healthchecks.io, Microsoft Clarity, Vatansms, and Paraşüt (e-invoicing/accounting). See Sub-processors for the current full list and the KVKK Article 9 transfer mechanisms.
Company admins access the operational data of their own company (headcount; employee selections, including the specific dishes each member chose for the day, never the price; name/phone; billing records). Sellers (food-service sellers) receive only the operational data needed to produce and deliver the meal: daily headcount, menu assignments, bulk-order line items, delivery location, and the minimal name needed for an employee to find their own meal on the delivery label. As a rule the label shows only the first name; where two people in the same delivery share a first name, the smallest part of the surname needed to tell them apart is added (a single letter in the common case; data minimization). The employee’s full surname, phone number, and email address are not shared with Sellers.
The QR code on the delivery label contains an unguessable, unique link to that meal’s info page; the page opens without login for whoever holds the link, shows no more personal data than what is already printed on the label (first name, that day’s meal selection, the Seller’s name, date, and delivery time) plus the dishes’ declared food information (description, allergens, dietary tags, special warnings, energy; product information, not personal data), and allows a one-time rating of the meal for 24 hours after delivery. It contains no price, phone number, or other contact details.
The QR on the box label of a bulk-ordered meal works the same way; that page shows no employee identity, only the ordering company’s name and that day’s dishes, and allows one rating per box without login. A bulk-box rating is linked to no person, so it carries no personal data and no identity link to erase.
So that the Seller can issue the food invoice, the billing identity of the company it is actively linked to (legal name, tax identifier, tax office, billing address) is disclosed to that Seller; the intermediation invoice and collection run through POİEX. Once a Seller’s verification is complete, its seller identifying information (trade title and tax identifier/VKN) is shown publicly on the marketplace and to actively linked client companies in the app, as required by the seller-transparency obligation under Law No. 6563 and Article 5 of the E-Commerce Regulation; the Seller’s food business registration number remains internal compliance data and is not disclosed to clients.
The main legal-basis groups are: OTP/session records for account access and security under contract and legitimate interest; meal, delivery, headcount, and feedback records for service performance and quality; support/demo messages for pre-contractual requests, contract performance, and customer-support legitimate interest; privacy-rights request records for legal obligation; and media uploads, backups, and diagnostics for service operation, security, and continuity.
Some infrastructure, storage, business email, monitoring, and analytics providers operate outside Turkey, primarily in Germany, the United States, and Latvia. The KVKK Article 9 cross-border safeguards (Board adequacy decision, Standard Contractual Clauses notified to the Board within 5 business days, written undertaking, or Binding Corporate Rules) are currently being put in place for the affected processors. This page and the company’s records will be updated as each safeguard is recorded.
4. Retention
Retention depends on purpose: refresh sessions last 7 days, cookie consent lasts 6 months, language preference lasts 1 year, error/replay diagnostics last 90 days, private database backups rotate after 30 days, cron monitoring records remain for the active service account and may remain in provider backups for up to 2 months, Clarity analytics may last up to 13 months, support records and in-app product feedback are retained for the active customer period plus 2 years unless tied to legal or billing records, and invoice/legal records are retained for 10 years. Uploaded images remain until replaced, deleted, or no longer needed for the active service relationship.
5. Account deletion and what is kept afterwards
The in-app “Delete my account” flow (or your written KVKK Article 7 request) erases your name, phone number, profile image, and the technical fields on consent records (IP address, device). Active sessions are revoked and active memberships are ended. Your phone is replaced with an anonymous sentinel so the original number can be reused for re-registration.
Past meal selections, bulk orders, ratings, and billing-related records are retained — with the identity link cut — for the statutory retention period required by Vergi Usul Kanunu m. 253 and Türk Borçlar Kanunu m. 146. They appear as “Anonymous user” in any per-person historical view; aggregate billing, headcount, and quality analytics are unchanged. Consent records’ existence and timestamps are retained for audit; personal fields are scrubbed. Free-text product feedback you submitted about the application is not anonymized — because the text itself could identify you, it is deleted outright when the account is deleted.
If you are the sole active admin of an organization, the deletion may be refused until another admin is appointed. This is not a refusal of your KVKK Article 7 right; it is a procedural prerequisite to protect other users’ access to a paid service.
6. Contact
Privacy questions and data protection rights requests can be sent to privacy@worknmeal.com.