Privacy Policy

TakiPlus ("we", "the Platform") values your privacy. This Privacy Policy explains, in accordance with Turkish Law No. 6698 on the Protection of Personal Data (KVKK) and EU Regulation 2016/679 (GDPR), what personal data we collect, why we process it, with whom we share it, and how you can exercise your rights.

This notice is published under KVKK Art. 10 information-duty and does not constitute legal advice.

TakiPlus — currently operated by a natural person; upon corporate registration, trade name, MERSİS number and registered address will be added here.

• Privacy contact: gizlilik@takiplus.com
• VERBİS registration: to be completed if thresholds are exceeded; registration number will be published here.

We process the following categories of personal data for identity, account management, and anti-abuse purposes:

• Telegram identity (TMA users): telegramId, first/last name, username, photo URL, language code, premium flag — provided by Telegram.
• Google identity (web OAuth): googleSub (opaque stable id), verified email, name, optional photo — received via OIDC ID token.
• Apple identity (web OAuth — forthcoming): appleSub, email.
• Email sign-up: normalised email, argon2/scrypt password hash, first name.
• Phone number: E.164 format stored after OTP verification via NetGSM (Turkey) or Twilio (international).
• Device fingerprint: opaque ThumbmarkJS hash — used for anti-abuse (max 2 accounts per device, 3 on Safari/ITP).
• IP event ledger: hashed IP (SHA-256 with server salt) + event kind (signup/login/otp) + country code + user agent. Raw IPs are never persistently stored.
• Signup IP / country: one-time raw IP + ISO-2 country captured at signup for diagnostics only.
• Trust tier: trusted | verified | low | blocked — computed heuristically, overridable by admin.
• Activity metrics: active-day count, organic coins earned, last active day.
• Usage data: spins, streak days, chest openings, task completions, mini-game results, SMM orders (target URL + service + quantity), chat messages, invite-link shares.
• Financial data: Telegram Stars purchases (tracked by Telegram), coin transaction ledger (internal).
• Third-party survey data: User.id + language preference shared with survey partners when a user opens a survey. Answers given inside the survey belong to the partner (see below).

• Directly from you: sign-up and profile forms.
• Telegram: initData (TMA) or Login Widget (web).
• OAuth providers: Google, Apple (forthcoming).
• Device / browser: ThumbmarkJS fingerprint, User-Agent, IP from HTTP headers.
• Partner networks: server-to-server (S2S) callbacks from BitLabs / TheoremReach upon survey completion.

• Contract performance: service delivery, SMM order fulfilment, coin ledger accounting.
• Legitimate interest: fraud and multi-account detection (fingerprint + IP), product analytics, security logging.
• Consent: device fingerprint collection (via KVKK banner); marketing communications.
• Legal obligation: tax retention for Stars purchases, security incident reporting.

• Account + service delivery → contract performance (Art. 5/2-c)
• Anti-abuse + security → legitimate interest (Art. 5/2-f)
• Device fingerprint, marketing → explicit consent (Art. 5/1)
• Financial retention → legal obligation (Art. 5/2-ç)

• Contract (Art. 6(1)(b)) — account setup, SMM fulfilment.
• Consent (Art. 6(1)(a)) — device fingerprint, marketing.
• Legitimate interests (Art. 6(1)(f)) — anti-fraud, security logs.
• Legal obligation (Art. 6(1)(c)) — financial/tax retention, incident reporting.

We share data with the following processors, each governed by its own privacy policy:

Some of our processors are located outside Türkiye (USA, Germany, UAE). Under KVKK, transfers take place on the basis of contract performance (Art. 5/2-c) where necessary, and explicit consent (Art. 9/1) otherwise. Under GDPR, transfers outside the EEA rely on Standard Contractual Clauses (SCCs) where applicable, or on adequacy decisions / explicit consent.

• Account data: while account is active + 5 years after deletion (commercial/tax retention).
• Phone OTP records: 10-min TTL in Redis + 90-day audit row.
• IP event ledger: 180 days.
• Device fingerprints: while account is active + 1 year for anti-abuse analytics.
• Financial records (Stars purchases): 10 years (tax law).
• Chat messages: soft-deleted immediately on user request, purged after 30 days.

• All traffic encrypted with TLS 1.2+.
• Passwords hashed with argon2/scrypt; never stored in clear text.
• JWT secrets support rotation; session cookies are httpOnly, sameSite=lax, secure.
• IPs stored in the ledger as SHA-256 salted hashes.
• Admin panel protected by HTTP Basic Auth; 2FA is on the roadmap.
• Access logs for critical tables.

Under KVKK Art. 11, you have the right to:

• Learn whether your data is being processed
• Request information about the processing (purposes, transfers, sources)
• Request correction of inaccurate or incomplete data
• Request deletion/destruction per applicable law
• Request notification of corrections/deletions to third parties
• Object to decisions resulting from automated analysis that produce adverse effects
• Seek compensation for damage caused by unlawful processing

Under GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), complaint to a supervisory authority.

Exercise your rights by emailing gizlilik@takiplus.com. Response time: 30 days (KVKK), 1 month (GDPR).

• session — httpOnly JWT cookie, 30 days. Essential for login.
• admin_session — essential for the admin panel.
• tp_did — localStorage; device-id cache (not a cookie).
• tp_kvkk_accepted — localStorage; KVKK banner consent record.
• Ezoic / AdSense cookies — governed by their own policies; consent captured via KVKK banner.

The Service is not directed to users under 18. We do not knowingly collect personal data from minors. If we become aware of such data, we delete the relevant account and records. Parents who suspect their child's data is being processed may contact us at gizlilik@takiplus.com.

We currently do not send marketing emails. Telegram bot notifications are our primary channel; you can opt out via bot commands (e.g. /stop). If email marketing is introduced in the future, it will operate on an opt-in basis with an easy unsubscribe link in every message.

Material changes are announced via in-app notifications and Telegram bot messages. The last-updated date is shown at the top of this page.

Privacy requests: gizlilik@takiplus.com

General support: destek@takiplus.com

KVKK complaints: kvkk.gov.tr
GDPR complaints: data protection authority of your EU member state of residence.