Privacy Policy

The data controller for the processing activities described in this policy is GRS Roller Sanayi ve Ticaret A.Ş., a company incorporated under the laws of the Republic of Türkiye.

Address: OSB Mh. Platin Sk. No:6, 16140 Işıktepe OSB / Nilüfer, Bursa / Türkiye Phone: +90 224 324 40 72 E-mail: satis@grsroller.com Website: https://www.grsroller.com

When you visit our website, submit a quotation request, contact us or apply for a job, we may process the following categories of personal data:

• Identity data: first name, last name, job title
• Contact data: e-mail address, phone number, company name, country/city
• Customer transaction data: quotation requests, product specifications, correspondence
• Marketing and communication data: newsletter preferences, marketing consents
• Security and audit data: IP address, browser information, visit date and time, log records
• Cookie data: session and preference cookies, analytics and marketing cookies (see also our Cookie Policy)
• Recruitment data: CV, education and work experience (for job applicants only)

We process your personal data for the following purposes:

• Responding to quotation and information requests; establishing and managing the commercial relationship
• Concluding contracts, preparing orders, managing shipping and after-sales support
• Fulfilling our legal, tax, accounting and export obligations (invoicing, customs documents)
• Measuring website performance and improving user experience
• Sending marketing communications (newsletters, announcements) where you have given your explicit consent
• Information security, fraud prevention and maintaining log records
• Evaluating job applications and running our HR processes

We process your personal data relying on the following legal bases under KVKK Articles 5 and 6 and GDPR Article 6:

• Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract (KVKK 5/2-c; GDPR 6/1-b)
• Processing is necessary for compliance with a legal obligation to which we are subject (KVKK 5/2-ç; GDPR 6/1-c)
• Processing is necessary for the establishment, exercise or defence of legal claims (KVKK 5/2-e; GDPR 6/1-f)
• Processing is necessary for our legitimate interests, provided such interests are not overridden by your fundamental rights (KVKK 5/2-f; GDPR 6/1-f) — e.g. security, fraud prevention
• You have given your explicit consent (KVKK 5/1; GDPR 6/1-a) — e.g. marketing messages, optional cookies

Your personal data may be shared, within the purposes stated above and subject to appropriate safeguards, with the following categories of recipients:

• Hosting, cloud infrastructure and IT service providers
• E-mail delivery and customer communication platforms
• Web analytics and performance monitoring services (e.g. Google Analytics)
• Logistics, customs, freight and insurance providers (for international shipments)
• Legal, tax and financial advisors (lawyers, independent auditors, accountants)
• Public authorities and institutions, where required by law

GRS Roller does not sell your personal data to any third party for marketing purposes.

Some of our cloud and analytics providers may host data in the European Union or other jurisdictions. International transfers are carried out in accordance with KVKK Article 9 and GDPR Chapter V, based on appropriate safeguards such as adequacy decisions, EU Standard Contractual Clauses (SCCs) or your explicit consent. For detailed information about these transfers you can contact us at satis@grsroller.com.

We retain your personal data only for as long as necessary to fulfil the purposes set out above and in line with the maximum periods prescribed by applicable law. Typical retention periods include:

• Quotation and contact requests: duration of the commercial relationship + 10 years (Turkish Commercial Code and Tax Procedure Law)
• Marketing consent records: 3 years from the date of withdrawal of consent
• Website log records: at least 2 years (Law No. 5651)
• Job applications: maximum 2 years after the position is closed

At the end of the retention period, data is destroyed in accordance with the Turkish Regulation on the Deletion, Destruction or Anonymisation of Personal Data.

Under KVKK Article 11 and GDPR Articles 15–22 you have the following rights:

• To learn whether your personal data is being processed
• To request information about such processing if data has been processed
• To learn the purpose of processing and whether data is used in accordance with that purpose
• To know the third parties in Türkiye or abroad to whom the data has been transferred
• To request correction of incomplete or inaccurate data
• To request deletion or destruction of your data ("right to be forgotten")
• To request that correction, deletion or destruction be notified to third parties to whom data has been transferred
• To object to any adverse outcome resulting from automated analysis of your personal data
• To claim compensation for damages suffered due to unlawful processing
• (GDPR) The right to data portability
• (GDPR) The right to withdraw previously given consent at any time

To exercise your rights you may file a request in accordance with the Turkish Communiqué on the Procedures and Principles of Application to the Data Controller. You can contact us through the following channels:

• In writing: sending a wet-signed petition to OSB Mh. Platin Sk. No:6, 16140 Işıktepe OSB / Nilüfer, Bursa / Türkiye
• By e-mail: sending a message to satis@grsroller.com from your registered e-mail address
• KEP (registered e-mail) address: our official KEP address, provided upon request

Your request will be answered, free of charge, within 30 (thirty) days at the latest. Where the transaction incurs an additional cost, a fee set by the Personal Data Protection Authority may be charged.

If your request is rejected, our response is insufficient or we fail to respond within the statutory period, you have the right to file a complaint with the Turkish Personal Data Protection Authority (KVKK Kurulu, www.kvkk.gov.tr). If you reside in the European Union, you may also lodge a complaint with the supervisory authority of your member state.

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of unlawful processing, unauthorised access or loss of your personal data. These measures include access controls, network security, encryption, backups, employee training, confidentiality undertakings and regular security assessments.

This Privacy Policy may be updated from time to time. Material changes will be published on our website and the effective date will be indicated at the top of this page. We recommend that you review the current version regularly.