Personal Data Retention and Destruction Policy
Publication Date: 01.11.2025
1. Introduction
1.1. Purpose
This Personal Data Retention and Destruction Policy ("Policy") has been prepared to determine the procedures and principles regarding the retention and destruction of personal data processed within the scope of the mobile dating application called "Amore" ("Application") operated by Fayra Media LLC ("Company"), in accordance with the Personal Data Protection Law No. 6698 ("Law" or "KVKK") and the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation").
1.2. Scope
This Policy covers all natural persons whose personal data is processed by the Company, including but not limited to Company employees, employee candidates, Application users (members), visitors and third parties, as well as all recording media in which such data is processed. In particular, special category personal data collected through the Application (sexual life, location data, etc.) falls within the priority protection scope of this policy.
2. Definitions
Recipient Group: The category of natural or legal persons to whom data is transferred.
Destruction: The deletion, destruction or anonymization of personal data.
Recording Medium: Any electronic or physical medium in which personal data is stored.
Periodic Destruction: The destruction process to be carried out ex officio at specified intervals when all processing conditions stipulated in the Law cease to exist.
Special Category Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect, dress, association/foundation/union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
3. Responsibility and Task Distribution
The Personal Data Protection Committee established within the Company is responsible for the preparation, updating, execution and publication of this Policy. The IT department is responsible for the management of data recording systems, conducting penetration tests and implementing technical measures; the Legal and Human Resources departments are jointly responsible for implementing administrative measures.
4. Recording Environments
Personal data is securely stored by the Company in the following environments:
Electronic Environments
Servers (Database, Application Servers), Cloud Systems, Corporate Email Accounts, Document Management Systems, Information Security Devices (Firewalls, Intrusion Detection and Prevention Systems, DLP, etc.).
Physical Environments
Paper-based forms, archive rooms (locked cabinets).
5. Reasons Requiring Retention and Destruction
5.1. Legal and Technical Reasons Requiring Retention
The Company retains personal data for the following purposes and legal reasons: Fulfillment of obligations arising from legal regulations, primarily Law No. 6698, Law No. 5651 on the Regulation of Publications on the Internet, Law No. 6563 on the Regulation of Electronic Commerce, and the Turkish Penal Code. Performance of the Amore Application membership agreement and uninterrupted provision of services. Serving as evidence in potential future legal disputes (burden of proof). Ensuring information security and preventing malicious use.
5.2. Reasons Requiring Destruction
In the following cases, personal data is deleted, destroyed or anonymized upon the request of the data subject or ex officio by the Company: Cessation of legal or contractual reasons requiring processing. Withdrawal of explicit consent by the data subject (especially for special category data and marketing-purpose data). Acceptance of the deletion request made under Article 11 of the Law by the Company, or a decision by the Board ordering deletion. Expiration of the retention period and absence of any legitimate interest.
6. Technical and Administrative Measures
The Company takes the following measures to ensure data security pursuant to Article 12 of the Law:
6.1. Technical Measures
Penetration Testing and Auditing
Regular penetration tests and vulnerability scans are conducted on IT systems. Identified vulnerabilities are promptly remediated.
Access Logs and DLP
All system activities (access logs) are monitored and stored in a tamper-proof manner. Data Loss Prevention (DLP) systems are used to prevent unauthorized extraction of sensitive data (especially user lists, message contents) outside the company.
Cryptographic Protection
Passwords of Amore Application users, special category personal data such as sexual preferences and health information, and sensitive location data are stored using cryptographic methods (encryption).
Access Authorization Matrix
Employee access to data is limited to their job descriptions. The "need-to-know" principle is applied. Access rights of employees whose authorization is revoked are immediately terminated.
Cybersecurity
Up-to-date antivirus, Web Application Firewall (WAF) and intrusion detection systems are active 24/7. IP restrictions and account lockout mechanisms are in place against attacks such as brute force password spraying.
6.2. Administrative Measures
Separate Disclosure and Consent
Privacy Policy, Disclosure Notice and Explicit Consent declarations are presented as separate documents. Consent processes are linked to active approval mechanisms (opt-in) to prevent users from bypassing with the "Accept" button.
Employee Training
Regular training on KVKK, data security and cyber attack awareness is provided to all employees.
Confidentiality Commitments
Confidentiality agreements are signed with employees and data processing suppliers.
Data Breach Response Plan
Procedures have been established to ensure notification to the Board and data subjects within 72 hours at the latest from the detection of a potential data breach.
7. Personal Data Destruction Techniques
7.1. Deletion
Data stored on servers or in electronic media is rendered completely inaccessible and unusable for the relevant users. In deletion operations performed with database commands (DELETE), the data is overwritten (wiping) to ensure it cannot be recovered. "Blacklisting" or merely hiding from the interface is not accepted as destruction; the data is completely purged from the system.
7.2. Physical Destruction
Data in physical media (paper printouts) is destroyed using paper shredders in a manner that prevents reassembly. Optical and magnetic media are physically destroyed by melting, burning or pulverization methods.
7.3. Anonymization
The process of rendering personal data impossible to associate with an identified or identifiable natural person under any circumstances, even when matched with other data. The Company uses data masking and aggregation methods for statistical analyses.
8. Retention and Destruction Periods
| Data Category | Retention Period | Destruction Period/Method | Legal Basis |
|---|---|---|---|
| Membership Information (Name, Surname, Email) | During membership + 10 Years after membership ends | First Periodic Destruction Period following expiration | TCO, TCC (Commercial dispute statute of limitations) |
| Traffic and Log Records | 2 Years | First Periodic Destruction following expiration | Law No. 5651 |
| Special Category Data (Preferences, Health, etc.) | During membership | Immediately upon membership cancellation or account deletion request | KVKK Art. 6 (Withdrawal of Explicit Consent) |
| Messaging Content | During membership | Immediately upon membership cancellation or account deletion request | KVKK Art. 4 (Proportionality Principle) |
| Cookie Records | Depending on cookie type (Session end or max. 2 years) | Automatic deletion upon expiration | Cookie Policy |
Note: In the event of a legal dispute (lawsuit, investigation), retention periods are extended until the lawsuit/investigation is concluded.
9. Periodic Destruction Period
Pursuant to Article 11 of the Regulation, the Company performs periodic destruction of personal data whose retention period has expired every 6 (six) months. Periodic destruction operations are carried out in June and December of each year.
10. Deletion and Destruction Upon Data Subject Request
Users may request the deletion or destruction of their data by applying to the Company. If processing conditions have completely ceased, the Company concludes the request within 30 (thirty) days at the latest and deletes/destroys the data. If processing conditions continue (e.g., legal obligation), the request may be rejected with an explanation of the reason, and the data subject is notified in writing/electronically. In case of rejection or failure to respond within the deadline, the data subject may exercise their right to file a complaint with the Board.
11. Effective Date and Updates
This Policy becomes effective on the date it is published on the Company's website and within the Application. The Policy is updated in parallel with changes in legal regulations or Company processes. The current version is always accessible to users.
Fayra Media LLC
169 Madison Ave Ste 11534 New York, NY 10016-5101 United States
Perfect Match for You is Here
Join Amore today and start making real connections. Download for free, explore now.
