KVKK Disclosure Notice

VerifyBlind (hereinafter referred to as "VerifyBlind" or the "Company") acts as a data controller under Law No. 6698 on the Protection of Personal Data ("KVKK"). This notice has been prepared in accordance with Article 10 of KVKK to inform you about your rights regarding your personal data and the principles governing the Company's processing of such data.

1. Identity of the Data Controller

As the data controller, VerifyBlind is a technology company operating in the identity verification field. Contact: [email protected]

2. Our Privacy-Focused Architecture and Data Processing Approach

VerifyBlind is built on an architecture that enables identity verification without exposing your personal data. Your Turkish national ID number (TCKN), full name, date of birth, and biometric data are end-to-end encrypted on your device and transmitted only to an AWS Nitro Enclave.

AWS Nitro Enclave is a hardware-level isolated secure processing environment. No party — including VerifyBlind employees — can access data inside the Enclave; this guarantee is enforced by cryptographic attestation. Your identity data is permanently deleted immediately after being processed for verification inside the Enclave — it is never stored anywhere. The only things we retain are irreversible cryptographic hash (HMAC) values and yes/no verification results.

3. Personal Data Processed

3.1 Data Not Stored in Our System

The following data is processed temporarily in encrypted form within the secure Enclave environment during the verification process; it is immediately and permanently deleted upon completion. It is never stored in any format, logged, or shared with third parties:

• Turkish national ID number (TCKN)
• First and last name
• Date and place of birth
• Biometric data (facial image)
• Identity information read from the NFC chip

3.2 Data Processed as Part of Technical Infrastructure

• Anonymous verification proofs: Cryptographic hash values that cannot be associated with any individual. These values cannot be linked to a person.
• Session data: Short-lived (minute-level) and anonymous session keys.
• Technical log records: IP address, access time, and error logs. This data is retained for 90 days for system security purposes and then deleted.

4. Purposes of Personal Data Processing

• Providing the identity verification service
• Ensuring system security and integrity
• Fulfilling legal obligations
• Improving service quality (with anonymous statistical data)

5. Transfer of Personal Data

Since we do not store your personal data in our system, there is no personal data that could be transferred to third parties. Only Yes/No results such as "verification successful / failed" and "over/under 18" are transmitted to partner websites.

6. Retention Period of Personal Data

Technical log records are retained for 90 days and then automatically deleted. Anonymous verification proofs may be retained for the duration of service requirements; however, it is impossible to derive personal information from these values.

7. Your Rights Under KVKK

Under Article 11 of KVKK, you have the following rights:

• To learn whether your personal data is processed
• If processed, to request information about it
• To learn the purpose of processing and whether it is used in accordance with its purpose
• To know third parties to whom data is transferred domestically or abroad
• To request correction if data is incomplete or inaccurate
• To request deletion or destruction under the conditions specified in Article 7 of KVKK
• To object to results arising against you through automated analysis
• To claim compensation if you suffer damage due to unlawful processing

8. How to Apply

You can submit requests regarding your rights by email to [email protected]. Applications are concluded within 30 days at the latest.

9. Changes

This disclosure notice may be revised in line with regulatory changes or service updates. The current text is always published on this page.