Legal

Privacy Policy

Last updated: April 7, 2026

1. Controller

The controller responsible for data processing on this website is:

Atilla Kuruk
Antalya, Turkey
Email: info@smile-antalya.com

2. Data We Collect

We collect the following data when you use our website:

2.1 Contact Form Data

When you submit our contact form or send us a WhatsApp message, we collect:

  • Name
  • Email address
  • Phone / WhatsApp number
  • Desired treatment
  • Budget range (optional)
  • Preferred timeframe (optional)
  • Your message (optional)
  • Interface language and the page URL you submitted from
  • A short one-way hash of your IP address (8 bytes of SHA-256, salted) — used only for rate-limit and de-duplication, cannot be reversed to the original IP
  • Country code (from Cloudflare, e.g. "DE", "AT") — never a precise location

Purpose: To provide you with a personalized treatment plan and connect you with dental clinics in Antalya, and to prevent form abuse.

Legal basis: Your consent (Art. 6(1)(a) GDPR) and pre-contractual measures (Art. 6(1)(b) GDPR). The abuse-prevention hash is based on legitimate interest (Art. 6(1)(f) GDPR).

Storage: Inquiries are stored in our Cloudflare D1 database located in the EU.

Retention: Contact data is stored for up to 12 months after your last interaction, then deleted.

2.2 Patient Review Submissions

If you submit a review of a clinic via our review form (/reviews/), we process the following data:

  • Your name (we publish only the first name + last-name initial, e.g. "Sarah M.")
  • Clinic name and treatment type
  • Rating (1–5 stars) and review text
  • Language of submission and the source page
  • Short IP hash (same construction as 2.1) and country code
  • Optional: a photo you choose to upload (see 2.3)

Purpose: To help other users make informed decisions and to moderate submissions (spam, abuse).

Legal basis: Your consent (Art. 6(1)(a) GDPR). You can withdraw consent and request deletion at any time by emailing info@smile-antalya.com.

Moderation: All reviews are held as "pending" until manually approved. Rejected submissions are deleted.

Retention: Approved reviews remain published until you request removal. Rejected reviews are deleted within 30 days.

2.3 Photos Uploaded with Reviews (sensitive data)

Photos of teeth or treatment results are considered health data under Art. 9 GDPR and require your explicit consent. We therefore:

  • Only accept a photo if you actively tick the "I consent to the publication of this photo" checkbox in the review form
  • Store the photo in Cloudflare R2 object storage under a random, unguessable key
  • Only display a photo on the site after it passes manual moderation AND the consent flag is set
  • Delete the photo from R2 the moment you (or we) delete the review

Legal basis: Explicit consent (Art. 9(2)(a) GDPR). You can withdraw this consent at any time by emailing info@smile-antalya.com and we will remove the photo within 7 days.

Note: You do not need to upload a photo to submit a review. Reviews without photos are equally welcome.

2.4 Server Log Data

Our hosting provider (Cloudflare, Inc.) automatically processes:

  • IP address (used transiently by Cloudflare for DDoS protection, then discarded)
  • Browser type and version
  • Operating system
  • Referring URL
  • Date and time of access

Purpose: Security, performance optimization, and abuse prevention.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

Retention: Raw request logs are retained by Cloudflare for a short period as described in their privacy policy. We do not store raw IP addresses ourselves — only the short hash described in 2.1/2.2.

3. Third-Party Services

3.1 Google Analytics (GA4) — opt-in only

We use Google Analytics 4 (Measurement ID: G-Z7SVNXHVZT) to understand how visitors use our website, but only after you click "Accept analytics" in the cookie banner. If you click "Decline" or ignore the banner, no GA script is loaded and no GA cookies are set.

When enabled, Google Analytics collects:

  • Pages visited and time spent
  • Traffic sources (how you found us)
  • Device type, browser, and screen resolution
  • Approximate geographic location (country/city level)

We enable IP anonymization (anonymize_ip: true). Data is processed by Google LLC. See Google's Privacy Policy and opt out of Google Analytics.

Purpose: Website performance analysis and content optimization.

Legal basis: Your consent (Art. 6(1)(a) GDPR, § 25(1) TTDSG).

Retention: 14 months. You can withdraw consent at any time by clearing cookie-consent from your browser storage and choosing "Decline" on your next visit.

3.2 Cloudflare

This website is hosted on Cloudflare Workers, with data stored in Cloudflare D1 (SQLite) and Cloudflare R2 (object storage). Cloudflare processes data as described in their Privacy Policy. Cloudflare is certified under the EU-US Data Privacy Framework.

3.3 Google Fonts

We use Google Fonts for typography. When you visit our site, your browser downloads font files from Google servers. Google may process your IP address. See Google's Privacy Policy.

3.4 WhatsApp

Our website contains links to WhatsApp (Meta Platforms, Inc.). When you click a WhatsApp link, you are redirected to the WhatsApp application. Data processing is governed by WhatsApp's Privacy Policy.

4. Cookies & Local Storage

This website uses the following storage:

  • cookie-consent (localStorage) — Stores your choice: accepted or declined. Essential, no expiry. Set by us, never shared.
  • _ga (Google Analytics) — Only set if you chose "Accept analytics". Distinguishes unique visitors. Expires after 2 years.
  • _ga_Z7SVNXHVZT (Google Analytics) — Only set if you chose "Accept analytics". Maintains session state. Expires after 2 years.

We do not use advertising cookies, cross-site tracking pixels, or sell data to third parties.

5. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR) — request a copy of your data
  • Right to rectification (Art. 16 GDPR) — correct inaccurate data
  • Right to erasure (Art. 17 GDPR) — request deletion of your data, including review photos
  • Right to restrict processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR) — at any time, without affecting prior processing
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

To exercise these rights, contact us at: info@smile-antalya.com. We will respond within 30 days.

6. Data Transfers

Your data may be transferred to servers in the United States (Cloudflare, Google). These transfers are protected by the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs).

7. Data Security

We use SSL/TLS encryption for all data transmissions. Our website implements security headers including Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy to protect against common web vulnerabilities. Admin routes require a bearer token and never cache.

8. Automated Decision-Making

We do not use your data for automated decision-making or profiling under Art. 22 GDPR.

9. Changes to This Policy

We may update this privacy policy from time to time. The current version is always available on this page with the date of the last update.

10. Contact

For questions about data protection, contact us at:
Email: info@smile-antalya.com