PRIVACY POLICY
Section I: Introduction and Scope
1.1. Purpose, Scope, and Legal Framework of the Policy
This Privacy Policy (“Policy”) defines the commitments of Micromarin Software Inc. (“Micromarin” or “the Company”) regarding the protection and confidentiality of personal data processed through all software products and services (“Platform”) offered to the maritime industry. The Company’s primary objective is to ensure full compliance, as a data controller, with the Personal Data Protection Law No. 6698 (KVKK) and related secondary legislation. This compliance framework also incorporates the fundamental principles of international standards such as the European Union General Data Protection Regulation (GDPR), including transparency, purpose limitation, proportionality, and accountability, in order to serve Micromarin’s global clientele.
The data subjects covered by this Policy are all natural persons who use the Platform services, including customer personnel, seafarers (crew), job applicants, suppliers, and Platform users. This Policy aims to establish a global data privacy standard by addressing not only the requirements for protecting the data of EU citizens but also those outside the EU.
1.2. Software as a Service (SaaS) Architecture and the Distinction of Micromarin’s Legal Roles
As a Software as a Service (SaaS) provider, Micromarin assumes two distinct legal roles in the personal data processing lifecycle: Data Controller and Data Processor. This distinction is crucial for clarifying the responsibility matrix, particularly in ERP platforms where complex operational processes of maritime companies are managed.
Micromarin’s role as Data Controller applies in situations where the Company determines, alone or jointly with others, the purposes and means of processing personal data. These activities generally relate to ensuring the operational security, performance, and marketing of the Platform. Examples include processing data such as IP addresses, session logs, device information, transaction security details, and call center recordings from support processes directly initiated with Micromarin. Additionally, data collected through non-essential analytics cookies and advertising/targeting cookies are processed under this role, subject to the consent of the data subjects.
Micromarin’s predominant role, however, is that of Data Processor. This role covers all cases where Micromarin processes data on behalf of and in accordance with the written instructions of its client maritime companies (the actual Data Controllers). All personnel data maintained within ERP modules that relate to the client’s core business processes—such as payroll, crew management, travel planning, and certificate tracking—fall under this category. The purposes and legal bases for processing this data are entirely determined by the Client (Data Controller). Micromarin performs only technical management and storage activities on these data.
The importance of this distinction lies in the allocation of responsibilities. Under Article 82 of the GDPR, if multiple controllers or processors are involved in the same unlawful processing activity, each party may be held jointly and severally liable for the entire damage. Therefore, as long as Micromarin remains solely in the Processor role, the Client Data Controller is responsible for the adequacy of the purposes and legal bases for processing any special categories of data (such as seafarers’ health data) uploaded to the system. Micromarin, on the other hand, assumes absolute technical responsibility for ensuring the security and accessibility of these data.
| Data Category | Micromarin’s Legal Role | Scope of Responsibility | Data Source |
|---|---|---|---|
| Customer/Crew Data (Payroll, Certificates, Health) | Data Processor | The purposes and means of processing are determined by the Customer. | Customers (Ship Operators) |
| Platform User/Membership Information (Login, IP, Session, Cookies) | Data Controller | The purposes and means of processing are determined by Micromarin (Security, Performance, Marketing). | Directly from the Data Subject |
Section II: Collected Data
2.1. Data You Provided
Account and Profile Information: To create an account, you must provide your name, email address, date of birth, and password. You can decide which information appears on your profile, for example basic identity details, address and contact information, educational background, work experience, skills, profile photo, city or region of residence, and physical attributes. Completing these fields is optional; however, a complete profile makes it easier for employers to find you and match you with suitable job opportunities. Sharing sensitive information and whether it is publicly visible is entirely under your control. It is recommended that you do not add or share personal data you wish to keep private. Creating a complete profile allows you to make the most effective use of the opportunities offered by our platform.
Content You Provide Through Our Products: When you share content on the Platform, upload a résumé, or apply for a job through the Platform, we collect the personal data you provide, share, or upload. Publishing or uploading your personal data is entirely your choice; if you choose not to do so, your ability to connect and interact through the Platform may be limited.
2.2. Data We Collect Automatically
We collect information about the computer, phone, tablet, or other devices you use to access the Platform. This includes your connection type and device settings when you access or use the services. We also record data such as operating system, browser type, IP addresses, and device identifiers. To improve your service experience, we may determine an approximate location based on your IP address or country preference. The amount of data collected depends on the type of device you use and your device settings.
2.3. Cookies and Other Technologies
Micromarin’s Platforms use cookies and similar tracking technologies to improve user experience and ensure operational security. This Policy adopts international consent standards that prioritize transparency and user choice.
- Strictly Necessary Cookies: Used to perform essential functions such as maintaining sessions, preventing fraud, ensuring security, and load balancing. These cookies may not require explicit consent, and their legal basis is generally the performance of a contract (KVKK Art. 5/2-c) or legitimate interest (KVKK Art. 5/2-f).
- Functionality, Performance/Analytics, and Advertising/Targeting Cookies: These cookies (language preferences, visitor statistics, personalized campaigns) are not essential and therefore always subject to the explicit consent of the data subject. Micromarin undertakes that these cookies will not be activated without obtaining explicit consent.
- Micromarin provides a visible cookie management panel at the time of visit. This panel includes “Accept,” “Reject,” and “Preferences” options in a balanced manner to allow users to freely express their choices. Consent is not pre-selected for non-essential cookies, and the process for withdrawing consent is as easy as giving it. Furthermore, Micromarin does not implement a “Cookie Wall” that unnecessarily conditions access to services on cookie acceptance.
2.4. Special Categories of Data and Processing Purposes
Due to the unique requirements of international ship operations and crew safety, the maritime industry frequently processes Special Categories of Personal Data (SCPD) as defined in Article 6 of the Personal Data Protection Law (KVKK). Micromarin’s ERP system manages this sensitive data on behalf of its clients and supports compliance with international regulations.
Special Categories of Data processed on the Platform by Micromarin include:
- Health and Special Category Personal Data: Fitness for boarding, health visa dates, blood type, vaccination details, disability status, drug/substance (narcotics) test results, and psychometric test results. These data are critical for meeting Occupational Health and Safety (OHS) requirements and verifying the ability of crew members to work on international voyages.
- Legal and Military Status: Judicial records and military service information. These data are processed to meet security and compliance requirements in international companies, particularly for mandatory security checks under the ISPS Code (International Ship and Port Facility Security Code).
- Professional Information and Qualifications: Verification of STCW (Standards of Training, Certification, and Watchkeeping for Seafarers) and other international maritime certificates.
Additionally, Micromarin processes appearance-based personal data such as physical attributes and habits (height, weight, uniform size, hair color, eye color, smoking habits, tattoos, scars) for purposes related to uniform provision and health/safety requirements for ship personnel.
2.5. Legal Grounds for Processing Special Categories of Data and the Principle of Proportionality
Although the processing of special categories of personal data generally requires the explicit consent of the data subject (KVKK Art. 6/2), strict national and international obligations in the maritime and occupational health sectors necessitate certain legal exceptions.
Health Data Processing Exception: Under KVKK Article 6/3, health data may be processed without the explicit consent of the data subject by authorized persons bound by confidentiality obligations (such as workplace physicians or occupational health personnel) for the purpose of protecting public health. As a Data Processor, Micromarin ensures that these data are stored in the ERP system on behalf of its clients in compliance with this legal basis (e.g., maintaining occupational health and safety records).
Sectoral Necessity and Proportionality: Professional qualifications and certain identity data are processed under KVKK Art. 5/2-c (establishment/performance of a contract) and Art. 5/2-a (explicitly stipulated by law) to fulfill the requirements of maritime employment contracts and ensure crew members’ eligibility for international voyages.
The collection of appearance-based data requires careful assessment under the principle of proportionality. Micromarin collects physical attributes such as height, weight, uniform size, and even data like tattoos or scars. To demonstrate compliance with the general principle of being relevant, limited, and proportionate to the purpose of processing (KVKK Art. 4), it must be guaranteed that such details are used solely for strictly necessary and limited operational purposes—such as ship safety, provision of uniforms and protective equipment, or health and safety risk assessments for specific positions. This approach highlights the need for a comprehensive compliance process to manage data risks within the complex structures of the maritime industry.
Section III: Data Security and Infrastructure Commitments
Given the critical and sensitive nature of maritime operations, Micromarin provides the highest level of technical and administrative security commitments within the infrastructure of its SaaS platform. These commitments are designed to protect clients’ sensitive data in multi-tenant cloud environments.
3.1. Technical and Administrative Security Controls
The Company implements a series of technical and administrative measures in accordance with national and international standards to ensure the confidentiality, integrity, and availability of personal data (the core objectives of the Information Security Management System).
As part of these measures, penetration tests are conducted at regular intervals in compliance with national and international standards to proactively identify and address system vulnerabilities. Risk analyses related to data processing activities are performed periodically, and preventive and corrective actions are taken to mitigate identified risks. For data transmission security, personal data transmitted via the website, mobile application, and other digital platforms are encrypted using SSL (Secure Sockets Layer) technology to prevent unauthorized access. Additionally, advanced data masking techniques such as blocking access to sensitive database columns or encrypting data are employed to protect sensitive information at the database layer. Strict access control systems and authorization mechanisms are implemented to prevent unauthorized access.
In terms of access control, only permanent Micromarin personnel can access production environments that host customer data, and such access is limited to authorized staff whose regular job responsibilities require it. Infrastructure access is restricted to authorized personnel and, as the highest level of access control commitment, requires two-factor authentication (2FA). These stringent procedures demonstrate Micromarin’s utmost diligence in data security and its strong stance against cyber risks.
Section IV: Data Subject Rights and Global Request Management
4.1. Comprehensive Rights of Data Subjects
Micromarin grants all fundamental rights specified in Article 11 of the KVKK to data subjects and integrates advanced rights introduced by the GDPR into this Policy to meet the expectations of global clients.
Fundamental rights of data subjects include: learning whether their personal data is being processed, knowing the purposes of processing and whether the data is used in accordance with those purposes, learning the third parties to whom data is transferred, requesting correction of incomplete or inaccurate data, and requesting compensation for damages incurred due to unlawful processing.
In addition to these fundamental rights, the following rights required by global data privacy standards are also recognized:
- Right to Erasure (“Right to be Forgotten”): The right to request immediate deletion of data when the purpose for processing no longer exists or when the data subject withdraws consent, subject to legal exceptions.
- Right to Data Portability: The right to receive personal data provided to the data controller in a structured, commonly used, and machine-readable format. This right ensures that user data can be easily transferred to another system, particularly in SaaS platforms.
- Right to Object to Processing: The right to object to decisions resulting from the exclusive analysis of data through automated systems that produce outcomes unfavorable to the data subject.
4.2. Application Methods and Procedural Principles
Data subjects may exercise their rights by applying to the Company in accordance with Article 13 of the KVKK and the “Communiqué on the Procedures and Principles of Application to the Data Controller.” To ensure the validity of the application and identity verification, the KVKK application form must be completed, and the requirements specified in the form must be followed:
The application content must include the applicant’s name, surname, Turkish ID number (or passport/identity number for foreign nationals), address for official notifications (residential or workplace), email address/phone number for correspondence, and the subject of the request.
Section V: Data Retention, Destruction, and Anonymization
5.1. Retention Periods and Sectoral Obligations
Personal data is retained for the periods specified in applicable legislation or for as long as required by the relevant processing purposes. At the end of these periods, data is deleted, destroyed, or anonymized. In particular, the maritime sector and personnel management involve long-term legal retention obligations under the Turkish Commercial Code (TTK), Social Security Institution (SGK), and Occupational Health and Safety (OHS) regulations.
Micromarin applies the minimum legal retention periods for data stored on behalf of its clients in accordance with the regulations listed in the table below.
5.2. Deletion, Destruction, and Advanced Anonymization Methods
Personal data whose retention period has expired or whose processing purpose no longer exists are subject to periodic destruction processes in compliance with the Regulation on Deletion, Destruction, or Anonymization of Personal Data. Depending on the nature of the data, destruction is carried out using methods such as deletion (rendering data irretrievable), physical destruction, or anonymization.
Micromarin places great importance on anonymizing personal data, particularly for big data analytics and sectoral reporting needs. The anonymization process involves rendering data unidentifiable using advanced techniques such as masking, generalization, record deletion, or data shuffling. These masking approaches are implemented through a four-step methodology—discovery, classification, masking, and data management—aimed at eliminating data loss risks. This ensures that data shared with business partners can be maintained in an anonymized form in compliance with KVKK requirements.
Section VI: Policy Updates
6.1. Changes to the Privacy Policy
Our privacy policy is a dynamic process:
- It is updated at least once a year and whenever significant changes occur on the Platform, in line with evolving legal requirements, technological developments, and current industry practices.
- Each update is clearly announced on the website/application platform, and users are additionally notified when necessary.
- Regular internal audits are conducted to monitor compliance of processes with the updated policy and applicable laws.
- If changes involve new retention periods, new data categories, or new processing purposes, they are announced within the required timeframe.
6.2. Dual Reference Usage: Policy and Information Notice
Our Privacy Policy document is aligned with the Information Notice on the Protection and Processing of Personal Data and ensures full transparency for users regarding data processing activities. In the event of any discrepancy between the Policy and the Information Notice, the document that is most up-to-date and provides stricter protection shall prevail.