Effective date: 10 July 2025
Highlights & Key Sections
At-a-Glance (Layer 1)
| Key point | What it means for you |
|---|---|
| Who controls your data? | Petro Naft, No 211 & 117, Tower 3, Altinoran-Sinpaş Complex, Turan Güneş Blvd, Ankara 06550, Türkiye, [email protected], +90 552 693 1510 |
| What do we collect? | Details you enter in any form (name, business contact info, message); technical data from your device (IP, cookies, analytics, firewall logs). |
| Why? | To answer enquiries, perform contracts, secure and improve our site, comply with law, and—only with consent—send occasional B2B updates. |
| Your choices | Accept/decline non-essential cookies, honour Global Privacy Control or similar signals, opt out of marketing any time. |
| Your rights | Access, rectify, erase, restrict, port, or object to processing; additional rights under GDPR / KVKK / UAE PDPL / 2025 U.S. state laws. |
| Cross-border transfers | Protected by 2021 EU SCCs, UK IDTA, China PIPL SCCs, India DPDP clauses, or other recognised safeguards. |
| Security | TLS/SSL, Wordfence web-application firewall, MFA for admins, 24/7 threat monitoring. |
| How long? | Enquiry data 24 months; security logs 30 days; Google Analytics 13–26 months; contracts 10 years. |
Scroll down for the full (layer 2) details.
Definitions
-
“Personal data” – any information that identifies or could identify a natural person.
-
“Processing” – any operation performed on personal data (collection, use, storage, disclosure, etc.).
-
“Controller” / “we” / “Petro Naft” – Petro Naft and its affiliates.
-
“Site” – www.petronaftco.com and sub-domains.
-
“You” – visitors, customers, suppliers, job applicants, or any other natural person interacting with us online.
1. Who we are
| Entity | Role | Contact |
|---|---|---|
| Petro Naft (Türkiye) | Data Controller | [email protected] |
2. What personal data we collect
| Source | Typical data collected |
|---|---|
| Online forms (contact, purchase, RFQ, careers) | Name, company, role, business email, phone, country, message, attachments |
| Automatic logs & cookies | IP, browser & OS, language, referring URL, pages viewed, time spent, error logs |
| Analytics (Google Analytics 4, Matomo) | Pseudonymised user ID, city/region, engagement metrics |
| Security (Wordfence WAF) | IP, user-agent, attempted URLs, threat signatures |
| Social widgets (LinkedIn, X/Twitter, YouTube) | Interaction & view data when you play or share embedded content |
We do not intentionally collect special-category data or payment-card details through the Site.
3. Legal bases & business purposes
| Legal basis | Example processing |
|---|---|
| Contract performance | Issuing quotes, invoices, shipping orders |
| Legitimate interests | B2B marketing to existing clients, site security, service optimisation |
| Consent | Non-essential cookies, newsletter subscription |
| Legal obligation | Sanctions screening, tax & audit records |
| Vital / public interest | Safety alerts (rare) |
4. How we use your data
-
Respond to enquiries and fulfil contracts
-
Operate, secure and enhance the Site
-
Analyse aggregated trends to improve content
-
Comply with legal & regulatory duties
-
Send service messages or, with consent, marketing updates
We do not sell personal data and honour Global Privacy Control and other recognised universal opt-out signals.
5. Cookies & similar technologies
| Cookie name | Category | Purpose | Expiry |
|---|---|---|---|
| wordpress_test_cookie | Necessary | Checks if the browser supports cookies | Session |
| wp_lang | Functionality | Stores language preference | 1 day |
| elementor | Functionality | Retains page-builder state | Persistent |
| wf_log_level / wfvt_* | Security | Wordfence firewall logs | 30 minutes–30 days |
| _ga | Analytics | Google Analytics visitor ID | 13 months (EU/UK), 26 months (elsewhere) |
| _gid | Analytics | Google Analytics session statistics | 24 hours |
| _gat | Analytics | Limits request rate to Google Analytics | 1 minute |
| wp-wpml_current_language | Functionality | Stores current language for multilingual site | 1 day |
| cookieyes-consent (if used) | Consent Management | Records user cookie consent preferences | 1 year |
Manage preferences anytime via the Cookie Settings link in our banner. Blocking some cookies may impact functionality.
6. Data sharing & international transfers
| Recipient | Safeguard |
|---|---|
| Cloud hosting, CRM, email, analytics vendors (EU/US/Asia) | 2021 EU Standard Contractual Clauses + vendor ISO 27001 |
| Subsidiaries & support hubs (UAE, Türkiye, China, India) | Intra-group Data-Transfer Agreement; need-to-know access |
| Professional advisers, insurers, regulators, law enforcement | Only where legally necessary or to defend our rights |
| Ad- hoc third-country partners (e.g. China, India) | China PIPL SCCs, India DPDP 2024 Model Clauses, or equivalent certifications |
7. Security measures
-
TLS/SSL encryption in transit
-
Wordfence web-application firewall & malware scans
-
Multi-factor authentication for admin accounts
-
Role-based, least-privilege access controls
-
Encrypted backups stored off-site
-
Annual penetration tests & ISO 27001-aligned audits
8. Data retention
| Data set | Standard retention |
|---|---|
| Form submissions | 24 months after last contact |
| Uploaded CVs & RFQs | 6 months unless dialogue continues |
| Security logs | 30 days (live), anonymised stats 12 months |
| Google Analytics | 13 months (EU/UK) / 26 months (other) |
| Contracts & invoices | 10 years (statutory) |
We may keep data longer if required to establish or defend legal claims.
9. Your privacy rights
| Jurisdiction | Rights |
|---|---|
| EEA & UK (GDPR) | Access, rectification, erasure, restriction, portability, objection, withdraw consent |
| Türkiye (KVKK) | Learn if data processed, request info, rectification, erasure, object |
| UAE (PDPL) | Access, correction, erasure, restriction, portability, objection |
| U.S. States | Know, correct, delete, port, opt-out of sale/sharing/targeted ads; honour universal opt-out signals |
How to make a request
-
Email [email protected] (or use our web form).
-
We will verify identity (e.g., business email match or proof of ID).
-
Response in ≤ 30 days (may extend once by 60 days for complex cases).
Complaints may be lodged with your supervisory authority (e.g., Turkish KVKK Board, EU DPA, UK ICO, UAE Data Office, California Attorney General).
10. Breach notification
We assess every suspected incident. Where personal data is at risk we will notify the competent authority within 72 hours (GDPR/KVKK) or “without undue delay” (UAE PDPL), and affected individuals when legally required.
11. Children
Services target professionals; we do not knowingly collect data from children < 16. If we learn of such data, we will delete it promptly.
12. Automated decision-making
We do not make decisions with legal or similarly significant effects based solely on automated processing.
13. Changes to this Privacy Policy
We may update for legal or operational reasons. The latest version will always appear here with a new “Effective date”. Material changes will be flagged by a banner or email notice.
14. Contact
Privacy Officer – Petro Naft
No 211 & 117, Tower 3, Altinoran-Sinpaş Complex
Turan Güneş Blvd, Ankara 06550, Türkiye
Email: info@petronaftco.com
Tel./WhatsApp: +90 552 693 1510
15. Revision history
| Version | Date | Summary of changes |
|---|---|---|
| 1.0 | 10 Jul 2025 | Initial comprehensive notice reflecting 2025 state-law updates, EU/UK representation, GPC, layered design |