PULPOAR GDPR POLICY
INTRODUCTION
We, ARHub Bilişim Anonim Şirketi (“PulpoAR”), operate primarily in the sectors of cosmetics, accessories, skincare & health, and nail beauty. Through our artificial intelligence technologies, we provide our customers’ end users (“Data Subjects”) with the opportunity to try products online and create online filters using augmented reality technology (“Services”).
At PulpoAR, we integrate our services using a software as a service (SaaS) model, either as-is or customized according to our customers’ needs, into their own websites, mobile applications, and smart mirror platforms. Integration processes will vary based on the customer’s preferences and the specifics of the service offered. The integration methods we use include: iframe for web applications, webview for mobile applications, and SDK (Software Development Kit).
DATA CONTROLLER – DATA PROCESSOR STATUS
Under the General Data Protection Regulation (the “Regulation”), a data controller is defined as “the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Under the Regulation, a data processor is defined as “a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.”
Within the framework of the Regulation, determining whether an entity is a data controller or a data processor requires considering who defines the personal data to be processed, the data processing activities to be carried out, and the purposes and means of such processing. In this context, as part of the data processing, only the data controller determines:
- The legal basis for the processing activity,
- The types of personal data to be processed,
- The purpose(s) for which the data will be used,
- Who the data subjects will be (target audience),
- Whether the data will be transferred and, if so, to whom,
- How to respond to requests made to the data controller in accordance with individuals’ rights, including the duration for which the data will be stored, altered, or anonymized.
And as part of the data processing, the data processor, in accordance with the agreement made with the data controller, determines:
- The technologies or methods that will be used for collecting personal data,
- The methods that will be used for storing personal data,
- The details of the security measures that will be implemented to protect personal data,
- The procedures that will be followed for transferring personal data between organizations,
- The methods that will be used for obtaining personal data about specific individuals (automated/non-automated methods),
- How compliance with retention periods will be ensured, and how data will be erased or destroyed.
At this point, an entity involved in data processing will only qualify as a data processor if it processes personal data on behalf of a data controller, based on the authority granted by the data controller, and within the framework of the data controller’s instructions. This entity is not responsible for deciding on the criteria outlined above or for the data processing activities themselves.
In the execution of contracts with our customers, we act as a data processor for the personal data processed in the provision of our Services to their users.
DATA SUBJECTS’ RIGHT TO BE INFORMED
In the context of providing our services to your users, the responsibility to inform Data Subjects about the purposes and legal bases for data processing, and to obtain their consent if required, lies with the data controller. Unless otherwise agreed between PulpoAR and the data controller, the texts for the privacy notice and consent forms to be presented to Data Subjects must be provided to PulpoAR by the data controller. PulpoAR will integrate these texts into the platform it provides to the data controller, adhering to the data controller’s specifications (e.g., checkboxes or pop-up notifications).
While the data controller is solely responsible for the legal compliance of the aforementioned texts, PulpoAR is only obligated, under the terms of the Contract, to upload the texts provided by the data controller to the online platform and/or other systems as requested by the data controller, and to ensure that these documents are accessible to the Data Subjects.
Since PulpoAR does not process personal data such as names, surnames, or contact details like email addresses or phone numbers of Data Subjects, PulpoAR cannot provide information on which texts the Data Subjects have approved or given consent for. PulpoAR stores only the unique ID assigned to the consenting individual, which is anonymized and does not qualify as personal data, as well as records of the date and time when the consent was obtained. In this context, PulpoAR cannot identify the Data Subject using the relevant ID number. However, upon request, we can store the IP addresses of the Data Subjects for the purpose of verifying the approval of the relevant checkboxes.
PROCESSING OF PERSONAL DATA
For PulpoAR Services, details regarding the personal data processed, including product-specific breakdowns, processing methods, aspects of transfer abroad, and destruction procedures, are specified in Appendix 1 – Product-Based Personal Data Processing Table.
SECURITY MEASURES
The security measures implemented by PulpoAR, including both administrative and technical aspects, are outlined in Appendix 2 – Administrative and Technical Measures Table.
RESPONDING TO REQUESTS FROM DATA CONTROLLER AND DATA SUBJECT
Regardless of the response times committed in the Service Level Agreement (“SLA”) provided to customers, should the data controller be subjected to any request for information and documents by the Authority, and if the data controller requests information or documents from PulpoAR regarding the processing of the Data Subject’s data, PulpoAR will respond to this request within 48 (forty-eight) hours at the latest from the moment the request is directed to us.
It is important to note that the response will be aligned with the scope of this Policy, as PulpoAR does not have access to the Data Subject’s personal data, does not store the virtual trial image during or after processing, and cannot determine to whom the virtual trial image belongs, as technically clarified in the SLA. Due to the absence of any records of the Data Subject or their actions, PulpoAR will not be able to provide any information or documents beyond the assigned ID numbers and, if IP addresses are processed as per the customer’s request, the corresponding log files.
As a general rule, under Chapter 3 of the Regulation, the Data Subject can exercise the rights granted to them under the Regulation and outlined in the privacy notice only by submitting a request to the data controller. However, in line with PulpoAR’s company policy and the utmost importance given to the data privacy policies adopted by its customers, if PulpoAR receives a request from the Data Subject regarding a data processing activity performed under the contract, PulpoAR will forward this request to the data controller, i.e., its customer, within a reasonable period for evaluation. During this period, PulpoAR will neither contact the Data Subject directly or indirectly nor perform any identity verification to assess the validity of the request.
DATA BREACH
The security measures implemented by PulpoAR, including their administrative and technical aspects, are detailed in Appendix 2 – Administrative and Technical Measures Table. However, regardless of which product of our services is used, since virtual trial images are not stored or archived on any platform by us, in the event of a data breach, the personal data involved will not include virtual trial images or personal data of their owners. In the event of such an occurrence, PulpoAR will provide the information, documents, and explanations requested by the customer within 24 (twenty-four) hours, if applicable. In the case of a data breach, the affected Data Subjects will be notified by the data controller in accordance with applicable regulations. Notification will be made directly to the Data Subjects’ contact addresses if accessible, or through publicly accessible platforms such as the website or social media accounts, using appropriate methods if direct contact is not possible.
APPENDIX 1 – PRODUCT-BASED PERSONAL DATA PROCESSING TABLE
| Name of the Product | Definition of the Product | Personal Data Processed | Processing Method and Transfer Abroad | Storage and Destruction |
|---|---|---|---|---|
| PulpoAR MakeUp Virtual Try On v2 – Cloud Photo MakeUp | A cloud-based virtual makeup product that operates by having the user capture their own photograph. | Biometric Facial Data | Data is transferred abroad. During usage, the user’s facial biometric data is transferred in real-time to the remote servers of Google Cloud Platform and is erased after processing. | Personal data is erased following real-time processing; therefore, no data storage activities are undertaken. |
| Essential Cookies | PulpoAR uses Essential Cookies to provide the Services to users. These cookies are placed within the domain of the site and function exclusively there. The data collected through these cookies is not stored by PulpoAR. Instead, user activities are monitored using randomly generated identifiers that do not contain any personal or identifiable information (anonymized). The activities of the monitored users are reported to the customer. Therefore, the customer has access only to these randomly generated identifiers. For example, the customer can see the duration of time a meaningless Unique ID remains on the page, the areas it clicks on, or the sections it visits. | |||
| PulpoAR MakeUp Virtual Try On v2 – Real Time MakeUp | A virtual makeup product that the user utilizes in real time with the camera of their own device. | Biometric Facial Data | Data is not transferred abroad. All operations occur within the user’s own browser and on the GPU and CPU of the user’s device. Under no circumstances is data transferred to a cloud server or abroad. The PulpoAR SDK does not have access to this data. The entire process occurs within the browser using WASM. The user image is directly loaded into memory (RAM) and is subsequently erased by the garbage collection mechanism after processing. | No storage. Erased after real-time processing. |
| Essential Cookies | Same as above — anonymized identifiers only, reported to customer. | |||
| PulpoAR MakeUp Virtual Try On v3 – Real Time / Photo Makeup | A virtual makeup product that the user utilizes in real time with the camera of their own device or with a photograph they have captured. | Biometric Facial Data | Data is not transferred abroad. All operations occur within the user’s own browser using WASM. The user image is loaded into RAM and erased by garbage collection after processing. | No storage. Erased after real-time processing. |
| Essential Cookies | Same as above — anonymized identifiers only, reported to customer. | |||
| PulpoAR Skin AI v2 | A skin analysis and skincare product recommendation tool that operates by having the user take a photograph using their device’s camera. | Biometric Facial Data and User’s Skin Test Result Score | Data is transferred abroad. During usage, the user’s facial biometric data is transferred in real-time to the remote servers of Google Cloud Platform and is erased after processing. | No storage. Erased after real-time processing. |
| Essential Cookies | Same as above — anonymized identifiers only, reported to customer. | |||
| PulpoAR Skin AI v3 | A skin analysis and skincare product recommendation tool that operates by having the user take a photograph using their device’s camera. | Biometric Facial Data and User’s Skin Test Result Score | Data is not transferred abroad. All operations occur within the user’s own browser using WASM. No cloud transfer. | No storage. Erased after real-time processing. |
| Essential Cookies | Same as above — anonymized identifiers only, reported to customer. | |||
| PulpoAR Shade Finder | A skin tone analysis and skincare product recommendation tool that operates by having the user take a photograph using their device’s camera. | Biometric Facial Data and User’s Skin Tone Test Result Score | Data is not transferred abroad. All operations occur within the user’s own browser using WASM. No cloud transfer. | No storage. Erased after real-time processing. |
| Essential Cookies | Same as above — anonymized identifiers only, reported to customer. | |||
| PulpoAR Nail Virtual Try On – v1 Photo Makeup | A virtual nail polish or nail care application that operates by having the user take a nail photo or show their nail in real time to the device’s camera. | Non-matching nail photo (biometric data is not processed) | Data is not transferred abroad. During usage, the user’s non-biometric nail data is transferred in real-time to the remote servers of Google Cloud Platform and is erased after processing. | No storage. Erased after real-time processing. |
| Essential Cookies | Same as above — anonymized identifiers only, reported to customer. | |||
Note: Upon request by the Customer, the IP or MAC address of the device or network to which the user connects may be processed in all products.
APPENDIX 2 – ADMINISTRATIVE AND TECHNICAL MEASURES TABLE
| Administrative Measures | Technical Measures |
|---|---|
| Corporate Policies (Access, Information Security, Usage, Storage, and Disposal, etc.) | Authorization Matrix |
| Agreements (Between Data Controllers, and Between Data Controller and Data Processor) | Authorization Control |
| Confidentiality Undertakings | Access Logs |
| Internal Periodic and/or Random Audits | User Account Administration |
| Risk Analysis | Network Security |
| Employment Agreements, Disciplinary Regulations (Including Legally Compliant Provisions) | Application Security |
| Corporate Communication (Crisis Management, Board and Relevant Party Notification Processes, Reputation Management, etc.) | Encryption |
| Training and Awareness Activities (Information Security and Legal Compliance) | Key Management |
| | Intrusion Detection and Prevention Systems |
| | Log Files |
| | Data Loss Prevention Solutions |
| | Firewalls |
| | Current Antivirus Systems |
| | Erasure, Destruction or Anonymization |