Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") is entered into between the operator subscribing to the PickupTime service (the "Controller" or "Operator") and PickupTime (pickuptime.io) (the "Processor" or "PickupTime") and forms an integral part of the Terms of Service. This DPA is drafted with regard to Article 28 GDPR and the processor-related provisions of Turkish Law No. 6698 (KVKK).

1. Subject Matter and Duration

The subject matter of this DPA is the processing of personal data by PickupTime on behalf of the Operator in the course of providing the service. The DPA takes effect upon commencement of the subscription and remains in force until all Operator data has been deleted or returned.

2. Nature and Purpose of Processing

Processing comprises the recording, storage, display, transmission and deletion of personal data for the purposes of: planning and executing pickup runs; monitoring driver location only during active trips; providing guests with tokenized tracking links and estimated arrival times; propagating delays to subsequent stops; sending notifications (WhatsApp links, email); reading vehicle registration documents via OCR; and operational reporting.

3. Categories of Data Subjects and Personal Data

Data subjects: the Operator's drivers, guests (passengers) and staff. Data categories: driver identity and contact data and GPS location data during active trips; guest name (optional), hotel/pickup point and contact data; booking and trip data; vehicle registration data. The platform is not intended for special categories of personal data; the Operator undertakes not to enter such data.

4. Processing on Documented Instructions

PickupTime processes personal data only on the Operator's documented instructions; configuration of the service and commands issued through the interface constitute instructions. If PickupTime considers that an instruction infringes data protection law, it shall inform the Operator without delay. Processing required by Union or Member State law or by Turkish law is reserved; in such cases PickupTime shall inform the Operator in advance unless legally prohibited from doing so.

5. Confidentiality

PickupTime ensures that personnel and contractors authorised to access personal data are bound by contractual confidentiality undertakings or are subject to a statutory duty of confidentiality. Access is limited to the minimum necessary for the relevant role.

6. Security Measures

PickupTime implements technical and organisational measures appropriate to the risk in accordance with Article 32 GDPR, including at minimum:

• Per-tenant data isolation enforced through row-level security (RLS); access to one operator's data by another operator is prevented at the architectural level.
• TLS encryption for data in transit; encryption at rest for stored data.
• Guest tracking links generated as unguessable, personal tokens, scoped to the trip lifecycle.
• Role-based access control, authentication, and access and activity logging.
• Regular backups, environment separation (production/test) and timely application of security updates.

7. Subprocessors

The Operator grants general authorisation for PickupTime to engage the following subprocessors:

• Supabase / AWS (EU region): hosting, database, authentication
• Google Maps Platform: mapping, routing and ETA services
• Resend: transactional email delivery
• OpenAI: OCR processing of registration documents

PickupTime will give at least 14 days' prior notice of any intended addition or replacement of a subprocessor, and the Operator may object on reasonable grounds. If an objection cannot be resolved, the Operator may terminate the subscription without penalty. PickupTime imposes data protection obligations on subprocessors equivalent to those in this DPA and remains liable to the Operator for the acts of its subprocessors.

8. International Transfers

Transfers outside the EU/EEA or Türkiye carried out through subprocessors are made with appropriate safeguards, on the basis of Standard Contractual Clauses (SCCs), adequacy decisions, or the mechanisms provided in Article 9 of the KVKK.

9. Assistance with Data Subject Requests and Compliance

Taking into account the nature of the processing, PickupTime assists the Operator with appropriate technical and organisational measures in responding to data subjects' requests for access, rectification, erasure, portability and objection. Requests received directly by PickupTime are forwarded to the Operator without undue delay. PickupTime further provides reasonable assistance, insofar as information is available to it, with the Operator's obligations regarding security, breach notification and data protection impact assessments.

10. Personal Data Breach Notification

Upon becoming aware of a personal data breach affecting Operator data, PickupTime shall notify the Operator without undue delay and in any event within 72 hours. The notification shall, to the extent information is available, describe the nature of the breach, the categories and approximate number of records concerned, the likely consequences, and the measures taken or proposed. Notification to supervisory authorities and to data subjects is the Operator's responsibility; PickupTime will provide reasonable support in that process.

11. Audits

PickupTime shall make available to the Operator the information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections by an independent auditor mandated by the Operator, no more than once per year, on reasonable prior notice, during business hours and subject to confidentiality. Existing independent audit reports and certifications will be provided in the first instance to satisfy such requests.

12. Deletion and Return upon Termination

Upon termination of the subscription, PickupTime shall, at the Operator's choice, return the personal data in a machine-readable format and/or delete it together with all copies within 30 days. Data that must be retained under applicable law will be kept only for the period and to the extent required by the relevant obligation and will not be processed for any other purpose.

13. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to matters concerning the processing of personal data.