[/

]

Menu

[/

]

Menu

[/

]

Menu

Privacy Policy

Last updated May 5, 2026

8 MIN READ

Behoove Studio collects only the information needed to respond to your inquiry, run our website, and keep our services compliant. This page explains what we collect, why, how long we keep it, and the rights you can exercise wherever you are based - Turkey, the European Union, the United Kingdom, or California.

1. Who we are

Behoove Studio (the "Studio", "we", "us", "our") operates the website behoovestudio.com. Contact for any privacy question: ergun@behoovestudio.com.

The Studio is established in Istanbul, Türkiye. We are the data controller under GDPR Article 4(7) and UK GDPR (same definition); the veri sorumlusu under KVKK Article 3(1)(ı); and the business under CCPA / CPRA Section 1798.140(d).

We do not have an EU representative or a UK representative under GDPR Article 27 / UK GDPR Article 27. Our processing of EU and UK personal data is occasional, B2B in nature, and limited to website analytics and service inquiries; we have assessed the Article 27 exemption and concluded it applies. Counsel review confirms this.

2. What this policy covers

This policy describes how we collect, use, store, share, and protect personal data when you visit behoovestudio.com or interact with the contact and booking surfaces on the site. It covers the website only. Separate agreements govern client engagements once a project starts.

We provide design and development services to businesses. We do not target our services at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has submitted data to us, write to ergun@behoovestudio.com and we will delete it.

3. Categories of personal data we collect

Identification and contact data - name, email, company name, optional project description, optional budget range. Collected when you submit the contact form or book a meeting.

Communication content - the message body and any attachments you send through the contact form.

Booking metadata - meeting time, time zone, attendee email when you book through Calendly.

Technical and usage data - IP address (truncated and IP-anonymised before storage by Google Analytics), device type, browser, operating system, screen size, referring URL, pages visited, time on page, click events. Collected via Google Analytics 4 only after you grant the Analytics consent category.

Behavioural data - heatmaps and anonymised session recordings via Microsoft Clarity. May be added in the future. Not active as of the date above. We will update this policy and the consent banner before any Clarity script loads on the site.

Hosting telemetry - basic server access logs (IP, timestamp, request path, response code) created by Framer's hosting infrastructure.

We do not collect special categories of personal data (GDPR Article 9), nor do we collect sensitive personal information (CCPA / CPRA 1798.140(ae)). We do not run profiling for automated decision-making (GDPR Article 22).

4. Sources

We collect personal data directly from you when you submit the contact form, book through Calendly, or email us; and automatically via cookies and similar technologies when you visit the site, subject to your consent for non-essential categories.

We do not buy contact lists. We do not enrich the data you give us with external data brokers.

5. Why we process your data and on what legal basis

The processing activities below map to a legal basis under each applicable regime.

Deliver the website (essential cookies, hosting, security logs)

GDPR / UK GDPR: Art. 6(1)(f) legitimate interest. KVKK: md. 5/2-f meşru menfaat. ePrivacy: Art. 5(3) "strictly necessary" exemption. CCPA / CPRA: operate the service.

Respond to contact form and Calendly inquiries

GDPR / UK GDPR: Art. 6(1)(b) pre-contractual measures and Art. 6(1)(f) legitimate interest. KVKK: md. 5/2-c sözleşme öncesi tedbir and md. 5/2-f meşru menfaat. ePrivacy: not engaged (no cookies). CCPA / CPRA: respond to consumer requests.

Engaged client communications (after contract)

GDPR / UK GDPR: Art. 6(1)(b) contract. KVKK: md. 5/2-c sözleşme. CCPA / CPRA: perform the contract.

Site analytics (Google Analytics 4)

GDPR / UK GDPR: Art. 6(1)(a) consent. KVKK: md. 5/1 açık rıza. ePrivacy: Art. 5(3) consent. CCPA / CPRA: service improvement. We do not sell or share personal information today; an opt-out link will be published if that ever changes.

Heatmap and session replay (Microsoft Clarity, planned)

GDPR / UK GDPR: Art. 6(1)(a) consent. KVKK: md. 5/1 açık rıza. ePrivacy: Art. 5(3) consent. CCPA / CPRA: service improvement.

Consent record-keeping (Cookie Script log)

GDPR / UK GDPR: Art. 6(1)(c) legal obligation and Art. 6(1)(f) legitimate interest. KVKK: md. 5/2-a kanunen açıkça öngörülmesi and md. 5/2-f meşru menfaat. ePrivacy: Art. 5(3) strictly necessary. CCPA / CPRA: compliance.

You can withdraw consent at any time. Withdrawal does not affect processing carried out before withdrawal.

6. Cookies and similar technologies

Detail and a per-cookie table is in the Cookie Policy. Headline: strictly necessary cookies are set without consent under all five regimes. Analytics cookies (_ga, _ga_QJYSK3HBTH for GA4; planned _clck, _clsk, MUID for Clarity) are set only after you grant the Analytics category in the Cookie Script banner. We do not run advertising cookies today. We will update this policy and the banner before any advertising tag is added.

7. Who we share your data with

We share personal data only with the processors listed below. Each operates under a written data processing agreement, the GDPR Article 28 contractual safeguards, and (where applicable) Standard Contractual Clauses for international transfers. We do not sell personal data. We do not share personal data for cross-context behavioural advertising as defined by CPRA Section 1798.140(ah).

Google LLC - Google Analytics 4

Site analytics. Located in the United States. Transfer mechanism: EU-US Data Privacy Framework (Google is certified); SCCs as backstop; KVKK md. 9 açık rıza for Türkiye visitors.

Calendly LLC

Meeting scheduling. Located in the United States. Transfer mechanism: EU-US Data Privacy Framework; SCCs; KVKK md. 9 açık rıza for Türkiye visitors.

Framer B.V.

Hosting and CDN. HQ in the Netherlands; CDN edges global. Transfer mechanism: within the EEA for primary processing; SCCs for any out-of-EEA edge cache.

Cookie Script (CookieScript UAB)

Consent banner and consent log. Located in Lithuania (EU). Transfer mechanism: within the EEA; UK adequacy decision covers UK visitors; KVKK md. 9 açık rıza for Türkiye visitors.

Microsoft Corporation - Clarity (planned, not active)

Heatmaps and session replay. Located in the United States. Transfer mechanism: EU-US Data Privacy Framework; SCCs; KVKK md. 9 açık rıza for Türkiye visitors.

Other tools we may add in the future (we will update this policy before they go live): Google Tag Manager (United States); Meta Pixel (only if paid Meta advertising starts); LinkedIn Insight Tag (only if paid LinkedIn advertising starts).

8. International transfers

The Studio is in Türkiye. Several of our processors are in the United States. We rely on the following safeguards.

For EU and UK visitors (GDPR / UK GDPR Chapter V): EU-US Data Privacy Framework where the processor is certified; otherwise the European Commission's 2021 Standard Contractual Clauses, supplemented by transfer impact assessments. The UK International Data Transfer Addendum is appended where required for UK visitors.

For Türkiye visitors (KVKK md. 9): processors in Türkiye are covered by KVKK md. 5 / md. 6 alone. Processors outside Türkiye rely on your explicit consent collected through the Cookie Script banner, in conjunction with the standard contractual safeguards each processor publishes. Türkiye does not yet have a published list of "safe countries" under KVKK md. 9; counsel review confirms açık rıza is the operative basis today.

For California residents (CCPA / CPRA): the law does not restrict cross-border transfers, but we still treat US-based processors as contractually bound service providers under 1798.140(ag) and disclose them above.

9. How long we keep your data

Contact form submissions and Calendly correspondence

24 months after last interaction. Reason: allow follow-up; respond to repeat inquiries; KVKK md. 7 deletion thereafter.

Engaged client records (after contract is signed)

Per contract terms (typically project duration plus 10 years for tax and commercial law). Reason: Turkish Tax Procedure Law, Turkish Commercial Code Article 82, similar EU member state and US state requirements.

Google Analytics 4 user-level data

14 months. Reason: GA4's maximum user-scoped retention; aggregated reporting persists indefinitely.

Microsoft Clarity recordings (planned)

30 days. Reason: Clarity's own auto-purge default.

Cookie Script consent log

36 months. Reason: burden-of-proof window under KVKK Kurul guidance and EDPB consent guidance, plus the Turkish Civil Code 10-year general limitation.

Server access logs

30 days. Reason: security and abuse handling, then auto-rotated.

When the period above ends we delete or fully anonymise the data.

10. Your rights (EU and UK - GDPR and UK GDPR)

Under GDPR Articles 15 to 22 and the matching UK GDPR provisions you have the right to access the personal data we hold about you and obtain a copy (Art. 15); rectify inaccurate or incomplete data (Art. 16); erase your data, subject to legal exceptions (Art. 17); restrict processing in defined circumstances (Art. 18); receive your data in a structured, machine-readable format and have it transmitted to another controller - portability (Art. 20); object to processing based on legitimate interest, including direct marketing (Art. 21); not be subject to a decision based solely on automated processing that produces legal effects (Art. 22) - we do not run such processing; and withdraw consent at any time without affecting prior lawful processing.

You also have the right to lodge a complaint with a supervisory authority. The lead authority for EEA visitors is the data protection authority of the country where you live or work. For UK visitors it is the Information Commissioner's Office (ICO), ico.org.uk.

We respond within one month of receiving a valid request, extendable by two further months for complex or numerous requests under GDPR Article 12(3) / UK GDPR Article 12(3). We will tell you within the first month if we extend.

11. Your rights (Türkiye - KVKK)

Under KVKK Article 11 you have the right to learn whether your personal data is processed; request information about the processing; learn the purpose of processing and whether the data is used in line with that purpose; learn the third parties to whom your data has been transferred, in or outside Türkiye; request correction of incomplete or inaccurate data; request deletion or destruction under KVKK Article 7; request that any correction, deletion, or destruction be notified to third parties to whom the data was transferred; object to outcomes derived from automated processing; and request compensation for harm caused by unlawful processing.

We respond within 30 days of receiving a valid request, in line with KVKK Article 13 and the Veri Sorumlusuna Başvuru Tebliği. The first request in a calendar year is free; subsequent requests may incur a fee per the Tebliğ.

You may lodge a complaint with the Kişisel Verileri Koruma Kurulu (KVKK Kurul) at kvkk.gov.tr. The Türkiye-specific application form is at /kvkk-basvuru-formu.

12. Your rights (California - CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, the categories, sources, purposes, and recipients (1798.100, 1798.110, 1798.115); delete the personal information we hold about you, subject to the exceptions in 1798.105(d); correct inaccurate personal information (1798.106); opt out of sale or sharing of your personal information (1798.120) - we do not sell personal information and we do not share it for cross-context behavioural advertising, so no opt-out is needed today; if that ever changes we will publish a "Do Not Sell or Share My Personal Information" link; limit the use and disclosure of sensitive personal information (1798.121) - we do not collect sensitive personal information, so this right is not engaged today; and non-discrimination - we will not deny service, charge a different price, or provide a lower quality of service because you exercised any of these rights (1798.125).

We respond within 45 days of a verifiable consumer request, extendable by another 45 days under 1798.130(a)(2) if we tell you within the first 45 days. There is no charge for these requests, except where 1798.130(a)(2) permits.

You may file a complaint with the California Attorney General (oag.ca.gov) or the California Privacy Protection Agency (cppa.ca.gov). We do not have actual knowledge that we sell or share the personal information of consumers under 16 (1798.120(c)). The CCPA opt-in for under-16s is therefore not engaged.

13. How to exercise your rights

Send your request to hello@behoovestudio.com. To help us verify the request and protect your data, please include the email address you used on the site; a clear description of the right you are exercising; and, if you are a California resident exercising a deletion or correction right, enough information to let us match the request to existing records.

For Türkiye-based KVKK requests, the formal başvuru kanalı and the form template are published at /kvkk-basvuru-formu. You may also use an authorised agent. We will ask the agent for written proof of authority and may ask you to confirm separately.

14. Security

We use HTTPS for all traffic. Form submissions go to processor endpoints over TLS. Access to engaged client records is restricted to studio staff under contractual confidentiality. We review processor security posture annually and renew DPAs when they change materially.

15. Changes to this policy

We will update this policy when our processing changes - for example, when Microsoft Clarity goes live, or if Google Tag Manager / Meta Pixel / LinkedIn Insight Tag is added. Material changes are flagged at the top of this page and reflected in the consent banner the next time you visit. The "Last updated" date at the top of the page is the authoritative version date.

16. Contact

hello@behoovestudio.com. For Türkiye-specific KVKK requests, please use the form at /kvkk-basvuru-formu.