This document sets out the terms under which Panilux processes personal data on behalf of the Customer as a processor.
Panilux processes data only in accordance with the controller’s documented instructions.
This DPA should be read together with the Privacy Policy. Website and panel use are governed by the Terms of Service.
For detailed retention periods and disposal principles, see the Data Retention Policy.
Panilux may engage sub-processors (hosting, payments, security, etc.) bound by obligations no less protective than this DPA.
Transfers outside Türkiye/EU occur with appropriate safeguards and as permitted by law, or with data subject consent.
Panilux assists the controller with data subject requests (access, rectification, erasure, etc.) within reasonable time.
Panilux promptly informs the controller of personal data breaches and shares impact assessments/logs where appropriate.
Panilux’s obligations are limited to this DPA and applicable law; the controller is responsible for lawful processing and notices/consent. Panilux is not responsible for incidents attributable to the controller’s infrastructure, third‑party networks/services, hosting/telecom or data center operations, nor for user error/misconfiguration.
Governing law: Republic of Türkiye. Jurisdiction: Istanbul Central Courts.
To the extent permitted by applicable law, Panilux may unilaterally update this DPA and its appendices with or without notice; updates take effect upon publication. Where notice or additional consent is required by law, Panilux will provide such notice and obtain consent as necessary. Panilux may define user/account/order/project‑specific supplemental provisions/instructions and update them individually for the relevant controller. In case of conflict, the controller‑specific written instructions/supplemental provisions prevail to the extent of the conflict.