Read the Privacy & Cookie Policy for By Tajiks, an independent personal fashion brand.
1. Introduction & Identity of the Data Controller
Identity: Lamis Abdurakhmonova (Operating as an individual operator of the independent brand "By Tajiks")
Operational Base: Istanbul, Türkiye
Contact Email: bytajiks@gmail.com
The Storefront utilizes a decoupled headless commerce architecture consisting of a Next.js 15 frontend, a MedusaJS headless commerce engine, and a PostgreSQL database.
2. Legal Bases for Processing
Performance of a Contract (Art. 6(1)(b) GDPR / Art. 5(2)(c) KVKK).
Compliance with Legal Obligations (Art. 6(1)(c) GDPR / Art. 5(2)(a) KVKK).
Legitimate Interests (Art. 6(1)(f) GDPR / Art. 5(2)(f) KVKK).
Explicit Consent (Art. 6(1)(a) GDPR / Art. 5(1) KVKK).
3. Types of Personal Data Collected
Identity & Contact Data: Name, email, telephone number, billing and shipping address.
Technical Logs: IP addresses, browser variants, device fingerprint indicators.
Financial Data Exclusion: We do NOT collect or store raw cardholder data. All payment flows leverage secure client-side tokenization routed to our external Payment Gateway Provider (***).
4. Purpose of Processing
Fulfilling logistics via ***, monitoring MedusaJS backend matrices, preventing API abuse/scraping, and satisfying tax compliance.
5. Data Recipients & Third-Party Processors
We share your personal data with verified partners critical to fulfilling your orders. These include:
• Compute & Frontend: Vercel Inc.
• Backend Compute: Railway.app
• Relational Database: PostgreSQL Provider
• Payment Gateway: ***
• Logistics & Delivery: ***
6. Cross-Border Data Transfers & Safeguards
Data is routed to Vercel/Railway instances outside your country of origin. Governed by Standard Contractual Clauses (SCCs) for EEA citizens and structural contractual protections satisfying the Turkish KVKK rules.
7. Data Retention, Backups, and Disaster Recovery
Invoices archived for 10 years per local tax mandates. Server logs purged within 90 days. Relational database snapshots are automated daily via our infrastructure hosts.
8. Rights of the User (GDPR & KVKK)
Access, rectification, data portability, processing restriction, and absolute deletion ("Right to be Forgotten") by emailing bytajiks@gmail.com.
9. Identity Verification Process for Privacy Requests
Requests must originate from the exact email address linked to the customer account or provide cryptographic proof of a recent order token to mitigate social engineering leaks.
10. Cookie Policy & Consent Management
Essential Cookies: Engineered with HttpOnly, Secure, and SameSite=Strict flags via Next.js 15 to prevent XSS/CSRF token theft. Mandatory for MedusaJS cart persistence.
Analytics & Marketing Cookies: Disabled by default. Only initialized if the user actively grants permission via the Cookie Consent Banner.
11. Cybersecurity, API Security, and Abuse Prevention
Encrypted via TLS 1.3/HTTPS. Edge gateways implement rate-limiting. MedusaJS API layer is strictly isolated behind access token validation walls.
12. Responsible Vulnerability Disclosure & Incident Notification
Safe harbor for ethical researchers disclosing bugs privately to bytajiks@gmail.com with 90 days patch windows. No monetary bounties. Data breach notification sent to authorities/users within 72 hours of confirmation.
13. Children's Privacy
Storefront curated for adults (18+). Minor data discovered will be immediately purged from active PostgreSQL clusters.
14. Automated Decision-Making & AI Transparency
No automated scoring or algorithmic profiling used. Generative AI tools are strictly supervised by human operators.
15. Open Source Software Notice
Built on open-source ecosystems (Next.js, MedusaJS, PostgreSQL) governed by MIT/Apache framework licenses.
16. Amendments & Security Contact Information
Official Contact: Lamis Abdurakhmonova (bytajiks@gmail.com).