On this page

Effective date:** 17 May 2026 **Website: luminadigitale.com

This notice explains how CarQR processes your personal data through the mobile app, website, and public QR alert pages. It is issued under Article 10 of Turkish Law No. 6698 ("KVKK") and aligns with the EU/UK GDPR transparency obligations.

1. Data controller

Your personal data is processed by CarQR as the data controller.

2. Categories of personal data

Identity / contact: email address.
Vehicle data: vehicle nickname, type, colour, QR slug, alert

preferences.

Transaction security: device notification (FCM) token; an

irreversibly hashed form of your IP address and user-agent; a hashed form of the anonymous device id minted on the public scan page.

Notification history: predefined alerts sent/received,

timestamps, status.

Shipping data (Premium/Ultimate physical products only): name,

delivery address, delivery phone.

Customer / subscription: purchase status, plan and renewal

info. We do not process card data — payments run through Google Play.

CarQR never shows the owner's phone number, name, or address to the stranger who scans the QR.

3. Purposes of processing

Delivering the vehicle-alert service (QR scan → owner notification).
Account creation, authentication, and security.
Preventing abuse, harassment, and spam (rate-limiting, device

blocking).

Producing and shipping Premium/Ultimate physical products (QR

sticker, car scent).

Managing subscriptions and purchases.
Sending marketing notifications only with your explicit consent.

Performance of a contract: account, alert service, physical

product delivery, subscription.

Legitimate interest: security, abuse prevention, service

improvement.

Legal obligation: tax, accounting, e-commerce law.
Explicit consent: marketing notifications only.

5. Recipients and international transfers

Data is shared, only to the extent necessary to provide the service, with:

Infrastructure / hosting: Google Firebase / Google Cloud

(authentication, database, messaging, functions). Data may be processed on Google servers outside Türkiye (EU and/or US regions).

Bot protection: Cloudflare Turnstile (verification token only;

no content is shared).

Shipping / fulfillment: for physical orders, only the delivery

name/address goes to the contracted courier and print supplier.

Payment / app store: subscriptions via Google Play Billing;

card data never reaches us.

Authorities: where legally required.

International transfers are carried out under KVKK art. 9 / GDPR Chapter V with appropriate safeguards.

6. Collection method

Data is collected electronically — automatically and semi- automatically — when you use the app/website, create an account, add a vehicle, when your QR is scanned, and when you order a physical product.

7. Retention

Account and vehicle data: while the account is active.
Notification history: a reasonable period for service delivery

(short by default; 6–12 months on Ultimate).

Security/log data: limited period for abuse investigation.
Tax/accounting records: the period required by law.

On account deletion, data outside legal retention duties is deleted or anonymised.

You may: learn whether your data is processed; request information and access; learn the purpose and whether it is used accordingly; know the recipients; have inaccurate/incomplete data corrected; request erasure or destruction; request that corrections/erasures be notified to recipients; object to outcomes produced solely by automated analysis; and claim compensation for damages. EU/UK users also have data-portability and the right to lodge a complaint with a supervisory authority.

9. How to exercise your rights

Use the contact page on luminadigitale.com. Including the email address linked to your CarQR account helps us verify the request. Requests are answered within 30 days (KVKK art. 13).

For deletion specifically, see the Data Deletion Request document.

---

Note: CarQR is not an emergency service, law-enforcement/towing service, or a guaranteed communication channel.

Data Protection Notice (KVKK)

1. Data controller

2. Categories of personal data

3. Purposes of processing

5. Recipients and international transfers

6. Collection method

7. Retention

9. How to exercise your rights

Data Protection Notice (KVKK)

1. Data controller

2. Categories of personal data

3. Purposes of processing

5. Recipients and international transfers

6. Collection method

7. Retention

9. How to exercise your rights

Data Protection Notice (KVKK)

Data Protection Notice (KVKK / GDPR)

1. Data controller

2. Categories of personal data

3. Purposes of processing

4. Legal bases (KVKK art. 5–6 / GDPR art. 6)

5. Recipients and international transfers

6. Collection method

7. Retention

8. Your rights (KVKK art. 11 / GDPR art. 15–22)

9. How to exercise your rights

Data Protection Notice (KVKK)

Data Protection Notice (KVKK / GDPR)

1. Data controller

2. Categories of personal data

3. Purposes of processing

4. Legal bases (KVKK art. 5–6 / GDPR art. 6)

5. Recipients and international transfers

6. Collection method

7. Retention

8. Your rights (KVKK art. 11 / GDPR art. 15–22)

9. How to exercise your rights