Clarification Text on Personal Data Processing

Published on Dec 1, 2023

Last Updated: 25.06.2025

Our company, OKX TR Kripto Varlık Alım Satım Platformu Anonim Şirketi ("Company" or "OKX TR"), in the capacity of the "Data Controller", pursuant to the Personal Data Protection Law No. 6698 ("LPPD ") published in the Official Gazette numbered 29677 on 07.04.2016, may process your personal data within the limits and for the instances determined under the LPPD. We, as the Company, would like to inform and enlighten you about our personal data processing activities in line with Article 10 of the LPPD.

As our company, in accordance with Article 10 of the Personal Data Protection Law, we would like to inform and enlighten you about our personal data processing activities. In accordance with LPPD as OKX TR acting in the capacity of a data controller, we may process, record, store, classify, update, and — where permitted by legislation and/or limited to the purposes for which they are processed — disclose/transfer your personal data to third parties, in a manner that is relevant, limited, and proportionate to the purposes described below, and in compliance with the law and the principles of honesty, accurately and in an up-to-date manner..

The term "processing" refers to any operation performed on data, including but not limited to those regulated in the LPPD , such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, wholly or partially automatic or, provided that it is a part of any data recording system, in non-automatic ways. Your personal data may be processed by personnel authorized within the Company.

1. Processed Personal Data

The data we process consists of the following main categories: 

  • Identity Data: Includes name, surname, place and date of birth, gender, marital status, nationality, type and serial number of the identity card, identity number, signature sample for Turkish citizens additionally mother's and father's name and T.C. identification number, passport details including passport number, as well as registry information, tax identification number, social security number, citizenship number, and other identity-related information.

  • Contact Data: Includes mobile phone number, email address, residential address, registered electronic mail (KEP) address, and address.

  • Location Data: Includes location information.

  • Legal Transaction Data: Includes information in the case file and correspondence with judicial authorities.

  • Customer Transaction Data: Includes the date, type, amount, and method, of transactions, the method in which the transaction was conducted, the device and access methods used to perform the transaction, information on the wallet or counterparty platform used for or involved in the transfer, and records of communications with customer service. 

  • Transaction Security Data: Includes the type of your device, its identity, tracking information related to its usage, IP address, customer credentials required for access to electronic channels, password and login information, website access codes, website login and logout details, biometric data processed based on the customer’s consent, electronic log records showing the source of the order, voice recordings related to customer orders received via telephone, information obtained from WLAN, transaction history, access dates and times, browser type and version, transactions between wallets, and checks conducted through publicly available sources.

  • Financial Data: Includes cryptocurrency balance, wallet number, address, account information, bank account information, IBAN numbers, bank account transactions, balance information, income status, information and experience related to investments and crypto assets, transaction volume/amount details, asset holdings, and financial performance data.

  • Visual and Audio Data: Includes selfie photographs, identity cards, national ID cards, driver's licenses, passports, residence permits, photographs, video data from video calls (visual and audio recordings), and for non-Turkish citizens, visual data found on any type of identification card deemed appropriate by the relevant Ministry. It also includes call center recordings, including those related to complaints.

  • Biometric Data: Includes selfie images and biometric photos included in official identification cards processed by the facial recognition system.

  • Criminal Conviction Data: Includes your criminal record and information related to any criminal convictions.

  • Other: Transaction volume/amount information, profile photo if uploaded on the platform in case of creation of a profile

2. Purpose of Processing

Processed Personal Data

The Purpose of Processing

Legal Reason

Identity Data

Contact Data

Location Data 

Legal transaction Data 

Customer Transaction Data 

Transaction Security Data 

Finance Data 

Visual Data


Execution of customer account opening processes, 

Verification of customer identity, 

Monitoring and confirmation of transactions performed by the customer, 

Fulfilling the obligations regarding the identification of the parties involved in the transaction,

Ensuring that our company’s activities are conducted in compliance with regulations, all legal and administrative measures,

Fulfilling retention and reporting obligations,

Detection, monitoring, and prevention of suspicious transactions, 

Identification and profiling of customers engaging in suspicious transactions, reporting of suspicious transactions to the Financial Crimes Investigation Board (“MASAK”), 

Provision of information requested by prosecutors, law enforcement officers, courts regarding customers, preparation of the supporting documents regarding the work and transactions to be performed,

Performing request procedures.

LPPD Article 5/2 (a):

" It is expressly provided for by the laws"

LPPD Article 5/2 (ç):


“It is necessary for compliance with a legal obligation to which the data controller is subject.”

Criminal Conviction Data

Execution and evaluation of customer account opening procedures, 

Ensuring that our company’s activities are conducted in compliance with regulations, all legal and administrative measures,

Fulfilling retention and reporting obligations,

Provision of information requested by prosecutors, law enforcement officers, courts regarding customers, preparation of the supporting documents regarding the work and transactions to be performed,

LPPD Article 6/3(b):

“It is expressly provided for by the laws”

LPPD Article 6/3(d):

“It is necessary for the establishment, exercise, or protection of a right.”

Biometric Data

Execution of customer account opening processes, 

Verification of customer identity, 

Monitoring and confirmation of transactions performed by the customer, 

Ensuring that our company’s activities are conducted in compliance with regulations, all legal and administrative measures,

Fulfilling retention and reporting obligations,

Detection, monitoring, and prevention of suspicious transactions, 

Identification and profiling of customers engaging in suspicious transactions, reporting of suspicious transactions to the Financial Crimes Investigation Board (“MASAK”), 

Provision of information requested by prosecutors, law enforcement officers, courts regarding customers, preparation of the supporting documents regarding the work and transactions to be performed,

LPPD Article 6/3(b):

“It is expressly provided for by the laws”

LPPD Article 6/2(d):

“It is necessary for the establishment, exercise, or protection of a right.”


Transaction Security Data

Execution of our company’s operation process, execution of customer support services,

Storage and archiving activities, ensuring the security of customer accounts, 

Preparation of supporting documents for intended tasks and transactions.

LPPD Article 5/2 (c):

“Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract”

Visual and Audio Data

Conducting video calls and verifying with the uploaded photo as part of the ‘Know Your Customer’ (KYC) processes carried out to ensure compliance with regulations in customer acquisition procedures,

Confirming the customer’s identity

LPPD Article 5/2 (a):

" It is expressly provided for by the laws"

LPPD Article 5/2 (ç):

“It is necessary for compliance with a legal obligation to which the data controller is subject.”

LPPD Article 5/2(e):

“It is necessary for the establishment, exercise, or protection of a right.”

Identity Data

Contact Data

Customer Transaction Data

Transaction Security Data

Financial Data


Ensuring customer account security and system security,

Ensuring the security of our products and services,

Tracking assets in customers’ cryptocurrency virtual wallet addresses,

Ensuring accessibility of our products and services across all operating systems,

Monitoring and verifying transactions conducted by customers,

Measuring system performance to improve services, modeling, reporting, scoring, risk monitoring, and conducting intelligence activities,

Carrying out activities related to identifying potential customers,

Conducting audit activities,

Managing our company’s operational processes,

Providing customer support services,

Managing contract processes,

Delivering services provided by our company.

LPPD Article 5/2 (a):

" It is expressly provided for by the laws"

LPPD Article 5/2 (ç):

“It is necessary for compliance with a legal obligation to which the data controller is subject”

Contact Data

Mandatory notification of customers regarding their transactions within the scope of our services via SMS and email,

LPPD Article 5/2 (ç):

“It is necessary for compliance with a legal obligation to which the data controller is subject”

LPPD Article 5/2 (a):

" It is expressly provided for by the laws"

Contact Data 

Identity Data


Conducting marketing processes related to the services provided by the company and managing advertising/campaign/promotion activities

Carrying out communication activities

LPPD Article 5/1:

Explicit Consent


Identity Data 

Financial Data

Contact Data 

Managing our company’s operational processes,


Providing services by our company,


Issuing invoices to customers,


Conducting finance and accounting operations,


Tracking assets in customers’ cryptocurrency virtual wallet addresses,


Preparing supporting documents related to the transactions to be performed,

Managing contract processes,

Organizing and updating customer account information,

Upgrading customer account levels.

LPPD Article 5/2 (c):

“Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract"

LPPD Article 5/2 (ç):

“It is necessary for compliance with a legal obligation to which the data controller is subject”


Legal Transaction Data

Follow-up and execution of litigation and other legal procedures,


Carrying out data retention and archiving activities,


Reporting to the competent authorities for the detection and prevention of violations of the membership agreement and the law,


Ensuring compliance with requests or decisions from competent authorities and conducting audit activities.

LPPD Article 5/2 (f):

“Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

LPPD Article 5/2 (ç):

“It is necessary for compliance with a legal obligation to which the data controller is subject”


Identity Data


Contact Data


Other: Transaction volume/amount information; profile photo if a profile is created and uploaded on the platform

Provision of services offered by the Company
Personalization of the User Account

LPPD Article 5/1:

Explicit consent


3. Transfer of Your Personal Data

Your personal data processed for the purposes described above may be transferred to, shared with and/or given access to persons listed below, in accordance with the basic principles stipulated in the LPPD and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the LPPD.

  • Your identity, transaction security, financial, and contact data — including your name, surname, Turkish ID number, IBAN information, IP address, email address, mobile phone number, nationality, mother’s name, and father’s name — may be shared with the Financial Crimes Investigation Board (MASAK), all public legal entities and authorities, as well as contracted legal advisors, based on the legal grounds of " It is expressly provided for by the laws" under Article 5/2(a) of the LPPD and “It is necessary for compliance with a legal obligation to which the data controller is subject” under Article 5/2(ç) of the LPPD , for the purposes of fulfilling our legal obligations, reporting suspicious transactions, conducting risk management processes, providing documents and information requested by public institutions and organizations, and fulfilling reporting obligations within this scope.

  • Your criminal conviction data, including your criminal record may be shared with the Financial Crimes Investigation Board, all public legal entities and authorities, based on the legal ground of " It is expressly provided for by the laws" under Article 6/3(b) of the LPPD , for the purposes of fulfilling our legal obligations and providing documents and information requested by public institutions and organizations, as well as fulfilling reporting obligations within this scope.

  • Your criminal conviction data, including your criminal record, may be shared with legal advisors and contracted law firms based on the legal ground of “It is necessary for the establishment, exercise or protection of any right” under Article 6/3(d) of the LPPD, for the purposes of the follow-up and conduct of litigation and other legal proceedings, and the execution of storage and archiving activities.

  • Your legal transaction data, including information contained in the case file and correspondence with judicial authorities, may be shared with contracted third parties and external service providers offering consultancy, support, or other services in the fields of law, taxation, or any other area, based on the legal ground of “Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject” under Article 5/2(f) of the LPPD, for the purposes of the follow-up and conduct of litigation and other legal proceedings, and the execution of storage and archiving activities.

  • Your identity, financial, and contact data of users conducting deposit and withdrawal transactions — including name, surname, Turkish ID number, IBAN information, bank transaction records, and address — may be shared with business partners, affiliated institutions, banks and funds, and other natural or legal persons under contract with the Company, based on the legal grounds of “It is necessary for compliance with a legal obligation to which the data controller is subject” under Article 5/2(ç) of the LPPD , and “Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject” under Article 5/2(f) of the LPPD, for the purposes of managing contract processes, conducting financial and accounting operations, managing services and operational processes, and carrying out audit activities.

  • Your identity, transaction security, financial, and contact data — including your name, surname, Turkish ID number, IBAN information, IP address, email address, mobile phone number, nationality, mother’s name, father’s name, account transactions, date of birth, and residence address — may be shared with authorized persons, institutions, and organizations under the applicable legislation, including public legal entities and authorities such as MASAK, public prosecutors, law enforcement agencies, and courts, based on the legal ground of " It is expressly provided for by the laws" under Article 5/2(a) of the LPPD, for the purposes of fulfilling our obligations regarding the retention of internet access logs under Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications, ensuring that our Company activities are carried out in compliance with the legislation and all legal and administrative measures, fulfilling reporting obligations within this scope, reporting suspicious transactions, conducting risk management processes, and providing requested documents and information to public institutions and organizations.

  • Your identity, transaction security, financial, and contact data — including your name, surname, Turkish ID number, IBAN information, IP address, email address, mobile phone number, nationality, mother’s name, father’s name, account transactions, date of birth, and residence address — may be shared with contracted third parties and external service providers offering legal, tax, or other consultancy, support, or services, based on the legal ground of “Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject” under Article 5/2(f) of the LPPD, for the purposes of managing legal proceedings and other legal processes, executing storage and archiving activities, and carrying out customer relationship processes.

  • Your identity, contact, customer transaction, transaction security, financial, and visual data may be shared with contracted third parties and external service providers offering legal, tax, or other consultancy, support, or services, based on the legal ground of “Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject” under Article 5/2(f) of the LPPD, for the purposes of ensuring customer account and system security, carrying out financial and accounting operations, and managing customer relationship processes.

  • Your identity data and biometric data may be shared with contracted external service providers, based on the legal ground of " It is expressly provided for by the laws" under Article 5/2(a) of the LPPD and the relevant legislative provisions, for the purpose of obtaining support services in the conduct of investigations related to suspicious transactions, including Know Your Customer (KYC), Know Your Business (KYB), Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), and Transaction Monitoring (TM) processes, as well as any investigation and/or assessment processes to be carried out under the Regulation on Measures Regarding the Prevention of Laundering Proceeds of Crime and Financing of Terrorism, the relevant guidelines issued by MASAK, and/or applicable legislation.

  • Your visual and audio recordings collected during video calls within the scope of customer onboarding and “Know Your Customer” processes may be shared with third-party service providers contracted by the Company, based on the legal ground of ”Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject” under Article 5/2(f) of the LPPD , due to the fact that the relevant service is provided by a contracted third-party service provider.

4. Transfer of Your Personal Data Abroad

  • Your identity information (name and surname, date of birth, place of birth, nationality, passport/ID number, mother’s and father’s names, signature), contact information (phone number, email address, address), financial data (IBAN details, account activity, banking information), IP address, photograph (selfie), biometric data, and criminal record certificate are transferred to OKC Holdings Corporation located abroad, provided that appropriate safeguards are ensured through the standard contractual clauses set forth under Article 9 of the LPPD and the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad.

  • Your identity information (name and surname, date of birth, place of birth, nationality, passport/ID number, type and serial number of the ID document, mother’s and father’s names, signature), contact information (phone number, email address, address), location data, legal transaction data (information in case files and correspondence with judicial authorities), customer transaction data (date, type, amount, and method of transactions, and records of communication with customer services), visual data (selfie images, photographs), other data (volume/quantity information, profile photo if uploaded), and biometric data (ID documents processed via facial recognition systems) are transferred to Centauri Services and Technology Sdn. Bhd., located abroad, provided that adequate safeguards are ensured through standard contractual clauses drawn up in accordance with Article 9 of the LPPD and the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad.

We collect and process your data through our website and mobile applications, conversations conducted with our call center or through third-party service providers we use, electronic means such as SMS or e-mail, in verbal, written, or electronic format, using fully or partially automated methods, relying on the legal reasons specified for processing and transfer in this notice.

6. Your Rights Under Article 11 of the LPPD

You may submit your written requests as personal data owners to exercise the rights related to your personal data, along with documents identifying your identity, and your written petition containing your explanations related to the right you wish to exercise, directly or via registered mail to our company's address at Maslak Mah., AOS 55. Sk. 42 Maslak B Blok Sitesi No: 4 İç Kapı No: 542, Sarıyer/İstanbul or to

kisiselveri@turkiye.okx.com
. Your request will be evaluated by OKX TR and concluded within a maximum of 30 (thirty) days in accordance with the provisions of the LPPD. In principle, no fee shall be charged in relation to requests; however, OKX TR reserves the right to charge a fee based on the tariff determined by the Personal Data Protection Board.

We inform you, as the "Data Controller" within the scope of LPPD, that subject to the exceptions stipulated in Article 28 of LPPD titled "Exceptions", you have the right to apply to our Company and;

  • Learn whether your personal data is processed,

  • Request information regarding your personal data if it has been processed,

  • Learn the purpose of processing your personal data and whether it is used appropriately for its purpose;

  • Know who the third parties are, both domestically and abroad, to whom your data is transferred; request to be informed about the operations performed by these third parties; 

  • Request the correction of your personal data in case it has been processed incompletely or inaccurately,

  • Request deletion or destruction of your data when the reasons necessitating its processing no longer exist;

  • Request notification of the processes carried out to third parties to whom your personal data has been transferred,

  • Object to the emergence of a result against you by means of analysis of your personal data exclusively through automated systems,

  • Demand compensation for the damages in case you incur damages due to the processing of your personal data against the law.

Within the scope of your right to obtain information as stated above, you may access information and the OKX TR Kripto Varlık Alım Satım Platformu Anonim Şirketi Data Owner Application Form at

https://tr.okx.com
.


Trade Name: OKX TR Kripto Varlık Alım Satım Platformu Anonim Şirketi

Address: Maslak Mah., AOS 55. Sk. 42 Maslak B Blok Sitesi No: 4 İç Kapı No: 542, Sarıyer/İstanbul

Mersis No: 0638068598100001