Privacy Policy

Last updated: April 2026

1. Data Controller

UCOS Technology & Consultancy ("UCOS", "we", "us") is the data controller for personal data collected through our website (getucos.com) and consulting services. UCOS is headquartered in Istanbul, Turkey, with an operational presence in the Netherlands, EU. Contact: contact@getucos.com.

2. Data We Collect

We collect personal data that you provide directly to us, including: name, email address, company name, phone number, country, and any information included in your messages or documents shared during consulting engagements. We do not collect data through tracking cookies or third-party analytics beyond essential website functionality.

3. Legal Basis for Processing

We process your personal data on the following legal bases in accordance with GDPR Article 6 and KVKK Article 5:

Performance of Contract (GDPR Art. 6(1)(b)): To provide consulting services, prepare quotations, issue invoices, and fulfill our contractual obligations including EU REP mandate duties.

Legal Obligation (GDPR Art. 6(1)(c)): To maintain records as required by EU MDR (technical documentation retention under Article 10(8)), tax legislation, and other applicable regulatory requirements.

Legitimate Interest (GDPR Art. 6(1)(f)): To respond to business inquiries, improve our services, and maintain professional relationships. We ensure our legitimate interests do not override your fundamental rights.

We do not use your data for marketing purposes without your explicit consent (GDPR Art. 6(1)(a)).

4. Document Handling & Retention

Technical documentation, quality records, and other files shared during consulting engagements are stored securely and treated as strictly confidential. Client files may contain sensitive commercial information and trade secrets; these are handled with the highest level of care.

For EU REP services, technical documentation is retained as required by EU MDR Article 10(8): at least 10 years after the last device has been placed on the market (15 years for implantable devices). During this legally mandated retention period, deletion requests for regulatory documentation cannot be fulfilled. Upon expiry of the statutory retention period, all documents are securely destroyed using industry-standard data destruction methods.

For other consulting engagements, documents are retained for the duration of the engagement plus any contractually or legally required retention period, after which they are securely deleted.

5. International Data Transfers

Due to the nature of our business, personal data and documents may be transferred between Turkey and the EU/EEA. Turkey is considered a "third country" under GDPR as the European Commission has not issued an adequacy decision for Turkey. These transfers are safeguarded through appropriate mechanisms including:

EU to Turkey: EU Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), and/or other transfer mechanisms permitted under GDPR Chapter V.

Transfers subject to KVKK: Compliance with KVKK Article 9 requirements for cross-border data transfers, including obtaining necessary consents or relying on applicable exemptions.

Our primary cloud infrastructure and data storage are hosted within the EU/EEA to minimize cross-border transfer requirements.

6. Data Sharing & Sub-processors

We do not sell or share your personal data with third parties for commercial purposes. Data may be shared with:

Regulatory authorities and Notified Bodies: As required by the scope of our EU REP or consulting services.

Essential service providers (sub-processors): We use the following categories of sub-processors under appropriate data processing agreements: cloud hosting and storage providers (ISO/IEC 27001 certified), email and communication infrastructure providers, and website hosting services. All sub-processors are contractually bound to maintain equivalent data protection standards. A detailed list of current sub-processors is available upon written request to contact@getucos.com.

7. Cookies & Website Tracking

Our website uses only essential cookies that are strictly necessary for the website to function (e.g., session management). We do not use advertising cookies, analytics tracking, or third-party marketing cookies. No cookie consent banner is required as only essential cookies are used, in line with ePrivacy Directive Article 5(3) and GDPR Recital 30.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS 1.2+) and at rest, role-based access controls, secure storage, regular security assessments, and incident response procedures. Our security practices are aligned with ISO/IEC 27001 principles.

9. Your Rights

Under GDPR and KVKK, you have the following rights regarding your personal data:

Right of access — obtain confirmation and a copy of your personal data.

Right to rectification — request correction of inaccurate data.

Right to erasure — request deletion of your data. Please note: where retention is required by law (including MDR regulatory retention obligations as described in Section 4), deletion requests cannot be fulfilled until the statutory retention period expires.

Right to restriction — request limitation of data processing.

Right to data portability — receive your data in a structured, machine-readable format.

Right to object — object to processing based on legitimate interests.

Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at contact@getucos.com. We will respond within 30 days in accordance with GDPR Article 12(3).

10. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority:

In Turkey: Kisisel Verileri Koruma Kurumu (KVKK) — www.kvkk.gov.tr

In the Netherlands: Autoriteit Persoonsgegevens — www.autoriteitpersoonsgegevens.nl

In other EU Member States: The competent Data Protection Authority (DPA) of the relevant Member State where you reside or where the alleged infringement occurred.

11. Contact

For questions about this privacy policy or to exercise your data rights, contact us at contact@getucos.com.