Data Processing Agreement

Last updated: 27 May 2026

This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions (“Agreement”) entered into between:

Navlo Teknoloji Limited Şirketi (“Navlo” or “Processor”)

and

the Customer / User (“Controller”)

(each a “Party” and together the “Parties”).

This DPA governs the Processing of Personal Data by Navlo in connection with the provision of the Navlo platform and related digital logistics services.

1. Purpose and Scope

This DPA applies where Navlo Processes Personal Data on behalf of the Controller in connection with the use of the Navlo platform and related services (the “Service”).

The Parties acknowledge and agree that:

  • the Controller determines the purposes and means of Processing Personal Data uploaded or submitted to the Service;
  • Navlo Processes Personal Data solely on behalf of the Controller and in accordance with documented instructions; and
  • this DPA is intended to comply with:
    • Article 28 of the GDPR, where applicable, and
    • applicable requirements under Law No. 6698 on the Protection of Personal Data (“KVKK”).

Navlo provides a digital logistics platform including:

  • container tracking,
  • air cargo tracking,
  • shipment analytics,
  • shipment collaboration features,
  • document management, and
  • AI-powered logistics assistant functionality (“Navlo AI”).

For the avoidance of doubt, Navlo is not a Software-as-a-Service (“SaaS”) provider in the traditional enterprise software licensing sense and operates as a digital logistics intelligence and operational visibility platform using a credit-based commercial model.

2. Definitions

For the purposes of this DPA:

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” means any operation performed on Personal Data including collection, storage, organization, retrieval, analysis, transmission, disclosure, deletion, or destruction.

“Data Subject” means the individual to whom Personal Data relates.

“Sub-processor” means any third party engaged by Navlo to Process Personal Data.

“Supervisory Authority” means any competent data protection or privacy authority.

“Navlo AI” means Navlo’s AI-powered logistics assistant and analytical functionality.

“Credits” means digital usage units used within the platform for shipment tracking or optional service functionality.

3. Nature and Purpose of Processing

3.1 Nature of Processing

Processing activities may include:

  • collection,
  • recording,
  • storage,
  • organization,
  • retrieval,
  • structuring,
  • analysis,
  • transmission,
  • sharing,
  • deletion, and
  • archiving of Personal Data.

Processing may occur through:

  • the Navlo platform interface,
  • APIs and integrations,
  • analytics systems, and
  • Navlo AI functionality.

3.2 Purpose of Processing

Personal Data is Processed solely for purposes including:

  • providing shipment tracking services,
  • enabling shipment visibility and analytics,
  • supporting document management and collaboration features,
  • facilitating shipment sharing functionality,
  • providing customer support,
  • maintaining platform security,
  • operating the credit-based usage system, and
  • enabling Navlo AI functionality and AI-generated logistics insights.

Users may optionally activate Navlo AI functionality through recurring monthly credit usage as specified within the platform.

Users may deactivate Navlo AI at any time through the platform.

4. Categories of Personal Data and Data Subjects

4.1 Categories of Personal Data

Processed Personal Data may include:

  • full name,
  • email address,
  • phone number,
  • company information,
  • IP addresses and technical usage data,
  • shipment references,
  • uploaded shipment documents,
  • shipment notes and collaboration data,
  • payment and transaction-related information, and
  • communications with Navlo.

Where Users interact with Navlo AI, additional Processing may include:

  • prompts and queries submitted to Navlo AI,
  • AI-generated responses, and
  • operational analytical requests.

Navlo AI may analyze shipment-related data and operational information to generate:

  • summaries,
  • analytics,
  • forecasting outputs, and
  • logistics-related insights.

4.2 Categories of Data Subjects

Data Subjects may include:

  • Users,
  • customer employees,
  • logistics stakeholders,
  • shipment participants, and
  • third parties whose information is included within uploaded shipment data.

5. Processor Obligations

Navlo, acting as Processor, shall:

  • Process Personal Data solely on documented instructions from the Controller unless otherwise required by law;
  • ensure authorized personnel are subject to confidentiality obligations;
  • implement appropriate technical and organizational measures (“TOMs”);
  • assist the Controller in fulfilling data subject rights requests where applicable;
  • provide reasonable assistance regarding GDPR or KVKK compliance obligations; and
  • notify the Controller where legally prohibited instructions are identified.

Navlo shall not sell Personal Data to third parties.

6. Security Measures

Navlo shall implement commercially reasonable technical and organizational security measures, including:

  • encrypted communications (TLS/HTTPS),
  • access control systems,
  • authentication and authorization mechanisms,
  • logging and monitoring systems,
  • secure cloud infrastructure protections, and
  • backup and recovery procedures.

Navlo shall periodically review and update such measures based on operational and security requirements.

Despite such measures, no system can be guaranteed to be completely secure.

7. Navlo AI Processing

Where Users activate Navlo AI functionality:

  • shipment-related and operational platform data may be Processed to generate AI-powered analytics and responses;
  • AI-generated outputs may be probabilistic and may contain inaccuracies or incomplete information;
  • Users remain responsible for independently validating AI-generated outputs before operational or business use.

Navlo does not use customer data to train publicly available or third-party AI models unless explicitly authorized by the User.

Navlo AI activation may require recurring monthly credit consumption as specified within the platform.

Cancellation of Navlo AI:

  • prevents future recurring credit charges, but
  • does not reverse or refund previously consumed credits.

8. Sub-processors

The Controller authorizes Navlo to engage Sub-processors where reasonably necessary for provision of the Service.

Sub-processors may include:

  • cloud hosting providers,
  • analytics providers,
  • communication and email infrastructure providers,
  • infrastructure monitoring providers, and
  • payment processing providers.

Navlo shall:

  • impose data protection obligations substantially equivalent to this DPA on Sub-processors,
  • maintain appropriate oversight of Sub-processors, and
  • remain responsible for Sub-processor compliance to the extent required by applicable law.

The Controller may object to new Sub-processors on reasonable data protection grounds.

9. International Data Transfers

Where Personal Data is transferred outside Türkiye or the European Economic Area (EEA), Navlo shall implement appropriate safeguards, including:

  • Standard Contractual Clauses (“SCCs”),
  • secure transfer mechanisms, and
  • legally recognized transfer protections.

10. Data Subject Rights

Navlo shall reasonably assist the Controller in responding to Data Subject requests relating to:

  • access,
  • rectification,
  • erasure,
  • restriction,
  • portability, and
  • objection rights.

Unless legally required, Navlo shall not directly respond to Data Subject requests without authorization from the Controller.

11. Personal Data Breach Notification

In the event of a confirmed Personal Data Breach affecting Personal Data Processed under this DPA, Navlo shall:

  • notify the Controller without undue delay,
  • provide available relevant information regarding the breach, and
  • reasonably cooperate regarding mitigation and compliance obligations.

12. Data Retention and Deletion

Navlo shall retain Personal Data only for as long as reasonably necessary to:

  • provide the Service,
  • comply with legal obligations,
  • maintain security and operational integrity, and
  • resolve disputes.

Upon termination of the Agreement and subject to applicable law:

  • Personal Data may be deleted, anonymized, archived, or returned to the Controller where reasonably feasible.

Certain data may remain temporarily within secure backup systems.

Users may archive or delete shipment-related data through available platform functionality where applicable.

13. Audit and Compliance Rights

Upon reasonable written request, Navlo may provide:

  • compliance documentation,
  • security certifications,
  • summaries of technical and organizational measures, or
  • relevant audit information reasonably necessary to demonstrate compliance.

Navlo may:

  • limit audits to reasonable frequency and scope, and
  • reject requests that compromise confidentiality, security, or the rights of other customers.

14. Liability

Each Party’s liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the main Agreement and Terms and Conditions.

15. Governing Law

This DPA shall be governed by:

  • the laws of the Republic of Türkiye, and
  • GDPR requirements where applicable.

Any disputes arising under this DPA shall be subject to the jurisdiction provisions set forth in the main Agreement.

16. Order of Precedence

In the event of conflict between documents, the following order of precedence shall apply:

  1. This DPA
  2. Terms and Conditions
  3. Other applicable agreements or policies

Annex I — Processing Details

Subject Matter

Provision of digital logistics visibility, shipment tracking, analytics, document collaboration, and AI-powered logistics assistance services.

Duration

For the duration of the User’s access to the Service and any legally required retention period.

Nature and Purpose of Processing

Processing necessary to:

  • operate the Navlo platform,
  • provide shipment visibility services,
  • support shipment collaboration functionality,
  • manage credit-based platform access, and
  • provide Navlo AI analytical functionality.

Categories of Personal Data

  • Identification data
  • Contact information
  • Technical usage data
  • Shipment-related operational data
  • Uploaded documents and notes
  • Navlo AI interaction data

Categories of Data Subjects

  • Users
  • Customer employees
  • Logistics stakeholders
  • Third parties included within shipment-related data

Annex II — Technical and Organizational Measures (TOMs)

Navlo implements security measures including:

  • TLS/HTTPS encrypted communications
  • Role-based access controls
  • Authentication and authorization systems
  • Secure cloud infrastructure protections
  • Monitoring and anomaly detection systems
  • Backup and disaster recovery procedures
  • Logging and audit mechanisms
  • Infrastructure access restrictions