Legal Information
Privacy Policy
This privacy policy explains how Alphaheads AG collects, uses, and protects personal data submitted through turkiyetaxfree.com. It is designed to comply with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (revFADP, in force since September 2023), and the UK Data Protection Act 2018.
1. Data Controller
The data controller responsible for processing personal data on this website is:
Alphaheads AG
Gubelstrasse 19
6300 Zug, Switzerland
Email: contact@turkiyetaxfree.com
2. What Data We Collect
We process only the personal data you actively provide via our registration forms. Depending on which pathway you select (Individuals / Freelancers / Companies), this includes:
From Individuals
- Name and email address
- Country of residence and citizenship
- Estimated foreign income range and relocation timeline
- Household composition and number of children
- Required services (relocation, tax, schooling, housing etc.)
- Optional: preferred language for introductions
- Optional: free-text notes
From Freelancers
- Name, email, current country, profession
- Annual revenue range and relocation timeline
- Required services and business networks of interest
- Optional: free-text notes
From Companies
- Company name, contact person name, email, headquarters country
- Industry, annual turnover, primary area of interest
- Preferred location and headcount estimate
- Required local partners (lawyer, accountant, banking, etc.)
- Optional: free-text notes
Automatically Collected
- Technical data: IP address (anonymised before storage), browser type, referring URL, timestamp — for security and abuse prevention only
- No cross-site tracking, no advertising cookies, no third-party analytics by default (see Section 8)
3. Purposes & Legal Basis
We process your data for the following purposes, on the following legal bases:
- Sending the official effective-date notification and tailored briefing — based on your consent (Art. 6(1)(a) GDPR) given via the required consent checkbox.
- Introducing you to vetted local partners (lawyers, tax advisors, banks, headhunters, immigration specialists) — only if you separately consent via the optional partner-consent checkbox (Art. 6(1)(a) GDPR).
- Responding to your direct enquiries sent via email — based on our legitimate interest in responding to communications (Art. 6(1)(f) GDPR).
- Security, abuse prevention, and legal compliance — based on our legitimate interest (Art. 6(1)(f) GDPR) and legal obligations (Art. 6(1)(c) GDPR).
Withdrawal of consent is possible at any time without affecting the lawfulness of processing prior to withdrawal. To withdraw, email contact@turkiyetaxfree.com.
4. Data Sharing & Recipients
We do not sell, rent, or trade personal data. We share data only with:
- Vetted local partners in Türkiye (tax advisors, lawyers, banks, headhunters, immigration specialists) — only if you provided explicit optional consent via the partner-consent checkbox, and only with partners relevant to your stated needs.
- Service providers (data processors) acting on our instructions under Art. 28 GDPR data processing agreements:
- Netlify, Inc. (USA) — website hosting and form processing. Data Processing Agreement in place.
- Plausible Analytics (Hetzner, Germany) — privacy-friendly, EU-hosted, cookieless analytics. Aggregated, anonymous traffic only. Data Processing Agreement in place.
- Authorities — only when legally required (court order, statutory obligation).
We do not engage in automated decision-making or profiling under Article 22 GDPR.
5. International Data Transfers
Data may be transferred to:
- Switzerland — recognised by the EU as providing an adequate level of protection (adequacy decision).
- United States — Netlify, Inc. is certified under the EU-US Data Privacy Framework. Transfers are based on this framework and Standard Contractual Clauses where applicable.
- Türkiye — only with your explicit partner-consent. Türkiye does not have an EU adequacy decision; transfers are based on Standard Contractual Clauses (Art. 46 GDPR) and your explicit consent (Art. 49(1)(a) GDPR) for the specific introduction.
6. Retention Periods
- Registration data: retained until the active phase of the program ends or until you withdraw consent — whichever is earlier. Maximum default retention: 24 months from last interaction.
- Communications by email: retained for 24 months for documentation purposes, longer only if legally required.
- Server logs: 14 days, then automatically deleted.
You can request deletion at any time (see Section 7).
7. Your Rights
Under GDPR, Swiss revFADP, and equivalent laws, you have the following rights regarding your personal data:
- Right of access — receive a copy of the data we hold about you (Art. 15 GDPR).
- Right to rectification — correct inaccurate or incomplete data (Art. 16 GDPR).
- Right to erasure ("right to be forgotten") — request deletion when data is no longer necessary or consent is withdrawn (Art. 17 GDPR).
- Right to restriction — limit processing in specific circumstances (Art. 18 GDPR).
- Right to data portability — receive your data in a structured, machine-readable format (Art. 20 GDPR).
- Right to object — object to processing based on legitimate interests (Art. 21 GDPR).
- Right to withdraw consent at any time (Art. 7(3) GDPR).
- Right to lodge a complaint with a supervisory authority — in Switzerland, the FDPIC (edoeb.admin.ch); in the EU, your local data protection authority.
To exercise any of these rights, email contact@turkiyetaxfree.com. We respond within 30 days.
8. Cookies & Tracking
This site uses only strictly necessary cookies required for security and form submission. We do not use advertising cookies, behavioural tracking, or cross-site profiling.
We use Plausible Analytics, a privacy-friendly, EU-hosted analytics service that does not use cookies, does not track individuals across sites, and does not collect personal data. Only aggregated, anonymous traffic data (pageviews, referrers, country-level location, device type) is recorded. Data is processed in Germany and does not leave the EU.
No consent banner is required for strictly-necessary cookies under ePrivacy Directive Article 5(3). Should we add optional analytics or marketing cookies in the future, a consent management mechanism will be implemented before activation.
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include TLS encryption in transit, encrypted storage at rest, access controls, and regular security reviews.
No method of internet transmission is 100% secure. While we strive to use commercially acceptable means to protect personal data, absolute security cannot be guaranteed.
10. Updates to this Policy
We may update this privacy policy from time to time. Material changes will be communicated via email to registered users and announced on this page. The current version date is shown below.
Last updated: 26 April 2026