Legal
Privacy Notice
Last updated: · Reviewed quarterly and after every regulatory change
This notice explains the personal data Viru Consulting W.L.L. (“we”, “us”) processes about visitors to easyturkishcitizenship.com, the lawful bases we rely on, how long we retain that data, and the rights you can exercise. It is written to be read; lawyer-grade language is used only where the regulation requires the exact phrase.
If anything below is unclear or you would prefer a plain-language answer about your specific situation, write to etc [at] virugroup [dot] company and we will reply within seven days.
Who is the data controller
Viru Consulting W.L.L., registered in the Kingdom of Bahrain, is the controller of personal data collected through this site. Our registered office address and company number are published on the imprint page. For data-protection matters we read mail sent to etc [at] virugroup [dot] company.
We do not currently appoint a Data Protection Officer because we do not meet the threshold under Article 37 UK GDPR. The director responsible for data protection inside the company is named on the imprint page; that person reads every privacy enquiry personally.
What data we collect, and why
Five categories of personal data are involved in running this site.
Enquiry form submissions. When you fill in the eligibility-check form, or write to us by email, we receive the name, email address, nationality and any free-text content you provide, together with the timestamp of the submission and a server-side identifier from our form-processing vendor. The lawful basis is the performance of pre-contractual steps you have requested (Article 6(1)(b) UK GDPR) and, for free-text content that includes sensitive detail you choose to share, your explicit consent (Article 9(2)(a)).
We use this data to reply to you, to record what was asked and answered, and to follow up if your enquiry leads to engagement. We do not use it to contact you about anything else unless you tick the marketing-opt-in box (currently we don’t run that opt-in, so this is a forward-looking statement).
Analytics. If the build environment is configured with a Google Analytics 4 measurement ID, we receive pseudonymous information about page visits: pages viewed, country (derived from IP, then discarded), device family, referring source. We have configured GA4 with IP anonymisation switched on. The lawful basis is legitimate interest (Article 6(1)(f)) in understanding which pages help and which fail.
If you are based in the EEA, the UK or Türkiye and prefer not to be measured, the cookie banner gives you a one-click refusal that takes effect immediately. We also honour the Global Privacy Control browser signal.
Server logs. Our hosting platform records standard request logs: IP address, user-agent, requested URL, response status, timestamp. These are retained by the platform for up to 30 days for security and abuse-prevention purposes. Lawful basis: legitimate interest in operating a secure service.
Cookies and similar. A short list of cookies is documented on the cookies page. We do not run advertising cookies and we do not embed third-party tracking pixels.
Correspondence. When you write to us, your email and its content sit in our mailbox. We keep correspondence for as long as needed to handle the matter and for a reasonable period afterwards to maintain a record of what we said.
What we do not collect
We do not collect: passport copies through the website (those are only ever shared after engagement, over the secure channel we agree with you), payment card details (we are not a payment processor), browsing data from outside our site (no advertising remarketing), or behavioural data that would let us infer political opinion, religion, health or sexual orientation.
If your eligibility-check free-text answer happens to mention sensitive information, we treat it under the explicit consent basis above and you can withdraw that consent at any time by writing to etc [at] virugroup [dot] company.
How long we keep your data
| Data | Retention | Then what |
|---|---|---|
| Enquiry-form submissions | 24 months from last contact | Permanently deleted from active systems |
| Email correspondence | 3 years from last reply | Archived for a further 4 years, then deleted |
| Server access logs | 30 days | Rolling deletion at the platform layer |
| Analytics events | 14 months in GA4 (account default) | Auto-purged by Google |
| Backup snapshots | 90 days | Rolling deletion |
If you later become a client of any advisory or legal service we work with, those parties operate as separate controllers under their own retention rules. We will tell you who they are at the point we introduce them.
Who we share data with
We do not sell personal data. We do not share it with advertising networks or data brokers.
The narrow set of third parties involved in operating the site is:
- Form processing vendor (Formspree, Inc., United States) — receives the eligibility-check submission and forwards it to our mailbox. Their privacy notice is at formspree.io/legal/privacy-policy. The transfer to the US relies on the EU–US Data Privacy Framework / UK Extension, and a Data Processing Addendum is in force.
- Hosting (Cloudflare, Inc., United States, with edge presence in the UK and EU) — serves the static site and processes server logs. Standard Contractual Clauses are in force.
- Email provider (the mailbox host named on the imprint page) — receives correspondence.
- Analytics (Google LLC, United States) — only if a GA4 ID is configured and you have not refused analytics in the cookie banner.
If a competent regulator or court compels disclosure under valid legal process, we will comply. We will tell you about the request unless we are legally barred from doing so.
International transfers
Some of the vendors above process personal data outside the UK and EEA. Where this happens, we rely on the EU–US Data Privacy Framework (and the UK Extension for UK data subjects), or Standard Contractual Clauses with appropriate supplementary measures. The vendors’ transfer-risk assessments are on file and available on request.
Your rights
If UK GDPR applies to your data (typically because you submitted it from the UK or were resident in the UK when you did), you have the right to: access your data, correct it, have it deleted, restrict its processing, object to processing carried out on legitimate-interest grounds, receive a copy in a portable format, withdraw consent you have given, and complain to the Information Commissioner’s Office (ico.org.uk).
If EU GDPR applies, the same rights are in force under Articles 15–22 of EU Regulation 2016/679. The supervisory authority is the data-protection authority of your habitual residence; in Türkiye, that is the Kişisel Verileri Koruma Kurumu (KVKK).
To exercise any right, write to etc [at] virugroup [dot] company. We respond within one month, which is the regulatory standard. We will ask for proof of identity proportionate to what you are requesting; we do not require notarised documents for routine requests.
Children
The eligibility-check form is intended for adults. We do not knowingly collect personal data of children under 16. If you believe a child has submitted data, write to us and we will delete it.
Changes to this notice
When we make changes that affect how personal data is handled, we update the “Last updated” date at the top of this page, and material changes are summarised on our news page on the day they come into effect. Older versions of this notice are kept in our records and available on request.
Apply now
Ready to start your Turkish citizenship file?
Leave your name, email and phone. We come back within one working day with the next step for your specific case.
- · Lawyer-reviewed reply, not a sales pitch
- · Country-specific source-of-funds notes for your case
- · Honest answer if the programme is not the right fit