Last updated: April 22, 2026 · Effective date: April 22, 2026
This Privacy Policy explains, under the Turkish Personal Data Protection Law No. 6698 (the "Turkish PDPL") and the European General Data Protection Regulation (the "GDPR"), the purposes, legal bases, duration, and recipients for which your personal data is processed within the EmuDesk platform offered through the emudesk.com domain, as well as your rights as a data subject and how you can exercise them. References to "we", "EmuDesk" or "the platform" refer to the data controller identified below.
1. Data controller and contact information
Under Article 3 of the Turkish PDPL and Article 4 of the GDPR, the data controller is:
- Legal name: [To be completed before launch — commercial name of the EmuDesk operator]
- MERSIS / tax number: [To be completed before launch]
- Address: [To be completed before launch — the company's registered commercial address suitable for service of process]
- Email: support@emudesk.com
- Registered electronic mail (KEP): [To be completed before launch]
- Web: emudesk.com
For privacy-related requests, the primary channel is the form on our Contact page. If you prefer not to use the form, you may write to the email address above. To help us process your request quickly and accurately, please include, where possible, your username, the email address associated with your account, and the subject of your request (such as "Privacy Request", "Access", "Erasure", or "Data Portability"). For your security, additional identity verification may be required; however, we recommend that you do not share more personal data than necessary.
2. Scope of this policy
This policy applies to EmuDesk visitors, registered users, contributing members, commenters, streamer profile applicants, people who contact us through the contact form, and all data subjects who submit data protection rights requests. Websites outside EmuDesk, third-party download pages, the publishing policies of advertising networks, and the services of game or emulator developers themselves fall outside the scope of this policy.
3. Categories of personal data processed
Depending on how you use EmuDesk and the preferences you choose, the following data categories may be processed:
- Identity and account data: username, public profile slug, user ID, account role, account status, language and region preference, account creation method (password or Google sign-in).
- Contact data: email address, email verification status and timestamp, and the name, email, subject and message content you share through the contact form.
- Session and security data: the argon2id hash of your password, session token hash, CSRF token, re-issued password reset tokens, IP address, user-agent summary, rate-limit counters, and audit logs.
- Profile and reputation data: avatar, biography, social links, badges, reputation score, contribution counts, follow/follower relationships, and streamer profile fields (display name, title, about text, country code, platform links).
- Community content data: issue reports, solutions, guides, tool descriptions, keymap descriptions, comments, community posts, votes, content reports, notification preferences, and moderation-related decisions.
- File and download data: tool or keymap download events, file hash, file size, uploader, scan results, and download counters.
- Technical and device data: cookie identifiers, browser and operating system information, page navigation summaries, error message data, and limited security-purpose logging of IP and user-agent.
- Analytics and advertising data: page views, referrer URLs, interaction events, advertising interaction counters, and measurement cookie identifiers, collected only where you have given consent.
- Rights request and consent records: your data protection rights requests, identity verification traces, consent history, cookie banner version, withdrawal records, and DSR request records under the Turkish PDPL and GDPR.
Special categories of personal data (such as health, belief, political opinion, or biometric data) are not knowingly collected and are not processed under this policy. Please do not voluntarily share such data in the contact form or your community contributions.
4. Purposes and legal bases of processing
Your personal data is processed for the following purposes, relying on the legal bases set out in Article 5 of the Turkish PDPL and Article 6 of the GDPR shown alongside each purpose:
| Purpose of processing | Legal basis |
|---|---|
| Account creation, authentication, session management and prevention of identity theft. | Performance of a contract (Turkish PDPL 5/2-c, GDPR 6/1-b); legitimate interest (Turkish PDPL 5/2-f, GDPR 6/1-f). |
| Publication, display and search/discovery indexing of community content (issues, guides, tools, keymaps, comments, posts). | Performance of a contract (Turkish PDPL 5/2-c, GDPR 6/1-b); legitimate interest (Turkish PDPL 5/2-f, GDPR 6/1-f). |
| Moderation, content reporting, prevention of spam and abuse, and investigation of security incidents. | Legitimate interest (Turkish PDPL 5/2-f, GDPR 6/1-f); legal obligation (Turkish PDPL 5/2-ç, GDPR 6/1-c). |
| Sending email or in-app notifications according to your preferences; responding to support and contact requests. | Performance of a contract (Turkish PDPL 5/2-c, GDPR 6/1-b); explicit consent (Turkish PDPL 5/1, GDPR 6/1-a) for marketing communications. |
| Handling of data protection rights requests (access, rectification, erasure, objection, portability). | Legal obligation (Turkish PDPL 5/2-ç, GDPR 6/1-c). |
| Resolution of legal disputes, establishment of rights, defence, and fulfilment of legal obligations. | Legal obligation (Turkish PDPL 5/2-ç, GDPR 6/1-c); establishment of a right (Turkish PDPL 5/2-e, GDPR 6/1-f). |
| Analytics measurement and collection of visitor statistics in anonymous/aggregate form. | Explicit consent (Turkish PDPL 5/1, GDPR 6/1-a). |
| Ad serving, frequency capping and measurement of ad engagement. | Explicit consent (Turkish PDPL 5/1, GDPR 6/1-a). |
Analytics and advertising processing takes place only while the explicit consent you give through the cookie consent panel remains in effect. You may withdraw your consent at any time; withdrawal does not retroactively affect processing previously carried out on a lawful basis.
5. How personal data is collected
Your personal data is collected directly through your own actions, such as creating an account, adding content, writing comments, filling in forms and changing settings, and also technically through HTTP requests sent by your browser, cookies and server logs. If you choose to sign in with Google, basic profile information provided by Google (your name, email address and profile picture) is transferred to EmuDesk.
6. Transfer of personal data
Your personal data may be shared with the categories of service providers listed below, only to the extent necessary to provide the relevant service. Each service provider relationship is established as a data processor relationship, framed by contracts covering confidentiality, security and sub-processor obligations.
- Hosting and infrastructure: servers used for site hosting, the database and backups.
- Email delivery infrastructure: the email service provider used to deliver transactional emails (verification, notifications, DSR responses).
- Authentication: Google LLC when you choose to sign in with Google; Google Identity Services for the One Tap feature.
- Security verification: Cloudflare Turnstile for bot and spam protection.
- Analytics: Google Analytics 4, subject to your consent.
- Advertising: Google AdSense, subject to your consent.
- File security scanning: third-party scanning services used to inspect user-uploaded files.
- Error tracking and observability: error tracking services used for application error reports and observability (where applicable).
Some of these service providers may be established outside Türkiye or your country of residence. International transfers are carried out on the basis of (i) the safeguard mechanisms (undertakings, binding corporate rules) determined by the Board under Article 9 of the Turkish PDPL, or (ii) the standard contractual clauses (SCCs), an adequacy decision or your explicit consent, under Chapter V of the GDPR. Such transfers are limited to the minimum data necessary to provide the relevant service.
Legally valid and written requests from public authorities (judicial orders, official letters) are handled after assessing the legal basis and proportionality of the request. Where necessary to protect users, requests are refused or challenged through the courts.
7. Cookies and similar technologies
EmuDesk uses essential cookies along with analytics and advertising cookies that depend on your consent. A full breakdown of cookie categories, purposes, first-party/third-party distinction and durations, together with steps for changing your cookie preferences, is set out on our Cookie Policy page. You can also manage your cookie preferences via the Privacy & Cookie Settings link in the footer.
When essential cookies are disabled, core functions such as session management, CSRF protection and secure form submission may not work properly; no consent is sought in this case because these cookies are technically necessary to provide the service (Turkish PDPL 5/2-c, GDPR Article 6/1-b; technical storage exception under Article 5/3 of the ePrivacy Directive).
8. Retention periods
Personal data is retained for as long as necessary for the processing purpose or for the minimum retention period required by applicable legislation. The main retention principles applied at EmuDesk are as follows:
| Data type | Retention period |
|---|---|
| Account and profile information | For as long as the account is active; after a deletion request, following a 30-day recovery window, the data is deleted or anonymised. |
| Session and security logs | From the end of the session, for a reasonable period for security review (typically 90 days), extended where necessary up to 1 year. |
| Contact form messages | 12 months from the response to the request; those connected to a legal dispute until the applicable limitation period expires. |
| Community contributions (guides, solutions, comments, posts) | May continue to be stored in anonymised form after an account is deleted, in order to preserve the integrity of the knowledge base. |
| Audit logs and consent ledger | 1–5 years, depending on the risk level of the activity and legal obligations. |
| Email verification and password reset tokens | Destroyed immediately after use or expiration. |
| Analytics and advertising cookie data | The expiry period of the cookie itself; cleared at the next session when consent is withdrawn. |
| DSR (data protection rights request) records | Typically 3 years after the request is concluded, consistent with obligations under the Turkish PDPL and GDPR. |
For a complete table of retention periods and the current configuration, please see the Processing Records page.
9. Data security
EmuDesk applies technical and organisational measures including argon2id password hashing, httpOnly and Secure session cookies, CSRF protection, rate limiting, role-based access control, audit logging, security headers (CSP nonce, HSTS, X-Content-Type-Options), file upload checks and security scanning. Access by staff and service providers is restricted on a need-to-know basis and logged.
Despite all these measures, no online service can provide an absolute guarantee of security. If a potential data breach is identified, affected users and the relevant supervisory authorities are notified within the applicable legal notification obligations.
10. Automated decision-making and profiling
EmuDesk does not carry out automated decision-making that produces legal or similarly significant effects (GDPR Article 22) or profiling of that nature. Automated content scanning (for example, keyword or trigger filters) may be used in certain moderation steps; however, final publication or enforcement decisions are taken following human moderator review.
11. Data subject rights
Under Article 11 of the Turkish PDPL you have the following rights:
- To learn whether your personal data is processed.
- To request information about the processing of your personal data.
- To learn the purpose of processing and whether the data is used in line with that purpose.
- To know the third parties, within the country or abroad, to whom personal data has been transferred.
- To request correction of personal data that has been processed incompletely or inaccurately.
- To request erasure or destruction of personal data within the framework set out in Article 7 of the Law.
- To request that correction, erasure and destruction operations be notified to third parties to whom the data has been transferred.
- To object to a result that is to your detriment arising from the analysis of the processed data exclusively through automated systems.
- To claim compensation for damage arising from the unlawful processing of personal data.
Under the GDPR you additionally have the rights of access (Article 15), rectification (Article 16), erasure / right to be forgotten (Article 17), restriction of processing (Article 18), data portability (Article 20), objection (Article 21) and withdrawal of consent (Article 7/3).
12. How to exercise your rights
To exercise your rights you can use the form on our Contact page, write to support@emudesk.com, or create a DSR request directly from the Privacy & Data Requests section of your account settings.
So that your request can be handled effectively, you will be asked to share the minimum information needed to verify your identity. Under Article 13 of the Turkish PDPL, requests are in principle concluded within at most thirty (30) days; under the GDPR the request is generally answered within one month, extendable by up to two months for complex or multiple requests, with a reasoned notice of any delay.
If your request is refused or you find the response inadequate, you may lodge a complaint with the Turkish Personal Data Protection Authority under Article 14 of the Turkish PDPL. Users located in the EU/EEA have the right to lodge a complaint with the data protection authority of their country of residence (GDPR Article 77).
13. Public content and knowledge base integrity
Guides, solutions, comments, community posts, tool and keymap descriptions and profile information you publish on EmuDesk may be publicly accessible to the extent they are published. Such content may be indexed by search engines and viewed by other users.
When you delete your account, data attached to your personal identity is deleted or anonymised; however, to preserve the continuity of the knowledge base, your published community contributions may remain on the platform with the author information removed or displayed anonymously as "Deleted User". This practice is based on legitimate interest under Article 5/2-f of the Turkish PDPL and Article 6/1-f of the GDPR.
14. Children's privacy
EmuDesk is not directed at people under the age of 13 and does not knowingly collect personal data from users below this age. Users between 13 and 18 should use the service with the consent of a parent or legal guardian where required by the laws of their country. If you believe that personal data relating to a user under 13 has been processed inadvertently, please notify us immediately; the data will be deleted as soon as possible.
15. Account deletion and data portability
After signing in to your account you can export your data or start an account deletion request from Settings > Privacy & Data Requests. For security reasons, additional identity verification may be requested during the deletion process. Once confirmed, the request can be cancelled within a 30-day recovery window; at the end of this period the personal data is deleted or anonymised.
16. External links
EmuDesk contains various external links, such as to emulators, games, tools, communities, streamers and advertising destinations. EmuDesk cannot be held responsible for the privacy, security or download policies of external sites. Before following an external link, we recommend that you review the privacy policy and download warnings of the relevant site.
17. Changes to this policy
This policy may be updated from time to time due to product features, legal changes or service provider updates. Significant changes will be communicated through on-site notifications, email, or the cookie preference panel. The effective date of the current text is shown at the top of this page; the policy history is available on request.
18. Contact us
If you have questions about privacy, cookie preferences, data protection rights requests or complaints to a supervisory authority, you can use the form on our Contact page or write to support@emudesk.com.