1. Introduction
This Privacy Policy establishes how RegPEX (Regional Peering Exchange) processes, stores, and protects personal data. RegPEX maintains dual compliance: adherence to Turkish Law No. 6698 on the Protection of Personal Data (KVKK) and alignment with international best practices, including GDPR principles where applicable.
Data Controller: RegPEX – Regional Peering Exchange
Contact: privacy@regpex.net
2. Data Collected
2.1 Data Collected During Membership
| Data Category | Details | Purpose |
|---|---|---|
| Identity information | Name, surname, title | Membership management |
| Contact information | Email, telephone, postal address | Communication and notifications |
| Corporate information | Company name, tax ID, ASN | Contract and billing |
| Technical information | IP addresses, ASN, prefix list | Service delivery |
| Financial information | Bank account, payment card details | Payment processing |
2.2 Data Collected During Service Use
| Data Category | Details | Purpose |
|---|---|---|
| Traffic statistics | Aggregate bandwidth statistics | Service quality monitoring |
| BGP data | Announced routes, session status | Service delivery |
| Logs | Access logs, session information | Security and troubleshooting |
| Cookies | Session and preference cookies | Website functionality |
3. Processing Purposes
Personal data is processed for the following purposes:
- Service delivery: Fulfilment of membership and peering services
- Technical operations: Provision and maintenance of peering connectivity
- Billing: Invoicing, payment tracking, and collections
- Communication: Maintenance notices, security alerts, service updates
- Security: Network security monitoring, abuse detection and response
- Statistics: Production of anonymised aggregate statistics
- Legal obligation: Compliance with applicable legislation
4. Legal Bases Under KVKK Article 5
Processing is conducted under the following legal bases as defined in KVKK Article 5:
- Contract performance: Execution of the membership agreement and related services
- Legitimate interest: Network security, service quality, and operational needs
- Legal obligation: Tax law, telecommunications regulations, and other mandatory requirements
- Explicit consent: Marketing communications (optional; separate consent collected)
5. Retention Periods
| Data Type | Retention Period |
|---|---|
| Membership information | Duration of membership + 10 years |
| Billing records | 10 years (tax law requirement) |
| Traffic logs | 2 years |
| BGP session logs | 1 year |
| Web access logs | 1 year |
| Cookies | Session or up to 1 year |
Data held beyond its retention period is automatically deleted or anonymised.
6. Security Measures
6.1 Technical Measures
- Encryption: AES-256 for data at rest; TLS 1.2+ for data in transit
- Network security: Firewall, IDS/IPS, and regular security audits
- Access control: Role-based access, least-privilege principle
- Backup and DR: Regular backups and disaster recovery procedures
6.2 Administrative Measures
- Staff non-disclosure agreements (NDAs)
- Data protection and security training
- Access logging and audit trails
- Breach response plan and incident handling procedures
7. Data Transfers
7.1 Domestic Transfers
Personal data may be shared domestically with:
- POP operators (cross-connect coordination)
- Payment service providers
- Public authorities where required by law
7.2 International Transfers
- PeeringDB: Member information published with consent
- BGP data: Technical necessity for route propagation; no personal data
- All international transfers comply with KVKK Article 9 (adequate safeguards, contractual clauses, or explicit consent as applicable)
8. Data Subject Rights (KVKK Article 11)
Data subjects have the following rights under KVKK Article 11:
- Learn whether personal data is processed
- Request information if data has been processed
- Learn the purpose of processing and whether it is used accordingly
- Know to whom data has been transferred (domestic or international)
- Request rectification of incomplete or inaccurate data
- Request erasure where legal grounds for processing cease to apply
- Request that rectification or erasure be notified to third-party recipients
- Object to automated analysis that produces adverse effects
- Claim compensation for harm arising from unlawful processing
9. Applications and Contact
How to apply: privacy@regpex.net
Response time: Up to 30 days
Fee: No charge for electronic applications; written responses may incur a fee of 50 TL
Applicants may be required to verify their identity before their requests are processed.
10. Cookie Policy
10.1 Cookies Used
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential / session | Authentication, security, core functionality | Session |
| Preference | Language, theme, user preferences | 1 year |
| Analytics | Anonymous visitor statistics | 1 year |
10.2 Cookie Management
- Essential and session cookies cannot be disabled without affecting core functionality.
- Preference and analytics cookies may be managed via the cookie preference panel.
- Browsers may be configured to block or delete cookies; this may limit website features.
11. Policy Updates
RegPEX may update this policy from time to time. Material changes will be communicated to members by email. The current version is always published on the RegPEX website.