Skip to content
holala
ShowcasePricing
EnglishENTürkçeTR
Log inStart for free

Platform

Platform overviewStudioEditorBulkLibraryMy Store

Platform overview

The whole workflow at a glance.

Every module — Studio, Editor, Bulk and more — in one connected canvas.

Explore

Studio

Studio-grade product shots

Create from your real products

Explore

Editor

Edit by typing

Perfect every detail

Explore

Bulk

Generate at volume

Scale to your whole catalog

Explore

Library

Inspiration, ready to remix

Browse holala's curated library — fresh ideas and starting points we keep stocked for you.

Explore

My Store

Your own assets, always ready

Upload your products, logos, and shots once — they stay in your store, ready to reuse anytime.

Explore

All 25 templates · swipe or use arrows

Background ReplacementModelProduct to On-ModelCloseup Texture GeneratorProductJewellery Image GenerationGhost Mannequin CreatorModelKids Image GenerationFace/Model GeneratorModelLingerie & Swimwear GenerationProductWhite BackgroundEditingAngle GenerationMulti Product / Multi ModelModelModel Face SwapperStyle/Pose DuplicatorModelModel Face GenerationView / Angle GeneratorEnhancementQuality EnhancerEditingBackground GenerationStyle/Pose Duplicator — v2EditingCloseup Textile GenerationKids Image GeneratorProductGhost Mannequin GenerationProductOn-Model to Flat-LayEditingSide GenerationModelModel RemoverProductNon-Model Generation
All templates
CustomersBrands building with holalaBlogStories and updatesAcademyTutorials and recipesFAQAnswers, from setup to billingDocumentationGuides for every moduleBrowse all resources

By industry

Fashion & ApparelJewelry & AccessoriesBeauty & CosmeticsKids & FamilyFood & Beverage

By product type

ApparelBags & Leather GoodsEyewearFootwearHijab & Modest WearWedding & Evening

By integration

ShopifyWooCommerceAmazon MarketplaceAPI & Zapier
LocalizeOne shoot, every market →

Platform

Platform overviewStudioEditorBulkLibraryMy Store

Templates

Background ReplacementProduct to On-ModelCloseup Texture GeneratorJewellery Image GenerationGhost Mannequin CreatorKids Image GenerationFace/Model GeneratorLingerie & Swimwear GenerationWhite BackgroundAngle GenerationMulti Product / Multi ModelModel Face SwapperStyle/Pose DuplicatorModel Face GenerationView / Angle GeneratorQuality EnhancerBackground GenerationStyle/Pose Duplicator — v2Closeup Textile GenerationKids Image GeneratorGhost Mannequin GenerationOn-Model to Flat-LaySide GenerationModel RemoverNon-Model Generation

Resources

CustomersBlogAcademyFAQDocumentationBrowse all resources

Solutions

Fashion & ApparelJewelry & AccessoriesBeauty & CosmeticsKids & FamilyFood & BeverageApparelBags & Leather GoodsEyewearFootwearHijab & Modest WearWedding & EveningShopifyWooCommerceAmazon MarketplaceAPI & ZapierOne shoot, every market
ShowcasePricing
Log inStart for free

Legal

Data Protection (KVKK) Policy

Our data protection commitments under Turkey's KVKK (Law No. 6698) — the binding regulation here, not the EU GDPR.

Last updated: 20 Haziran 2026

1. Introduction

1.1. General

The Holala platform is a software company that offers artificial intelligence (AI)-powered image and video generation services to corporate customers such as e-commerce brands, advertising agencies, and marketing teams under a B2B SaaS model. The protection of personal data is a fundamental principle at every stage of our technological infrastructure, and acting in compliance with Law No. 6698 on the Protection of Personal Data (the “KVKK” or the “Law”) and all relevant domestic law as well as international data protection standards (GDPR, etc.) is our Company's primary responsibility. Within this framework, our Company implements principles such as proportionality, transparency, accountability, and “privacy by design”, required by the data processing obligations brought about by digital transformation and artificial intelligence technologies, by encoding them into its systems.

1.2. Scope of the Policy

This Policy has been prepared so as to cover all of our Company's personal data processing operations. Within the framework of the platform's B2B structure, the data processing activities relating to the employees and officers of the companies using the platform, as well as to all natural persons who make contact through our marketing channels, fall within the scope of this Policy. Since data processing also encompasses the AI production processes in which users are able, in particular, to upload facial images of themselves or of third parties to the platform, the scope of processing has been kept as broad as possible. This policy regulates the categories of data collected, the purposes of data processing, the processing conditions, the technical/administrative measures, the retention periods, and the rights of data subjects.

1.3. Data Controller and Legal Basis

This Policy has been prepared with respect to the entire operation of the legal entity registered, in its capacity as data controller, as “

Company Title: ELİF SİMGE EREN Şahıs Şirketi (sole proprietorship),

Tax Office / Tax No.: Kozyatağı Tax Office - 3530980516,

Website: www.holala.ai,

Contact Person Name Surname: Att. Hande Karaman,

E-mail: av.handekaraman@gmail.com,

Telephone: 05422304929”. The specific identity and contact details stated above are provided only once, and in the remainder of this text the data controller will be referred to in short as “Holala” or the “Company”. Pursuant to the provisions envisaged by the Law, the legal regulations in force shall primarily be taken as the basis in the processing of personal data. In the event of a conflict arising between the provisions of the Law and this Policy, it is accepted that Law No. 6698 and the relevant secondary legislation (for example, decisions of the Personal Data Protection Board, regulations, etc.) shall apply directly.

1.4. Entry into Force and Updates

This Policy entered into force as of the date on which it was approved by Holala's management units. Our Company reserves the right to unilaterally update the policy in the face of changes occurring in the technological infrastructure, new integrations, or revisions in the applicable legislation. The updated policy text is published on the www.holala.ai website and in the platform interface, and is kept accessible to all data subjects.

2. Personal Data Subjects and Purposes of Processing

2.1. Data Subjects

The personal data processed by Holala belong to all natural persons to whom the Company provides services or with whom it comes into contact. Taking into account the structure of the platform and its acquisition channels, the following principal categories of data subjects have been defined:

  • Customer / Corporate User Officer: The natural person employees or officers who create an account on the platform, log in, and actually use the service on behalf of the companies, advertising agencies, or e-commerce brands that benefit from AI-powered image/video generation services by purchasing a subscription or tokens (credits) through the platform. The data collected in respect of these persons are under protection within the scope of the KVKK.
  • Prospective Customer / Demo User: Natural persons who request a quote or a demo by filling in a contact form via Holala's corporate website (www.holala.ai) or its social media channels, who sign up for the waitlist, or who open a trial account. Contact and identifying data are collected from these persons.
  • Visitor: All natural persons who visit the www.holala.ai website or the app.holala.ai application, use the platform interface, and from whom data are collected by means of cookies or analytics tools. Analytical data such as IP address and device information may be processed through the first- or third-party cookies used within the site.
  • Third Parties Featured in Content: The natural persons appearing in the images uploaded to the platform by our customers as references (inputs) for the production of product photographs, brand themes, or advertising creatives. Since users are able to upload content such as brand catalogs or model photographs, persons whose faces or bodies are recognizable in such content fall within the scope of biometric data processing.

All relevant natural persons falling within the categories stated above are under the protective umbrella of this Policy. Our organization processes the data belonging to its customers and to the persons it contacts within the framework of the legal grounds it has expressly stated.

2.2. Purposes of Processing

The personal data processed by Holala are processed within the legal framework envisaged by Law No. 6698 and the relevant legislation, and only for the specific, legitimate, and equitable purposes stated below:

  • Account and Identity Verification: User identity information (name, surname, corporate e-mail, telephone, etc.) is processed for the purpose of the secure creation and management of user accounts on the platform and the performance of login operations, as well as for user verification procedures (OTP- or TOTP-based multi-factor authentication). This is required by the performance of the service and by our contractual obligations (Article 5/1-b of the KVKK).
  • AI Image/Video Generation: The visual references received from the user, the guiding texts (prompts), and the data inputs relating to the brand are processed for the purpose of delivering the AI-powered image and video generation services to the user in real time. Since the product photographs, brand kit (logo, colors, fonts, etc.), and model facial images uploaded to the system by the user in this process may fall within the scope of special categories of data (facial images in particular are deemed biometric data), such data are processed solely for the purpose of generation, in accordance with the relevant statutory conditions, and for a limited period. In addition, in order to ensure transparency, users are informed in detail in the Privacy Notice as to the purposes for which and the manner in which the data belonging to them will be processed.
  • Payment and Invoicing: The processing of users' payment and invoicing information is necessary for the conduct of the transactions relating to the subscriptions and credit packages purchased within the platform and for the completion of the invoicing process in compliance with e-commerce legislation. In this context, the information required for the issuance of invoices, such as company name, tax identification number, tax office, and address, is processed. Payment card details are collected directly by the payment infrastructure provider (iyzico), and sensitive information such as card numbers is not stored within Holala. These activities are mandatory for the performance of the membership agreement and are conducted pursuant to Article 5/1-b of the KVKK.
  • User Experience and History: The production history created by users on the platform, the amount of credits spent, the content created, and the brand materials uploaded are securely stored on the platform, enabling the provision of a personalized service. In this way, users can re-access their previous content and their platform experience is preserved. The data processed for this purpose are processed on the basis of the performance of the contract and the improvement of the user experience.
  • Security and Fraud Prevention: In order to ensure platform security, infrastructures such as Cloudflare Turnstile and Web Application Firewall (WAF) are used to block bot attacks, distributed denial-of-service (DDoS) attacks, and fake account creation attempts. Data such as login/logout logs, IP address and session information, and transaction history are processed in order to ensure system security and prevent misuse. This processing is carried out on the basis of the existence of a legitimate interest, within the framework of our Company's legitimate interests (avoiding service interruptions, preventing malicious activity, etc.) (Article 5/2-f of the KVKK).
  • Analytics and Improvement: In-platform usage analysis is performed using analytics tools such as PostHog and Google Analytics. Statistical data — such as which features users use and how, and on which screens problems are experienced — are evaluated, and service quality is thereby improved. For these operations, depending on whether the data are anonymous or on the manner in which the collected data are processed, legitimate interest or user consent may be taken as the basis. For example, general usage analysis not requiring demographic segmentation may fall within legitimate interest, whereas obtaining explicit consent may be observed for detailed measurements for marketing purposes.
  • Marketing and Remarketing: Where users' explicit consent has been obtained, remarketing (retargeting) campaigns may be conducted and newsletters may be sent using digital marketing tools such as the Meta pixel, Google Ads, and LinkedIn Insight. The only data processed in this context are users' contact details and their campaign preference and consent data, and such processing is carried out acting within the framework of Article 5/2-f of the KVKK (legitimate interest) and the explicit consent provisions.
  • Fulfillment of Legal Obligations: Since the keeping of traffic records is a legal requirement pursuant to Law No. 5651 and the related regulations, IP addresses, session login/logout times, and other system records are retained for the periods envisaged in the laws. In addition, as required by accounting legislation, invoices and financial records are retained for the relevant periods (Tax Procedure Law, Turkish Commercial Code). The processing of such data is carried out for the purpose of fulfilling a legal obligation within the scope of Article 5/1-c of the Law.

No personal data processing activity outside the above purposes is carried out without the additional disclosure and explicit consent conditions envisaged by the Law being satisfied. Holala conducts its data processing activities in strict adherence to the principles of lawfulness, purpose limitation, data minimization, accuracy, storage limitation, transparency, and accountability set out in Article 4 of the Law.

3. Measures for the Protection of Personal Data

3.1. Technical and Administrative Measures

Pursuant to Article 12 of the Law, Holala takes every kind of technical and administrative measure to ensure the security of personal data. In this context:

  • All system communication is encrypted with HTTPS/TLS, preventing “Man-in-the-Middle” attacks and data interception.
  • User passwords are stored cryptographically hashed and salted with bcrypt; no authorized person, including database administrators, can view passwords in plaintext.
  • A presigned URL mechanism is used to reduce the load on the backend servers of the large-sized images and outputs uploaded to the system and to prevent data leaks; files are transferred directly to secure object storage areas (Cloudflare R2).
  • Two-factor authentication (OTP via e-mail/SMS and optional TOTP) has been made mandatory for the protection of user accounts.
  • The system infrastructure is supported by Cloudflare DDoS protection, bot detection mechanisms, and a Web Application Firewall (WAF).
  • Regular backups of the database and important files are taken, providing the ability to restore rapidly where necessary.
  • The principle of internal access authorization (least privilege / role-based access control) is applied; only authorized personnel can access the relevant data.
  • Regular penetration tests and security scans are performed on the data, and potential vulnerabilities are remediated.
  • Where and for how long recorded personal data are stored is regularly reviewed, and redundant data are deleted or anonymized in accordance with Article 14 of the Law.
  • KVKK awareness training is provided to employees, and data protection processes are regularly monitored through internal audit mechanisms (audit records, user activity logs, etc.).

All of these measures are aimed at preventing the unlawful processing of, or unauthorized access to, sensitive data within Holala's cloud-based SaaS structure. The Company furthermore acts within the framework of the Personal Data Security Guide published by the Personal Data Protection Board and follows best practices.

3.2. Protection of Special Categories of Data

Pursuant to Article 6 of the KVKK, special categories of personal data such as race, ethnic origin, political opinion, religion, health, and sexual life are under additional protection. Since biometric data in particular (for example, images containing facial recognition features) are assessed as falling within the scope of special categories of data, the processing of such data is possible only under the exceptional conditions envisaged in the Law. The facial and body information in the photographs uploaded for generation via the Holala platform is rapidly analyzed by artificial intelligence models and incorporated into the modeling process. However, the following are guaranteed in this process:

  • Biometric data such as facial images are uploaded to the system only with the user's explicit consent; otherwise, processing does not commence.
  • These special categories of data are in no way used in the general training of artificial intelligence models or for any other purpose; they are processed only momentarily in order to fulfill the user's service request, and this processing time is limited to seconds. Holala has strictly undertaken, in the agreements it has signed with third-party AI service providers, that user data shall not be used for model training purposes.
  • In all processes involving the processing of special categories of data, the data subject is specifically informed and their explicit consent is obtained pursuant to Article 7 of the KVKK. Furthermore, acting in accordance with the data minimization principle, such data are processed only when necessary and to the most limited extent possible.
  • The retention period of biometric data is limited to the shortest possible duration; the biometric data associated with production content deleted from the platform or anonymized are likewise deleted pursuant to Article 14 of the Law.

Holala acts with the highest level of diligence to ensure that, in the processing of special categories of data, the constitutional right to privacy is respected and the provisions of the relevant legislation are complied with in full. In accordance with the legal regulations in force and the decisions of the Board, it has been announced to data subjects through privacy notices that legal liability will be assumed in the event of a breach occurring within this scope.

4. Data Processing Conditions and Cross-Border Transfers

The data processing activities at Holala are conducted subject to the lawful processing conditions listed in Article 5 of the KVKK. Our Company processes personal data on the basis of the following legal grounds:

  • Performance or Preparation of a Contract (Art. 5/1-b): The data that are mandatory for the provision of the platform services (subscription management, content generation, technical support, etc.) and for the performance of the payment/invoicing processes are processed for this purpose. For example, the name, e-mail, and telephone collected for subscription registration, and the invoicing information for payment transactions, are processed as required by contractual obligation.
  • Legal Obligation (Art. 5/1-c): Data such as traffic records, invoice records, and financial documents requested due to a statutory requirement (Law No. 5651, the Tax Procedure Law, the Turkish Commercial Code, etc.) are processed within this scope.
  • Legitimate Interest (Art. 5/2-f): The data processing activities necessary for our Company to be able to conduct its legitimate business securely and effectively (system security, analytical improvement, fraud prevention, etc.) are carried out in reliance on this article. However, such operations are conducted in a manner that does not harm the rights of the data subjects, and a balance is observed.
  • Explicit Consent (Art. 5/1-a): For operations requiring explicit consent under the KVKK, such as the processing of special categories of data, marketing disclosures, and the use of cookies, informed explicit consent is obtained from the data subjects. Holala does not process special categories of data or data for marketing purposes without the data subject's consent; where the consent is withdrawn, the processing is stopped.

Cross-Border Data Transfers: Due to Holala's operational needs, some of the infrastructure services it uses are located abroad. The servers on which user account information is held are located in Finland (Hetzner), the infrastructure providing the storage service operates globally (Cloudflare R2), and the AI model providers are located in the USA and other countries. Pursuant to Article 9 of Law No. 6698, personal data within the scope of personal data protection may be transferred abroad only where one of the following conditions is met: the explicit consent of the data subject is obtained, or the data are transferred to a country in respect of which the Republic of Türkiye has determined that an equivalent level of protection exists. Holala undertakes that, for all personal data transferred to servers abroad, the appropriate level of security envisaged by the Board and, where necessary, by the European Union Standard Contractual Clauses is ensured. The data subject has been informed and their consent obtained within this scope; in other cases, the exceptional circumstances set out in the legal regulations (for example, being expressly envisaged pursuant to Article 9 of the Law, or processing subject to authorization from the competent authority) have been taken into account. Holala takes care to achieve full compliance with the provisions of the KVKK at every stage by ensuring the necessary coordination.

5. Data Retention Periods and Disposal

Personal data are deleted, destroyed, or anonymized when the purposes of processing cease to exist or when the retention period specified in the Law comes to an end. In determining the retention periods for the relevant data categories, our Company takes into account the periods envisaged in the Law and other legislation. For example, invoice and financial ledger records are retained for at least 10 years under the Tax Procedure Law and for 10 years under the Turkish Commercial Code (for company ledgers). User account information and production history, on the other hand, are deleted or anonymized at the end of the maximum period determined [in accordance with the Company's internal regulations] after the account is closed. Retention periods are determined taking into account the Personal Data Retention and Disposal Directive published by the Personal Data Protection Authority and the relevant legislation. Upon the completion of any data disposal or anonymization operation, notification is made to the data subject or to the relevant authorities; the secure destruction of data that have been backed up multiple times is also ensured.

6. Rights of the Data Subject

Pursuant to Article 11 of the KVKK, natural persons who are data subjects may exercise the following rights vis-à-vis our Company in relation to their personal data:

  • Right of Access: To learn whether their personal data are being processed and, if they have been processed, to request information in this regard.
  • Learning the Purpose of Processing: To learn the purpose for which the data are processed and on which ground under the KVKK they are processed.
  • Learning the Data Categories: To learn into which categories their processed personal data fall.
  • Rectification or Erasure: To request the rectification of their personal data if they have been processed incompletely or inaccurately, and their deletion or destruction if they have been processed contrary to the Law.
  • Deletion and Anonymization: To request that the data be deleted, destroyed, or anonymized at the end of the retention period envisaged in the Law.
  • Learning the Recipients of Transfers: To learn whether the processed data have been transferred to third parties and, if they have been transferred, to which recipient groups they have been transferred.
  • Right to Object: To object to data processing operations based on legitimate interest.
  • Withdrawal of Consent: To withdraw their consent in respect of data processed on the basis of explicit consent.
  • Requesting the Remedying of Damage: To request that the damage be remedied and/or to claim compensation in the event of suffering damage as a result of processing contrary to the law.
  • Right to Lodge a Complaint: To lodge a complaint before the Personal Data Protection Authority (KVKK) should they have a grievance.

Data subjects wishing to exercise these rights may submit their requests to our Company in writing [through the Company's communication channels]. Our Company undertakes to conclude the request as soon as possible and within 30 days at the latest. Where necessary, additional information or documents relating to the request may be requested.

7. Publication of the Policy and Training

This Policy is known and applied by all personnel and business partners working within Holala. Our Company continuously develops its data protection culture through regular internal training relating to its business processes and through audit mechanisms. Any change or update to be made under the Policy is announced to all data subjects by publication at the www.holala.ai address. As data controller, Holala assumes the legal responsibilities in the event of any situation contrary to its data processing activity, this Policy, or the provisions of Law No. 6698.

Questions? Email dpo@holala.ai.

holala

Visuals for every team — without the studio.

Platform

  • Platform overview
  • Studio
  • Editor
  • Bulk
  • Library
  • My Store

Templates

  • All templates
  • Background Replacement
  • Product to On-Model
  • Closeup Texture Generator
  • Jewellery Image Generation
  • Ghost Mannequin Creator
  • Kids Image Generation
  • Face/Model Generator
  • Lingerie & Swimwear Generation
  • White Background
  • Angle Generation
  • Multi Product / Multi Model
  • Model Face Swapper
  • Style/Pose Duplicator
  • Model Face Generation
  • View / Angle Generator
  • Quality Enhancer
  • Background Generation
  • Style/Pose Duplicator — v2
  • Closeup Textile Generation
  • Kids Image Generator
  • Ghost Mannequin Generation
  • On-Model to Flat-Lay
  • Side Generation
  • Model Remover
  • Non-Model Generation

Resources

  • Customers
  • Impact
  • Blog
  • Academy
  • FAQ
  • Documentation
  • Browse all resources

Company

  • About
  • Contact

Legal

  • Pre-information form
  • Distance service agreement
  • Cancellation & refunds
  • Terms of use
  • Information notice (Aydınlatma)
  • Privacy
  • KVKK
  • Cookies

© 2026 holala

ENTR