Skip to content
holala
ShowcasePricing
EnglishENTürkçeTR
Log inStart for free

Platform

Platform overviewStudioEditorBulkLibraryMy Store

Platform overview

The whole workflow at a glance.

Every module — Studio, Editor, Bulk and more — in one connected canvas.

Explore

Studio

Studio-grade product shots

Create from your real products

Explore

Editor

Edit by typing

Perfect every detail

Explore

Bulk

Generate at volume

Scale to your whole catalog

Explore

Library

Inspiration, ready to remix

Browse holala's curated library — fresh ideas and starting points we keep stocked for you.

Explore

My Store

Your own assets, always ready

Upload your products, logos, and shots once — they stay in your store, ready to reuse anytime.

Explore

All 25 templates · swipe or use arrows

Background ReplacementModelProduct to On-ModelCloseup Texture GeneratorProductJewellery Image GenerationGhost Mannequin CreatorModelKids Image GenerationFace/Model GeneratorModelLingerie & Swimwear GenerationProductWhite BackgroundEditingAngle GenerationMulti Product / Multi ModelModelModel Face SwapperStyle/Pose DuplicatorModelModel Face GenerationView / Angle GeneratorEnhancementQuality EnhancerEditingBackground GenerationStyle/Pose Duplicator — v2EditingCloseup Textile GenerationKids Image GeneratorProductGhost Mannequin GenerationProductOn-Model to Flat-LayEditingSide GenerationModelModel RemoverProductNon-Model Generation
All templates
CustomersBrands building with holalaBlogStories and updatesAcademyTutorials and recipesFAQAnswers, from setup to billingDocumentationGuides for every moduleBrowse all resources

By industry

Fashion & ApparelJewelry & AccessoriesBeauty & CosmeticsKids & FamilyFood & Beverage

By product type

ApparelBags & Leather GoodsEyewearFootwearHijab & Modest WearWedding & Evening

By integration

ShopifyWooCommerceAmazon MarketplaceAPI & Zapier
LocalizeOne shoot, every market →

Platform

Platform overviewStudioEditorBulkLibraryMy Store

Templates

Background ReplacementProduct to On-ModelCloseup Texture GeneratorJewellery Image GenerationGhost Mannequin CreatorKids Image GenerationFace/Model GeneratorLingerie & Swimwear GenerationWhite BackgroundAngle GenerationMulti Product / Multi ModelModel Face SwapperStyle/Pose DuplicatorModel Face GenerationView / Angle GeneratorQuality EnhancerBackground GenerationStyle/Pose Duplicator — v2Closeup Textile GenerationKids Image GeneratorGhost Mannequin GenerationOn-Model to Flat-LaySide GenerationModel RemoverNon-Model Generation

Resources

CustomersBlogAcademyFAQDocumentationBrowse all resources

Solutions

Fashion & ApparelJewelry & AccessoriesBeauty & CosmeticsKids & FamilyFood & BeverageApparelBags & Leather GoodsEyewearFootwearHijab & Modest WearWedding & EveningShopifyWooCommerceAmazon MarketplaceAPI & ZapierOne shoot, every market
ShowcasePricing
Log inStart for free

Legal

Privacy Policy

How holala collects, uses, shares, and protects information about you when you use our website, platform, and APIs.

Last updated: 20 Haziran 2026

1. Introduction and Purpose of the Policy

In today's business world, where digital transformation and artificial intelligence technologies are advancing at an unprecedented pace, ensuring the privacy, integrity, and security of personal data is not merely a legal obligation but also one of the most fundamental components of corporate reputation, transparency, and sustainable commercial trust. Protecting the privacy of all individuals and corporate representatives who benefit from the advanced artificial intelligence-powered services offered through the digital platform established, operated, and managed by ELİF SİMGE EREN Şahıs Şirketi (sole proprietorship), together with all subdomains connected to this domain name, mobile applications, software interfaces, and digital infrastructures (hereinafter referred to in short as the "Company", the "Platform", or "Holala"), constitutes one of our Company's highest corporate priorities.

This Comprehensive Personal Data Protection and Privacy Policy (the "Policy") regulates in the finest detail the scope within which, the legal bases upon which, and the legitimate purposes for which the personal data of all data subjects are processed — including guests visiting the Holala website, persons who register on the platform as individual or corporate users, those who use a demo or free trial account to test the system's capabilities, corporate customers who purchase credit (token) or subscription packages, users who perform image or video generation on the platform, and all data subjects who upload product photographs, brand logos, reference images, text inputs (prompts), or similar digital content to the system. This Policy has furthermore been drawn up in order to explain, in a transparent, accountable, and detailed manner, for how long and how such data are stored, by which technical and administrative measures they are protected, and in which cases they may be shared with third parties within the country or abroad to the extent permitted by legislation.

Holala is, at its core, an innovative digital platform for image and video generation that provides Business-to-Business (B2B) services and is powered by state-of-the-art artificial intelligence algorithms and deep learning models. The services offered within the Platform, which form the basis of its data processing activities, comprise highly advanced, complex, and data-intensive operations such as the generation of high-resolution product images optimized for e-commerce sites and digital advertising campaigns, images featuring models and ghost mannequin integration for the fashion industry, advertising creatives with multiple variations for performance marketing networks, the conversion of static images into product videos, bulk (batch) catalog image optimizations, and the training of AI templates/models tailored to corporate brand identity.

The performance of these artificial intelligence operations necessarily requires that data be transmitted in real time to cloud systems, databases, and third-party Application Programming Interface (API) providers, and that such data be processed and structured. In this context, the Company undertakes to act, at every stage of its data processing activities, in full compliance with Law No. 6698 on the Protection of Personal Data ("KVKK"), the relevant secondary legislation, the guidelines and principle decisions published by the Personal Data Protection Board, and international best data security standards (for example, ISO 27001 information security principles). The Company regards strict adherence to the fundamental KVKK principles of "lawfulness and fairness", "being accurate and, where necessary, kept up to date", "being processed for specific, explicit, and legitimate purposes", "being relevant, limited, and proportionate to the purposes for which they are processed", and "being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed" as an absolute corporate obligation.

2. Identity and Corporate Information of the Data Controller

As defined in Article 3 of the KVKK, the "Data Controller" means the natural or legal person who determines the purposes and means of processing personal data and who is responsible for the establishment and management of the data recording system. Within the scope of the relevant legislative provisions, the identity, registry, and contact information of the legal enterprise holding the status of Data Controller with respect to the personal data collected and processed on the Platform is expressly set out below:

  • Company Title: ELİF SİMGE EREN Şahıs Şirketi
  • Registered Tax Office: Kozyatağı Tax Office
  • Tax Identification Number: 3530980516
  • Head Office Address: Küçükbakkalköy Mah. Selvili Sk. No: 4/20 Ataşehir / İstanbul

As the Data Controller, the Company not only fulfills the notification, disclosure, and data security obligations envisaged under the KVKK in its personal data processing operations, but also considers it its duty to establish a corporate data governance culture, to itself create internal policies on data security, authorization matrices, access procedures, and regular audit mechanisms, and to ensure the sustainability of these systems. Respecting the privacy expectations of its users, the Company integrates the data protection culture into its systems from the design stage of all business processes onwards (privacy by design).

3. Conceptual Framework and Legal Definitions

In order for the text of this Policy to be understood correctly, completely, consistently, and without any room for doubt, it is a legal and technical necessity to define the concepts frequently referred to in the text within the framework of the KVKK, the relevant data protection legislation, and the technological nature of the platform:

  • Personal Data: Means any information relating to an identified or identifiable natural person. In addition to information that directly identifies a natural person, such as their name, surname, e-mail address, or telephone number, all information that makes a person identifiable when various pieces of data — such as IP address, device information, log records on the system, location data, and user behavior habits — are combined also qualifies as personal data.
  • Special Categories of Personal Data: Defines data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. Such data are regarded as "sensitive data" under the legislation, and their processing is, as a rule, subject to the explicit consent of the person concerned or to far stricter legal conditions expressly stipulated by law.
  • Data Subject: Means the natural person whose personal data are processed. For the purposes of this Policy, the Data Subject includes authorized users who register on the Platform, guest visitors, persons submitting customer support requests, and the natural person employees or representatives of corporate customers who are authorized to use the platform.
  • Data Processing: Covers any algorithmic, administrative, and technical operation performed on personal data, such as the collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, takeover, making retrievable, classification, or prevention of the use of personal data by wholly or partially automated means or, provided that the data form part of a data recording system, by non-automated means.
  • Explicit Consent: Denotes a declaration of consent relating to a specific subject, based on detailed information, and expressed by the data subject of their own free will, without being under any external influence or pressure.
  • Anonymization: Means rendering personal data, in an irreversible technical form, incapable of being associated with an identified or identifiable natural person under any circumstances, even when matched with other data or different data sets.
  • Subscription System / Credit (Token) Model: Refers to the hybrid service delivery model, based on prepayment or periodic billing, used in consideration of the services offered on the Platform. Users' generation operations within the platform result in the expenditure of a certain amount of credits or tokens depending on the selected output quality and size.
  • User Content (UGC - User Generated Content): Covers the product photographs, reference images, brand assets, logos, written commands (prompts), and brief texts that users upload to the platform, request to have processed, or provide to the system.
  • Output: Defines any work in digital image, graphic, illustration, or video format that is synthesized, derived, and ultimately delivered to the User by means of third-party artificial intelligence algorithms and the Company's infrastructure, using the inputs provided by Users to the Platform.

4. Scope and Field of Application of the Privacy Policy

Owing to the multi-layered and technological infrastructure of the digital service operations conducted by the Company, data processing activities vary according to different user profiles and levels of interaction with the platform. This Comprehensive Privacy Policy places the following groups of persons and data subjects under its umbrella of legal protection:

1. Internet users who visit the website solely to obtain general information, examine the platform's interface, or learn about the scope of the services offered, without creating any membership account,

2. Persons who create a record on the Platform under an individual or corporate identity, become members of the system by setting a username and password, and gain access to the management panel,

3. Users who open a "demo" or "free trial" account in order to test the system's capabilities, image generation quality, and speed, and who provide their data to the platform in this context,

4. Corporate customer accounts defined within the framework of the B2B (Business-to-Business) business model, and the administrative employees or representatives authorized to act on behalf of these legal entities (brands, advertising agencies, e-commerce companies, etc.),

5. Natural person merchants or corporate officers who purchase the monthly/annual subscription packages that form the platform's core service mechanism, or the credit (token) packages operating on a pay-as-you-go basis,

6. Users who, as an integral part of the AI-powered image/video generation process, upload raw product photographs, brand logos, reference styles, brand identity documents (brand guidelines), written commands (prompts), or similar customized data sets to the Platform,

7. Persons who interact with the Company directly or indirectly via e-mail, contact forms, live support tools, social media channels, or other communication media within the scope of customer service, technical support, pre-sales information, cooperation proposals, or marketing activities.

It is a fact that, by virtue of its commercial model, the Platform has a B2B service structure focused predominantly on the corporate customer segment. Nevertheless, identity, contact, and security access information belonging to natural persons is necessarily collected during the initial registration processes on the platform. Within the system's corporate account management architecture, once a main company account has been created, there are sub-account authorization (role-based access) mechanisms that allow the credit and token pool allocated to that legal entity to be used jointly by multiple employees authorized by the company. This advanced architecture requires that the log records, transaction histories, and security stamps of each sub-authorized user be independently processed, monitored, and legally recorded in accordance with KVKK standards. The Company manages these data processing operations with the highest level of diligence.

5. Categories of Personal Data Processed and Methods of Collection

In order for the Platform to provide secure, uninterrupted, lawful, and optimum-quality service, personal data in various categories are collected by the Company in strict adherence to the general principles set out in Article 4 of the KVKK and the data processing conditions regulated in Articles 5 and 6 thereof. Data are obtained through users filling in registration forms, approving agreements online, using the platform interface interactively, uploading digital materials, completing payment steps, or by automated means via cookies and system logs. The personal data processed are classified in detail and comprehensively as follows:

5.1. Identity and Contact Data

In order for users to acquire a lawful and secure digital identity on the platform, for contractual relationships to be established on a sound footing, and for two-way communication to be maintained, the following data are processed: name, surname, e-mail address, telephone number, username, name of the company or institution worked for, and role/title information within the system. Particularly during user login and account creation processes, the accuracy and currency of these data are of great importance in order to enable identity verification (for example, via e-mail verification links or One-Time Password - OTP methods) and to prevent fake or bot accounts.

5.2. Corporate Account, Finance, and Billing Data

Various financial data are collected for the purpose of documenting, reporting, and taxing the commercial transactions conducted under the B2B service model in accordance with statutory accounting standards, the Turkish Commercial Code, and the Tax Procedure Law. These data include: company title, registered tax office, tax identification number (or Turkish ID Number for sole proprietorships / self-employed professionals), official billing address, authorized financial user details, the level of the subscription package to which the user belongs, current in-platform credit/token balance and consumption records, discount coupon (promotional code) usage history, and past purchase logs. Invoices are issued electronically in e-invoice or e-archive invoice format in accordance with the legislation, and the financial and administrative data obtained in these processes are retained in secure archives throughout the statutory retention periods.

5.3. Platform Usage and Technical Transaction Data (System Logs)

Technical data are collected by automated means for the purposes of fulfilling the mandatory legal obligations under Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publications, ensuring the information and cyber security of the platform, technically monitoring system performance, and continuously improving the user interface and experience (UI/UX). This category covers extremely detailed metrics including users' platform login and logout date/time stamps (timestamps), IP addresses, session durations, the type of device used for access, screen resolution and operating system information, browser type and version preferences, transaction logs relating to API calls, the AI templates viewed and selected on the platform, the amount of credits spent per individual image or video generation, the number of works generated, preferred resolution settings (for example 1K, 2K, 4K scaling), and various optimization parameters transmitted to the AI model.

5.4. Content Uploaded by Users (Inputs and Digital Materials)

Generative AI-powered image and video production, which is the Platform's fundamental reason for existence, by its nature requires users to provide specific visual and textual inputs to the system. This content, which users integrate into the system entirely on their own initiative and under their own control, may include:

  • Raw product photographs from brands' product catalogs, product detail shots, and background-removed (transparent) materials.
  • Reference images uploaded in order to guide the artificial intelligence algorithm as to the "style", "lighting", "composition", or "texture" of the work to be generated.
  • Copyright-protected brand logos, vector drawings, watermarks, and typographic brand identity guides reflecting customers' corporate identity.
  • Detailed written commands (prompts) that directly describe to the AI model how the image or video is to be created, negative prompts (details that are not to be generated), and project brief texts.
  • Lifestyle or model images (containing human figures) that may serve as references, particularly in the textile, e-commerce, and fashion sectors, for ghost mannequin applications, virtual fashion shows, or AI-assisted mannequin dressing processes.

These inputs constitute the backbone of the platform's production operations, and the processing of such materials has been made subject to special protection protocols and confidentiality umbrellas within the framework of the KVKK, the Law on Intellectual and Artistic Works (FSEK), and the universal principles of data privacy.

5.5. Payment and Transaction Security Data

Credit card collection transactions carried out by users on the Platform are conducted through the infrastructure of a licensed payment institution operating under the supervision of the Central Bank of the Republic of Türkiye (CBRT) and the Banking Regulation and Supervision Agency (BRSA) and holding high national and international security standards (in particular, PCI-DSS - Payment Card Industry Data Security Standard). In this context, the Company does not in any way store, process, or record in its databases users' critical and sensitive financial data such as credit card numbers, expiry dates, or CVC/CVV security codes. The Company's systems hold only limited transaction data documenting that the collection has been lawfully effected, such as the success or failure status of the payment transaction, the transaction reference codes of the order or subscription cycle (tokenization ID), refund or cancellation statuses, the amount collected, and payment verification logs relating to the performance of the service.

5.6. Tracking Technologies, Cookies, and Analytics Data

Advanced tracking technologies are used in order to keep the website's functionality at the maximum level, enhance cyber security, analyze usage habits statistically and anonymously, and conduct marketing strategies in a data-driven manner. In this context, session management, access verification tokens, users' in-page navigation routes, click maps, conversion rates, and advertising performance data are processed.

Main Data Category

Data Sub-Types and Contents

Data Source and Collection Method

Identity and Contact

Name, Surname, E-mail, Telephone, Corporate Title

Registration Forms, Demo Requests, Customer Support Channels

Corporate/Financial

Company Title, Tax ID No., Billing Address, Package Level

Purchase Modules and Invoicing Interfaces

User Input (UGC)

Product Photograph, Logo, Reference Image, Written Prompt

Active Upload by the User via the Platform Interface

System Logs

IP Address, Session Duration, Device Type, Resolution

Automated System Logging (Server and Security Infrastructure)

Payment Transactions

Transaction Reference No., Success Status, Refund Status

Licensed Payment Provider API Integration

6. Purposes of Processing Personal Data

The personal data collected through our Platform are processed by the Company within the scope of the specific, legitimate, proportionate, and lawful purposes each detailed below. The Company undertakes never to use data for purposes other than those for which they were collected.

1. Service Performance, Setup, and Account Management: The creation of platform membership, performance of user identity verification, management of the main company and sub-authorized account architecture as required by the B2B model, activation of demo (free trial) processes and allocation of free starter credits to accounts, the automatic cycles of monthly/annual subscription renewals, and the immediate integration into the system of pay-as-you-go credit (token) packages following purchase.

2. Conduct of Artificial Intelligence and Production Operations: The processing of the product photographs, reference images, brand identity files, and text commands integrated into the system by users in order to create aesthetic, marketing-ready, professional-quality digital outputs (image/video) by means of high-performance machine learning models and API bridges. The timely delivery of these outputs to the user in their preferred format (JPEG, PNG, WEBP, MP4) and resolution (for example, high-quality 4K).

3. Financial and Accounting Operations: Verification of customer purchases, secure payment collection through integration with a licensed payment infrastructure, conduct of accounting processes, issuance of e-invoices/e-archive invoices electronically and in compliance with the law, monitoring of corporate current accounts, and performance of financial reconciliations.

4. Customer Relations and Technical Support Processes: Resolution of technical problems encountered by users, responding to support requests (tickets), processing of refund, cancellation, and subscription suspension requests, provision of guidance on the use of the platform, and improvement of service quality through the evaluation of user feedback.

5. Security, Audit, and Legal Obligations: Keeping the mandatory traffic logs pursuant to Law No. 5651 and the relevant legislation, prevention of cyber security threats directed at the platform — such as unauthorized access, bot attacks, chargeback fraud, attempted intellectual property infringements, or misuse of the service — and conduct of information security processes.

6. Service Development, Statistics, and Analytics: Optimization of the user experience on the platform, detection and remediation of software errors (bugs), development of new AI templates and interface features in line with user trends, measurement of the conversion analytics of marketing and advertising campaigns, and production of statistical reports based on anonymized data.

7. Resolution of Legal Disputes and Protection of Rights: Establishing the Company's rights of defense against potential future intellectual property disputes, contractual disputes, consumer complaints, or requests from administrative/judicial authorities, preservation of evidence within statutory periods, and its sharing with competent institutions in accordance with the legislation.

7. Legal Grounds for the Processing of Personal Data

Articles 5 and 6 of the KVKK regulate the fundamental legal bases — in other words, the processing conditions — for the processing of personal data. The Company never carries out data processing activities arbitrarily or without a basis, and each of the data categories listed above is processed in direct reliance on one or more of the following legal grounds:

  • Establishment or Performance of a Contract (Article 5/2-c of the KVKK): The provision that "processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract" covers the platform's core operation. Upon acceptance of the Platform's Terms of Use and the Distance Service Agreement, the opening of accounts, the allocation of credits, the processing of product images through AI algorithms and delivery of the final outputs, and the completion of payment steps rest entirely on this legal ground. The processing of name, surname, e-mail, billing information, and uploaded content is essential for the performance of the contractual obligations between the parties.
  • Legal Obligation of the Data Controller (Article 5/2-ç of the KVKK): Under the provision that processing must be "mandatory for the data controller to be able to fulfill its legal obligations", the obligation to issue invoices, compliance with tax legislation, management of refund/cancellation processes arising from consumer legislation, provision of information to competent public authorities, and the obligation to keep time-stamped system logs pursuant to Law No. 5651 are based on this condition.
  • Establishment, Exercise, or Protection of a Right (Article 5/2-e of the KVKK): Within the framework of the provision that "data processing is mandatory for the establishment, exercise, or protection of a right", the retention of data throughout the statutory limitation periods for the purpose of proving, in potential commercial, consumer, or legal disputes, that contractual obligations have been performed (for example, transaction logs on the platform, approved contract records, or payment references) and of defending the Company's legal rights falls within this scope.
  • Legitimate Interests (Article 5/2-f of the KVKK): In line with the provision that "data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject", activities such as ensuring the platform's information security, preventing fraud, and analyzing and improving software performance and the user interface by means of analytics tools are conducted in a balanced and proportionate manner that does not prejudice users' fundamental rights and freedoms.
  • Explicit Consent (Article 5/1 of the KVKK): Explicit consent is obtained for activities falling outside the exceptional cases specified in the Law and listed above. In particular, marketing, profiling, delivery of personalized advertising, the sending of commercial electronic messages, and certain situations relating to cross-border data transfers (for example, transfers to servers abroad occurring as a result of the use of third-party global cloud service providers or foreign AI API providers) are carried out on the basis of the explicit, freely given, and informed consent to be provided by the data subject.

8. AI Production Processes, User Content (UGC), and Intellectual Property Ethics

Our Platform delivers its core added value through advanced "generative AI" systems. While this technological context requires the construction of a powerful technical infrastructure, it also makes it imperative to establish a flawless, ethical, and lawful balance between data privacy and AI integration.

8.1. Privacy and Security of User Inputs

All raw product images, brand logos, reference designs, brand identity files, and text commands (prompts) uploaded to the Platform by users are regarded by the Company as "confidential commercial information" and "personal data". Without the customer's prior explicit and written approval or a contractual reference permission, such content is under no circumstances used, displayed, or opened to the access of third parties in the Company's publicly accessible libraries, social media accounts, marketing materials, or case study presentations. Data uploaded by users are processed in isolated database areas solely in order to serve the production processes initiated by the users themselves.

8.2. Interaction Protocols with Third-Party AI Providers (APIs)

Behind the scenes of the AI-powered image and video creation operations, in addition to the Company's own in-house server architecture, the Application Programming Interfaces (APIs) of trusted, enterprise-grade third-party AI model providers that have proven their technological maturity worldwide are used. A specific image and written text input uploaded by the user is transmitted to these providers through encrypted API tunnels solely for the purpose of performing the generation operation (inference) at hand.

This sharing is an operation made mandatory by the technological nature of delivering such a high-level service. However, the Company relies on "Zero Data Retention for Training" protocols under which, pursuant to the B2B API agreements with the enterprise AI providers it has integrated, it is strictly guaranteed that the user data transmitted "shall not be used by these providers for the purpose of training their own base models/foundation models". After the generation operation is completed and the result is returned to our platform, the user data are removed from the relevant API provider's active processing queue within technical timeframes.

9. Prohibited Content and the Prevention of Unlawful Use

Users warrant in advance that all raw product photographs, model/face images, logos, brand files, briefs, or prompt content they integrate into the Platform are in full compliance with applicable national and international law.

In particular, given the nature of AI image generation technologies, when photographs containing the face, identity, or physically distinguishing features of real persons are uploaded to the Platform as reference models (a model face or a dressing mannequin), it is exclusively and absolutely the User's legal responsibility to ensure that the personality rights of those persons (privacy of private life, rights over one's own image) are not violated and that all necessary copyright, license, and KVKK explicit consent permissions have been obtained in advance by the User personally, in writing and in a provable manner. Incorporating registered trademarks, logos, watermarks, or copyrighted works belonging to third parties or institutions into AI modeling without the permission of the rights holder is prohibited.

Accordingly, under Company policy, the uploading to the Platform, generation, or commissioning of the generation of any input containing pornographic or obscene content, materials involving child abuse or pedophilia, images containing violence, terrorism, or hate speech, unlawful generation commands inciting crime (including prompt injection or jailbreak attempts), content involving discrimination on the basis of race, religion, or gender, or content manifestly infringing the personality rights or intellectual property of others is strictly and uncompromisingly prohibited.

The Company reserves, in the broadest terms, the right to immediately delete from its servers any such infringing content that bypasses the AI safety filters or is subsequently detected by system administrators, to reject the production queue, to unilaterally suspend or immediately close the account of the User committing the relevant infringement without compensation, to cancel the credit balance, and, where deemed necessary, to file a criminal complaint with the judicial authorities, law enforcement units, or public prosecutors.

10. Transfer of Personal Data Within the Country and Abroad

The Company may transfer the personal data it obtains and hosts in its systems to authorized third parties and institutions only within the strict security protocols and legal conditions of the Domestic Transfer rules set out in Article 8 of the KVKK and the Cross-Border Transfer rules regulated in Article 9 thereof. The Company does not sell any user's personal data to third parties for the purpose of commercial gain.

Domestic Transfer Processes:

In order for users' financial transactions to be conducted securely, payment statuses, invoice details, and transaction references are shared with the infrastructures of BRSA-licensed and PCI-DSS-certified payment institutions. Likewise, data are shared with e-transformation integrators compliant with the applicable legislation for e-invoice issuance, with Certified Public Accountants for accounting and tax obligations, and with the Company's legal advisors (attorneys) so that legal representation, defense, and advisory services may be obtained in potential legal matters. These disclosures are limited to only as much data as the task requires and are carried out within the "need-to-know" principle. In addition, transfers may be made to competent public institutions for the purpose of fulfilling legal obligations on the basis of legally binding and duly issued court/prosecution orders received from judicial, administrative, or law enforcement authorities.

Cross-Border Transfer Processes:

World-class technological infrastructures and cloud architectures are used so that the Platform can operate without interruption with High Availability, Low Latency, and superior cyber security standards. Owing to technical necessities, this constitutes a cross-border data transfer within the meaning of Article 9 of the KVKK.

  • Database and Server Infrastructure: The Platform's main databases, user records, and system logic are hosted on high-security VPS servers and cloud infrastructures located within the borders of the European Union and compliant with the GDPR (the European General Data Protection Regulation).
  • Cloud Storage and Content Delivery Networks (CDN): The heavy media files uploaded by users and the high-resolution outputs generated are stored in encrypted form on cloud object storage and a Content Delivery Network (CDN), which is a global structure, so that they can be uploaded and served quickly.
  • Artificial Intelligence Integrations: During generation, images and commands are transmitted in real time via API to industry-leading AI model providers, which are predominantly based abroad.
  • Corporate Communication and Analytics Tools: Foreign-based analytics infrastructures and communication systems are used for customer relationship management (CRM), the tracking of support tickets, internal company communication, product performance, and traffic analyses.

These international transfers are carried out with the utmost care within KVKK compliance processes, on the basis of the principles that they constitute an absolute necessity arising from the technical nature of the service, that the required explicit consent mechanisms are operated with respect to the data subjects, that the status of countries deemed safe by the Personal Data Protection Board is assessed, or that adequate protection is undertaken (through the use of legal instruments such as the execution of Standard Contracts).

Recipient Party / Provider Type

Primary Purpose and Function of the Transfer

Transfer Direction

Licensed Payment Service Providers

Credit card collection, subscription cycle, and refund management

Domestic

Financial and Legal Advisors and Integrators

Accounting records, e-invoice notification, and legal defense/advisory

Domestic

Competent Public Institutions and Courts

Legal audits, court orders, and legal obligations

Domestic

Cloud Server and Database Providers

Main database hosting, account management, and software infrastructure

Abroad

Media Storage and CDN Providers

Media file storage, access acceleration, and web security

Abroad

AI Model/API Providers

Image/video inference operations and content generation

Abroad

Analytics, CRM, and Marketing Tools

UX analysis, support management, site traffic measurement, and marketing

Abroad

11. Retention Periods of Personal Data

Pursuant to Article 4 of the KVKK, the Company does not keep personal data in its systems randomly or indefinitely for an unlimited period. The data retention cycle is strictly bound by the provisions of the Regulation on the Deletion, Destruction or Anonymization of Personal Data and by the corporate disposal policies determined by the Company. The retention periods determined according to the type and legal basis of the data processed are as follows:

  • Active User Accounts: As long as the membership continues, the contractual relationship remains in force, and there is an active credit/subscription on the account, the user's profile data, contact information, and production history are retained on the platform.
  • Closed Accounts and Production Data (UGC): Where the user deletes their account on their own initiative, terminates their membership, or the Company terminates the contract for just cause, the data are not destroyed immediately and irreversibly at once. For the purposes of resolving chargeback processes frequently encountered in the e-commerce environment, examining objections, security audits, or retroactively remedying technical errors, account data, uploaded images, brand kits, and past production outputs are generally subjected to an operational suspension transition period. At the end of this transition period, all visual materials, user inputs, and database records in the cloud storage areas are permanently and irreversibly deleted.
  • Financial and Legal Records: Contract approval records, IP-supported logs, credit purchase transaction statements, e-invoices, and payment receipts are, as a rule, retained in secure digital archives for a period of 10 years pursuant to the binding legal obligations under the Turkish Commercial Code (Art. 82) and the Tax Procedure Law (Art. 253).
  • Traffic and Access Logs: Access records kept pursuant to Law No. 5651 on the Regulation of Publications on the Internet and the relevant regulations (IP addresses, port information, target URL, timestamps) are stored, cryptographically signed, for a minimum of 6 months and a maximum of 2 years in accordance with the legislation, and are destroyed from the system by automated scripts upon expiry of the statutory period.
  • Marketing and Communication Consents: Records relating to the consents given by users for the sending of commercial electronic messages are retained for evidentiary purposes for a further period stipulated by the legislation as from the date on which the consent is withdrawn (cancelled), and are thereafter deleted from the marketing database.

12. Deletion, Destruction, and Anonymization of Personal Data

Where the legal grounds and legitimate purposes requiring the processing of personal data cease to exist entirely, or where the relevant statutory retention periods expire, personal data are deleted, destroyed, or anonymized by the Company ex officio or upon the duly submitted request of the Data Subject.

  • Deletion: The process of rendering personal data in no way accessible or reusable for the relevant users and company personnel. It is applied through soft-delete (software-based deletion) or direct record removal methods in the database.
  • Destruction: Rendering personal data inaccessible, irretrievable, and non-reusable by anyone, by means of any hardware or software tool. It covers the cleansing of disks on physical or cloud servers using secure wipe algorithms.
  • Anonymization: Rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even when matched with other data, using techniques such as masking, aggregation, data corruption, or generalization. Since anonymized data lose their status as personal data under the KVKK, they may continue to be used by the Company in R&D activities, AI performance measurements, or statistical reporting without being subject to legal restrictions.

13. Technical and Administrative Measures Taken for Data Security

Within the scope of Article 12 of the KVKK, the Company has put into effect the highest level of technical and administrative security measures in order to prevent the unlawful processing of, and unlawful access to, personal data, and to ensure the legal and physical protection of the data:

Technical Measures Taken:

  • Encryption: All data transfers on the Platform and all traffic between the user and the server are encrypted end to end and conducted over mandatory HTTPS / TLS (Transport Layer Security) cryptographic protocols.
  • Password Security: User passwords are never stored in the databases as plaintext; they are irreversibly hashed (encrypted) using strong, industry-standard algorithms.
  • Authentication: Authentication processes are supported by e-mail-based One-Time Password (OTP) or, optionally, Multi-Factor Authentication (MFA/2FA) mechanisms in order to maximize security.
  • Cyber Threat Protection: Advanced firewalls (WAF - Web Application Firewall) and anomaly detection systems are in operation 24/7 against DDoS (Distributed Denial of Service) attacks, malicious bot traffic, and cyber threats.
  • Secure Media Upload: The uploading of large media files has been isolated through secure URL mechanisms that directly bypass the backend architecture so as not to create code vulnerabilities on the server side.
  • Access Control and Logging: Role-Based Access Control (RBAC) is applied within the framework of an authorization matrix; standard users and system administrator (admin) accounts are strictly separated from one another. Session management is kept encrypted, and structured logging records are taken for critical operations on the platform. Penetration testing is planned on a regular basis.

Administrative Measures Taken:

  • Internal access to data is bound by a strict "need-to-know" and least privilege rule. Server and production data can be accessed only by authorized system engineers and the founding team within security protocols.
  • Confidentiality and Non-Competition Agreements (NDA - Non-Disclosure Agreement) containing severe penal clauses and sanctions have been executed with all personnel and third-party subcontractors. Periodic training is provided to raise personnel awareness of the KVKK.
  • Pursuant to the data minimization principle, only the data strictly necessary for the performance of the service are collected.
  • In the event of a possible unlawful access, cyber attack, or data breach scenario, the Company accepts its legal obligation to immediately activate its internal breach response procedures and to notify the situation to the Personal Data Protection Board and the affected Data Subjects within 72 hours.

14. Cookies and Tracking Technologies

The Holala website and web-based interface application use cookies, pixel tags, web beacons, and analytical tracking tools in order to provide visitors and registered users with the most efficient, fast, and personalized digital experience, to ensure session security, and to strengthen the platform architecture in the light of statistical data.

Cookies are small text files, mostly consisting of letters and numbers, that are saved to your computer or mobile device via your browser when you visit a website. The types of cookies used on our Platform are as follows:

  • Mandatory (Technical) Cookies: Cookies that are strictly necessary for the website to function properly and completely. They are essential for the user to be able to log in to the platform securely, for payment steps to be verified, for the session to continue without interruption, and for the firewall to operate. Rejecting these cookies causes the system's basic functions to stop, and they do not require consent.
  • Performance and Analytics Cookies: Used to measure user interactions on the Platform, identify the most visited pages, analyze page load speeds, and detect friction points in the user interface (UX). In this way, the overall performance of the platform is improved.
  • Functionality Cookies: Cookies that remember users' preferences on the site (for example, language selection, theme preference, most recently used tools), enabling a more personalized experience to be provided.
  • Marketing and Remarketing (Retargeting) Cookies: Advanced advertising measurement codes integrated, in line with Holala's B2B growth strategy, in order to measure the effectiveness of advertising campaigns and to be able to serve personalized advertisements suited to their interests to the target audience visiting the site on other digital advertising networks and social media platforms (retargeting).

Users may, of their own free will, configure all analytics, functionality, and marketing cookies other than the Mandatory Cookies as they wish via the Cookie Management Panel (Cookie Banner) presented to them upon their first access to the website, through the "Accept", "Reject", or "Manage/Customize" options. In addition, it is always possible to completely block, delete, or restrict cookies through the privacy or security settings menu of the internet browser used (Chrome, Safari, Firefox, Edge, etc.).

15. Commercial Electronic Messages and Marketing Communications

On the basis of the transparent, informed, and explicit consents to be provided by users during or after registration, the Company may send, via e-mail, SMS, or other digital communication channels, commercial electronic messages containing information on new platform features, updates regarding AI templates added to the system, subscription model campaigns, discounts, credit package offers, industry newsletters, webinars, and free trial entitlements.

Data Subjects have the right at any time, without stating any reason and without paying any fee, to withdraw (cancel) the consent they have given to commercial messages, by clicking the "Unsubscribe" link located at the bottom of each marketing e-mail sent to them or by applying to the Company directly through its communication channels. Marketing-related sendings will be stopped immediately, as soon as possible following the receipt of the opt-out request by our systems. However, this opt-out will not prevent password reset e-mails, invoice deliveries, security alerts, system maintenance notifications, credit depletion warnings, or the mandatory administrative/transactional communications based on the performance of the contract (transactional emails).

16. Children's Privacy and the Requirement of Legal Age

By virtue of its core philosophy, service caliber, and commercial positioning, Holala is a B2B (Business-to-Business) SaaS (Software as a Service) platform directed at companies, e-commerce brands, creative advertising agencies, and commercial professionals. The platform interface, the advanced AI tools it offers, its complex prompt structures, and its contractual service terms have not been designed as suitable for use by individuals under the age of 18 (children).

The Company does not knowingly or intentionally collect personal data enabling identification from persons under the age of 18. If the Company determines that a person under the age of 18 has used the platform, created a membership, or had personal data processed into the platform databases without the legal consent of a parent/guardian, the Company shall have the absolute right to immediately close that account, cancel the associated subscriptions, and immediately destroy all data uploaded to the system.

17. Third-Party Websites and External Integrations

Within the Holala website, user interface, blog posts, or technical documentation pages, there may be external referral links (hyperlinks) to third-party resources for the purposes of providing further information, redirecting to payment integrations (for example, secure payment page interfaces), integration guides for third-party e-commerce platforms, social media platforms, or the technical documentation of independent API providers.

Such third-party websites and external platforms have entirely independent server architectures, commercial terms of use, and distinct data processing policies of their own, and are outside the Company's actual or legal control. The Company cannot under any circumstances be held legally liable for the data collection practices, cookie policies, security vulnerabilities, content accuracy issues, or privacy violations to which users may be exposed during redirections to these external sites. When users leave the boundaries of our platform and pass to a third-party digital property, it is of high importance for their own data security that they carefully review the legal "Privacy Policy" and "Terms of Use" texts specific to that platform before carrying out any transaction or entering their personal data.

18. Rights of the Data Subject and Application Procedure

Article 11 of the KVKK grants natural persons whose personal data are processed strong rights of oversight, control, and transparency over their own data. Data subjects have the right to apply to the Company in accordance with the legislation and to make the following requests:

1. To learn whether their personal data are being processed,

2. To request detailed information in this regard if their personal data have been processed,

3. To learn the purpose of the processing of their personal data and whether they are used in accordance with that purpose,

4. To know the third parties within the country or abroad to whom personal data are transferred (payment institutions, infrastructure providers, AI models),

5. To request the rectification of personal data if they have been processed incompletely or inaccurately, and to request that this be notified to the third parties to whom the data have been transferred,

6. To request the deletion or destruction of personal data within the framework of the conditions envisaged in Article 7 of the KVKK (such as the grounds requiring processing ceasing to exist), and to request that this operation also be notified to the third parties to whom the data have been transferred,

7. To object to the occurrence of an adverse legal consequence against the person concerned as a result of the analysis of the processed data exclusively by means of automated systems,

8. To request, through legal means, the remedying of the damage incurred in the event of suffering damage due to the unlawful processing of personal data.

Application Procedure and Method:

In order to exercise these rights under Article 11 of the KVKK, data subjects must submit their requests to the Company in a clear, comprehensible, and specific written form, together with official documents verifying their identity beyond any doubt (the data subject's name, surname, Turkish ID or Passport number, residential address for service, and contact details).

Applications may be submitted to the Company's address at Küçükbakkalköy Mah. Selvili Sk. No: 4/20 Ataşehir/İstanbul in person by means of a wet-signed petition, or via registered mail with return receipt / through a notary, or they may be submitted electronically to the Company's official e-mail address or Registered Electronic Mail (KEP) address using a secure electronic signature or mobile signature. The other methods set out in the Communiqué on the Procedures and Principles of Application to the Data Controller are also valid.

Depending on the nature of the request submitted, the Company will conclude the application as soon as possible and, as required by the applicable legislation, within 30 (thirty) days at the latest, as a rule free of charge, and will respond to the Data Subject in writing or electronically. However, if the requested operation entails an additional cost (for example, where it is requested that the application be answered on a physical recording medium such as a flash drive or CD), the statutory fee basis in the tariff published by the Personal Data Protection Board may be requested from the applicant. If the request is rejected, the grounds for rejection shall be communicated to the applicant together with their legal bases.

19. Updates to the Policy and Entry into Force

The artificial intelligence ecosystem, cloud computing infrastructures, and the digital technology sector in general have an extremely dynamic structure and are constantly evolving. Accordingly, this Privacy and Personal Data Protection Policy may at any time be unilaterally updated, expanded, or amended by the Company's management due to potential legal updates in the national KVKK legislation, reforms in international data transfer rules, decisions of the Personal Data Protection Board, new generative AI service models to be integrated into the Platform, changes in the payment infrastructure, the addition of new third-party API services, or strategic revisions to the Company's overall business and revenue model.

Any material change or revision made to the Policy shall enter into force immediately as of the moment the updated text is published publicly on the https://holala.ai/ domain, and shall begin to have effect for all users. Users' continued use of the platform, their memberships, their subscriptions, or the services shall mean that they have read and understood the provisions of the renewed Privacy Policy and accepted the new data processing terms. In the event of significant changes in the legal legislation or fundamental deviations in the data processing purposes, the Company reserves the right to additionally provide proactive notice to registered users via an e-mail newsletter or an in-system pop-up consent screen.

20. Contact Information

For any questions, opinions, feedback, KVKK application requests, and legal communication needs regarding the implementation of this Privacy Policy, the platform's data operations, the processes by which your personal data are processed, the cyber security measures applied, the confidentiality commitments regarding user content, or cookie preferences, you may at any time contact the Company, which holds the status of Data Controller and whose details are provided below, through its official communication channels:

  • Data Controller Title: ELİF SİMGE EREN Şahıs Şirketi
  • Head Office and Correspondence Address: Küçükbakkalköy Mah. Selvili Sk. No: 4/20 Ataşehir / İstanbul
  • Affiliated Tax Office: Kozyatağı Tax Office
  • Tax Identification Number: 3530980516
  • Official Website: https://holala.ai/

We thank you for the sensitivity you show to the security of your personal data and for the trust you place in the Holala artificial intelligence platform in your professional production processes.

Questions? Email privacy@holala.ai.

holala

Visuals for every team — without the studio.

Platform

  • Platform overview
  • Studio
  • Editor
  • Bulk
  • Library
  • My Store

Templates

  • All templates
  • Background Replacement
  • Product to On-Model
  • Closeup Texture Generator
  • Jewellery Image Generation
  • Ghost Mannequin Creator
  • Kids Image Generation
  • Face/Model Generator
  • Lingerie & Swimwear Generation
  • White Background
  • Angle Generation
  • Multi Product / Multi Model
  • Model Face Swapper
  • Style/Pose Duplicator
  • Model Face Generation
  • View / Angle Generator
  • Quality Enhancer
  • Background Generation
  • Style/Pose Duplicator — v2
  • Closeup Textile Generation
  • Kids Image Generator
  • Ghost Mannequin Generation
  • On-Model to Flat-Lay
  • Side Generation
  • Model Remover
  • Non-Model Generation

Resources

  • Customers
  • Impact
  • Blog
  • Academy
  • FAQ
  • Documentation
  • Browse all resources

Company

  • About
  • Contact

Legal

  • Pre-information form
  • Distance service agreement
  • Cancellation & refunds
  • Terms of use
  • Information notice (Aydınlatma)
  • Privacy
  • KVKK
  • Cookies

© 2026 holala

ENTR