Card tokenization agreement

1. Parties to the agreement

This Card Tokenization Service Customer Agreement (“Agreement”) has been executed by and between Nomupay Odeme ve Elektronik Para Hizmetleri A.S., having its registered office at Maslak Mah. AOS 55. Sokak 42 Maslak B Blok Sitesi No:4 Kat:18 D:2 – Sarıyer / Istanbul address (“NomuPay”) and the person who accepted this Agreement online (“Customer”) on the date of approval by the Customer.

2. Subject of the agreement

For the purposes of the Agreement, NomuPay shall provide services (“Service”) that are aimed at allowing the Customer to record the information on credit card, bank card, pre-paid card and similar other payment instruments (“Card”) and use of the recorded Card in payments to be made before NomuPay contracted merchants (“Member Merchant”) and the Agreement has been executed to specify the relevant rights and obligations of parties.

Pursuant to this Agreement, NomuPay does not provide payment services or act as an intermediary for any payment.

3. Terms and conditions on card tokenization service

The Customer discloses card information to NomuPay voluntarily so it can be used for facilitating the payment transactions subject to the approval for transactions to be made under this Agreement. The disclosed information is limited to the institution/organization that issued the Card (to the extent applicable), name, surname, Card number and expiry date on the front side of the Card.

Customer acknowledges and covenants that information provided within the scope of this service belongs to him/her, that it is true and accurate, that s/he shall have sole responsibility for all transactions made with the Card and that s/he assumes any legal and criminal liability in connection with such transactions.

The Customer can register to the system with the first valid payment transaction by entering the Card number, expiry date and security code information into the system or can benefit from the card tokenization service by directly registering the Card without making a payment transaction. In this context, the Customer may add any number of Cards to the system at his/her discretion. The Customer accepts that this Agreement is valid for all these Cards and the transactions made by using them.

The information distinguishing Card(s) (card name, last 4 digits of the card number, etc.) shall be listed, a question will be asked as to whether these Card(s) will be used for transaction or not, the transaction shall be completed with the approval given by NomuPay to an identification system in case Customer desires to make a transaction with the Card in one of the payment channels. NomuPay may change the procedural flow and take additional actions (password, etc.) for the security of Customer. Customer agrees and covenants that s/he shall have the sole responsibility about the security and confidentiality of all passwords set and used in this system; passwords shall not be disclosed to any third person, s/he shall have the sole responsibility in connection with all transactions made with the Card entered into the system.

Customer is responsible for contacting the relevant bank and procuring the cancellation of the stolen Card in case the Card registered in the channels owned by any group company and business partner of NomuPay is lost or stolen.

NomuPay may provide this service free of charge, make it subject to various campaigns or offer the service against certain amount of fees provided that Customer is informed. Customer consents to be bound by price policy of NomuPay while using the service. In case price policy and fees payable for the service are changed, Customer shall be served a prior notice of 7 (seven) days in connection with such changes.

The Customer is obliged to act in accordance with this agreement and the applicable legislation during the use of the Service. NomuPay may suspend the Service or terminate this agreement if there is any suspicion of a breach on the part of NomuPay. The Customer shall indemnify all damages incurred by NomuPay as a result of its breach of this agreement or legislation.

NomuPay, which provides payment services within the scope of Law No. 6493 with the authorisation obtained from the Banking Regulation and Supervision Agency (“BRSA”), performs payment services in compliance with PCI-DSS security systems. NomuPay takes reasonable measures for the security of the Card tokenized under the Agreement by using applicable legislation and current technologies. The Customer agrees that NomuPay shall not be liable for any damages that may occur in the event that the tokenized Card information is intercepted by third parties in the absence of gross negligence or intent to be attributed to NomuPay, including cyber-attacks.

4. Principles regarding the processing of personal data

The Customer consents to the recording of the information he/she shares and all information generated by the Merchants in relation to the transactions carried out with the use of this information during the effective period of this Agreement, to be shared with the Merchants in order to ensure the provision of the Service, the realisation of the relevant payments and the provision of campaigns to the Customer, and to be processed by these parties for the same purposes. In addition, by approving this Agreement, the Customer consents to the processing of the information necessary for the provision of the Service such as telephone number, Turkish ID number, address information, location information, etc. of mobile phone subscription lines in order to ensure the provision of the Service during the term of the Agreement. The use of such information will cease upon the termination of the Agreement; without prejudice to legal obligations, the data will be stored for the duration of the Service and will be deleted at the end of this period. In addition to the term of the Agreement, NomuPay shall be entitled to store personal data for the durations specified under the applicable legislation and to the extent required to make defence in case of any dispute that may arise from this Agreement.

The Customer agrees that he/she may revoke his/her consent to the tokenization of his/her information and delete the tokenized information at any time through the channels managed by NomuPay such as the Call Centre etc. However, the Customer agrees that in this case, he/she cannot benefit from the services offered based on the information he/she has shared in the same way. Pursuant to paragraph 2, Article 11 of the Personal Data Protection Law No. 6698, Customer may apply to NomuPay and:

  1. Get information as to whether personal data are processed or not;
  2. Get information on the extent of processing if data are processed;
  3. Get information on the purpose of processing personal data and as to whether they were used in accordance with the purpose;
  4. Get information on local and foreign third parties who were transferred personal data;
  5. Request correction if personal data were processed inaccurately or incompletely;
  6. Request deletion or destruction of personal data in accordance with the conditions stipulated in the applicable legislation;
  7. Request notification of deletion, correction and destructions made in accordance with the applicable legislation to third persons;
  8. File objection against unfavourable results obtained through analysis using automatic systems only;
  9. Claim compensation of losses and damages that may arise from illegal processing of personal data

by submitting an application to the data supervisor. The rights in question may be exercised by submitting a written application to AOS 55. Sokak 42 Maslak B Blok Sitesi No:4 Kat:18 D:2 – Sarıyer / Istanbul address.

NomuPay may respond to the aforementioned inquiries in writing or through digital media by specifying a positive/negative response together with the reasons thereof. Essentially, operations in connection with inquiries are carried out free of charge. However, in case costs are incurred in connection with operations, fees may be charged based on the tariff determined by the Personal Data Protection Board in accordance with article 13 of the Personal Data Protection Law.

The Customer may cancel the consent for data processing at any time via NomuPay Call Centre at (0850 210 5659) or by sending an e-mail to address. Cancellation of the data processing consent does not prevent the processing and sharing of the information shared in accordance with this agreement, but the Customer agrees that NomuPay may not be able to provide the contractual Service fully and properly in case of cancellation of the data processing permission.

NomuPay undertakes to perform and procure the performance of technical and administrative measures aimed at ensuring appropriate security level for the purposes of:

  • Preventing processing of personal data in breach of the law;
  • Preventing illegal access to personal data; and
  • Ensuring storage of personal data that is communicated electronically over the Site under conditions specified in the applicable legislation or this agreement.

NomuPay is prohibited from disclosing personal information to any other person in breach of this agreement and provisions of the Personal Data Protection Law and cannot use such information for any purpose other than processing. NomuPay acknowledges that in the event that personal data of the Customers are shared with external service providers in accordance with the provisions of this Agreement, such external service providers will also comply with the commitments under this article and will conclude a contract with these persons to provide the necessary security.

In addition to the foregoing, each of the Parties hereby agrees that it will keep and keep confidential the information it obtains about the other under this Agreement. NomuPay represents and agrees to comply with the information security obligations specified in the Legislation applicable to services provided under this Agreement and not to disclose information under the Agreement to any 3rd person unless such disclosure is required by an official authority, organization or agency, except for the events expressly specified under the Agreement. However, NomuPay may disclose the information of Customer on all services performed over NomuPay Services including Mobile Payment Service and Electronic Money to the Representative and/or Payment Service Provider or person who is the provider of the product or services or person who is transferred funds in the events requiring detailed review of the transactions and in case of doubtful transaction and complaint.

For detailed information regarding the processing of personal data of the Customers by NomuPay, please see NomuPay Privacy Policy and Information and Consent Notice on Processing of Personal Data at address.

5. Effective date and termination of the service agreement

The scope and continuation of the Service subject to this Agreement is at the discretion of NomuPay. NomuPay may at any time stop providing the Service, in whole or in part, for a period of time or indefinitely, without any obligation to notify the Customer. The Customer agrees that access to the Service and application may be temporarily blocked in order to implement improvements and other changes to be made in the application.

This Agreement remains in effect unless it is terminated by NomuPay or the Customer in accordance with the applicable legislation.

6. Limitation of liabilities

NomuPay's responsibility under the Agreement is limited to the provision of the Service and nothing in this Agreement shall be interpreted as NomuPay having any responsibility for the transactions made with the Card tokenized within the scope of the Service. Full liability for the said transaction and the goods and/or services provided as a result of the transaction shall be assumed by the real or legal person that is a party to the sales transaction. The Customer acknowledges and accepts that any requests and complaints within this scope must be submitted directly to the relevant real or legal person.

NomuPay shall not have any liability for the inability to make transactions due to reasons not caused by NomuPay, such as the Card information provided by the Customer is not complete, accurate and up-to-date, the Card is invalid or unusable. The Customer is solely responsible for ensuring that the Cards tokenized within the scope of the Service are current and valid and that complete, accurate and up-to-date information is provided.

The Services are provided on “as is” basis and NomuPay makes no commitment that the Service will meet the Customer’s personal expectations or be suitable for any particular purpose. NomuPay shall not be liable for any indirect, special, incidental, punitive damages incurred as a result of the use of the Service, including but not limited to loss of profit, loss of goodwill and reputation, expenditure for the provision of substitute products and services, etc.

7. Miscellaneous

This Agreement is subject to Turkish Laws. Parties represent, agree and covenant that disputes shall be settled by Istanbul Centre (Caglayan) Courts and Enforcement Offices. About Consumers: Consumers are entitled to refer disputes to the authorized consumer boards and consumer courts.

In disputes that may arise from the Agreement, electronic and system records, commercial records, books and other records, microfilm, microfiche and computer records kept by NomuPay in its database, servers, shall constitute binding, conclusive and exclusive evidence and this article shall constitute conclusive evidence within the meaning of Article 193 of the CCP.

Invalidity of a provision under this Agreement shall not affect the validity of the remaining provisions under the Agreement provided that such invalidity does not substantially change the objective of Agreement or damage the interests of Parties.

  • Non-Application: In case Customer purchases services under this Agreement for professional and commercial purposes, Customer shall be excluded from provisions of this Agreement about consumers even if Customer approves this Agreement.
  • Notifications: NomuPay shall serve notifications under this Agreement to Customer by sending mail or e-mail to the postal address or e-mail address notified time by time by Customer or by sending SMS to mobile phone of Customer or calling the Customer via Call Centre. In case Customer requires any information in addition to notifications specified in this Agreement and this request is accepted by NomuPay, such information shall be provided against fees.
  • Intellectual Property: This Agreement does not constitute an agreement for the transfer or licensing of any intellectual property right between Parties. Any use subject to intellectual property rights owned and/or possessed by either Party shall be possible and limited with an express written agreement for that purpose.
  • Force Majeure: Human-induced and natural disasters, war, martial law, fire, strike, lockout, temporary suspension of NomuPay license that do not exist on the date of signing the Agreement; cannot be foreseen and arise beyond control of Parties and interrupt a part or all of works performed by Parties or one Party shall be considered as force majeure event. A Party that suffers from force majeure event shall serve a written notice to the other Party immediately and undertakings of Parties are suspended for the duration of the force majeure event. Agreement is resumed upon elimination of the force majeure event. Liabilities shall also be suspended for the Party whose rights cannot be used for the duration of the force majeure event. In case any force majeure event continues for a period of more than 90 (ninety) days, the suffering Party shall be entitled to terminate the Agreement without obligation to pay damages.

The Customer represents, agrees and covenants in advance that in the event that NomuPay applies for legal proceedings or a lawsuit is filed against NomuPay in the event that the Customer fails to pay its debts that arise / may arise from the Agreement and fails to fulfil its obligations, it shall indemnify NomuPay against all kinds of execution, litigation costs and attorney’s fees.