PRIVACY POLICY

This Privacy Policy explains how personal data is collected, used, stored, shared, and protected in compliance with applicable data protection laws, including the Turkish Law on the Protection of Personal Data No. 6698 (“Personal Data Protection Law” / “PDPL”) and, where relevant, the EU General Data Protection Regulation (“GDPR”).

1. Scope and Purpose

This policy governs the collection, processing, transfer, storage, and protection of personal data of individuals who interact with our services, website, mobile applications, or other channels.

The purpose is to ensure transparency and to inform data subjects of their rights and our obligations regarding the protection of personal data.

2. Data Controller

The organization acting as the data controller undertakes to process personal data in compliance with applicable laws and this policy. No specific company name is included here; however, the data controller assumes full responsibility for implementing this policy.

3. Categories of Personal Data Processed

We may process the following categories of personal data, depending on the services provided and the nature of our interaction:

Identity Information: Name, surname, ID or passport number, date of birth, nationality, gender.

Contact Information: Email address, telephone number, physical address, communication preferences.

Customer Transaction Information: Purchases, orders, payment details, billing history.

Financial Information: Bank account details, IBAN, credit/debit card details (processed securely and, where applicable, tokenized).

Transaction Security Data: IP addresses, log records, device identifiers, login credentials.

Visual and Audio Data: Photographs, video recordings (e.g., CCTV for security), call center voice recordings.

Location Data: GPS or city/country-level location data.

Health Data (with explicit consent or where permitted by law): Medical history, prescriptions, reports.

Special Categories of Data: Health, biometric data, criminal convictions/security measures (where legally permitted and with appropriate safeguards).

4. Legal Basis for Processing Personal Data

Personal data is processed on the following legal grounds:

Explicit consent of the data subject.

Performance of a contract or taking steps at the request of the data subject prior to entering into a contract.

Compliance with a legal obligation.

Protection of vital interests of the data subject or another person.

Public interest or exercise of official authority (where applicable).

Legitimate interests of the data controller, provided such processing does not harm fundamental rights and freedoms.

For special categories of personal data: Explicit consent, public health, occupational health and safety obligations, or other lawful exceptions under applicable data protection law.

5. Purposes of Processing Personal Data

Personal data may be processed for the following purposes:

Provision of products and services

Management of customer relations

Processing of orders, payments, and deliveries

Responding to inquiries, complaints, or requests

Execution and management of contracts

Ensuring security of services, facilities, and systems

Fraud detection and prevention

Compliance with legal obligations and responding to lawful requests by authorities

Conducting internal audits and investigations

Managing financial and accounting processes

Human resources and employment processes (for employee data)

Marketing activities (based on consent), such as sending newsletters, promotions, and surveys

Analysis for service improvement, personalization, and customer experience enhancement

Website and mobile application management, including use of cookies and similar technologies (with appropriate consent mechanisms)

6. Methods of Data Collection

Personal data may be collected through:

Online forms, website and mobile applications

Email, SMS, and other electronic communications

Telephone calls and call center services

Contracts, orders, and other commercial documents

CCTV and other security systems

Cookies and similar technologies

Social media platforms and integrations

Third-party business partners, suppliers, and service providers

7. Transfers and Sharing of Personal Data

Personal data may be shared with:

Authorized public institutions and regulatory authorities

Courts and enforcement agencies

Business partners and affiliates

Suppliers and service providers (including cloud, hosting, IT support, call centers, payment processors)

Financial institutions and banks

Legal advisors, auditors, and consultants

Third parties involved in mergers, acquisitions, or asset transfers (with appropriate safeguards)

Other parties when required by law or with the data subject’s explicit consent

8. International Transfers of Personal Data

Where personal data is transferred outside the country, such transfers will comply with applicable data protection laws. This may involve:

Transfers to countries deemed to provide adequate protection by the relevant data protection authority

Transfers subject to standard contractual clauses or other legally recognized safeguards

Transfers based on the data subject’s explicit consent

We will take all reasonable steps to ensure that recipients of personal data maintain appropriate security and confidentiality.

9. Retention of Personal Data

Personal data will be retained for:

Periods required by applicable law

As long as necessary to fulfill the purposes outlined in this policy

Relevant statutory limitation periods

At the end of the applicable retention period, personal data will be securely deleted, destroyed, or anonymized in accordance with internal policies and legal requirements.

10. Data Subject Rights

Data subjects have the following rights under applicable data protection laws:

To learn whether personal data is being processed

To request information about such processing

To learn the purposes of processing and whether personal data is used in accordance with those purposes

To know the third parties to whom personal data is transferred domestically or abroad

To request correction of incomplete or inaccurate personal data

To request deletion or destruction of personal data under legal conditions

To request notification of correction, deletion, or destruction to third parties to whom personal data has been transferred

To object to decisions based solely on automated processing

To request compensation for damages arising from unlawful processing

11. Exercising Your Rights

Data subjects may submit requests to exercise their rights in writing or via other methods accepted by the applicable data protection authority. Requests will be evaluated and answered within the legally prescribed timeframe.

Requests should include:

Name and surname

Signature if submitted in writing

Turkish ID number (for Turkish citizens) or passport number/nationality (for foreigners)

Residential or business address for notification

Email address, telephone number, or fax number

The subject and details of the request

Where legally permitted, a fee may be charged based on the applicable tariff set by the relevant authority.

12. Security of Personal Data

We implement appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data. Measures include:

Access controls and authorization management

Encryption and secure storage

Secure transmission protocols

Monitoring and logging

Employee training and confidentiality obligations

Incident response and breach notification procedures

13. Updates to This Policy

This Privacy Policy may be updated to reflect changes in legal requirements, business practices, or technology. Any updates will be made available through appropriate channels. Data subjects are encouraged to review the policy periodically.