Personal Data Protection Law

INFORMATION TEXT (DATA PROTECTION NOTICE)

1- Data Subjects

Customers


DATA CATEGORIES

1.1.1 - Identity Information

Personal Data Processed:
Name - Surname, Date of Birth, Gender, Turkish Identity Number

Purposes of Processing Personal Data:
Carrying out finance and accounting activities, communication activities, managing customer loyalty processes related to the company/products/services, legal processes, ensuring business continuity, sales and after-sales services, customer relationship management, customer satisfaction activities, advertising, campaign and promotional activities, data storage and archiving, contract and membership processes, tracking requests and complaints, planning and executing commercial and/or business strategies, performing necessary work for providing products and services, and informing authorized persons, institutions, and organizations.

Legal Grounds for Processing:
The aforementioned personal data are processed based on the legal grounds specified in Article 5 of the KVKK (Personal Data Protection Law), including: explicit legal provision, necessity for the establishment or performance of a contract, legal obligation of the data controller, and legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data subject. For cases outside this scope, your personal data is processed based on your explicit consent as detailed in the Consent Form.

Method of Data Collection:
Collected via membership forms on our website, optional fields on the account page, your requests and applications, contracts, campaigns, and third-party authentication systems (e.g., Google Login, Facebook Login).


1.1.2 - Contact Information

Personal Data Processed:
Email address, Billing & Delivery addresses, Mobile phone number

Purposes and Legal Grounds:
Same as listed under "Identity Information".

Method of Data Collection:
Same as listed under "Identity Information".


1.1.3 - Legal Transaction Information

Personal Data Processed:
Information from court files in case of dispute, notices, correspondence with judicial and administrative authorities

Purposes of Processing:
Following up and conducting legal processes, auditing business activities, informing authorized persons/institutions, complying with regulations, storage and archiving, risk management, contract processes, handling requests/complaints, ensuring security of data controller operations.

Legal Grounds:
As per Article 5 of the KVKK: legal obligation of the data controller, necessity of data processing for establishment, exercise or defense of legal claims, and legitimate interests of the data controller provided it does not harm fundamental rights and freedoms.

Method of Data Collection:
Through official letters and physical/electronic documents received from judicial and administrative authorities.


1.1.4 - Customer Transaction Information

Personal Data Processed:
Invoice information, Request information, Order information, Customer comments

Purposes and Legal Grounds:
Same as under "Identity Information", with the addition of marketing analysis and post-sales services.

Method of Data Collection:
Collected through physical/electronic forms, call center records, emails, and SAP systems.


1.1.5 - Transaction Security Information

Personal Data Processed:
IP address data, Website entry-exit logs, Username information, Traffic data (e.g., connection time/duration)

Purposes and Legal Grounds:
Includes data security management, audit/ethics activities, ensuring security of data controller operations, compliance with laws, legal process follow-up, product/service sales, complaint handling.

Method of Data Collection:
Collected through information security systems and electronic devices.


1.1.6 - Financial Information

Personal Data Processed:
Encrypted credit card details, Bank account/IBAN details

Purposes of Processing:
Includes regulatory compliance, legal follow-up, finance/accounting, refund processes, business operations, product/service sales, storage/archiving, risk management, contracts, informing authorized institutions.

Legal Grounds:
Article 5 of KVKK – necessity of data processing for contract establishment/performance, and legal obligations of the data controller.

Method of Data Collection:
Through physical/electronic forms, emails, and requests/messages submitted via the website.


1.1.7 - Location Information

Personal Data Processed:
Location data

Purposes of Processing:
Customer relationship management, marketing analysis, advertising/campaign/promotions, customer satisfaction efforts, marketing of products/services, sales and operations management.

Legal Grounds:
Processed based on your explicit consent as detailed in the Consent Form, under Article 5 of KVKK.

Method of Data Collection:
Through your internet browser and the mobile app of our company, based on your preferences.


TRANSFER OF PERSONAL DATA

Personal data of customers may be transferred in accordance with Articles 8 and/or 9 of KVKK, with necessary technical and administrative measures in place, limited to the purpose of processing and only when necessary, to:

  • Affiliates and subsidiaries

  • Product sellers (for product delivery)

  • Shipping companies

  • Banks (for payment processing)

  • Business partners for bulk SMS/email communication

  • Suppliers and authorized service providers for after-sales services

  • Legally authorized institutions and official bodies

  • Technology infrastructure providers (to the extent that they provide and/or manage systems and software)


2- Data Storage, Rights, and Application Process

2.1 - Retention and Disposal

Our company has a Data Retention and Disposal Policy. Personal data are stored and disposed of in accordance with this policy and applicable legal retention periods. If a legal period is defined, the data are stored at least for this duration. An additional period of 6 months to 1 year may be added for legal defense purposes.

If no legal retention period exists, personal data are stored for a maximum of 10 years following the end of the legal relationship, then deleted, destroyed, or anonymized.

If data processing conditions no longer exist or the stated retention period has expired, data will be deleted, destroyed, or anonymized at the first periodic destruction date or within 6 months at the latest. If you request deletion, your data will be erased within 30 days unless legally prohibited.


2.2 - Your Rights

Under KVKK and relevant legislation, you have the right to:

  • Learn whether your personal data are processed

  • Request information regarding such processing

  • Learn the purpose of processing and whether data are used accordingly

  • Learn the third parties to whom data are transferred

  • Request correction if data are incomplete or incorrect

  • Request deletion or destruction of personal data under legal conditions

  • Request notification of the correction/deletion to third parties

  • Object to decisions made solely through automated systems

  • Demand compensation if you suffer damage due to unlawful data processing


2.3 - Application

You may submit requests regarding your personal data by:

  • Sending a signed petition and ID copy to our registered office address

  • Personally applying with a valid ID

  • Sending an email to our registered email address using a secure e-signature or mobile signature

  • Sending an email from your previously notified and registered email address

According to the “Communiqué on the Principles and Procedures for the Request to Data Controller”, your application must include:
Full name, signature (if in writing), Turkish ID number (passport number if foreign), address for notifications, email address (if any), phone number, and subject of the request.

If acting on behalf of someone else, you must submit a notarized power of attorney. Applications must include identity verification documents and must relate to the applicant.

Unauthorized third-party applications will not be considered.

Your request will be evaluated and answered within 30 days of receipt. If denied, the reasons will be provided via the same method used in your application.