Personal Data Protection Policy

1. Information as Data Controller

As Webtures Dijital Bilişim Anonim Şirketi (“WEBTURES”), with Mersis No. 0800053943700021, residing at Esentepe Mahallesi Milangaz Caddesi No:77 A2 Blok Kat:32-33 D:219 Kartal – Istanbul, we show utmost sensitivity to the security of your personal data. Your personal data is processed and stored in accordance with the Law No. 6698 on the Protection of Personal Data (hereinafter referred to as “KVKK”). The KVKK was published in the Official Gazette dated 7 April 2016 and numbered 29677. The relevant law has been enacted to protect the fundamental rights and freedoms of natural persons, including the privacy of private life, which is also protected by our Constitution and the Turkish Penal Code, and to determine the obligations of natural and legal persons processing personal data.

The purpose of our personal data protection and processing policy (“KVK Policy”) is to establish management instructions and procedural requirements to ensure that Webtures processes and protects personal data in compliance with the KVKK.

Pursuant to the KVKK, your personal data may be collected and processed by us as the data controller within the scope explained below. As Webtures, in accordance with the KVKK and in the capacity of Data Controller, your personal data may be recorded, stored, updated, disclosed/transferred to third parties where permitted by legislation, classified, and processed in the ways listed in the KVKK, within the framework explained on this page.

2. Definitions

Explicit Consent

Refers to consent expressed with free will, based on being informed, regarding a specific matter.

Obligation to Inform

Pursuant to Article 10 of the KVKK, during the acquisition of personal data, the obligation of the data controller or the person authorized by it to inform the data subjects about the identity of the data controller and its representative, if any; the purpose for which personal data will be processed; to whom and for what purpose the processed personal data may be transferred; the method and legal basis of personal data collection; and the rights within the scope of Article 11 of the KVKK.

Data Subject

Refers to the natural person whose personal data is processed.

Law / KVKK

Refers to the Law No. 6698 on the Protection of Personal Data.

Personal Data

Refers to any information relating to an identified or identifiable natural person.

Processing of Personal Data

Refers to any operation performed on data such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data.

Board

Refers to the Personal Data Protection Board.

Authority

Refers to the Personal Data Protection Authority.

Data Processor

Refers to the natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Controller

Refers to the natural or legal person who determines the purposes and means of processing personal data and who is responsible for the establishment and management of the data recording system.

3. Processing of Personal Data

Webtures may generally collect and process personal data collected via web pages, events, trainings, or the portal for the following purposes:

Collecting personal information to ensure interaction via web pages, events, trainings, or the portal,
Providing personalized services to our users,
Contacting users and informing them about services and opportunities,
Performing the services we provide pursuant to contracts,
Sending newsletters or making promotions/notifications via email,
Making promotions/notifications via SMS,
Answering incoming calls and responding to support needs,
Developing our current and R&D-stage applications and establishing the management process,
Finalizing complaints upon your request, where there are complaints on social media, or where there is a complaint regarding the services we provide,
Collecting and processing your data for use in various statistical evaluations, database creation, and market research without disclosing the user’s identity.

4. To Whom and For What Purpose Personal Data May Be Transferred

By accepting this Personal Data Protection Policy, you grant permission for the collection, storage, processing, use, transfer within Türkiye or abroad of your personal data for which you have given explicit consent to be shared within the scope of Webtures applications and services with Webtures and Webtures’s domestic and international business partners and with platform users, and for transfer to third parties with whom we have a contractual relationship and who carry the same legal and technical responsibilities with us regarding data protection and security and comply with the relevant legislation.

Webtures may share your data regarding your website visit or application and your traffic information such as browsing information with public institutions and organizations legally authorized to request such information, for your security and for Webtures to fulfill its obligations before the laws (including, but not limited to, combating crime and threats to state and public security, and where Webtures has a legal or administrative obligation to notify or provide information).

5. Method of Collecting Personal Data and Legal Reasons

Pursuant to the KVKK, your personal data that you share with Webtures may be processed by us by being obtained (in whole or in part) automatically or non-automatically provided that it is part of any data recording system; recorded, stored, changed, reorganized, in short, subject to any processing performed on the data. Your personal data may be collected in written/physical or electronic environments and via cookies when you receive services or products from Webtures, participate in trainings or events, use Webtures services, submit entry/application to advertising or marketing postings, become a member or register.

DATA CATEGORIES

PERSONAL DATA TYPES COLLECTED WITHIN THIS SCOPE AND GROUNDS

Identity Information

When you receive a product or service from Webtures, register for trainings or events, apply to advertising or marketing postings, become a member or register, you voluntarily share information such as “Your Name”, “Your Surname”, “Your Date of Birth”, “ID” with Webtures. We process identity information to fulfill our obligations under the legislation, to carry out necessary operational activities, and to enable interaction.

Contact Information

When you receive a product or service from Webtures, register for trainings or events, apply to advertising or marketing postings, become a member or register, you voluntarily share information such as “Your Email Address”, “Your Address”, “Province and District of Residence”, and “Mobile Phone” with Webtures. Sharing contact information is important to enable communication between Webtures and service recipients, training or event participants, and users.

Visual and Multimedia Data

When you receive a product or service from Webtures, register for trainings or events, apply to advertising or marketing postings, become a member or register, you voluntarily share your photos, multimedia records, and visuals related to your work with Webtures. Sharing visual and multimedia data is important for Webtures to communicate with the user.

Location and Position Information

When you receive a product or service from Webtures, register for trainings or events, apply to advertising or marketing postings, become a member or register, you voluntarily share location information such as live location, address, and markers with Webtures. Sharing this data aims to identify users and participants across the country.

Non-Personal Data and Information Collected Automatically

Via cookies or our other programs and software, we may collect information about your in-site use, such as the number of clicks, how often you open tabs, or your digital behaviors regarding the headings you are interested in.

Device Information

Through the electronic devices you use (computer, laptop, tablets, smartphones, smart TVs, etc.), we may collect data related to your device that may or may not be associated with you (e.g., location data).

Cookie Information

Cookies are small text files stored on your device or network server by websites you visit via your computer or mobile device. Depending on the type of cookies on websites, data about your browsing and usage preferences on the device you visit the site from is collected. This data includes many pieces of information such as the pages you access, the services and products you review, the language option you prefer, and your other preferences. We use many types of cookies to provide our users and visitors with a better experience. In this scope, we use:

Essential and important cookies such as session, load balancing user identity, and security cookies for proper operation of web pages,
Preference cookies such as password, language, location, history, flash, and mobile cookies that increase usage efficiency according to users’ and visitors’ preferences,
Functional and analytical cookies that collect analytics data and allow obtaining information about website visits,
Targeting and marketing cookies that include advertising, market analysis, targeting, fraud detection, and campaign promotion cookies frequently used today especially for advertisements,
Third-party cookies that include cookies in advertisements or plugins related to another web page, generally encountered on websites that display advertisements.

Unless the user changes these settings, the user is deemed to have given explicit consent to the use of cookies.

Through Webtures, we may provide links to third-party websites or mobile applications. However, we have no responsibility for the implementation of privacy policies on these sites or to which third parties are subject. Privacy policies within the scope of third-party websites or mobile applications may differ from this Personal Data Protection Policy.

Other Information

You voluntarily share with Webtures information you prefer as a user or visitor, Smatch (automatic matching) information, and other similar information.

If you share your information or data in a way that you choose to disclose publicly and that other members can access and see, it is considered disclosed by you and may be used for statistical, advertising, or promotional purposes. We have no responsibility in cases where personal data you disclose is used by third parties or other sites.

Customer Transaction

This data category refers to data types such as call center records, invoices, promissory notes, check information, cashier receipts, order information, and request information.

This data is processed based on the grounds that it is directly related to the establishment or performance of a contract, mandatory for the data controller to fulfill its legal obligation, necessary for the processing of personal data belonging to the parties of the contract, mandatory for the establishment, exercise, or protection of a right, and mandatory for the legitimate interests of the data controller.

Marketing

This data category refers to data types such as shopping history information, surveys, cookie records, and information obtained through campaign work.

6. Personal Data Retention and Disposal Policy

6.1. Purpose

Webtures undertakes to comply with the KVKK, relevant regulations, and other personal data protection, processing, and disposal regulations. Webtures aims to inform data subjects regarding deletion, destruction, or anonymization of personal data within the scope of Article 7 of the KVKK and the Regulation on Deletion, Destruction or Anonymization of Personal Data dated 28 October 2017 and numbered 30224.

6.2. Definitions

Disposal: Deletion, destruction, or anonymization of personal data.

Recording Medium: Any medium where personal data processed wholly or partially by automated means or by non-automated means provided that it is part of any data recording system is kept.

Anonymization of Personal Data: Rendering personal data such that it cannot be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Deletion of Personal Data: Rendering personal data inaccessible and unusable for relevant users in any way.

Destruction of Personal Data: Rendering personal data inaccessible, irretrievable, and unusable for anyone in any way.

Periodic Disposal: The deletion, destruction, or anonymization process to be carried out ex officio at recurring intervals specified in the retention and disposal policy, where all conditions for processing personal data in the Law cease to exist.

6.3. Scope and Recording Media

Your personal data is retained for the retention periods specified in applicable legislation; if no period is specified, for the period required by the purposes of processing. Personal data obtained during registration with Webtures or benefiting from Webtures services is retained within the scope of our personal data inventory and obligations set out in KVKK legislation, and then deleted, destroyed, or anonymized in accordance with the KVKK.

Our recording media for personal data are as follows.

Electronic Media

Non-Electronic Media

Servers (domain, backup, email, database, web, file sharing, etc.)

Software (office software, portal, VERBIS) Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.) Personal computers (desktop, laptop) Mobile devices (phone, tablet, etc.) Optical disks (CD, DVD, etc.) Removable memory (USB, memory card, etc.) Printer, scanner, photocopier Trainings Paper Manual data recording systems (survey forms, visitor entry book) Written, printed, visual media

6.4. Legal and Technical Grounds for Retention of Personal Data

Pursuant to Article 7 of the KVKK and Article 138 of the Turkish Penal Code, Webtures retains personal data it processes only for the period stipulated in relevant legislation, or if no period is stipulated, for the period required for the purpose of processing personal data. If the purpose of processing personal data ends or retention periods expire, personal data may only be retained to the extent required and mandated by possible law.

Personal data processed in accordance with the KVKK and other relevant provisions must be deleted, destroyed, or anonymized by Webtures, either ex officio or upon the request of the data subject, in a way that it will not be used and cannot be retrieved, where the reasons requiring processing cease to exist. Procedures and principles regarding lawful destruction or anonymization of personal data will be fulfilled in accordance with the principles and rules specified in the regulation.

6.5. Retention and Disposal Periods

Records	Period	Legal Basis
Membership and sales records	10 years	Law No. 6698
All accounting and financial transaction records	10 years	Law No. 6102, Law No. 213
Cookies	Up to 540 days	EU Cookie Law
Commercial electronic communication consent records	3 years from the date consent is withdrawn	Law No. 6563 and secondary legislation
Traffic information regarding online visitors	2 years	Law No. 5651
Personal data related to Webtures	10 years after legal relationship ends	Law No. 6102, Law No. 6098, and Law No. 213

7. Technical and Administrative Measures Regarding Personal Data

Pursuant to Article 12 of the KVKK, Webtures’s obligations regarding data security as the data controller include:

Preventing unlawful processing of personal data,
Preventing unlawful access,
Taking all necessary technical and administrative measures to ensure protection,
Carrying out or commissioning necessary audits within the organization.

Webtures pays attention to lawful processing and data security in line with the obligations above. Webtures takes necessary measures to prevent employees from sharing personal data with third parties and, in case of a contrary situation, notifies the data subject and the Board.

At Webtures:

Network security and application security are provided.
A closed system network is used for personal data transfers over the network.
Key management is implemented.
Security measures are taken within the scope of procurement, development, and maintenance of information technology systems.
Security of personal data stored in the cloud is ensured.
Disciplinary regulations including data security provisions for employees exist.
Training and awareness activities on data security are conducted for employees at certain intervals.
An authorization matrix has been created for employees.
Access logs are kept regularly.
Corporate policies on access, information security, use, retention, and disposal have been prepared and put into practice.
Data masking measures are applied when necessary.
Confidentiality undertakings are executed.
Authorizations in this area are removed for employees whose role changes or who leave employment.
Up-to-date anti-virus systems are used.
Firewalls are used.
Signed agreements include data security provisions.
Additional security measures are taken for personal data transferred via paper and relevant documents are sent in the format of confidential documents.
Personal data security policies and procedures have been determined.
Personal data security issues are reported quickly.
Personal data security is monitored.
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
Security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
Security of environments containing personal data is ensured.
Personal data is minimized as much as possible.
Personal data is backed up and the security of backed up personal data is also ensured.
User account management and authorization control system are implemented and monitored.
Periodic and/or random internal audits are conducted or commissioned.
Log records are kept in a way that does not allow user intervention.
Existing risks and threats are identified.
Protocols and procedures for the security of special category personal data are determined and implemented.
If special category personal data is sent by email, it is sent encrypted and using KEP or a corporate mail account.
Secure encryption/cryptographic keys are used for special category personal data and are managed by different units.
Intrusion detection and prevention systems are used.
Penetration testing is performed.
Cyber security measures are taken and continuously monitored.
Encryption is applied.
Special category personal data transferred on portable memory, CD, DVD media is transferred encrypted.
Periodic audits of data processors/service providers regarding data security are ensured.
Awareness of data processors/service providers regarding data security is ensured.
Data loss prevention software is used.

Webtures takes the technical and administrative measures specified in the Law and Board decisions and in guides to prevent unlawful access to personal data, as well as all technical and administrative measures against cyber attacks by third parties regarding personal data. Webtures audits the security of its data inventory, system and software security, and reports to authorized persons or, if requested, to the Board, ensuring the protection of personal data as stipulated in legislation.

8. Rights of the Data Subject

Article 11 of the KVKK entered into force on 07 October 2016, and pursuant to the relevant article, the rights of the Data Subject after this date are as follows:

By applying to Webtures, the Data Subject has the right to:

Learn whether personal data is processed,
Request information if personal data has been processed,
Learn the purpose of processing personal data and whether they are used in accordance with their purpose,
Know the third parties to whom personal data is transferred domestically or abroad,
Request correction of personal data if it is incomplete or incorrectly processed,
Request deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVKK,
Request notification of the operations carried out as a result of correction, deletion, or destruction to third parties to whom personal data has been transferred,
Object to the occurrence of a result against the person by analyzing processed data exclusively through automated systems,
Request compensation for damages in case of damages due to unlawful processing of personal data.

9. Application to the Data Controller and Application Method

As Webtures Dijital Bilişim Anonim Şirketi (“WEBTURES”), with Mersis No. 0800053943700021, residing at Esentepe Mahallesi Milangaz Caddesi No:77 A2 Blok Kat:32-33 D:219 Kartal – Istanbul, operating in compliance with the KVKK as data controller, we respect the rights of you, our valued data owners, and strive to assist in fulfilling your requests in your application. The right to apply to our company via this form prepared pursuant to Article 11 of the KVKK belongs directly to the personal data owner. For applications made on behalf of third persons, a power of attorney appropriate for representing the relevant person must be submitted.

Pursuant to paragraph 1 of Article 13 of the KVKK, applications to our company, acting as the data controller, regarding these rights must be submitted in writing or by other methods determined by the Personal Data Protection Board (“Board”).

After filling out and signing the KVK application form available at Webtures (“KVK Application Form”) completely and clearly, and delivering it to our address specified below by hand or via registered mail with return receipt, we will respond to your application within 30 (thirty) days at the latest. Applications regarding these rights must be submitted in writing via the Data Subject Application Form or by other methods determined by the Board.

In this context, “written” applications to our company may be submitted by taking a printout of this form and:

Personal application by the applicant,
Via a notary public,
By signing with a “secure electronic signature” as defined in the Electronic Signature Law No. 5070 and sending to our company’s registered electronic mail (KEP) address.

Our Company Information

Trade Name: WEBTURES DİJİTAL BİLİŞİM ANONİM ŞİRKETİ Address: ESENTEPE MAH. MİLANGAZ CAD. KARTAL VİZYON ST. A-2 BL. 77/219 KARTAL / ISTANBUL Mersis No: 0800053943700021 KEP Address: Email Address: hello@webtures.com Website: webtures.com Phone: +90 216 599 0495

10. Effective Date

This Policy enters into force on the date it is published and remains in force until it is removed from the website. Our Website Personal Data Protection and Data Policy is dated 01.01.2021. If all or certain articles of the Policy are renewed, the effective date of the Policy will be updated.