GDPR Policy

PROTECTION AND PROCESSING OF PERSONAL DATA POLICY

1. PURPOSE

As Namdaris Teknoloji Tasarım ve Danışmanlık Ltd. Şti. (Namdaris Technology Ltd.) company - registered in Turkey -; to be processed of personal data of natural persons’, including our employee candidates’, our users’, members’, customers’, visitors’ and employees’ in accordance with the relevant legislation of the Constitution of the Republic of Turkey and the international conventions to which the parties of the country on human rights and 6698 numbered Law on the Protection of Personal Data ( "GDPR or KVKK") and ensuring the effective use of the rights of the persons whose data is processed is our priority.

For this reason, we perform, without limitation, the processing, storage, transfer of all personal data we have acquired from our users, members, customers, visitors, employees and employee candidates in accordance with this Personal Data Protection and Processing Policy ("Policy").

The protection of personal data and the observance of fundamental rights and freedoms of natural persons whose personal data is processed is the basic principle of our policy on the processing of personal data. For this reason, we carry out all activities in which personal data are processed by pursuing of the protection the privacy of private life, confidentiality of communication, freedom of thought and belief, and the right to use effective remedies.

For the protection of personal data, we take all administrative and technical protection measures required by the nature of the data in accordance with the legislation and current technology.

This Policy describes the methods we use to process, store, transfer and delete or anonymize personal data shared during our commercial or social responsibility and similar activities in accordance with the principles set forth in the GDPR.

2. SCOPE

This Policy covers all personal data, processed by our company, including our users, members, customers, business contacts, business partners, employees, employee candidates, consumers, potential customers, and third parties.

Our policy is applied in the activities for the processing of all personal data managed by our company and has been dealt with and prepared in accordance with GDPR and other relevant legislation on personal data and international standards in this field.

3. DEFINITIONS AND ABBREVIATIONS

In this section, special terms and expressions, concepts, abbreviations, etc. used in the Policy are briefly explained.

• Company: Namdaris Teknoloji Tasarım ve Danışmanlık Ltd. Şti. (Namdaris Technology Ltd.) company - registered in Turkey - (www.kulucka.io)

• Clear Consent: Consent given to a specific subject, based on information and free will, without any hesitation, limited to only that transaction.

• Anonymizing: Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

• Employee: Company Personnel.

• Personal Data Owner (Data Subject): The natural person, whose personal data is processed.

• Personal Data: All the information relating to an identified or identifiable natural person.

• Sensitive Personal Data: Data and biometric and genetic data about persons’ race, ethnicity, political thought, philosophical belief, religion, sect, or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction, and security measures.

• Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.

• Data Processor: The natural or legal person who processes personal data on behalf of the controller upon his authorization.

• Data Officer: The natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.

• GDPR Board: Personal Data Protection Board.

• GDPR Institution: Personal Data Protection Authority.

• GDPR: Law No. 6698 on Personal Data Protection published in the Official Gazette dated April 7, 2016 and numbered 29677.

• Policy: Namdaris Teknoloji Tasarım ve Danışmanlık Ltd. Şti. (Namdaris Technology Ltd.) company - registered in Turkey - Company General Data Protection and Processing Policy.

4. LEGAL LIABILITIES

The legal obligations for the protection and processing of personal data as data officer in accordance with GDPR are as follows:

• When collecting personal data as Data Officer, we have an obligation to clarify the Data Subject as follows;

• The purpose of processing of your data,

• Information about our identity, our representative's identity, if any,

• To whom and for what purposes the processed data may be transferred,

• Our method and legal reason of collection of data,

• The rights and issues arising from the law.

• As "Company” we are attentive to make this Policy, which is open to the public, is clear, understandable and easily accessible.

• Our obligation to ensure data security

As data officer, we take administrative and technical measures stipulated in the legislation in order to ensure the security of the personal data that we have. Data security obligations and measures are detailed in sections 9 and 10 of this Policy.

5. CLASSIFICATION OF PERSONAL DATA

Personal data

Personal data is any information related to an identified or identifiable natural person. The protection of personal data is only related to natural persons and the information of legal persons that does not contain any information about the natural person is excluded from personal data protection. Therefore, this Policy does not apply to data of legal persons.

Sensitive personal data

Data and biometric and genetic data about persons’ race, ethnicity, political thought, philosophical belief, religion, sect, or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction, and security measures.

Categories of personal data

We collect the following data for our purposes of membership in licensing and other services:

Credentials

Contact information

Other data

Data Category Credentials Explanation It is the data about the identification of the identity of the person. Collects From We collect identity information from employees, employee candidates, customers, people who use our website / online store and mobile applications, licencors, visitors and business contacts. Content Name-surname, T.C. identification number, photo, photocopy of identity. Purpose of Data Collection We collect personal data from our customers with the purpose of invoice issuance, product delivery or performance of services and advertising and marketing; from people who use and visit the website and mobile application with the purpose of increasing the number of visitors and to improving the service provided within the scope of subjected platforms; from business contacts within the scope of the execution of the service provided, such as product delivery, and in accordance with our legal obligations. We are obliged to record employee identification information in accordance with the labour and social security legislation. We collect the data of our employee candidates for job applications in order to evaluate the applicants' identification information; the data of our suppliers, subcontractors and other persons with whom we have business relations in order to fulfil our commercial requirements and obligations and, if applicable, our obligations in the contracts. Data Category Contact Information Explanation It is personal data that enables communication with the person. Collects From We collect contact information from employees, employee candidates, customers, licencors, people who use our website / online store and mobile applications, visitors and business contacts. Content It is the data such as home and work address, mobile phone number, home phone number, postal address, e-mail address and IP address. Purpose of Data Collection We collect personal data from our customers, business contacts within the scope of our services and commercial activities carried out in our online store, in order to ensure communication, from individuals who use the website and mobile applications within the scope of our legal obligations. We are obliged to record the contact information of our employees in accordance with the labour and social security legislation. We collect the data of our employee candidates in order to disclose the result of the application; the data of our suppliers, subcontractors and other persons with whom we have business relations in order to fulfil our commercial requirements and obligations and, if applicable, our obligations in the contracts. We collect the data of our employee candidates for job applications in order to evaluate the applicants' identification information; the data of our suppliers, subcontractors and other persons with whom we have business relations in order to fulfil our commercial requirements and obligations and, if applicable, our obligations in the contracts. Data Category Other Data Explanation Other data collected within the scope of our commercial activities. Collects From We collect this data from employees, employee candidates, customers, visitors to our website and the registration form to purchase products and services on our website and from the business contacts. Content This data is identity information, contact information, financial information, movements during the web browsing, searches and visitor movements for all the pages visited, identification and contact information of the personnel of our business contacts and financial information, data collected within the scope of the event and organisation, the data collected within the scope of training and the application to be included as a vendor on the web site, the data collected during the complaint and company communication processes and the data collected while registering to the e-mail subscription system. Purpose of Data Collection We collect the data to evaluate the eligibility of applications for training and events, to organise events and organisations, to evaluate the eligibility of applicants who apply for registration with the seller, to confirm the accuracy of applications made under academic identity, to carry out marketing and promotional activities, to fulfil our commercial requirements and obligations and our obligations in contracts of the people we are in.

Legal reason for the collection of personal data

We are processing the data within the scope of personal data, services we provide, software licensing, file downloads and the employment we provide; with the legal reasons arising from our obligations in the relevant legislation, contractual relations and legitimate interests.

6. PROCESSING PERSONAL DATA Our personal data processing principles We process personal data in accordance with the following principles. Processing in accordance with the law and honesty We process personal data in accordance with the rules of honesty, transparency and within the framework of our obligation to enlighten. Ensure that personal data is accurate and up-to-date when necessary We take the necessary measures in our data processing procedures to ensure that the processed data is accurate and up-to-date. We also provide the Personal Data Holder with opportunity to contact us to update their data and correct any errors in the processed data. Processing for specific, clear and legitimate purposes We process personal data in accordance with our legitimate aims to maintain our activities within the framework of the legislation and the usual flow of business life, with clearly defined scope and content. Personal data is linked, limited and measured for the purpose for which it is processed We process personal data in a limited and measured manner in relation to the purpose we set, clearly and precisely. We avoid the processing of personal data that is not relevant or does not need to be processed. Therefore, we do not process sensitive personal data unless we have a legal obligation to do so, and we obtain explicit consent to the matter when necessary. Storing personal data for the duration of our legitimate commercial interests and foreseen by statutory regulations Many regulations in the legislation require that personal data be stored for a certain period of time. Therefore, we store the personal data that we process for a period of time required by the relevant legislation or for the purposes for which the personal data are processed. We will delete, destroy or anonymize personal data in the event that the storage period provided for in the legislation expires or the purpose of processing disappears. Our principles and procedures for storage periods are detailed in Article 8 of this Policy. Our personal data processing purposes We process personal data for purposes similar to, but not limited to, the following: Carrying out our licensing activities, Providing support services to customers within the scope of contract and service standards, Determining the preferences and needs of our customers and shaping and updating the services to be provided to our customers in this context, Fulfilling our legal obligations as required or necessitate by legal regulations, Implementing the instructions and procedures within the "Company", Improvement management and planning, Following the approval of the applications made by seller, Organisation of events and organisations, Ensuring security, Creation and management of visitor records, Management of website and mobile applications, Measuring customer satisfaction, Carrying out market research and statistical studies, Surveys, contests, promotions and sponsorships, Evaluation of job applications, Establishing contact with persons who are in business relationship with the “Company” Marketing, Compliance management, Vendor / supplier management, Advertising, Legal reporting, Planning and carrying out risk management and quality improvement works, Billing. Processing of sensitive personal data Sensitive personal data are processed by us by taking administrative and technical measures stipulated in the laws and by the GDPR Board and if there is explicit consent or if required by the legislation. Sensitive personal data relating to health and sexual life, protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing could be processed with the obligation of secrecy of persons or authorised institutions and organisations without explicit consent. Processing of personal data collected through cookies on our website We use cookies to improve the way our website’s operation and usage, and we try to make the time you spend on our website more efficient and enjoyable. In addition, we use some cookies to remember your preferences on our website and thus providing you with an enhanced and personalised experience. We may collect, process, transfer and store your personal data through the cookies on our website. For detailed information about the cookies we use on our website, you can review our "Cookie Policy". Processing of personal data collected on our website Information below are collected, through communication and / or licensing, purchase forms through our website; Name, surname and E-mail and telephone information Full Address Invoice information of purchaser/institution (Identity Number, Tax Number, and Tax Office) Information below is collected through the application forms on our website. Applicants’; Name surname, Place of birth, Date of birth, Contact information and Processing of your personal data for security purposes We collect process and store your personal data to ensure the security of our electronic media (website, server and domain) systems. In this context; Website visitor movements and transactions, The information in the form filled out during the registration phase of the website, Visitor (name-surname, identity number, tax number, tax office) information is collected. Processing of personal data within the scope of suggestions, requests and complaints management In order to improve our services, personal data are collected and processed through the forms available on our website within the scope of suggestions, requests and complaints. In this context; Name surname, Electronic mail, The contents of the message are collected. Processing of personal data through explicit consent As per the legislation, personal data cannot be processed without the explicit consent of the person concerned. The explicit consent is defined in the law as the consent given to a certain subject based on information and free will. In the event of the processed data is of a sensitive personal nature, the explanations in section 6 are valid. Exceptional cases where explicit consent is not sought in the processing of personal data We may process personal data without explicit consent in the following exceptional circumstances arising from the law: Clearly foreseen by law The personal data of the data subject may be processed in accordance with the law, if it is clearly foreseen by law. Failure to obtain explicit consent of the data subject due to actual impossibility Personal data may be processed without explicit consent if it is compulsory for the protection of the life or physical integrity of the person who is unable to disclose his or her consent due to the impossibility or whose legal consent is not granted. To be directly related to the establishment or execution of the contract Processing of personal data is possible if it is necessary to process the personal data of the parties of the contract an on the condition that it is directly related to the establishment or execution of a contract. To be obligatory for “Our Company” to fulfil its legal obligation Our Company, as the data officer, will be able to process the data which is necessary for the fulfilment of its legal obligation, even without the explicit consent of the Data Subject. The personal data owner has been publicised by himself/herself Personal data publicised by the data subject, in other words, disclosed to the public in any way, may be processed without explicit consent. Data processing is compulsory for the establishment, use or protection of a right Personal data may be processed without explicit consent if data processing is compulsory for the establishment, use or protection of a right. Data processing is compulsory for the legitimate interests of “Our Company” Without prejudice to the fundamental rights and freedoms of the Data Subject, personal data may be processed without the need for explicit consent in the event that it is compulsory to process data for the legitimate interests of “Our Company”. For example; the employer has a legitimate interest in controlling the employee's entry and exit times. There is no need to obtain the explicit consent of the Employee within this scope, on the condition that the practices performed by the employer are measured for these reasons. Exceptions to which sensitive personal data may be processed without the explicit consent of the Data Subject are set out in Article 6 of this Policy. 7. TRANSFER OF PERSONAL DATA Transfer of personal data to the country Our company acts in accordance with the decisions and regulations foreseen in GDPR and taken by the GDPR Board for the transfer of personal data. Without prejudice to the exceptional circumstances contained in the legislation, personal data and sensitive personal data are not transferred to other natural persons or legal persons without the explicit consent of the Data Subject. In exceptional cases foreseen by GDPR and other legislation, data may be transferred to the authorised administrative or judicial institution or organisation without the explicit consent of the Data Subject, depending on the boundaries and in the manner stipulated in the legislation. In addition, in exceptional cases stipulated by the legislation; In cases described in Article 6 of the Policy, In the cases mentioned in Article 6 regarding sensitive personal data, Personal data relating to the health and sexual life of the Data Subject with taking the measures stipulated by the Board of the GDPR and the relevant legislation could only be transferred without explicit consent to the persons under confidentiality obligation or authorised institutions and organisations on the purpose of the protection of public health, the execution of preventive medicine, medical diagnosis, treatment and care services, planning and managing of health services and financing. Transfer of personal data abroad As a rule, personal data is not transferred abroad without the explicit consent of the Data Subject. However, in cases of where only one of the exceptional cases referred to in Articles 6 of this Policy exists, third parties may transfer abroad personal data without explicit consent: Where third parties are located in countries where there is adequate protection declared by the GDPR Board In case of to take place in countries there is inadequate protection, when data officers in Turkey and in the subjected foreign country undertake sufficient protection in writing and have GDPR Board permission Institutions and organisations where personal data are transferred Personal data may be transferred to the below listed, without limitation according to the principles and rules described above. Our suppliers, Our business partners and business contacts, Legally authorised public institutions and organisations, Legally authorised private law persons.

Contact Category	Description	Purpose of Transfer
Business Partner	Refers to the parties with which it has established business partnerships to obtain licenses, goods, services, etc. within the scope of our company's activities.	For the purpose of realising the activities planned within the scope of business partnership
Supplier	Refers to the parties that provide services against the contract in accordance with the needs and instructions of our Company.	For the purpose of the continuity of the service to be provided from the supplier
Authorised	Refers to the authorised people of our Company.	For the purpose of planning and carrying out the activities of our company
Legally Authorised Public Institutions and Organisations	Refers to the authorised public institutions and organisations to receive information and documents from our Company within the scope of the relevant legal regulations.	For the purposes of subjected foreseen regulation
Legally Authorised Private Law Persons	Refers to authorised private law persons to receive information and documents from our Company within the scope of the relevant legal regulations.	For the purposes of subjected foreseen regulation

Measures we have taken to transfer personal data in accordance with the law
Technical measures
To protect personal data, but not limited to, our company perform;
In-house technical organisation for the processing and storage of personal data in accordance with the legislation,
Establishing the technical infrastructure to ensure the security of the databases where your personal data will be stored,
Following the processes and auditing of the technical infrastructure,
Determining the procedures for reporting the technical measures and audit processes we have taken,
Updating and renewing technical measures periodically,
Producing technological solutions through re-examining risky situations,
Using virus protection systems, firewalls and similar software or hardware security products and installing security systems in line with technological developments.
Administrative measures
To protect personal data, but not limited to, our company perform;
Establishing policies and procedures for accessing personal data,
Informing and educating our employees and the persons we receive consultancy on business development about the legal protection and processing of personal data,
Recording the measures to be taken in case of unlawful processing of personal data by our employees and the persons we receive consultancy on business development in the agreements and / or the policies we have established with our employees and the persons we receive consultancy services on business development,
Auditing the processing of personal data of the data processors or partners of the data processors with whom we work.

8. STORAGE OF PERSONAL DATA
Storing personal data for as long as required by the relevant legislation or for the purpose for which they are processed
We store personal data for as long as required for the purpose of processing personal data, without prejudice to the storage periods stipulated in the legislation. In cases where we process personal data for more than one purpose, the data is deleted, destroyed or stored by anonymizing at the request of the Data Subject(the relevant request must be carried out clearly by mail and with a wet signature) if there is no obstacle in the legislation to delete the data. In terms of destruction, deletion or anonymization, the provisions of the legislation and decisions of the Board of the GDPR shall be complied with.
Measures we take for the storage of personal data
Technical measures
Establishing technical infrastructure and audit mechanisms for the deletion, destruction and anonymization of personal data,
Taking necessary measures for the safe storage of personal data,
Employing employees with technical expertise,
Establishing business continuity and emergency plans against possible risks and developing systems for their implementation,
Establishing security systems in accordance with the technological developments regarding the storage areas of personal data.
Administrative measures
Raising awareness by informing the employees and the persons we consult for business development about the technical and administrative risks related to the storage of personal data,
In case of cooperation with third parties for the storage of personal data; we include the necessary security measures for the protection and safe storage of the personal data transferred to the persons to whom the personal data are transferred.

9. SECURITY OF PERSONAL DATA
Our obligations regarding the security of personal data:
We take following administrative and technical measures of personal data, according to technological facilities and implementation costs in order to;
Prevent unlawful processing,
Prevent illegal access,
Ensure that they are stored in accordance with the law
Measures we take to prevent unlawful processing of personal data
Performing and having the necessary inspections within our company
Educates and informs our employees and the persons we receive business development consultancy on the processing of personal data in accordance with the law
The activities carried out by our company are evaluated in detail in all business units, and as a result of this assessment, personal data are processed in accordance with the commercial activities carried out by the related units
Providing provisions for the necessary security measures taken by persons processing personal data in the agreements with companies that process personal data in case of cooperation with third parties for the purpose of processing personal data
Carry out the investigations and measures taken by the legislation, in case of realising an unlawful disclosure of personal data or data leakage and informing the GDPR Board about the situation
Technical and administrative measures taken to prevent unlawful access to personal data
We take following actions to prevent unlawful access to personal data;
Employing employees with technical expertise and work with people with whom we receive consultancy services on business development with technical expertise,
Updating and renewing technical measures periodically,
Establishing access authorisation procedures within our company,
Determining the procedures for reporting the technical measures and audit processes we have taken,
Establishing the data recording systems used in our company in accordance with the legislation and auditing periodically,
Establishing emergency aid plans against potential risks and developing systems for the implementation of these risks,
Educating and informing our employees and the persons we receive consultancy on business development about access to personal data and authorisation,
Providing provisions for the necessary security measures taken by persons processing personal data in the agreements with companies that process personal data in case of cooperation with third parties for the purpose of such activities as processing and storing personal data
Measures we take in case of unlawful disclosure of personal data
We take administrative and technical measures to prevent unlawful disclosure of personal data and update them in accordance with our relevant procedures. We set up infrastructures to report this to the Person and the GDPR Board, if we find unauthorised disclosure of personal data.
In case of an unlawful disclosure despite all the administrative and technical measures taken, it may be announced on the website of the GDPR Board or other means if deemed necessary by the GDPR Board.

10. RIGHTS OF THE PERSONAL DATA OWNER (DATA SUBJECT)
We inform the Personal Data Owner within the scope of our disclosure obligation and establish systems and infrastructures for this information. We make the necessary technical and administrative arrangements for the Personal Data Owner to exercise its rights with respect to your personal data.
Personal Data Owner has the following rights on his/her personal data;
Learning whether personal data is processed or not
Requesting information if personal data is processed
Learning the purpose of processing personal data and whether they are used in accordance with their purpose or not
Knowing the third parties to whom personal data is transferred in the country or abroad
Requesting correction of personal data in case of incomplete or incorrect processing
Requesting the deletion or destruction of personal data in case the reasons that require the processing of personal data disappear.
Requesting notifying the third parties to whom the personal data are transferred about correction, deletion or destruction procedures, above mentioned
Objecting to the emergence of a against result by analysing the processed data exclusively through automated systems
Demanding the loss of the damage in the event of damage due to unlawful processing of personal data
Exercise of personal data rights
The concerned person may send its request for personal data through a separate method in case determined by the KVK Board or through a clear written and original signed petition to İçerenköy Mh. Değirmenyolu Cad. Kutay İş Merkezi B Blok No: 18 K: 4 D: 9 34752, Atasehir / Istanbul address or sent to our e-mail address info@kulucka.io signed with a secure electronic signature.
The request bearing explanations of the right for using the rights mentioned above should include a clear and understandable demand, the requested matter is relevant to the applicant or in case of acting on behalf of someone else the person should be specially authorised and document this authority, submit identification and address information of the applicant and supporting identity documents of the applicant. Such requests shall be made on an individual basis and requests made by unauthorised third parties regarding personal data will not be considered.
Evaluation of the application
Response time of the application
Requests for personal data are finalised as soon as possible according to their nature and in any event within 30 (thirty) days free of charge or in case of the conditions in the tariff to be published by the GDPR Board regarding the fee. Additional information and documents may be required during or during the application process.
Our right to reject the application
Personal data applications shall be rejected in the following cases by providing justification;
Processing of personal data for purposes such as research, planning and statistics by making it anonymous with official statistics
On condition that it does not infringe the privacy or personal rights of private life or constitute a crime; processing of personal data with artistic, historical, literary or scientific purposes or within the context of  freedom of expression
Processing of personal data publicised by the Personal Data Owner
In the case the application is not being based on a valid ground
In the case the application contains a claim contrary to the relevant legislation,
Failure to comply with the application procedure shall be justified and rejected.
Procedure for evaluating the application
In order to commence the response period stated in Article 10 of this Policy, you must send the application form with the written and wet signed or electronically signed Application Form via REM or other methods determined by the GDPR Board with the supporting information and documents. If it is accepted, the related transaction is applied and notification is made in writing or electronically. If the request is rejected, the justification is explained and notified to the applicant in writing or electronically.
Right to file a complaint with the Personal Data Protection Board
In case the application is rejected, our answer is found to be insufficient or no response is given in due time; the applicant is entitled to lodge a complaint with the GDPR Board within 30 (thirty) days from the date of receipt of the reply and in any event within 60 (sixty) days from the date of application.

11. PUBLISHING AND STORING THE POLICY
This Policy shall be kept in two different media: printed paper and electronic media.

12. ENFORCEMENT
This Policy shall be deemed to have entered in force upon publication on the Company website.