Customer Privacy Notice

Introduction

This privacy notice has been prepared by Ones Bilişim Teknolojileri Anonim Şirketi (“Company”) pursuant to Law No. 6698 on the Protection of Personal Data (“KVKK”) and the “Communiqué on the Principles and Procedures to be Followed in Fulfilling the Obligation to Inform.” It aims to inform our customers about the collection, processing, transfer and protection of their personal data.

Under Article 10 KVKK, the Company, as data controller, provides you with information on:

• the purposes for which personal data are processed;
• the parties to whom personal data may be transferred and the purposes thereof;
• the method and legal grounds for collecting personal data;
• the rights listed in Article 11 KVKK.

Definitions

• Personal Data: Any information relating to an identified or identifiable natural person.
• Special Categories of Personal Data: Sensitive data such as race, ethnic origin, political opinion, religious belief, health, sexual life, criminal conviction, biometric and genetic data.
• Data Controller: The legal entity that determines the purposes and means of processing personal data.
• Explicit Consent:  A freely given, informed statement of approval relating to a specific matter.
• VERBİS: The Data Controllers’ Registry Information System managed by the Personal Data Protection Board.

Types of Personal Data Processed

Depending on business requirements and legal obligations, the following categories of personal data may be processed. Special-category data are processed only with your explicit consent and for limited purposes; no such processing is carried out without consent.

• Identity Data: Name, surname, Turkish ID number, date of birth, passport details, etc.
• Contact Data: Telephone, e-mail, postal address
• Financial Data: Bank details, payment and debt information
• Visual/Audio Data: Photograph, voice recording, CCTV footage
• Other Data: Invoice and order details, IP address, log records, signature, credit-card information, etc.

Purposes of Processing Personal Data

Your personal data may be processed—on the legal grounds in Article 5 KVKK—for the following purposes:

• Establishment and performance of the sales contract and fulfilment of obligations
• Customer satisfaction, complaint management and support services
• Fulfilment of legal obligations
• Conduct of sales and marketing activities
• Execution of invoicing, accounting and financial transactions
• Organisation, event and promotional activities
• Management of IT systems and information-security processes
• Ensuring physical-area security

(For the detailed purpose list, see Personal Data Processing and Protection Procedure.)

Purposes of Processing Special Categories of Personal Data

The Company currently does not process any special-category personal data of customers. Should such processing become necessary in the future, explicit consent will be obtained in accordance with Article 6 KVKK.

Methods and Legal Grounds for Collecting Personal Data

Your personal data may be obtained—in written, verbal or electronic form—directly from you, from third parties or from public authorities within your legal or commercial relationship with the Company. Collection tools include application forms, contracts, e-mails, correspondence, CCTV/system records, surveys and online transactions.

Processing is carried out where at least one of the following conditions in Articles 5 and 6 KVKK applies:

• It is expressly required by law;
• It is directly related to the conclusion or performance of a contract;
• It is mandatory for the Company to fulfil its legal obligation;
• It has been made public by the data subject;
• It is necessary for the establishment, exercise or protection of a right;
• It is necessary for the Company’s legitimate interests, provided fundamental rights and freedoms are not harmed;
• The data subject has given explicit consent.

Parties to Whom Personal Data May Be Transferred and Purposes

Personal data may be shared—within the scope of Articles 8 and 9 KVKK and with necessary technical and administrative safeguards—with:

• Suppliers and service providers (after-sales services, support, consultancy, training, legal, event and other outsourced services)
• Affiliates and business partners (joint projects, commercial activities)
• Financial institutions and independent auditors (collection, accounting, audit and reporting)
• IT service providers (hosting, software support, cloud services, data security)
• Authorised public bodies (upon request or where required by law)

Data may also be transferred abroad with your explicit consent or under KVKK exceptions.

Data Security

Technical and administrative measures—such as encryption, access control, log management, confidentiality agreements and periodic audits—defined in the Personal Data Processing and Protection Procedure are applied.

Retention Period of Personal Data

Your personal data are retained for the period stipulated by legislation or required by the processing purpose. After that period, they are deleted, destroyed or anonymised in accordance with the retention and destruction schedule defined in the Personal Data Processing and Protection Procedure / Deletion, Destruction and Anonymisation of Data.

Rights of the Data Subject

Under Article 11 KVKK you have the right to:

• Learn whether your personal data are processed;
• Request information if they are processed;
• Learn the purpose of processing and whether they are used appropriately;
• Know the third parties to whom they are transferred at home or abroad;
• Request correction of incomplete or inaccurate data;
• Request deletion, destruction or anonymisation when processing reasons cease;
• Request notification of corrections or deletions to third parties to whom data were transferred;
• Object to results produced solely by automated processing;
• Claim compensation for damages arising from unlawful processing.

Application Procedure

You may submit requests regarding your rights under Article 11 KVKK—pursuant to the “Communiqué on the Principles and Procedures for Applications to Data Controllers”—in writing or via registered electronic mail (KEP), secure electronic signature or your e-mail address registered in our system:

• Written application: Send the completed KVKK Application Form to the Company address.
• KEP: Send via our KEP address.
• E-mail: Send from your registered e-mail address to ik

Your request will be concluded free of charge within 30 days of receipt. If the action requires a cost, the tariff set by the Board will be applied.