PRIVACY POLICY ON PROCESSING AND PROTECTION OF PERSONAL DATA

We, as Akıllı Kutu Teknolojileri A.Ş. (“MobiQu”, “us” or “Company”), prepared this Privacy Policy on Processing and Protection of Personal Data (“the Policy”) for the purpose of informing individuals whose personal data is processed by our Company pursuant to the Law No. 6698 on Protection of Personal Data (“the Law”) and the related secondary legislation.

We care about protection of your personal data, and we value the trust you put in us. Therefore, MobiQu explains with this Policy the general principles that it follows with respect to processing of personal data while conducting its business activities and operations.

Scope of the Policy

The Policy covers all the natural persons, employees and representatives of legal entities of whom we process personal data such as our employees, employee candidates, business partners and suppliers. The issues regarding employees’ personal data processing are governed by another policy named Privacy Policy on Processing and Protection of Employees’ Personal Data and therefore this Policy does not include MobiQu employees’ personal data processing activities. In addition to this, since information with respect to legal entities are not considered as personal data under the Law, data regarding legal entities does not fall within the scope of this Policy.

Updating of the Policy

MobiQu has the right to update the Policy, when necessary, by publishing the new version on its website. Therefore, we advise you to check the latest version of the Policy by visiting our website from time to time or to request it from us whenever desired. The latest update date of the Policy that you are currently reviewing may be found on the first page of the Policy.

Definitions

The terms used in this Policy shall have the following meanings:

Explicit Consent: The consent related to a specific subject, which is given freely upon informing,

Data subject: The natural person, whose personal data is processed,

Personal Data: Any information relating to an identified or identifiable natural person,

Personal Data Processing: Any operation which is performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transfer, taking over, making available, classification, or preventing the use thereof, data through fully or partially automatic means or through non-automatic means provided that the processing is a part of any data registry system,

Board: The Personal Data Protection Board,

Authority: The Personal Data Protection Authority,

Data Processor: Any natural or legal persons who process personal data on behalf of and under the authority given by the data controller,

Data Controller: Any natural and legal person which determines the purposes and means of processing personal data and is responsible for the establishment and management of the data register system.

The terms not defined herein shall be deemed to be used as defined by the Law and the relevant legislation.

Data Controller

In many of the processes regarding your personal data, MobiQu acts as the data controller pursuant to the Law. As the data controller, we determine the purposes of your personal data processing and the means for such processing.

In certain personal data processing activities, there may be business partners which we are jointly responsible as data controllers and may process your personal data as data controller for their own purposes. This Policy informs you about the MobiQu’s personal data processing purposes and means; and for you to be informed on the manners of personal data processing of other data controllers, we advise you to review the policies found on each relevant data controllers’ own websites.

You may find the details MobiQu as the data controller below:

Title: Akıllı Kutu Teknolojileri A.Ş.

Adress: Ahi Evran Cad. No:6, Kat:1, No:1, 42 Maslak Ofis 3 34485 SARIYER/Istanbul

Purposes of Processing Your Personal Data

Before collecting your personal data or at our first contact upon the receipt of your personal data by us, we will inform you about our purposes and we ask whether you give your explicit consent for such processing when your explicit consent is legally required. We process your personal data for the purposes stated in this Policy.

Your personal data may be processed generally as defined below and for the following purposes:

Your Personal Data Processed Within the Scope of Communications Services

We may process certain data with respect to you through “Communications Services” channels which we established to provide you a better service and for the purposes of enabling you to benefit from our products and services, resolving request/complaint and considering suggestions, providing information and evaluating your applications.

1- Processing Your Personal Data Through our Websites

Your information such as name, surname, e-mail, mobile phone, address, request/complaint information may be collected and processed through communication forms on the websites of our Company and sub-brands.

On our certain websites, it is asked whether you would like to be informed about our campaigns. If you indicate that you would like to be informed about our campaigns, we may process your identity and contact information provided by you to us for the purpose of informing you about our campaigns, discounts, new products and opportunities. You may withdraw your consent that you gave in order to be informed about the campaigns and the news about us, at any time you desire.

On our websites which we use cookies, some of your personal data such as your habit of use, likes, frequency of your visits to website may be collected through the cookies used. For detailed information regarding the type of cookies used and steps to be taken to remove cookies, we suggest you visit the Cookie Policy of the relevant website.

Your personal data collected through our websites for the purposes such as conducting communication activities, planning and conducting request, complaint, information request processes, conducting firm/product/services loyalty processes, conducting communication services, conducting customer relations management processes, conducting customer satisfaction activities and similar purposes and based on legal grounds of establishing or performance of an agreement, performing our legal obligations, establishing, exercising or protecting a right or legitimate interests of our Company.

2- Processing Your Personal Data through Our Social Media Accounts

MobiQu may publish content on social media platforms through “organic” or “paid” means to reach out to current and potential customers.

“Organic means” refers to the publishing social media content on the MobiQu’s official account/accounts on the social platforms or the appearance of social media content on your social media feed because you follow MobiQu’s social media accounts. For instance, when you follow MobiQu’s Instagram account.

“Paid means” refers to the showing social media content generally to the users, who do not follow MobiQu’s official account/accounts. For instance, display of ad posts in the Instagram feed of a user who does not follow MobiQu’s account.

In addition to this, when you contact us through our social media accounts such as Instagram, Twitter, Facebook, and etc. you might share your personal data such as name, surname, username, e-mail address, phone and/or mobile phone number, request/complaint information with us. In that case, such personal data may be processed for the purposes of conducting firm/product/services loyalty processes, conducting communication processes, conducting customer relations management processes, conducting customer satisfaction activities, prosecution of legal requests, conducting contractual processes, planning and/or executing processes for establishing and/or increasing loyalty to product and/or services provided by the Company, prosecution of requests/complaints, ensuring information to be accurate and up-to-date and similar purposes and based on legal grounds of establishing or performance of an agreement, legal obligation, establishing, exercising or protecting a right or legitimate interests of our Company.

However, we would like to remind you with emphasis that MobiQu does not have direct access to your personal data on your social media accounts. In addition to this, MobiQu is not responsible for personal data processing, personal data protection and data security policies of the stated social media platforms. In order to obtain detailed information as to how these social media platforms use your personal data, we advise you to review the privacy policies on their websites.

Processing Personal Data of Supplier Representative and/or Employees

Due to day-to-day operations, MobiQu processes certain personal information of its Supplier’s representatives and/or employees.

Processed personal data of those Suppliers’ representative and employees may differ depending on the process. However generally personal data such as name, surname, address, mobile phone, title, username, log records, process security information such as IP information, instruction and records relating thereto, TRID, information indicated on specimen of signature, instructions and records, education information may be processed. Even though information with respect to legal entities is not considered as personal data, in case our suppliers are partnership companies, your personal data such as IBAN number, account number, receivable and debt balance, financial activity information may be processed.

Your personal data may be processed based on the legal grounds of establishing or performing an agreement, legal obligation, establishing, exercising or protecting a right and legitimate interests of MobiQu for the purposes indicated below:

• Conducting communication activities,
• Maintaining security of MobiQu’s operations,
• Following up and/or auditing business operations of supplier employees,
• Planning and performing business operations,
• Prosecution of request/complaints,
• Ensuring information to be accurate and up-to-date,
• Planning and/or performing activities for maintaining business continuity,
• Conducting advertisement/campaign/promotion processes,
• Conducting supplier relations management,
• Conducting product/service manufacturing and operation processes,
• Conducting finance and accounting works,
• Following up and performing legal works,
• Conducting risk management processes,
• Conducting operations in accordance with the legislation,
• Planning and/or performing activities for realizing analysis of effectiveness/efficiency and/or suitability of business activities
• Planning and performing market research activities for sales and marketing processes of products and services,
• Conducting audit/ethic activities,
• Conducting product/services marketing processes,
• Conducting access authorities,
• Conducting storage and archive activities,
• Conducting internal audit/investigation/security intelligence activities,
• Conducting firm/product/services loyalty processes,
• Management of organizations and events,
• Conducting training activities,
• Conducting logistics activities,
• Conducting processes for sales and after sales services of products and services,
• Planning and performing corporate communication activities.

Processing Personal Data of Sub-Contractor Representative and/or Employees

In case you are a representative or an employee of a company, which serves as a sub-contractor to MobiQu, we may have to process your personal data due to the business relationship and some of our obligations. We may process your personal data generally for the below purposes:

• Conducting communication activities,
• Planning and performing business operations,
• Management of organization and events,
• Informing authorized persons/corporations and institutions,
• Planning and performing manufacturing and/or operation processes,
• Planning and/or performing workplace health and/or security processes,
• Conducting finance and accounting works,
• Prosecution and conduction of legal processes,
• Conducting risk management processes,
• Conducting contractual processes,
• Management of relationship with sub-contractors,
• Planning and/or performing activities for maintaining business continuity,
• Planning human resources processes,
• Conducting internal audit/investigation/intelligence activities,
• Fulfilling obligations arising from legislation for employees of the sub-contractor,

Processing Personal Data of Business Partner Representative and/or Employees

We have business partners that we enter into business relationship with for the purpose of providing services, providing support to MobiQu in relation to certain matters. In that respect, for us to fulfill our mutual obligations under the business relationship, we may have to process some of your personal data due to you being an employee or authorized signatory of such companies. For instance, in order to contact you within the scope of the services received by us, your personal data such as your e-mail address, phone number may be processed. Due to you being a representative or an employee of our suppliers or business partners, we may process your personal data for the purposes of conducting and auditing business activities, conducting communication activities, conducting finance and accounting works, conducting manufacturing & service operation and sales processes, conducting operations in accordance with the legislation and similar purposes and based on the legal grounds of legal obligation, establishing or performing an agreement and legitimate interests of MobiQu.

Processing Visitors’ Personal Data

In case you come as a visitor to the buildings and facilities of MobiQu, before entering to the premises or at the time of entry to the premises, some of your personal data may be processed in order to keep visitor records. Processing activities of such personal data is explained below:

1- Processing Your Personal Data Through Keeping Visitor Web Access Records

When you connect to MobiQu’s web to access internet as visitor, MobiQu is required to record your web access records in its systems electronically and store these for two years.

Within the scope of this obligation, in your web access records, MobiQu may record and store your personal data such as start and end time of web usage, IP address, MAC address, websites you visited, log records.

MobiQu processes your personal data as indicated for the below purposes or similar purposes:

• Conducting activities in accordance with the legislation,
• Prosecution and conduction of legal processes,
• Informing authorized persons/corporations and institutions,
• Maintaining security of MobiQu’s operations, data base and web access,
• Establishing and operating infrastructure of information technologies,
• Planning and performing information security processes.

Your personal data may be processed through keeping visitor web access records based on legal grounds of being explicitly envisaged in the law (Law numbered 5651), legal obligation (Regulation Regarding Web Collective Usage Providers – Official Gazette Date and Number: 11.04.2017, 30035), establishing, exercising or protecting a right (providing you a web access as a visitor).

2- Processing Your Personal Data Through Keeping Video Records

For the purpose of providing security by MobiQu, MobiQu’s building, and facilities are monitored by the surveillance cameras. In that respect, your personal data may be processed through recording of the images of our visitors by the camera surveillance system at the entrance of MobiQu’s building and facilities and inside of the facilities.

Your personal data collected through such processing activity may be processed for purposes such as maintaining security of the MobiQu’s premises, buildings and/or facilities, keeping visitor records, informing authorized institutions pursuant to the legislation and based on the legal grounds of establishing, exercising or protection of a right, legitimate interests and processing personal data being mandatory in order to fulfill legal obligation of MobiQu.

Processing Your Personal Data in Respect of Job Applications

To join MobiQu and to become a part of our team you share certain personal data with us when you apply for a job. In this respect, your personal data is transferred to us through the job application channels in our websites and via the firms which support us during the job application process or through other channels.

Your personal data collected during the job application process, may include, without limitation, your name, surname, address, phone, e-mail, birthday, birthplace, educational background, knowledge of foreign language, reference information, information relating to certificate and professional competence, information present in your CV, prior job experience. Together with these, if you disclose to us, your criminal record information and health information may be processed from time to time. Such information may be used for the purpose of evaluating your suitability for the job (for example, whether your health situation suits the relevant position or your criminal record legally preventing you from working at certain jobs).

Your personal data disclosed to us may be processed for the purposes such as the conduction of the recruitment process, evaluation of your suitability for the job, conduction of reference processes, conduction of human resources processes, conduction of application processes of employee candidates and based on the legal grounds like the establishment, exercise or protection of a right, establishment or performance of your employment agreement and legitimate interests of MobiQu.

Principles Complied with in Processing of Personal Data

As MobiQu, we take into consideration the below principles in all processes where we process your personal data, and we process your personal data in compliance with these principles:

Compliance with the Law and Good Faith principle

While processing your personal data, we pay attention to act in accordance with our obligations set forth in all legal regulations in effect, especially the legislation on protection of personal data.

Processing of personal data in accordance with good faith principle means the processing of your data for the purposes for which you disclosed your personal data to us, i.e. in a way foreseeable by you.

Being Accurate and, When Necessary, Up-To-Date

In case your personal data is processed incompletely or incorrectly, you have the right to ask MobiQu to correct. In accordance with this principle, our Company always keeps open the channels which procure that the information of the relevant person is correct and up-to-date. You may obtain detailed information in relation to the channels through which you can reach us in the section titled “Your Rights in Respect of Protection of Your Personal Data” of our Policy.

Processing for Clear, Explicit and Legitimate Purposes

In parallel to the principle of compliance with the Law and good faith principle, MobiQu determines for what purposes your personal data will be processed and will inform you on what these purposes are. In this way, our Company aims to procure that our activities or processing of personal data in our Company is comprehensible by you. In addition to this, while determining our purposes for processing of personal data pursuant to the principle of processing for legitimate purpose, we care that such purposes relate to the business we conduct or with the services we provide.

The Principle of Being Connected with, Limited to and Proportionate to the Purpose for Processing

In its activities of processing of personal data, MobiQu observes whether the processed data is suitable to realize the purposes determined by it and pays attention to not processing your personal data which is not related to the realization of the purposes or is not needed. Pursuant to such principles also known as the data minimization principle, our Company obtains from your sufficient data aimed at the realization of the purpose for processing of personal data; so, it does not process your personal data which is not required.

The Principle of Storage for the Period Stipulated in the Relevant Legislation and Required for the Purpose for Processing

MobiQu takes technical and organizational measures to procure the appropriate security level for the purpose of preventing the illegal processing of your personal data, prevention of illegal access to your personal data and providing the storage of your personal data. In this context, MobiQu stores your personal data taking into consideration the periods stipulated in the relevant legislation and required for the purpose for processing. After the purpose for processing your personal data ceases to exist, unless there is another legal ground for storing, they are destructed by MobiQu.

Legal Grounds for Processing Your Personal Data

MobiQu processes your personal data based on one or more reasons stipulated in the Law. In this section of our Policy, we aim to inform you on what such legal grounds may be.

Your information relating to race, ethnical origin, political opinion, philosophical belief, religions, sect and other beliefs, dress and appearance, membership in foundation, association or union, health, sexual life/orientation, criminal convictions and security measures and biometric and genetic data are defined as 

Legal Grounds for the Processing Special Categories of Personal Data

We can process your special categories of personal data based on the below legal grounds:

• All your special categories of personal data excluding health and sexual life/orientation is processed only as explicitly envisaged under the laws. According to this legal ground, if our activity of processing such special categories of data is explicitly envisaged under applicable law, in this case we may process this data based the legal ground of “being explicitly envisaged under the law” without your explicit consent. If the case of being explicitly envisaged under a law is not present, it is asked whether your explicit consent is given for the processing of such personal data.
• We can only process your special categories of personal data in relation to health and sexual life/orientation by persons under the obligation of confidentiality such as a doctor, workplace doctor, pharmacist when one of the purposes of protection of the public health, conduction of medicine, medical diagnosis, treatment and care services, the planning and management of healthcare service and financing is present. If one of these legal grounds is not present, it is asked whether your explicit consent is given for the processing of such personal data.

Legal Grounds for Processing Your Other Personal Data

We base our process of processing all your personal data other than your special categories of personal data on one or more legal grounds given below:

• Being explicitly envisaged under the laws,
• Factual impossibility,
• Processing of your personal data being required for the established of an agreement between us or for the performance of an agreement between us,
• The activity of data processing being required to fulfill our legal obligations as MobiQu,
• Data processing being required for the establishment, exercise or protection of a right,
• Data processing being required for legitimate interests of MobiQu,
• Your explicit consent given to us in cases where at least one of the legal grounds mentioned above are not present.

In cases where your explicit consent is not sought for the processing of your personal data, your personal data is processed based on the other legal grounds mentioned above for the purposes specified in this Policy.

In cases where your personal data is processed based on your explicit consent, we would like to remind you that you may withdraw your consent anytime you wish. In such case, your withdrawal of your explicit consent does not affect the compliance with the Law of the data processing activities based on your consent prior to the date of withdrawal.

Storage of Personal Data

Your personal data may be stored;

1. for the periods stipulated in the legislation in effect (or other periods which legally require us to store longer) or
2. for the period required to provide our services and products to you or
3. for the periods required for the purposes of processing your personal data.

MobiQu reviews the storage periods for your personal data at certain intervals. According to these intervals, if there is no other legal ground requiring our processing of your personal data, they are destructed.

If you do not wish us to contact you anymore, for example if you do not wish to receive commercial messages to be informed on our campaigns, we will store a minimal amount of information of yours. Such keeping of minimal information is necessary to prevent us from contacting with you in the future. If you request us to delete all your information but want to use our products or take advantage of our services at a later date, we would like you to note that your request for not communicating with you earlier may not be recognized. Therefore, together with your request to not be able to communicate, your minimum personal data should be kept in order to keep your request in our records.

Sharing Your Personal Data

We may be required to share your personal data with third parties to provide a service or to deliver a product or to assist us to develop your experience with us or within the scope of the obligations in respect of the relevant agreements or within the scope of legal obligations. With “third parties”, social media agencies, subcontractors, sponsors, business partners, suppliers, legally authorized public institutions, manufacturers are meant. Such third parties may be in the country or abroad. In cases where we share with third parties aboard, we take the required legal actions and ensure the security of your personal data in accordance with the Law.

We regulate our relationships regarding the limited use by the parties which we share your personal data with and regarding data sharing for provision of data security. In processes in relation to sharing your personal data, we usually based on the legal grounds of legal obligation, the establishment, exercise or protection of a right and the legitimate interests of our Company to maintain our business activities. Your explicit consent is asked regarding sharing if these or one of the other legal grounds specified in the Law are not present.

We would like to present below to your attention about some example processes regarding sharing your personal data:

• We may share some of your personal data with authorized public institutions within the scope of auditing, investigation activities.
• From time to time we may organize campaigns with other establishments. When you wish to join such campaigns, your personal data may be shared with third parties such as business parties together with which we organize the campaign, media organizations, advertising agencies which promote the campaign within the scope of the consent given by you.
• We may receive professional services from third party service providers to conduct statistical analyses, make surveys for the purpose of supporting our advertisement and content production efforts.

The subjects in relation to the collection, use, sharing of your personal data by third parties in such manners are explained in their own policies of such third parties. The issues regulated in the policies of third parties may differ from MobiQu’s Policy. For this reason, reminding that MobiQu is not responsible for the policies of the third parties, we recommend that before you disclose your personal data to third parties, you should ensure that you read and understand the applicable policies of all third parties.

The Security of Your Personal Data

We value the security of your personal data and as MobiQu, we implement the required policies and procedures to provide the safe storage of your personal data processed by us. In this context, we limit the persons having access to your personal data and if there are third parties with which we shared your personal data, we regulate our relationships with the necessary instruments to limit the usability and accessibility of your personal data by such parties and to provide the security of your data.

The main organizational and technical measures we have taken for the security of your personal data are as follows:

• Network security and application security are provided.
• A closed system network is used for personal data transfers via the network.
• There are disciplinary regulations that include data security provisions for employees.
• An authorization matrix has been created for employees.
• Access logs are kept regularly.
• Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
• Confidentiality commitments are made.
• The authorizations of employees who have a change in duty or quit their job in this field are removed.
• Firewalls are used.
• The signed contracts contain data security provisions.
• Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format.
• Personal data security policies and procedures have been determined.
• Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
• The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
• Personal data is reduced as much as possible.
• Log records are kept without user intervention.
• Existing risks and threats have been identified.
• Protocols and procedures for special quality personal data security have been determined and implemented.
• If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using a KEP or corporate mail account.
• Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
• Intrusion detection and prevention systems are used.
• Cyber security measures have been taken and their implementation is constantly monitored.

Encryption is done.

1. x) Personal data transferred in portable memory, CD and DVD media are encrypted and transferred.

Your Rights in Respect of Protection of Your Personal Data

You have the below rights in respect of your personal data processed by MobiQu as explained in the Policy:

1. To learn whether your personal data is processed and if we processed, to obtain information regarding these,
2. To learn the purpose for processing your personal data and whether these are processed in accordance with intended purposes,
3. To learn the third parties, if any, in the country or abroad with which we shared your personal data,
4. In case your personal data is processed incompletely or inaccurately, to request rectification of these and to request the notification of the transactions made in this respect, if any, to third parties which we shared your personal data,
5. Even though we processed your personal data in compliance with the Law and the relevant legislation, to request the deletion or destruction of your personal data in case where the ground of processing is no longer present and to request the notification of the transactions made in this respect, if any, to third parties which we shared your personal data,
6. To object to occurrence of any unfavorable consequence for you by means of analysis of the processed personal data exclusively through automated systems,
7. If you incurred losses due to the unlawful processing of your personal data, to request the compensation of your loss.

If you wish to use one or more of the rights mentioned above, you can fill in the “Data Subject Application Form” published in our website of www.MobiQu.com and send it to us in one of the ways provided below:

• You can send it by post to Ahi Evran cad. No:6 Kat:1 No:1 42 Maslak Office SARIYER/Istanbul with an original (wet-ink) signature application in person or through notary public services.
• You can send an e-mail to info@mobiqu.com by bearing your mobile/electronic signature or using your e-mail address, provided that it already exists on our records (through a subscription or other correspondence, etc.).
• You can send an e-mail to our registered electronic mail (REM – KEP) address MobiQu@hs02.kep.tr, through your own registered electronic mail (REM – KEP) address.

MobiQu will reply to your application as soon as possible and at the latest within 30 (thirty) days.

Certain additional information may be requested from you to determine whether you are authorized to make an application and to reply to your request more quickly. Detailed explanation as to this is present in the Data Subject Application Form.