INFORMATION TEXT ON THE PROCESSING OF PERSONAL DATA

The purpose of this Information Text on the Processing of Personal Data is to establish the terms and conditions regarding the processing of personal data shared with our company by users who benefit from our company's services wıth or without becoming members of our mobile app(Heybie) www.heybie.com website ("Site") operated by HEYBİE BİLİŞİM TEKNOLOJİLERİ VE DİJİTAL HİZMETLER ANONİM ŞİRKETI ("Our Company") as the data controller, and/or visit the Site, and to inform Users in accordance with the Personal Data Protection Law No. 6698 ("Law").

Under this information text, you are provided with information about which personal data is processed, for what purpose your personal data may be processed, the method and legal basis for collecting your personal data, the parties to whom your personal data may be transferred, and your rights.

Which Personal Data Do We Process?

1. What Are Your Personal Data?

Your personal data means information that identifies or can identify you. The following personal data may be processed:

Identity Information: Name, Surname, and Turkish ID Number, Contact Information: Phone number, email address, and other contact information, Visual Records: Profile photo, face verification video User Transaction: Ratings, reviews, tips, photos, comments, likes, bookmarks, lists, etc. created by the user to be published or displayed in public areas. Marketing: Survey, Cookie records, Information obtained through campaign work, etc.

Apart from those listed above, Our Company may obtain information about the user's Site usage through cookies (Cookie), which is a technical communication file, and IP information is collected through cookies for access and usage habits of services offered on the application. This information includes which IP address the application user connects from, where they go on the application and site, what they click on, as well as statistics such as number of visitors, user type, visit frequency, user behaviors and habits, which countries users visit the site from, etc. Information that may be collected and processed includes: which site users came from and which site they visited after, users' geographical locations, reactions to advertising banners on the site, personal information users voluntarily provided to the application and business partners' sites, preferences made on the site, actions related to our site and business partners' pages on social sharing sites.

2. Purposes of Processing Your Personal Data:

Your personal data may be processed for the following purposes:

  • Implementation of services and operations,

  • Fulfilling rights and obligations arising from the contract signed with the customer,

  • Providing information about changes in services,

  • Planning, tracking and execution of finance and accounting activities,

  • Planning and execution of commercial works, studies, operations for development, monitoring, control,

  • Planning and execution of physical/electronic security works of the Company,

  • Planning and execution of advertising, sales and marketing operations for customers,

  • Planning and execution of activities for developing and/or customizing products and services by analyzing customers' usage habits and tendencies,

  • Planning and execution of demand and complaint management activities for receiving, evaluating and finalizing demands and complaints,

  • Execution of strategic planning activities,

  • Improving services and managing operational requirements,

  • Risk management,

  • Detection of malicious transactions and measurement of risk levels,

  • Fulfilling legal obligations or resolving disputes

3. Method and Legal Basis for Collecting Your Personal Data

Your personal data is collected through our website, mobile application and social media accounts, electronically filled communication forms, membership application forms, cookies and similar tracking technologies, information and documents you have sent to our Company through mail, cargo or courier services, any contracts you have signed with our Company, and partially or fully automated or non-automated methods verbally, in writing or electronically in accordance with the legislation and agreements to the extent permitted by law. Your personal data collected from these channels is processed based on the following legal grounds:

  • Being explicitly provided for in the laws,

  • Being mandatory for the protection of life or physical integrity of the person or of any other person who is unable to express their consent due to physical impossibility or whose consent is not legally valid,

  • Being necessary for the establishment, exercise or protection of a right,

  • Being necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject,

  • The data subject has given their explicit consent,

  • Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract,

  • It is mandatory for the data controller to fulfill their legal obligation,

  • The data has been made public by the data subject themselves.

4. Parties to Whom Your Personal Data May Be Transferred and Purposes of Transfer

Your personal data may be transferred to our Company's affiliates, business partners, suppliers, banks, financial institutions, and other real or legal persons and their business partners, regulatory and supervisory institutions and other official institutions, public institutions or organizations authorized to request your personal data, including but not limited to, necessary and authorized persons and organizations in Turkey and abroad, in accordance with the personal data processing conditions specified in Articles 8 and 9 of Law No. 6698 within the scope of the aforementioned Purposes.

5. Rights of the Personal Data Subject Under Article 11 of Law No. 6698

As personal data subjects, you have the following rights:

  1. To learn whether your personal data is being processed,

  1. To request information if your personal data has been processed,

  1. To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,

  1. To know the third parties in Turkey or abroad to whom your personal data has been transferred,

  1. To request rectification in case your personal data has been processed incompletely or inaccurately and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,

  1. To request deletion or destruction of your personal data in the event that the reasons requiring their processing cease to exist, although they have been processed in accordance with the provisions of Law No. 6698 and other relevant legal provisions, and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,

  1. To object to any outcome against you by analyzing your processed data exclusively through automated systems,

  1. To claim compensation if you suffer damage due to unlawful processing of your personal data.

You have the right to exercise these rights. As data subjects, if you submit your requests regarding your rights to our Company through info@heybie.com, your request will be concluded as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee determined by the Personal Data Protection Board will be charged.

Personal Data Protection and Processing Policy

According to Article 20 of the Constitution of the Republic of Turkey, everyone has the right to request the protection of their personal data. This right includes being informed about personal data concerning themselves, accessing this data, requesting its correction or deletion, and learning whether it is being used for its intended purposes.

Law No. 6698 on Protection of Personal Data ("Law"), which came into force upon publication in the Official Gazette on 07.04.2016, regulates the protection of fundamental rights and freedoms of individuals in processing personal data and the obligations and procedures that must be followed by real and legal persons processing personal data. The purpose of this Policy is to ensure compliance with the obligations under the Law.

This Personal Data Protection and Processing Policy ("Policy") contains HEYBİE BİLİŞİM TEKNOLOJİLERİ VE DİJİTAL HİZMETLER ANONİM ŞİRKETI's ("Company") declarations and explanations regarding the processing of personal data under the Law belonging to real persons other than Company employees, primarily customers, visitors, suppliers, and other third parties.

Our Company reserves the right to make changes to the Policy to provide up-to-date information about our practices and legal regulations regarding the protection of Personal Data. In case of substantial changes to the Policy, Data Subjects will be informed through various channels.

The definitions of concepts used within this Policy are given below, taking into account personal data protection legislation:

CONCEPTS

DEFINITIONS

Explicit consent

Refers to consent declaration made freely by the Data Subjects regarding a specific subject, based on information.

Anonymization

Refers to rendering personal data impossible to link with an identified or identifiable natural person, even through matching with other data.

Related person/Data subject

Refers to the natural person whose personal data is processed.

Personal data

Refers to any information relating to an identified or identifiable natural person.

Special categories of personal data

Refers to data that, if disclosed or lost, could cause the Data Subject to suffer or face discrimination, which is subject to stricter protection under the Law.

Processing of personal data

Refers to any operation performed upon personal data such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification or preventing the use thereof, whether fully or partially through automatic means or provided it is part of a data filing system, through non-automatic means.

Data filing system

Refers to the filing system where personal data is processed by structuring according to certain criteria.

Data controller

Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data filing system.

Data processor

Refers to the natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller.

Principles Regarding Data Privacy

According to Article 3 of the Law, any operation performed on personal data such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification or preventing the use thereof, whether fully or partially through automatic means or provided it is part of a data filing system, through non-automatic means, falls within the scope of personal data processing. Our Company acts in accordance with the following general principles regarding Personal Data Processing activities:

Acting in accordance with law and good faith: Our Company carries out personal data processing activities in accordance with the Constitution, primarily the Law on Protection of Personal Data and relevant legislation, in compliance with the law and rules of good faith.

Accuracy and being up to date: Our Company provides Data Subjects with the opportunity to update their Personal Data and takes necessary measures to ensure accurate transfer of data to databases.

Processing for specific, explicit, and legitimate purposes: Our Company limits Personal Data Processing activities to specific and legitimate purposes and informs Data Subjects clearly about these purposes through information texts.

Being connected, limited, and proportionate to the purpose for which they are processed: Personal Data is processed by our Company to the extent necessary for the purpose notified to the Data Subject at the time of collection, connected and limited to this purpose.

Being stored for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed: Our Company stores personal data for the period stipulated in the applicable legislation or required by the purposes of the data processing activity. In this context, if legal obligations regarding the processing time of Personal Data exist, these are strictly followed. If such periods expire, the data is deleted, destroyed, or anonymized in accordance with Company procedures.

Personal Data Processing Conditions

Apart from the data subject's explicit consent, personal data processing activity may be based on only one or more of the conditions specified below. If the processed data is special category personal data, the conditions specified below for such data will apply.

(i) Data Subject's Explicit Consent Exists One of the conditions for processing personal data is the data subject's explicit consent. The data subject's explicit consent must be specific to a particular subject, based on information, and expressed freely. In the presence of the personal data processing conditions listed below, personal data may be processed without obtaining the data subject's explicit consent.

(ii) Explicitly Provided for by Laws If the processing of the data subject's personal data is explicitly provided for by law, in other words, if there is an explicit provision in the relevant law regarding the processing of personal data, the existence of this data processing condition can be mentioned.

(iii) Unable to Obtain Explicit Consent Due to Physical Impossibility Personal data of the person who cannot express their consent due to physical impossibility or whose consent cannot be considered legally valid may be processed if it is necessary to protect their own life or physical integrity or that of another person.

(iv) Direct Connection with the Establishment or Performance of a Contract This condition will be considered fulfilled if the processing of personal data is necessary for the establishment or performance of a contract to which the data subject is a party.

(v) Fulfillment of Legal Obligation by Our Company Personal data of the data subject may be processed if processing is mandatory for our Company to fulfill its legal obligations.

(vi) Data Subject Makes Their Personal Data Public If the data subject has made their personal data public, the relevant personal data may be processed limited to the purpose of making it public.

(vii) Data Processing is Mandatory for Establishment or Protection of a Right Personal data of the data subject may be processed if data processing is mandatory for the establishment, exercise, or protection of a right.

(viii) Data Processing is Mandatory for Our Company's Legitimate Interest Personal data of the data subject may be processed if data processing is mandatory for our Company's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.

a. Processing of Special Categories of Personal Data Special categories of personal data are processed by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical measures, including methods to be determined by the Board, and in the presence of the following conditions:

(i) Special categories of personal data other than health and sexual life may be processed without seeking the explicit consent of the data subject if it is explicitly provided for by laws, in other words, if there is an explicit provision in the relevant law regarding the processing of personal data. Otherwise, the data subject's explicit consent will be obtained.

(ii) Special categories of personal data relating to health and sexual life may be processed without seeking explicit consent for purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, by persons under obligation of confidentiality or authorized institutions and organizations. Otherwise, the data subject's explicit consent will be obtained.

b. Informing the Personal Data Subject Our Company informs data subjects about who processes their personal data as a data controller, for what purposes it is processed, with whom and for what purposes it is shared, by what methods it is collected and the legal reason, and the rights of data subjects regarding the processing of their personal data in accordance with Article 10 of the Law and secondary legislation.

Personal Data Collected by Our Company

Personal Data collected by our Company varies according to the nature of the relationship and legal obligations with our Company.

Our collected Personal Data can be listed as follows:

  • Identity Information: Name surname, Date of birth, Place of birth, Marital status, etc.

  • Contact Information: Location information, Email address, Contact address, Phone Number, etc.

  • Legal Transaction Information: Information in correspondence with judicial authorities, Information in case files, etc.

  • Customer Transaction Information: Call center records, Invoice, Request information, etc.

  • Transaction Security: IP address information, Website and mobile application login/logout information, Password information, etc.

  • Risk Management: Information processed for managing commercial, technical, administrative risks, etc.

  • Finance: Balance sheet information, Financial performance information, Credit and risk information, Asset information, etc.

  • Marketing: Shopping history information, Survey, Cookie records, Information obtained through campaign work, etc.

  • Visual and Audio Records: Photographs, camera recordings, etc.

  • Special Categories of Personal Data (association, foundation or union membership information, health-related data, biometric data)

  • Family Members and Relatives Information: Information about the Data Subject's children, spouses, contact information and professional, educational information, etc.

  • Employee Candidate Information: Resume, personality test results, etc.

  • Area of Interest Information: Particularly information about the interests of users and user candidates.

  • Request/Complaint Management Information (information and records related to requests and complaints made to our Company about our products and services associated with the person, and information about reports where the results are evaluated by relevant business units, etc.)

Our Personal Data Processing Purposes

Your personal data may be processed within the scope of Articles 5 and 6 of the Law regarding Personal Data Processing conditions and:

  • Within the scope of designing, coordinating, developing, executing, and planning business development activities specific to the Company:

  1. Carrying out necessary transactions/records/notifications, fulfilling obligations, communicating with official institutions, providing information to authorized institutions

  1. Establishment and performance of contracts, conducting, managing, planning, and executing customer relations, and providing post-contract services

  1. Monitoring, planning, and executing activities related to external service/consultancy procurement

  1. Planning, monitoring, and executing finance and accounting activities

  1. Execution of strategic planning activities

  1. Carrying out, planning, and executing activities/developments and analyses for system access

  1. Planning and executing information technology and data security activities

  1. Planning and executing activities for developing, monitoring, controlling commercial works, studies, operations

  1. Carrying out reporting for control, data management, analysis, social activities, process development, and similar activities

  1. Planning and executing crisis and emergency management activities

  1. Planning and executing works for physical/electronic security of the Company

  • Within the scope of designing and executing activities for personalizing, profiling, promoting, and marketing products and services:

  1. Planning and executing actions to increase brand perception level and brand management activities

  1. Planning and executing advertising, sales, and marketing operations for customers

  1. Planning, managing, and executing organizations, meetings, invitations, and events

  1. Conducting and analyzing studies on liking, loyalty, profiling, satisfaction regarding products and services

  1. Planning and executing special campaigns and promotions for customers

  1. Planning and executing activities for developing and/or customizing products and services by analyzing customers' usage habits and tendencies

  1. Planning and executing market research activities related to products and services

  • Within the scope of designing and/or executing demand and complaint management and after-sales processes:

  1. Planning and executing demand and complaint management activities for receiving, evaluating, and finalizing demands and complaints

  1. Carrying out operations, research, analysis, reporting activities for entering into or renewing contracts with customers

  1. Carrying out and monitoring transactions and activities for after-sales services and fulfilling contractual obligations

  • Within the scope of planning, executing, and managing corporate relationships:

  1. Management, development, planning, and execution of supplier/business partner relationships

  1. Design, development, and execution of corporate governance and communication activities

  1. Planning and/or executing business continuity activities

  1. Execution of strategic planning activities

  • Within the scope of ensuring legal, technical, and commercial-business security of the Company and related persons in business relationship with the Company, and activities for fulfilling legal obligations:

  1. Planning and executing organizational structuring, monitoring, and studies for carrying out Company activities in accordance with Company policies, directives, articles of association, and relevant legislation

  1. Providing information to authorized institutions and organizations due to legal obligations and/or fulfilling activities and obligations related to auditing

  1. Ensuring security of physical and/or electronic environments of the Company and parties with whom the Company has relationships

  1. Keeping records of participants in organizations and events

  1. Planning and executing record-keeping and listing activities related to parties with whom the Company has business relationships

  1. Carrying out activities to ensure data is kept accurate and up-to-date

  1. Planning and/or executing Occupational Health and/or safety processes

  1. Planning and executing operations and studies in accordance with the law regarding all types of visitors entering and exiting the Company

  1. Organizing, planning, executing, and auditing studies for commercial security of the Company and/or persons with whom the Company has business relationships

Storage of Personal Data

When determining personal data storage periods, our Company makes determinations by considering the current legislation and the purposes of processing the data involved in the process. In this context, legal obligations related to Personal Data Processing activities and statute of limitations periods, if any, are always taken into consideration. If the purpose of Personal Data Processing ceases to exist, the data is deleted, destroyed, or anonymized unless there is another legal reason or basis for keeping the Personal Data. You can find detailed information about this in the PERSONAL DATA STORAGE and DESTRUCTION POLICY at wwwheybie.com.

Transfer of Personal Data

Your Personal Data may be shared with our Company's affiliates located in Turkey or abroad, our business partners, any supplier companies with whom we cooperate and/or receive services for the provision of services to you by our company, banks, financial institutions, and other real or legal persons and their business partners, regulatory and supervisory institutions and other official institutions, public institutions or organizations authorized to request your personal data, including but not limited to, necessary and authorized persons and organizations in Turkey and abroad, in accordance with the personal data transfer conditions specified in Articles 8 and 9 of Law No. 6698, within the scope of the above purposes. In cases where your Personal Data is shared, our Company takes necessary measures to ensure that the party receiving the data processes and transfers in accordance with the rules in this Policy and the provisions in the legislation.

Your Personal Data may also be subject to transfer in case of partial or complete change of ownership of our Company through means such as share sale or merger, division, or type change. In case your Personal Data is transferred in this context, necessary steps will be taken to ensure that the party receiving the data also acts in accordance with the processing and transfer rules in this Policy.

Transfer of your Personal Data abroad can only occur if:

  • You have given explicit consent, or

  • In cases where one or more of the other data processing conditions specified in the Law are met;

  1. There is adequate protection in the country where the data is transferred, or

  1. In case there is not adequate protection in the country where the data is transferred, our Company and the Data Controller in the relevant foreign country jointly commit to providing adequate protection in writing and permission is obtained from the Personal Data Protection Board.

Data Security

Our Company takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental data losses, deliberate deletion, or damage to your Personal Data. You can find detailed information about this in the PERSONAL DATA STORAGE and DELETION POLICY.

Rights of Data Subjects

According to Article 11 of the Law, Data Subjects have the following rights against the Data Controller:

  • Learning whether their Personal Data is being processed, requesting information if it has been processed.

  • Learning the purpose of processing Personal Data and whether they are used in accordance with their purpose.

  • Knowing third parties to whom Personal Data is transferred domestically or abroad.

  • Requesting correction if Personal Data is processed incompletely or inaccurately.

  • Requesting deletion or destruction of Personal Data within the framework of conditions stipulated in relevant legislation.

  • Requesting notification of the operations carried out to third parties to whom Personal Data has been transferred.

  • Objecting to the emergence of a result against themselves by analyzing the processed data exclusively through automated systems.

  • Demanding compensation for damages if they suffer damage due to unlawful processing of Personal Data.

Article 28(2) of the Law lists cases where data subjects do not have the right to make claims, and in this context:

  • Processing Personal Data is necessary for prevention of crime or criminal investigation,

  • Processing of personal data made public by the data subject themselves,

  • Processing Personal Data is necessary for supervisory or regulatory duties and disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations with public institution status, based on the authority given by the law,

  • Processing Personal Data is necessary for protecting the State's economic and financial interests regarding budget, tax, and financial matters,

In these cases, the rights listed above cannot be used except for the right to claim compensation for damages.

Exercise of Rights by Data Subjects

For effective exercise of these rights, you must fill out the form at www.heybie.com with necessary information identifying you and other required information, including your explanations about your right that you want to exercise among the rights specified in Article 11 of the KVKK, and you can:

  • Personally deliver a signed copy of the form to FENERBAHÇE MAH. İĞRİP SK. NO: 13 INTERNAL DOOR NO: 1 KADIKÖY/ISTANBUL with documents verifying your identity,

  • Send by registered mail with return receipt,

  • Send through notary, or

  • Send through other methods specified in the KVKK, or

  • Send the relevant form to info@heybie.com with secure electronic signature.

For third parties to make application requests on your behalf, you must have given them a special power of attorney issued by a notary.

Our Company may request information from the Related Person to determine whether the applicant is the Data Subject and may ask questions to the Data Subject about their application to clarify the matters stated in the application.