ICRYPEX BİLİŞİM A.Ş. CLARIFICATION TEXT FOR PERSONAL DATA

Dear Users; as ICRYPEX BİLİŞİM A.Ş., we would like to inform you about the rights of our Company for the methods of obtaining, processing, transferring, processing time of your personal data and your personal data.

As ICRYPEX BİLİŞİM A.Ş. (ICRYPEX), we show utmost sensitivity to the security of your personal data. With this awareness, we would like to state that we continue our activities with the awareness that the security of your personal data is particular importance in all the products and services we offer and shall offer to you, by giving the utmost importance to the security of your personal data.

As per the provisions of the Law on Protection of Personal Data No. 6698 and related regulations (PPD Regulations), any information that makes your identity specific or identifiable, including your sensitive personal data, is defined as Personal Data and they are processed by ICRYPEX in the capacity of Data Supervisor as described below and within the limits ordered by the legislation.

"Processing of Your Personal Data" refers to all actions taken on the data such as obtaining, saving, storing, maintaining, changing, reorganizing, disclosing, transferring, taking over, making it available, classifying or preventing this data use.

1. Method of Collecting Your Personal Data

   1. Your personal data is obtained by all agreement/information forms and other documents issued with your approval and/or signature, electronic confirmation and/or notifications with your signature, Our General Directorate, physical environments, call centres, internet sites, mobile applications, internet transactions, social media, and other public channels, user interviews, written/digital applications made to sales teams, companies providing call centre services, scanning forensic records, market intelligence, SMS channels and verbal, written, video, sound recording or electronic channels.

2. Our Purpose to Process Your Personal Data, Processing Time and Legal Reasons

   1. Your collected personal data is processed to fulfil legal and administrative obligations by our company, to conclude and execute the agreements with our Company, to be used in the products and services you buy/will buy from our Company, to be able to communicate about the products and services you buy/will buy, to provide an effective user service, to be used in marketing activities if you have given consent in this regard, to offer, model, report, score product/service, monitor risk, analyse, to detect current or new product studies and potential user, to ensure the legal and commercial security of people who have a business relationship with the Company, to determine and apply the commercial and business strategies of the Company, to ensure and develop coordination, cooperation and efficiency in the units and between units within the body of our Company, to settle current and future legal disputes, to reply requests and questions from our users, to ensure the security of our Company's website and other electronic systems and physical environments, to report changes in legislation or the rules and policies accepted by our Company, or to make other notifications that concern you and to investigate, detect, prevent violations of the agreement and law in order to perform activities we provide you and to fulfil our legitimate interests such as notifying the administrative or judicial authorities. It is not possible to share your personal data with another person and/or organization residing domestically or abroad for commercial purpose, without your explicit consent.
   2. ICRYPEX performs such processing activity, based on your explicit consent, in cases where;
      1. The processing activity is clearly prescribed by law,
      2. It is virtually impossible to obtain consent, but the processing activity is mandatory to protect the life or integrity of you or someone else,
      3. It is directly related to the establishment or performance of agreements to which ICRYPEX is a party;
      4. It is mandatory for ICRYPEX to fulfil its legal obligations;
      5. The relevant personal data has been shared by you personally;
      6. Data processing is mandatory for ICRYPEX to establish, exercise or protect a right;
      7. Data processing is mandatory for the legitimate interests of ICRYPEX, provided that it does not harm your fundamental rights and freedoms.

      However, your sensitive personal data is processed only for the purpose of the provision of health services with your explicit consent and if the processing is clearly prescribed by law.

   3. Your personal data shall be processed as limited to the duration of your relationship with ICRYPEX in general. After the end of the mentioned relationship, your data shall continue to be kept for 10 years that is general timeout period unless otherwise another period is legally foreseen and requested by you. In the event that such periods expire, your relevant personal data shall be deleted and subsequently destroyed. However, although it is not desired, if we have a dispute or process of a lawsuit with you, your personal data is subject to be stored and processed during the relevant dispute or litigation.

3. Transfer of Your Personal Data

   1. Your personal data may be transferred to the administrative and official authorities that need to be transmitted legally, third parties providing services to carry out our activities, program partner institution and organization we cooperate with, domestic/international organizations we cooperate with, domestic/abroad/international organizations from which services/ support/consultancy is provided or to which we are project/program partner, third parties we receive support in areas such as security, call centre, subcontractors, legal entities like organizations with independent auditing and support services, third parties we cooperate with in order to ensure the legal and commercial security and/or security of electronic and physical environments due to legal obligations and within legal restrictions.
   2. As ICRYPEX, we may transfer, process and store your personal data in servers, hosting companies and other electronic media such as software, cloud computing, etc. which provide storage, archiving, the support of information technology in Turkey or especially EU countries, America, Britain, foreign countries including OECD countries,

4. Security Measures

   1. The most important matters for your personal data are ensuring the security of your personal data kept both physically and digitally, and preventing illegal processing and illegal access to such data. For this purpose, ICRYPEX has taken all administrative and technical measures, including but not limited to signing of confidentiality agreements with the personnel, building authority hierarchy, creating relevant internal policies and processes, using encryption, virus or trojan software and secure data transfer mechanisms such as STP or similar, creating a security wall, within the framework of cost and effectiveness criteria, taking into consideration the risks of possible violations and losses. Despite of all these measures taken, “ICRYPEX Data Breach Response Plan” was prepared and put into practice regarding the processes to be implemented in case of a data breach.

5. Your Rights Regarding Your Personal Data

   1. By applying to the Company, you have the right to I) learn whether your personal data is processed, II) request information if it is processed, III) learn the purpose of processing and whether it is used for intended purpose, IV) know the third parties in Turkey/abroad to whom it is transferred, V) request correction if it is processed deficiently/wrongly, VI) request the deletion or destruction of personal data if the reasons requiring the processing of personal data are removed, VII) request to notify third parties, to whom data is transferred, of the transactions made in accordance with the clauses (V) and (VI) mentioned above, VIII) object to the occurrence of a result against you because it is analysed exclusively by automated systems, IX) claim the loss if you suffer damage due to illegal processing.

6. Application Method

   1. You may submit your requests regarding your rights stated in article (4) to ICRYPEX's address below in person or through a notary public or to the e-mail address stated below under the application you will make by using your e-mail address that you notified during the account opening and registered in the ICRYPEX system. You can obtain "Information Request Form" regarding the applications here.
   2. Although your requests shall be concluded free of charge as a rule; if the answer to your application exceeds 10 pages, 1 TL per page exceeding and the cost incurred by our Company to meet this request if you request a copy of the relevant information and documents to be sent to you, shall be collected by our Company.

7. Anti-Money Laundering Officer

   1. Anti-Money Laundering Officer is an Icrypex employee charged with ensuring compliance with AML Policy: Anti-Money Laundering Officer is charged with,
      1. Collection of customer identification information;
      2. Creating, reviewing and supplying all necessary reports in accordance with current laws and regulations, and creating and updating internal policies and procedures for maintaining;
      3. Monitoring and analysing significant deviations from customers' unusual activities;
      4. Implementing a record management system for recording and retrieving documents, files, forms and daily session entries and exits;
      5. Updating risk assessments regularly;

8. Training, Updating and Internal Audit

   1. Icrypex fulfils personnel policy and procedures in accordance with the applicable legislation, and all obligations within the scope of training. In this context, it provides much training to its personnel, especially the Anti-Money Laundering Procedure, and ensures that this information is kept up to date.
   2. Icrypex periodically audits whether activities regarding “Law on Money Laundering and Terrorism Financing”, regulations and communiqués are in compliance with the applicable legislation, Company policies and procedures.

In written applications ICRYPEX Bilişim A.Ş.

Maslak Neigh. Maslak Meydan Str. Spring Giz Plaza N:5/57 34396, Sarıyer, Istanbul TURKEY

In applications by an electronic mail

[email protected]