Privacy Notice on the Processing of Personal Data
Last Updated: June 16, 2025
1. Identity of the Data Controller
PeraPole Yazılım ve Bilişim Tek. San. Tic. A.Ş. (“PeraPole”) carries out data processing activities as the “Data Controller” within the scope of the Personal Data Protection Law No. 6698 (“KVKK”).
This Privacy Notice has been prepared to inform the data subjects about the processes and principles of processing personal data within the scope of the Peraxion mobile application and related services developed by PeraPole.
2. Definitions
Explicit consent: Consent that is based on information regarding a specific subject and is freely given.
Anonymization: Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching it with other data.
Data subject: The natural person whose personal data is processed.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of such data, whether fully or partially by automated means or by non-automated means provided that it is part of any data recording system.
Board: The Personal Data Protection Board.
Authority: The Personal Data Protection Authority.
Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data recording system: The recording system in which personal data is structured and processed according to certain criteria.
Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
3. Legal Grounds for Data Processing Activities
Personal data processed within the scope of the Peraxion application is stored for the period stipulated by the current legislation and is processed based on the following legal grounds. In this context, personal data is processed within the framework of:
- Personal Data Protection Law No. 6698
- Turkish Code of Obligations No. 6098
- Social Insurance and General Health Insurance Law No. 5510
- Law No. 5651 on Regulating Broadcasts Made on the Internet and Combating Crimes Committed Through Such Broadcasts
- Occupational Health and Safety Law No. 6331
- Labor Law No. 4857
- Turkish Commercial Code No. 6102
- Public Procurement Law No. 4734
- Public Procurement Contracts Law No. 8529
- Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Extensions
- Regulation on Archive Services
- Other relevant laws and secondary regulations
and stored for the retention periods stipulated under the relevant laws.
4. Conditions for Processing Personal Data
Except for the exceptions defined in the KVKK, PeraPole processes personal data by obtaining the explicit consent of the data subjects. The cases where data can be processed without the explicit consent of the data subject under the provisions of Article 5 of the KVKK are:
- It is expressly provided for by the laws.
- It is necessary for the protection of the life or physical integrity of the person or of any other person who is unable to express their consent due to physical disability or whose consent is not legally valid.
- It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of that contract.
- It is necessary for the data controller to fulfill its legal obligation.
- The data has been made public by the data subject themself.
- Data processing is necessary for the establishment, exercise, or protection of a right.
- Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
According to Article 6(2) of the KVKK, the explicit consent of the data subjects must be obtained for the processing of special categories of personal data. Special categories of personal data other than health and sexual life data may be processed without the explicit consent of the data subject in cases stipulated by law.
Personal data concerning health and sexual life may only be processed without seeking the explicit consent of the data subject by persons under the obligation of confidentiality or by authorized institutions and organizations, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
5. Purposes of Processing Personal Data
Personal data that may be collected during your use of the Peraxion application is processed by PeraPole for the following purposes:
- Execution of Emergency Management Processes
- Execution of Information Security Processes
- Execution of Employee Candidate / Intern / Student Selection and Placement Processes
- Execution of Employee Candidates' Application Processes
- Execution of Employee Satisfaction and Loyalty Processes
- Fulfillment of Obligations Arising from Employment Contracts and Legislation for Employees
- Execution of Fringe Benefits and Interests Processes for Employees
- Execution of Training Activities
- Execution of Access Authorizations
- Ensuring Activities are Conducted in Accordance with Legislation
- Execution of Finance and Accounting Affairs
- Ensuring Physical Space Security
- Execution of Assignment Processes
- Follow-up and Execution of Legal Affairs
- Execution of Communication Activities
- Planning of Human Resources Processes
- Execution / Audit of Business Activities
- Execution of Occupational Health / Safety Activities
- Execution of Logistics Activities
- Execution of Goods / Services Purchasing Processes
- Execution of After-Sales Support Services for Goods / Services
- Execution of Goods / Services Sales Processes
- Execution of Goods / Services Production and Operation Processes
- Execution of Customer Relationship Management Processes
- Execution of Activities for Customer Satisfaction
- Organization and Event Management
- Execution of Marketing Analysis Studies
- Execution of Performance Evaluation Processes
- Execution of Advertising / Campaign / Promotion Processes
- Execution of Storage and Archive Activities
- Execution of Contract Processes
- Execution of Sponsorship Activities
- Follow-up of Requests / Complaints
- Ensuring the Security of Movable Property and Resources
- Ensuring the Security of Data Controller Operations
- Providing Information to Authorized Persons, Institutions, and Organizations
- Creation and Follow-up of Visitor Records
6. Retention Periods of Personal Data
Personal data processed by PeraPole is stored and preserved within the framework of the legal periods specified in the table below.
- Identity: 10 Years
- Contact: 10 Years
- Personnel: 10 Years
- Legal Transaction: 10 Years
- Customer Transaction: 10 Years
- Transaction Security: 2 Years
- Finance: 10 Years
- Professional Experience: 10 Years
- Visual and Auditory Records: 2 Years
- Photographs: 10 Years
- Health Information: 10 Years
- Criminal Conviction and Security Measures: 10 Years
7. Transfer of Personal Data
PeraPole complies with the KVKK and relevant legislation regarding the sharing of personal data with third parties. In this context, personal data is not transferred by PeraPole to third parties without the explicit consent of the data subject. However, in the presence of one of the following conditions defined by the KVKK, personal data may be transferred by PeraPole to third parties without the explicit consent of the data subject.
- It is expressly provided for by the laws.
- It is necessary for the protection of the life or physical integrity of the person or of any other person who is unable to express their consent due to physical disability.
- It is directly related to the establishment or performance of a contract.
- It is necessary for the data controller to fulfill its legal obligation.
- The data has been made public by the data subject themself.
- Data processing is necessary for the establishment, exercise, or protection of a right.
- Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Your personal data may be transferred without explicit consent for special categories of personal data other than health and sexual life, provided that adequate measures are taken, in cases stipulated by law; and for special categories of personal data concerning health and sexual life, for purposes such as protecting public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing.
In the transfer of special categories of personal data, the conditions specified for the processing of such data are also complied with.
8. Obligation to Inform
Within the framework of the obligation to inform under Article 10 of the KVKK, the information that must be provided to data subjects is as follows:
- The identity of the data controller and, if any, its representative.
- The purpose for which personal data will be processed.
- To whom and for what purpose the processed personal data can be transferred.
- The method and legal reason for collecting personal data.
- Other rights listed in Article 11 of the KVKK.
Within the framework of Article 28(1) of the KVKK, PeraPole does not have an obligation to inform in the following cases:
- Processing of personal data by natural persons entirely within the scope of activities related to themselves or their family members living in the same residence, provided that it is not given to third parties and the obligations regarding data security are complied with.
- Processing of personal data for purposes such as research, planning, and statistics by anonymizing it with official statistics.
- Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights.
- Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security.
- Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial, or execution proceedings.
Other cases where there is no obligation to inform under Article 28(2) of the KVKK:
- The processing of personal data is necessary for the prevention of crime or for criminal investigation.
- Processing of personal data made public by the data subject themself.
- The processing of personal data is necessary for the disciplinary, supervisory, or regulatory duties of public institutions and professional organizations with public institution status, based on legal authority.
- The processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax, and financial matters.
9. Rights of the Data Subject
Everyone has the right to apply to the data controller and to:
- Learn whether personal data is processed,
- Request information if personal data has been processed,
- Learn the purpose of processing personal data and whether it is used in accordance with its purpose,
- Know the third parties to whom personal data is transferred at home or abroad,
- Request the correction of personal data if it is incomplete or incorrectly processed,
- Request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,
- Request notification of the operations carried out in compliance with subparagraphs (d) and (e) to third parties to whom personal data has been transferred,
- Object to the occurrence of a result against the person themself by analyzing the processed data exclusively through automated systems,
- Request the compensation of the damage in case of loss due to the unlawful processing of personal data.
10. Data Subject Application Process
PeraPole will process your legal requests through the “PeraPole Personal Data Subject Application Form”. PeraPole will conclude your application requests free of charge within 30 (thirty) days at the latest, depending on the nature of the request, in accordance with Article 13 of the KVKK. If the request is rejected, the reason for rejection will be notified to you in writing or electronically with justifications.
Within the framework of Article 28(1) of the KVKK, data subjects cannot exercise the rights defined in Article 11 of the KVKK in the following cases:
- Processing of personal data by natural persons entirely within the scope of activities related to themselves or their family members living in the same residence, provided that it is not given to third parties and the obligations regarding data security are complied with.
- Processing of personal data for purposes such as research, planning, and statistics by anonymizing it with official statistics.
- Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights, or does not constitute a crime.
- Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security.
- Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial, or execution proceedings.
The rights defined in Article 11 of the KVKK cannot be used in the following cases:
- The processing of personal data is necessary for the prevention of crime or for criminal investigation.
- Processing of personal data made public by the data subject themself.
- The processing of personal data is necessary for the disciplinary, supervisory, or regulatory duties of public institutions and professional organizations with public institution status, based on legal authority.
- The processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax, and financial matters.
Data subjects can send their legal applications regarding the processing of personal data to the address PeraPole PERPA Tic. Mer. B-Blok Kat:2 No:65 34385 Okmeydani – İSTANBUL / TÜRKİYE in person / via a notary, or to the email address bilgi@PeraPole.com.tr with the subject line “KVKK Data Subject Application” from their e-mail addresses registered in our system.
11. Measures Taken to Ensure Data Security
11.1. Administrative Measures
- Disciplinary regulations containing data security provisions for employees are available.
- Training and awareness activities on data security are conducted for employees at regular intervals.
- An authorization matrix has been created for employees.
- Corporate policies on access, information security, use, storage, and disposal have been prepared and implemented.
- Confidentiality agreements are made.
- The authorizations of employees who change their duties or leave their jobs are revoked.
- Signed contracts include data security provisions.
- Extra security measures are taken for personal data transferred on paper, and the relevant document is sent in a confidential document format.
- Personal data security policies and procedures have been determined.
- Personal data security problems are reported quickly.
- Personal data security is monitored.
- Necessary security measures are taken regarding entries and exits to physical environments containing personal data.
- The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
- The security of environments containing personal data is ensured.
- Personal data is minimized as much as possible.
- Internal periodic and/or random audits are conducted and commissioned.
- Existing risks and threats have been identified.
- Protocols and procedures for the security of special categories of personal data have been determined and implemented.
- The data security of data processing service providers is audited at regular intervals.
- The awareness of data processing service providers on data security is ensured.
11.2. Technical Measures
- Network security and application security are provided.
- A closed system network is used for personal data transfers via the network.
- Key management is applied.
- Security measures are taken within the scope of procurement, development, and maintenance of information technology systems.
- The security of personal data stored in the cloud is ensured.
- Access logs are kept regularly.
- Data masking measures are applied when necessary.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- Personal data is backed up and the security of the backed-up personal data is also ensured.
- A user account management and authorization control system is implemented and monitored.
- Log records are kept in a way that prevents user intervention.
- Existing risks and threats have been identified.
- If special categories of personal data are to be sent via e-mail, they are sent encrypted and using a KEP or corporate e-mail account.
- Secure encryption / cryptographic keys are used for special categories of personal data and are managed by different units.
- Intrusion detection and prevention systems are used.
- Penetration testing is applied.
- Cybersecurity measures have been taken and their implementation is continuously monitored.
- Encryption is performed.
- Special categories of personal data transferred on portable memory, CD, DVD media are transferred encrypted.
- Data loss prevention software is used.
12. Other Matters
The policy is published in two different media, wet-signed (printed paper) and electronic, and is made public on the website.
In case of any inconsistency between the provisions of the KVKK and the relevant legislation and this Policy, the provisions of the KVKK and the relevant legislation will be applied first.
The policy is announced to the relevant persons by being published on the PeraPole corporate website.
In the event of an update to the Policy, the new policy document will come into force by being announced and published in the same way.
This Policy has been prepared for the Peraxion product developed by PeraPole Yazılım ve Bilişim Tek. San. Tic. A.Ş. and entered into force on 16.06.2025.