FINAPP - Privacy, Personal Data Protection, Processing and Destruction Policy

Chapter - Introduction

Introduction, Purpose and Scope

Personal Data Protection Law No. 6698 ("PDP Law"), prepared over many years to comply with European Union criteria, was published in the Official Gazette on April 7, 2016, and entered into force. The PPD Law largely includes regulations aligned with the European Union's Directive 95/46/EC, and with the enactment of the PPD Law, the holistic protection of individuals' personal data has been legally regulated.

The protection of personal data is of great importance to FINAPP MOBILE OU ("FINAPP"). According to the Constitution of the Republic of Turkey, everyone has the right to request the protection of their personal data. Personal data protection is a top priority for FINAPP, and FINAPP takes due care to protect the personal data of applicants, FINAPP officials, visitors, collaborating institutions and their employees, shareholders, and officials, as well as third parties, as governed by this Personal Data Protection, Processing, and Destruction Policy ("Policy").

Within the framework of FINAPP's principles of superior service quality, respect for individual rights, transparency, and integrity, and in line with the new regulations stipulated by the Personal Data Protection Law, FINAPP prioritizes regulating FINAPP's internal operations within the scope of the Personal Data Protection Law, secondary regulations, the decisions and regulations of the Personal Data Protection Board, and other relevant legislation. Therefore, this Policy has been drafted and implemented to ensure that our customers benefit from the rights granted by the Personal Data Protection Law and to ensure compliance with the Law. In this context, FINAPP takes the necessary administrative and technical measures to protect personal data processed in accordance with the relevant legislation.

The purpose of this Policy is to ensure that the regulations to be introduced by FINAPP within the framework of the principles set forth above for compliance with the Personal Data Protection Law are effectively implemented by FINAPP, its employees, and its business partners; to provide explanations regarding the personal data processing activities carried out by FINAPP in accordance with the law and the systems adopted for the protection of personal data; to ensure that all administrative and technical measures are taken for the processing and protection of personal data within the operation of FINAPP; to establish necessary internal procedures; to determine all necessary training to raise awareness; and to ensure that appropriate and effective control mechanisms are established by taking all necessary measures to ensure compliance of employees and business partners with the Personal Data Protection Law processes.

This Policy is related to the protection of personal data of job candidates, FINAPP officials, our visitors, the institutions we cooperate with and their employees, shareholders and officials, and third parties, whether processed automatically or non-automatically as part of any data recording system.

Definitions

Term	Definition
Explicit Consent	Consent based on informed consent and expressed freely on a specific matter.
Anonymization of Personal Data	Making personal data in no way identifiable with an identified or identifiable natural person, even by matching it with other data using techniques such as masking, aggregation, data corruption, etc.
Application form	"Application Form for Applications to be Made to the Data Controller by the Relevant Person (Personal Data Owner) in Accordance with the Personal Data Protection Law No. 6698", which includes the application to be made by personal data owners to exercise their rights.
Employee Candidate	Natural persons who have applied for a job with FINAPP by any means or who have made their CV and related information available for FINAPP's review.
Employees, Shareholders, and Officials of the Institutions We Collaborate With	Natural persons working in institutions with which FINAPP has any kind of business relationship (such as, but not limited to, business partners, suppliers), including shareholders and officials of these institutions.
Business Partner	Parties with which FINAPP establishes business partnerships for purposes such as carrying out various projects and receiving services while carrying out its commercial activities.
Processing of Personal Data	Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.
Personal Data Owner	The natural person whose personal data is processed.
Deletion of Personal Data	Deletion of personal data; rendering personal data inaccessible and reusable for Relevant Users in any way.
Destruction of Personal Data	The process of making personal data inaccessible, irretrievable and reusable by anyone.
Personal Data	Any information relating to an identified or identifiable natural person.
Personal Data Protection Board	Personal Data Protection Board
Special Personal Data	Data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress code, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction	In case all the processing conditions of personal data specified in the Personal Data Protection Law are eliminated, the deletion, destruction or anonymization process, which will be carried out ex officio at recurring intervals and as specified in the personal data storage and destruction policy.
FINAPP Official	Member of the FINAPP board of directors and other authorized natural persons.
Supplier	Parties that provide services to FINAPP on a contractual basis or without any contractual relationship in accordance with the orders and instructions of FINAPP while FINAPP is carrying out its business activities.
Third Party	Natural persons whose personal data are processed within the scope of the Policy and who are not defined differently within the scope of the Policy
Data Processor	A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Controller	The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the place where data is systematically kept (data recording system).
Visitor	Natural persons who have entered physical premises owned by FINAPP for various purposes or visited our websites.
Members and Mobile App Visitors	Real persons who become members of the FINAPP application to benefit from the content or who view the content without being a member.

Section -- Issues Related to the Processing of Personal Data

Generally

In accordance with Article 20 of the Constitution and Article 4 of the Personal Data Protection Law, FINAPP processes personal data in accordance with the law and principles of fairness; accurate and, where necessary, up-to-date; and for specific, clear, and legitimate purposes; in a purpose-related, limited, and proportionate manner. FINAPP retains personal data for the period prescribed by law or required for the purpose of processing personal data.

In accordance with Article 20 of the Constitution and Article 5 of the Personal Data Protection Law, FINAPP processes personal data based on one or more of the conditions in Article 5 of the Personal Data Protection Law regarding the processing of personal data.

In accordance with Article 20 of the Constitution and Article 10 of the Personal Data Protection Law, FINAPP informs personal data owners and provides the necessary information when personal data owners request information.

FINAPP acts in accordance with the regulations regarding the processing of special categories of personal data in accordance with Article 6 of the Personal Data Protection Law.

In accordance with Articles 8 and 9 of the Personal Data Protection Law, FINAPP acts in accordance with the regulations stipulated in the law and set forth by the Personal Data Protection Board regarding the transfer of personal data.

Processing of Personal Data in Accordance with the Principles Set Forth in the Legislation

Processing in Accordance with Law and Fairness

FINAPP acts in accordance with the principles set forth in legal regulations and the general rule of trust and integrity in the processing of personal data. In this context, FINAPP takes proportionality into account in the processing of personal data and does not use personal data for purposes other than those required.

Ensuring that Personal Data is Accurate and Up-to-Date when Necessary

FINAPP ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of personal data owners and their legitimate interests. It takes the necessary measures to this end.

Processing for Specific, Clear and Legitimate Purposes

FINAPP clearly and precisely defines the legitimate and lawful purposes for processing personal data. FINAPP processes only to the extent necessary for and in connection with its commercial activities.

Being Relevant, Limited and Proportionate to the Purpose for Which They Are Processed

FINAPP processes personal data in a manner that enables it to achieve its designated purposes and avoids processing personal data that is not relevant or necessary to achieve the purposes. For example, personal data processing is not conducted to meet needs that may arise later.

Preservation for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which they are Processed

FINAPP retains personal data only for the period specified in relevant legislation or necessary for the purposes for which it is processed. In this context, FINAPP first determines whether relevant legislation stipulates a retention period for personal data. If so, it complies with this period. If no such period is specified, it retains personal data for the period necessary for the purposes for which it is processed. Upon expiration of this period or the elimination of the reasons requiring processing, FINAPP deletes, destroys, or anonymizes personal data.

Processing Personal Data Based on One or More of the Personal Data Processing Conditions Specified in Article 5 of the PDPL and Limited to These Conditions

The protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted only by law, without prejudice to their essence, and solely for the reasons specified in the relevant articles of the Constitution. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the individual's explicit consent. Accordingly, and in accordance with the Constitution, FINAPP processes personal data only in cases stipulated by law or with the individual's explicit consent.

Enlightenment and Information of Personal Data Owners

In accordance with Article 10 of the Personal Data Protection Law, FINAPP provides information to Personal Data Subjects when collecting personal data. In this context, FINAPP provides information on the identity of its representative, if any, the purposes for which personal data will be processed, to whom and for what purposes the processed personal data may be transferred, the method and legal basis for collecting personal data, and the rights of personal data subjects.

Article 20 of the Constitution establishes that everyone has the right to be informed about personal data concerning them. Accordingly, Article 11 of the Personal Data Protection Law lists the right to "request information" among the rights of personal data owners. In this context, FINAPP provides the necessary information when a Personal Data Owner requests information, in accordance with Articles 20 of the Constitution and 11 of the Personal Data Protection Law.

Processing of Special Nature Personal Data

FINAPP strictly complies with the regulations stipulated in the Personal Data Protection Law when processing personal data designated as "special" by the Personal Data Protection Law.

Article 6 of the Personal Data Protection Law identifies certain personal data as "special categories" if it is processed unlawfully and carries a risk of causing victimization or discrimination. This data includes data related to race, ethnicity, political views, philosophical beliefs, religion, sect, or other beliefs, appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data.

In accordance with the Personal Data Protection Law, FINAPP processes special personal data in the following cases, provided that adequate measures are taken, as determined by the Personal Data Protection Board:

If the personal data owner has explicit consent, or
If there is no explicit consent of the personal data owner;
Special personal data, other than the health and sexual life of the personal data owner, in cases prescribed by law,
Sensitive personal data regarding the health and sexual life of the personal data owner are processed only by persons or authorized institutions and organizations under an obligation of confidentiality for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.

Transfer of Personal Data

FINAPP may transfer personal data and sensitive personal data of the data subject to third parties by taking the necessary security measures set forth in this Policy in accordance with the lawful purposes for processing personal data. In this regard, FINAPP complies with the regulations stipulated in Article 8 of the Personal Data Protection Law.

Transfer of Personal Data

FINAPP may transfer personal data to third parties based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Personal Data Protection Law listed below, by creating the necessary confidentiality conditions and taking security measures in line with legitimate and lawful personal data processing purposes:

If the personal data owner has explicit consent,
If there is a clear regulation in the law regarding the transfer of personal data,
If it is necessary to protect the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to give his consent due to actual impossibility or if his consent is not legally valid;
If it is necessary to transfer personal data of the parties to a contract, provided that it is directly related to the establishment or execution of a contract,
If personal data transfer is mandatory for FINAPP to fulfill its legal obligations,
If personal data has been made public by the personal data owner,
If personal data transfer is mandatory for the establishment, exercise or protection of a right,
If the transfer of personal data is necessary for the legitimate interests of FINAPP, provided that it does not prejudice the fundamental rights and freedoms of the personal data owner.

Transfer of Special Personal Data

By taking due care, taking the necessary security measures and taking the adequate measures prescribed by the Personal Data Protection Board, FINAPP may transfer the personal data of the personal data owner to third parties in the following cases in line with the legitimate and lawful personal data processing purposes.

If the personal data owner has explicit consent, or
If there is no explicit consent of the personal data owner;
Personal data of a personal nature other than the data subject's health and sexual life (data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or unions, criminal convictions and security measures, as well as biometric and genetic data), in cases prescribed by law,
Sensitive personal data regarding the health and sexual life of the personal data owner may only be disclosed by persons or authorized institutions and organizations under a confidentiality obligation for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.

Categorization of Personal Data Processed by FINAPP, Processing Purposes and Storage Period

In accordance with Article 10 of the Personal Data Protection Law, FINAPP informs the personal data owner about which personal data groups it processes, the purposes of processing the personal data of the personal data owner, and the retention periods within the scope of the obligation to inform.

Categorization of Personal Data

At FINAPP; in line with FINAPP's legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Personal Data Protection Law, in compliance with the general principles set forth in the Personal Data Protection Law, especially the principles set forth in Article 4 regarding the processing of personal data, and all obligations set forth in the Personal Data Protection Law, and limited to the groups of persons covered by this Policy, personal data in the categories specified below is processed by informing the relevant persons in accordance with Article 10 of the Personal Data Protection Law.

Personal Data Categorization	Personal Data Categorization Explanation
Identity Information	Data that clearly belongs to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of a data recording system; includes information about the identity of the person; name-surname, email address, telephone number, etc.
Contact Information	Information that clearly belongs to an identified or identifiable natural person, partially or fully processed automatically or non-automatically as part of a data recording system; such as telephone number, address, e-mail address, fax number, IP address.
Visual Information	Photograph that clearly belongs to an identified or identifiable natural person
Transaction Security Information	Personal data processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and FINAPP while carrying out FINAPP's activities.
Request/Complaint Management Information	Personal data that clearly belongs to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; related to the receipt and evaluation of any requests or complaints directed to FINAPP

Purposes of Processing Personal Data

FINAPP processes personal data limited to the purposes and conditions set forth in the personal data processing conditions specified in Article 5, paragraph 2, and Article 6, paragraph 3, of the Personal Data Protection Law. These purposes and conditions are as follows;

FINAPP's activity regarding the processing of your personal data is clearly prescribed by law.
The processing of your personal data by FINAPP is directly related to and necessary for the establishment or performance of a contract.
The processing of your personal data is necessary for FINAPP to fulfill its legal obligations.
The processing of your personal data by FINAPP is necessary for the establishment, exercise or protection of the rights of FINAPP or you or third parties.
It is necessary to process personal data for the legitimate interests of FINAPP, provided that it does not harm your fundamental rights and freedoms.
If FINAPP's personal data processing is necessary to protect the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to give his consent due to actual or legal invalidity.

In this context, FINAPP processes your personal data within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, limited to the following purposes:

Planning and execution of corporate sustainability activities
Event management
Reputation research processes,
Management of relationships with business partners or suppliers
Execution/follow-up of FINAPP legal affairs
Planning and execution of corporate communication activities
Execution of corporate governance activities
Determination, planning and implementation of FINAPP's commercial policies
Ensuring the legal and commercial security of FINAPP and real or legal persons who have a business relationship with FINAPP
Correct planning, execution and management of commercial partnerships and strategies,
Request and complaint management
Carrying out activities to protect FINAPP's reputation
Providing information to authorized institutions arising from legislation

If the processing carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Personal Data Protection Law, your explicit consent to the relevant processing is obtained by FINAPP.

Storage Period of Personal Data

If stipulated in relevant laws and regulations, FINAPP stores personal data for the period specified in these regulations.

Unless legislation specifies a specific period for which personal data must be stored, personal data will be processed for the period required by FINAPP's practices and business practices, depending on the activity carried out by FINAPP while processing the data, and will then be deleted, destroyed, or anonymized. Detailed information on this matter is provided in Section 9 of this Policy.

If the purpose of processing personal data has expired, and the retention periods specified by relevant legislation and FINAPP have expired, personal data may only be retained as evidence in potential legal disputes or for the purpose of asserting or defending a relevant right related to personal data. Retention periods are determined based on the statute of limitations for asserting the aforementioned right and examples of previous requests submitted to FINAPP regarding the same matters despite the expiration of the statute of limitations. In this case, stored personal data is not accessed for any other purpose and is only accessed when it is necessary to resolve the relevant legal dispute. After this period, personal data is deleted, destroyed, or anonymized.

Data Category	Data Storage Period
1. Identity	10 YEARS
2. Communication	10 YEARS
4. Customer Transaction	10 YEARS
5. Transaction Security	1 YEAR
7. Visual Information	10 YEARS

Categorization of Owners of Personal Data Processed by FINAPP

While FINAPP processes the personal data of the personal data subject categories listed below, the scope of application of this Policy is limited to Business Partners, Suppliers, Supplier Employees, Supplier Authorized Personnel, Customers, Potential Product or Service Buyers, Mobile Application Members, Mobile Application Visitors, Visitors, Third Parties, Employees, Employee Candidates, Employee Relatives, Interns, FINAPP Authorized Personnel, Employees, Shareholders and Authorized Personnel of Institutions with Which We Collaborate.

While the categories of persons whose personal data are processed by FINAPP are within the scope specified above, persons outside these categories may also direct their requests to FINAPP within the scope of the Personal Data Protection Law; their requests will also be evaluated within the scope of this Policy.

Section -- Third Parties to which Personal Data is Transferred by FINAPP and the Purposes of Transfer

In accordance with Article 10 of the Personal Data Protection Law, FINAPP notifies the personal data owner of the groups of persons to whom personal data is transferred.

In accordance with Articles 8 and 9 of the Personal Data Protection Law, FINAPP may transfer the personal data of data owners governed by the Policy to the following categories of persons:

To FINAPP business partners and suppliers,
To FINAPP FINAPP officials,
Legally authorized public institutions and organizations
To legally authorized private law persons

The scope of the above-mentioned persons to whom data is transferred and the purposes of data transfer are stated below.

Data Transfer Possible People	Definition	Purpose of Data Transfer
Shareholders	FINAPP's Stakeholders are natural persons.	In accordance with the relevant legislation, data may be transferred limited to the purposes of the activities carried out by FINAPP within the scope of Company law, event management and corporate communication processes.
FINAPP Officials	FINAPP board members and other authorized real persons	Designing strategies for FINAPP's commercial activities in accordance with the relevant legislation, ensuring their management at the highest level and limited to auditing purposes.
Legally Authorized Public Institutions and Organizations	Public institutions and organizations authorized to receive information and documents from FINAPP in accordance with the relevant legislation.	Limited to the purpose requested by the relevant public institutions and organizations within their legal authority.
Natural Persons or Private Law Legal Entities	According to the relevant legislation provisions Information and documents from FINAPP private legal entities authorized to receive	It can be transferred to a limited extent for the purpose requested by the relevant private legal persons within their legal authority in accordance with the provisions of the legislation.

Processing of Personal Data Based on and Limited to the Processing Conditions Stated in the Law

FINAPP informs the personal data owner about the personal data it processes in accordance with Article 10 of the Personal Data Protection Law.

Processing of Personal Data and Special Nature Personal Data

Processing of Personal Data

The data subject's explicit consent is only one of the legal bases enabling the lawful processing of personal data. In addition to explicit consent, personal data may also be processed if one of the conditions listed below is met. While the basis for processing personal data may be only one of the conditions listed below, more than one of these conditions may also be the basis for the same personal data processing activity. If the data being processed constitutes sensitive personal data, the conditions set forth in section 7.1.2 below apply.

Although the legal bases for processing personal data by FINAPP vary, all personal data processing activities are carried out in accordance with the general principles set out in Article 4 of the Personal Data Protection Law.

Explicit Consent of the Personal Data Owner

One of the conditions for processing personal data is the data subject's explicit consent. The data subject's explicit consent must be specific, informed, and freely given.

For personal data processing activities (secondary processing) other than the processing purpose for which personal data is obtained (primary processing), at least one of the conditions set out in clauses b, c, d, e, f, g and h of this title is required; if one of these conditions is not met, these personal data processing activities by FINAPP are carried out based on the explicit consent of the personal data owner to these processing activities.

In order for personal data to be processed based on the explicit consent of the personal data owner, the explicit consent of the personal data owners is obtained through relevant methods.

Clearly Provided in Laws

The data owner's personal data may be processed in accordance with the law if it is clearly provided for in the law.

Failure to Obtain the Explicit Consent of the Person Concerned Due to Actual Impossibility

If the processing of personal data is necessary to protect the life or physical integrity of the person or another person who is unable to give his consent due to a de facto impossibility or whose consent cannot be validated, the personal data of the data owner may be processed.

Direct Interest in the Establishment or Execution of the Contract

Processing of personal data is possible if it is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract.

FINAPP's Fulfillment of Its Legal Obligations

The data subject's personal data may be processed if processing is necessary for FINAPP to fulfil its legal obligations as the data controller.

Personal Data Owner's Making His/Her Personal Data Public

If the data owner has made his/her personal data public, the relevant personal data may be processed.

Data Processing is Necessary for the Establishment or Protection of a Right

If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the personal data owner may be processed.

Data Processing is Necessary for FINAPP's Legitimate Interest

Data may be processed if data processing is necessary for the legitimate interests of FINAPP, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

Processing of Special Personal Data

FINAPP processes special personal data in the following cases, provided that the data owner does not give his/her explicit consent and that adequate measures are taken, as determined by the Personal Data Protection Board:

Special personal data, other than the health and sexual life of the personal data owner, in cases prescribed by law,
Sensitive personal data regarding the health and sexual life of the personal data owner may only be disclosed by persons or authorized institutions and organizations under a confidentiality obligation for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.

Mobile Application Members and Visitors

Third parties wishing to access the system and content of the FINAPP mobile application offered by FINAPP can either become members of the application or benefit from certain content without becoming members. In this context, the Personal Data Processing Activities required for FINAPP members and visitors to access the Mobile Application are carried out in accordance with the Constitution, the Personal Data Protection Law, and other relevant legislation.

In order to ensure security, FINAPP carries out personal data processing activities such as LOG records and storage of IP addresses in the FINAPP application.

In the Mobile Application owned by FINAPP, internet activities within the Application may be recorded using technical means in order to ensure that members or visitors visit the Application in accordance with the purposes of their visit, to show them customized content and to engage in online advertising activities.

Conditions for Deletion, Destruction and Anonymization of Personal Data

Although FINAPP has processed data in accordance with the relevant legal provisions as regulated in Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law, personal data will be deleted, destroyed or anonymized based on FINAPP's own decision or upon the request of the personal data owner, if the reasons requiring processing are eliminated.

FINAPP's Obligation to Delete, Destroy and Anonymize Personal Data

As regulated in Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law, personal data may be deleted, destroyed, or anonymized upon FINAPP's decision or upon the request of the data subject, even if the data has been processed in accordance with the relevant legal provisions, and the reasons requiring processing no longer apply. In this context, FINAPP fulfills its obligations through the methods described in this section.

Techniques for Deletion, Destruction and Anonymization of Personal Data

Techniques for Deletion and Destroying Personal Data

FINAPP may delete or destroy personal data at its own discretion or upon the request of the personal data owner, if the reasons requiring processing no longer exist, even if the data has been processed in accordance with the relevant legal provisions.

The most commonly used deletion or destruction techniques by FINAPP are listed below:

Physical Destruction

Personal data may also be processed non-automatically, provided it is part of a data recording system. When such data is deleted/destroyed, a system is implemented to physically destroy the personal data so that it cannot be used later.

(ii) Secure Deletion from the Software

When deleting/destroying data that is processed by fully or partially automatic means and stored in digital environments, methods are used to delete the data from the relevant software in a way that it cannot be recovered again.

(iii) Secure Deletion by an Expert

In some cases, FINAPP may engage an expert to delete personal data on its behalf. In this case, the personal data will be securely deleted/destroyed by the expert in such a way that it cannot be recovered.

Techniques for Anonymizing Personal Data

Anonymizing personal data refers to rendering personal data incapable of being linked to an identified or identifiable natural person, even when combined with other data. FINAPP may anonymize personal data when the reasons requiring processing of legally processed personal data no longer exist.

In accordance with Article 28 of the Personal Data Protection Law, anonymized personal data may be processed for purposes such as research, planning, and statistics. Such processing is outside the scope of the Personal Data Protection Law, and the explicit consent of the personal data owner is not required. The anonymization techniques most commonly used by FINAPP are listed below.

i) Masking

Data masking is a method of anonymizing personal data by removing the basic identifying information of personal data from the data set.

Example: Transforming the personal data into a data set that makes it impossible to identify the personal data owner by removing the name, email and telephone number information that enable the identification of the personal data owner.

ii) Consolidation

With the data aggregation method, many data are aggregated and personal data is made unrelated to any person.

Example: Revealing that there are Z employees aged X without showing the ages of the employees one by one.

iii) Data Generation

With the data generation method, a more general content is created from the content of personal data and personal data is made unrelated to any person.

Example: Indicating ages instead of dates of birth; indicating the region of residence instead of the full address.

iv) Data Hashing

Data hashing method is used to break the connection between values and individuals by mixing the values in the personal data set.

Issues Related to the Protection of Personal Data

In accordance with Article 12 of the Personal Data Protection Law, FINAPP takes the necessary technical and administrative measures to prevent the unlawful processing of personal data it processes, to prevent unlawful access to data and to ensure the preservation of data, and to ensure an appropriate level of security, and to conduct or have conducted the necessary audits within this scope.

Ensuring the Security of Personal Data

Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data

FINAPP takes technical and administrative measures in accordance with technological possibilities and implementation costs to ensure the lawful processing of Personal Data.

(i) Technical Measures Taken to Ensure Lawful Processing of Personal Data

The main technical measures taken by FINAPP to ensure the lawful processing of Personal Data are listed below:

Personal Data processing activities carried out within FINAPP are supervised by established technical systems.
The technical measures taken are periodically reported to the relevant party as required by the internal audit mechanism.
Personnel knowledgeable in technical matters are employed.

(ii) Administrative Measures Taken to Ensure Lawful Processing of Personal Data

The main administrative measures taken by FINAPP to ensure the lawful processing of Personal Data are listed below:

Employees are informed and trained about Personal Data Protection Law and the lawful processing of Personal Data.
All activities carried out by FINAPP are analyzed in detail across all business units, and as a result of this analysis, Personal Data processing activities are revealed specifically for the activities carried out by the relevant business units.
Personal Data processing activities carried out by FINAPP's business units; the requirements to be fulfilled to ensure that these activities comply with the Personal Data processing conditions sought by the Law are determined specifically for each business unit and the detailed activity it carries out.
To ensure that legal compliance requirements are determined on a business unit basis, awareness is raised and implementation rules are determined for the relevant business units; the necessary administrative measures to ensure the control and continuity of implementation of these matters are implemented through internal FINAPP policies and training.
The contracts and documents governing the legal relationship between FINAPP and employees include clauses that impose the obligation not to process, disclose or use Personal Data, except for the instructions of FINAPP and exceptions stipulated by law. Employees are made aware of this and their obligations arising from the Law are fulfilled by conducting audits.

Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

FINAPP takes technical and administrative measures, depending on the nature of the data to be protected, technological possibilities and implementation costs, to prevent the reckless or unauthorized disclosure, access, transfer or any other unlawful access of Personal Data.

(i) Technical Measures Taken to Prevent Unlawful Access to Personal Data

The main technical measures taken by FINAPP to prevent unlawful access to Personal Data are listed below:

Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.
Access and authorization technical solutions are implemented in accordance with legal compliance requirements determined on a business unit basis.
Access rights are limited and reviewed regularly.
The technical measures taken are periodically reported to the relevant parties as required by the internal audit mechanism, and the issues that pose a risk are re-evaluated and the necessary technological solutions are produced.
Software and hardware including virus protection systems and firewalls are installed.
Personnel knowledgeable in technical matters are employed.
Applications that collect Personal Data are regularly scanned to identify security vulnerabilities. Any vulnerabilities found are resolved.

(ii) Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The main administrative measures taken by FINAPP to prevent unlawful access to Personal Data are listed below:

Employees are trained on technical measures to prevent unlawful access to Personal Data.
Access and authorization processes for Personal Data are designed and implemented within FINAPP in accordance with legal compliance requirements for processing Personal Data on a business unit basis.
Employees are informed that they cannot disclose the Personal Data they have learned to anyone else in violation of the provisions of the Law and cannot use it for purposes other than those for which it was processed, and that this obligation will continue after they leave their job, and the necessary commitments are obtained from them in this regard.
Provisions are added to the contracts concluded by FINAPP with the persons to whom Personal Data is lawfully transferred, stipulating that the persons to whom Personal Data is transferred will take the necessary security measures to protect the Personal Data and ensure that these measures are complied with in their own organizations.

Storing Personal Data in Secure Environments

FINAPP takes the necessary technical and administrative measures, in accordance with technological possibilities and implementation costs, to store Personal Data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes.

(i) Technical Measures Taken to Store Personal Data in Secure Environments

The main technical measures taken by FINAPP to store Personal Data in secure environments are listed below:

Systems compatible with technological advancements are used to store Personal Data in secure environments.
Personnel specialized in technical matters are employed.
Technical security systems are established for storage areas, security tests and investigations are conducted to identify security vulnerabilities in information systems, and any existing or potential risks identified as a result of these tests and investigations are addressed. The technical measures taken are periodically reported to the relevant parties as required by the internal audit mechanism.
Backup programs are used in accordance with the law to ensure the safe storage of Personal Data.
Access to the environments where Personal Data is kept is restricted, allowing only authorized persons to access this data limited to the purpose for which the personal data is stored. Access to the data storage areas where Personal Data is located is logged, and any improper access or access attempts are instantly communicated to the relevant parties.

(ii) Administrative Measures Taken to Store Personal Data in Secure Environments

The main administrative measures taken by FINAPP to store Personal Data in secure environments are listed below:

Employees are trained to ensure that Personal Data is stored securely.
Legal and technical consultancy services are provided to follow developments in the field of information security, privacy and personal data protection and to take necessary actions.
In the event that FINAPP outsources services due to technical requirements for the storage of Personal Data, the contracts concluded with the relevant companies to which Personal Data is lawfully transferred shall include provisions stipulating that the persons to whom Personal Data is transferred shall take the necessary security measures to protect the Personal Data and ensure that these measures are complied with in their own organizations.

Audit of Measures Taken for the Protection of Personal Data

FINAPP conducts or commissions the necessary internal audits in accordance with Article 12 of the Law. The results of these audits are reported to the relevant department within the scope of FINAPP's internal operations, and necessary actions are taken to improve the measures taken.

Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

FINAPP operates a system that ensures that if personal data processed in accordance with Article 12 of the Law is obtained by others through unlawful means, this situation is reported to the relevant Personal Data Owner and the Personal Data Protection Board as soon as possible. If deemed necessary by the Personal Data Protection Board, this situation may be announced on the Personal Data Protection Board's website or by another method.

Protecting the Rights of the Data Owner and Evaluation of the Requests of the Data Owners

FINAPP carries out the necessary channels, internal operations, administrative and technical arrangements in accordance with Article 13 of the Personal Data Protection Law in order to assess the rights of personal data owners and to provide the necessary information to personal data owners.

If personal data subjects submit their requests regarding the rights listed below to FINAPP in writing, FINAPP will process the request free of charge as soon as possible and within thirty days, depending on the nature of the request. However, if the Personal Data Protection Board stipulates a fee, FINAPP may charge the fee set by the Personal Data Protection Board. Personal data subjects;

Learning whether personal data is being processed,
To request information regarding the processing of personal data,
To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
Knowing the third parties to whom personal data is transferred, either domestically or abroad,
To request correction of personal data if it is processed incompletely or incorrectly and to request that the action taken in this context be notified to third parties to whom personal data has been transferred,
To request the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the provisions of the Personal Data Protection Law and other relevant laws, and to request that the action taken within this scope be notified to third parties to whom personal data has been transferred,
To object to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
In case of damages incurred due to unlawful processing of personal data, data owners have the right to demand compensation for the damages, and more detailed information on the rights of data owners is provided in the following sections of this Policy.

Protection of Special Nature Personal Data

The Personal Data Protection Law places special emphasis on certain personal data due to the risk of victimization or discrimination when processed unlawfully. This data includes data related to race, ethnicity, political views, philosophical beliefs, religion, sect, or other beliefs, appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data.

FINAPP is meticulous in protecting special personal data, which is designated as "special" by the Personal Data Protection Law and processed in accordance with the law. In this context, FINAPP diligently implements the technical and administrative measures taken to protect personal data, and the necessary controls are maintained within FINAPP. Detailed information regarding the processing of special personal data, as well as the rights of data subjects, is provided in the following sections of this Policy.

Rights of Personal Data Subjects; Exercise and Evaluation of These Rights

In accordance with Article 10 of the Personal Data Protection Law, FINAPP informs personal data owners about their rights and guides personal data owners on how to exercise these rights. FINAPP carries out the necessary channels, internal operations, administrative and technical arrangements in accordance with Article 13 of the Personal Data Protection Law to assess the rights of personal data owners and to provide the necessary information to personal data owners.

Data Owner's Rights and Exercise of These Rights

Rights of Personal Data Owners

Personal data owners have the following rights:

Learning whether personal data is being processed,
To request information regarding the processing of personal data,
To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
Knowing the third parties to whom personal data is transferred, either domestically or abroad,
To request correction of personal data if it is processed incompletely or incorrectly and to request that the action taken in this context be notified to third parties to whom personal data has been transferred,
To request the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the provisions of the Personal Data Protection Law and other relevant laws, and to request that the action taken within this scope be notified to third parties to whom personal data has been transferred,
To object to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
To request compensation in case of damages due to unlawful processing of personal data.

Cases in which the Personal Data Owner cannot assert his rights

Since the following situations are excluded from the scope of the Personal Data Protection Law in accordance with Article 28 of the Personal Data Protection Law, personal data owners cannot assert their rights listed in Article 9.1.1. regarding these matters:

Processing of personal data by making them anonymous with official statistics for purposes such as research, planning and statistics.
Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

In accordance with Article 28/2 of the Personal Data Protection Law, personal data owners cannot assert their other rights listed in Article 9.1.1, except for the right to demand compensation for damages, in the following cases:

Processing personal data is necessary for the prevention of crime or criminal investigation.
Processing of personal data made public by the personal data owner.
The processing of personal data is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law.
Processing of personal data is necessary to protect the economic and financial interests of the State regarding budgetary, tax and financial matters.

Personal Data Owner's Exercise of Rights

Personal Data Owners may submit their requests regarding their rights listed under section 9.1.1 of this section to FINAPP free of charge by completing and signing the Application Form, along with information and documents that will establish their identity, using the methods specified below or other methods determined by the Personal Data Protection Board:

on Finapp.websit , a signed copy must be sent personally or via a notary to info@finapp.websit .
On the mobile app settings page After the form is filled out and signed with your "secure electronic signature" within the scope of Electronic Signature Law No. 5070, the secure electronically signed form Registered at info@finapp.websi sending by e-mail.

In order for third parties to request an application on behalf of personal data owners, the data owner must have a special power of attorney issued through a notary public on behalf of the person who will make the application.

Personal Data Owner's Right to Complain to the Personal Data Protection Board

In accordance with Article 14 of the Personal Data Protection Law, if the application is rejected, the response is found insufficient or the application is not responded to in a timely manner, the personal data owner may file a complaint with the Personal Data Protection Board within thirty days from the date on which he/she learns of FINAPP's response and, in any case, within sixty days from the date of application.

FINAPP's Responses to Applications

Applications regarding personal data processing activities must be made to FINAPP.

FINAPP's Procedure and Timeframe for Responding to Applications

If the personal data subject submits their request to FINAPP in accordance with the procedure set forth in section 10.1.3 of this section, FINAPP will process the request free of charge within thirty days at the latest, depending on the nature of the request. However, if the Personal Data Protection Board stipulates a fee, FINAPP will charge the applicant the fee set by the Personal Data Protection Board.

Information that FINAPP may request from the Personal Data Owner who applies

FINAPP may request information from the data subject to determine whether the applicant is the subject of personal data. FINAPP may ask questions regarding the personal data subject's application to clarify the matters included in the personal data subject's application.

FINAPP's Right to Reject the Application of the Personal Data Owner

FINAPP may reject the applicant's application, explaining the reason, in the following cases:

Processing of personal data by making them anonymous with official statistics for purposes such as research, planning and statistics.
Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
Processing personal data is necessary for the prevention of crime or criminal investigation.
Processing of personal data made public by the personal data owner.
The processing of personal data is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law.
Processing of personal data is necessary to protect the economic and financial interests of the State regarding budgetary, tax and financial matters.
The request of the personal data owner may interfere with the rights and freedoms of other persons.
Requests have been made that require disproportionate effort.
The requested information is publicly available information.

FINAPP Personal Data Protection and Processing Policy Governance Structure

FINAPP has established a governance structure to ensure compliance with the Personal Data Protection Law regulations and the enforcement of the Personal Data Protection and Processing Policy.

In accordance with the decision of FINAPP's senior management, the Personal Data Protection Supreme Board ("Supreme Board") was established and the Personal Data Protection Committee ("Committee") was established within FINAPP to manage this Policy and other policies related to and related to this Policy.

The duties of this Committee are stated below;

To prepare and implement basic policies regarding the protection and processing of personal data and amendments when necessary, and to submit them to the Supreme Board for approval by the senior management.
To decide how the policies regarding the protection and processing of personal data will be implemented and audited, and to convey the matters of assigning tasks within FINAPP and ensuring coordination within this framework to the Supreme Board for the approval of the senior management.
To determine the matters that need to be done to ensure compliance with the Personal Data Protection Law and relevant legislation and to submit them to the approval of the senior management, to oversee their implementation and to forward them to the Supreme Board to ensure coordination.
To raise awareness within FINAPP and the institutions with which FINAPP cooperates regarding the protection and processing of personal data.
To identify risks that may arise in FINAPP's personal data processing activities and ensure that necessary measures are taken; to submit improvement suggestions to the Executive Board for approval by the senior management.
To inform the Supreme Board to ensure that training is organized to ensure that personal data owners are informed about personal data processing activities and their legal rights regarding the protection of personal data and the implementation and dissemination of policies.
To forward the applications of personal data owners to the Supreme Board for decision-making at the highest level.
To follow the developments and regulations regarding the protection of personal data; to submit its recommendations to the Supreme Board on what should be done within FINAPP in accordance with these developments and regulations.
To manage relations with the KVK Board and Institution under the coordination of the Supreme Board.
To carry out other duties assigned by FINAPP senior management and the Executive Board regarding the protection of personal data.