Within the scope of Protection and Processing of Personal Data

Clarification Text

1. Purpose

The purpose of this document, which is prepared within the scope of the protection and processing of personal data, is to explain the administrative and technical measures for the processing and protection of the personal data obtained by the zeynepbuyukbay.com during the ongoing commercial activities on the website zeynepbuyukbay.com carried out in the https://www.zeynepbuyukbay.com/ (referred to as the ) in accordance with the law, Our company personnel, company partners, company officials and third parties, especially within the scope of the Law on the Protection of Personal Data No. 6698 (KVKK) 10. Fulfillment of the disclosure obligation imposed by the article, as well as when users visit the www.zeynepbuyukbay.com site,

To inform the relevant parties in a transparent manner about the purposes, legal reasons and rights of processing the data collected by zeynepbuyukbay when they log in to the system, in order to provide more effective service to its visitors and customers, such as product order, delivery, payment, administration, advertising, marketing, etc.

As zeynepbuyukbay, it has taken the highest level technical and administrative measures to ensure the security and confidentiality of the data it collects in order to provide better service at www.zeynepbuyukbay.com address. The KVKK Policy document, in which the duties and responsibilities of zeynepbuyukbay are explained within the scope of KVKK, has been published at https://www.zeynepbuyukbay.com/protection-and-processing of personal-data.

2. Identity of the Data Controller

Data Controller in accordance with KVKK: Istanbul Chamber of Commerce Directorate İSTANBUL-299022-5 registered with registration number, 0193079615400001 MERSİS numbered, corporate headquarters Turgut Özal Mah. Su Yolu Cad. 74. Sok. No: 3 Daire:4 Esenyurt-İstanbul located at Zeynep Büyükbay’ dır.

3. Personal Data We Process

Personal data is collected in the following data categories for the continuity of our services.

● Audio visual data

● Identity Data

● Communication Data

● Financial Data

● Location Data

● Customer Data

● Customer Transaction Data

● Special Quality Personal Data

● Marketing Data

● Request and Complaint Management Data

● Risk Management Data

● Personal Data

● Ancillary Rights and Benefit Data

● Physical Space Security Data

Personal Data Provided by You: Name-surname, date of birth, T.R. Identity number, telephone number, e-mail address, address, photographs transmitted within the scope of surveys and competitions, video recordings, voice data recorded due to calls made via corporate e-mail or call center, other data and all other Personal Data that you share with us in any way through other channels in order to benefit from our products or services.

Personal Data Collected by Automatic Means: Your Personal Data collected automatically through automatic search machines, video and sound recording devices, Cookies or other means.

Personal Data from Other Sources: Updated membership account information, purchase, page view information that social media tools, business partners, suppliers and other third parties share with us based on your previously given consent; information such as the term searched and search results is your Personal Data, such as paid listings (such as Sponsored Links).

4. Retention Periods of Personal Data

Your Personal Data is kept in accordance with the other legislation on the protection of personal data, especially KVKK, and the periods stipulated, in any case and if a period is not stipulated in the legislation, for the period required by the purpose of processing Personal Data. The retained data is deleted, destroyed or anonymized after the reasons that require the processing of the data have ended. Detailed information about the retention periods is included in the KVKK Policy Document.

5. Purposes of Processing Personal Data

As a rule, your Personal Data is processed by us based on your explicit consent. However, in accordance with the basic principles stipulated by the KVKK, it can also be processed without your explicit consent in order to fulfill our legal obligations under Articles 5.2 and Article 6.3, to establish or perform a contract, to fulfill our legal obligations, to establish, exercise or protect a right and to protect our legitimate interests without harming your fundamental rights and freedoms, and in terms of the personal data you make public.

In this context, if the above situations exist, the performance of the products and services provided by our Company, contacting you when necessary in this context, making shopping transactions through the www.zeynepbuyukbay.com website and mobile application, payment transactions, return transactions, transportation services, establishing a distance sales contract within the scope of electronic commerce, selling, supplying, delivering, receiving your questions and complaints to you, We process your Personal Data in order to protect our legitimate interests such as being able to respond, using them in a possible dispute when necessary, reducing costs, efficient use of resources, monitoring call center service quality. In addition, we may process your Personal Data that you have made public through means such as competitions and Social Media channels you have participated in to the extent permitted under KVKK without seeking your consent again.

Your Personal Data may be processed within the scope of Article 5.1 and Article 6.2 of KVKK within the scope of the purposes specified in this Clarification Text provided that your explicit consent is obtained. In addition, in cases where you give your explicit consent, our existing programs and memberships offer special advantages to their members, so your data may be processed with your inclusion / membership in the programs in order to benefit from the program / membership advantages. Based on this explicit consent, processing for the purpose of providing you with opportunities for special products and services such as internet advertising, targeting, re-targeting, cross-selling, campaigns, opportunities and product/service advertisements, using cookies for this purpose, making commercial offers taking into account your preferences and recent purchases, as well as using the www.zeynepbuyukbay.com website and mobile applications according to your previous records during your visit tracking your habits and offering you customized products; processing for the purpose of providing special advertising, campaigns, advantages and other benefits to you for sales and marketing activities and carrying out other marketing and customer service activities, processing for the purpose of creating new product and service models, sending electronic commercial messages (such as campaigns, newsletters, customer satisfaction surveys, product and service advertisements); sending gifts and promotions; corporate communication and other events and invitations within this scope can be processed for the purpose of organizing and informing about them.

6. Transfer of Personal Data to Third Parties and/or Abroad

Your personal data is stored and archived by our business partners who are secured by contracts for various purposes at home and / or abroad in accordance with your explicit consent within the scope of Article 5.1 and Article 6.3 of the KVKK without seeking your explicit consent in the presence of the purposes determined within the scope of Article 5.2 and Article 6.3 of the KVKK above, without seeking your explicit consent or in cases where your explicit consent is obtained in the Clarification Text, information technology support (server, hosting, program, cloud computing), security, call center, sales, marketing to third parties we receive support in areas such as, cooperation and / or service received group companies, business partners, suppliers, banks, financial institutions, legal and tax etc. support in the fields of consultancy firms, sales, marketing, targeting (targeting, re-targeting) and may be transferred to third parties (e-mail sending, advertising firms for the purpose of creating campaigns, companies providing CRM support and the like) and institutions and organizations that provide support in other areas related to zeynepbuyukbay's activities, may be processed to a limited extent by these third parties in order to make the necessary evaluation during the transaction process, and in case of transfer, the Data Controller will be the Data Controller of your Personal Data, which are the values connected to these assets together with the transferee party assets. way.

7. Collection of Personal Data and Legal Reasons

Your Personal Data is processed through channels such as application forms, websites membership and contact forms, websites e-newsletter registration forms, cookies, job application forms www.zeynepbuyukbay.com by zeynepbuyukbay and delivered to us via the mobile application; In order for zeynepbuyukbay to continue its activities based on the relevant websites and different legal reasons, it can also be collected, processed and transferred for the purposes specified in this Clarification Text in accordance with the principles and procedures stipulated by the KVKK and other relevant legislation.

8. Your Rights Under KVKK

In accordance with Article 11 of the Law on the Protection of Personal Data, by applying to zeynepbuyukbay as the relevant person;

● To learn whether your Personal Data is processed or not,

● If your Personal Data has been processed, to request information about it,

● To learn the purpose of processing your Personal Data and whether they are used in accordance with their purpose,

● To know the third parties to whom your Personal Data is transferred at home or abroad,

● To request the correction of your Personal Data if it is incomplete or incorrectly processed and to request that the transaction carried out within this scope be notified to the third parties to whom your Personal Data is transferred,

● Although it has been processed in accordance with KVKK and other relevant legislation; In the event that the reasons requiring the processing of your Personal Data to be evaluated within the purpose, duration and constitutional principles disappear, to request the deletion or destruction of your Personal Data and to request that the transaction carried out within this scope be notified to the third parties to whom the Personal Data is transferred,

● To object to the occurrence of a result against the person himself by analyzing the processed data exclusively by means of automated systems,

● If your Personal Data is damaged due to unlawful processing, you have the right to request compensation for the damage.

In this context, you can submit your request regarding your above rights to us through the communication methods specified in the form by filling out the procedures and principles determined in the zeynepbuyukbay Related Contact Form (https://www.zeynepbuyukbay.com/iletisim.aspx).

According to the nature of the request, zeynepbuyukbay will conclude the request free of charge as soon as possible and within 30 (thirty) days at the latest. However, if a fee is stipulated by the Personal Data Protection Board and if there is an additional cost related to the conclusion of the requests by zeynepbuyukbay, the fees in the tariff determined by the Personal Data Protection Board may be requested by zeynepbuyukbay. In cases where your Personal Data is processed with explicit consent, we would like to emphasize that if you withdraw your explicit consent, you will be removed from the membership program where such explicit consent-based processing is required and you will not be able to benefit from the advantages you have benefited from as of the relevant date.

You can always follow the changes in the legislation and practice related to Personal Data from the relevant page of our website.

Working Hours

Weekdays: 09:00-18:00

Saturday: 09:00 to 13:00

For any questions, you can contact us at +90 531 785 62 79.

Data Controller: Halil İbrahim BÜYÜKBAY

Address : Turgut Özal Mah. Su Yolu Cad. 74. Sok. No: 3 Daire:4 Esenyurt-İstanbul

E-mail for your requests regarding your personal data: [email protected]

Email for other support and information requests: [email protected]

PERSONAL DATA PROTECTION POLICY

1.Purpose

The purpose of this policy is; To make a statement about the administrative and technical measures for the processing and protection of the personal data obtained by zeynepbuyukbay (hereinafter referred to as zeynepbuyukbay) from various sources during the commercial activities carried out by zeynepbuyukbay in accordance with the law in accordance with the Law on the Protection of Personal Data No. 6698, GDPR and other legal requirements; thus, to provide information about the KVK processes in our Company to real and legal persons, especially to our existing customers, potential customers, website visitors, working company personnel, company partners, company officials and third parties.

2.Scope

All personal data of our customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties processed by automatic or non-automatic means provided that they are part of any data recording system, including all physical locations and digital environments where zeynepbuyukbay carries out its commercial activities. Covers.

Physical Locations

1- Holistic Healing and Natural Products and Consulting San. Tic. Ltd. Şti. Merkez Office: Turgut Özal Mah. Su Yolu Cad. 74. Sok. No: 3 Daire:4 Esenyurt-İstanbul

2- Holistic Healing and Natural Products and Consulting San. Tic. Ltd. Şti. İstanbul Office: Turgut Özal Mah. Su Yolu Cad. 74. Sok. No: 3 Daire:4 Esenyurt-İstanbul

Digital Media: including digital media included in zeynepbuyukbay's asset inventory;

1- zeynepbuyukbay.com

2- Local servers

3- Cloud media servers

4- User computers

5- Data hosting and transport environments

3. Terms and Definitions

KVKK	:	6698 Law on the Protection of Personal Data
GDPR	:	European Union Data Protection Directive (EU General Data Protection Regulation
Explicit Consent	:	Consent to a specific subject, based on being informed and explained with free will.
Anonymization		These are the operations performed on personal data in order to ensure that personal data loses its personal data quality and that this situation cannot be undone. Ex: Making personal data unassociative with a natural person through techniques such as masking, aggregation, data corruption, etc.
Deletion and Destruction	:	KVKK and although it has been processed in accordance with the provisions of other relevant laws, the personal data shall be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the relevant person in the event that the reasons requiring the processing disappear.
Employee Candidate	:	Real persons who have applied for a job in our company in any way or who have opened their resumes and related information to the examination of our company.
Employees, Shareholders and Officials of the Institutions We Cooperate with	:	Real persons working in institutions with which our Company has all kinds of business relations (such as business partners, suppliers, but not limited to), including shareholders and officials of these institutions,
Processing of Personal Data	:	Any operation performed on personal data such as obtaining, recording, storing, preserving, changing, rearranging, disclosure, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Contact Person	:	The natural person whose personal data is processed. For example; Customers and employees.
Data subject contact group:	:	The category of data subjects whose personal data the data controllers process
Personal data	:	Any information relating to an identified or identifiable natural person. Therefore, the processing of information related to legal entities is not covered by the Law. For example; name-surname, TCKN, e-mail, address, date of birth, credit card number, etc.
Customer	:	Natural persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company or not
Special Quality Personal Data	:	Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data are data of special nature.
Potential Customer	:	Natural persons who have requested or have been interested in using our products and services or who have been evaluated in accordance with the rules of commercial practice and good faith in which they may have this interest
Company Shareholder	:	Real persons who are shareholders of our company
Company Representative		Board member of our company and other authorized real persons
Third party	:	Third-party natural persons associated with such persons in order to ensure the security of the commercial transaction between our Company and the aforementioned parties or to protect the rights and benefit of such persons (e.g. Guarantor, Accompanying Person, Family Members and Relatives)
Data Processor	:	It is the natural and legal person who processes personal data on behalf of the data controller based on the authority given by him/her. For example, the cloud computing company that holds our Company's data, the call-center company that makes the call, etc.
Data Controller	:	The data controller is the person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system).
Data Controller Contact Person	:	Regarding the obligations of legal entities resident in Turkey and the representative of the legal entity data controller not resident in Turkey within the scope of the Law and the secondary regulations to be issued based on this Law, the real person notified by the data controller during registration in the Registry for communication to be established with the Authority
Visitor	:	Real persons who have entered the physical premises owned by our Company for various purposes or who have visited our websites

4. Legal Basis

This policy has been prepared in order to fulfill the requirements of the Personal Data Protection Law No. 6698, related legal regulations and the EU General Data Protection Regulation (GDPR). In the face of changes or regulations that will occur in the relevant laws and regulations, zeynepbuyukbay will adopt all changes and complete the necessary improvement works as soon as possible.

5. Procedures and Principles for the Protection of Personal Data

5.1. Principles regarding the Processing of Personal Data

zeynepbuyukbay processes personal data in accordance with the procedures and principles stipulated in KVKK and other relevant laws. In this context, zeynepbuyukbay fully complies with the following principles in the KVKK while processing personal data.

● Compliance with the law and good faith; In accordance with this principle, zeynepbuyukbay's data processing processes are carried out within the limits required by all relevant legislation, especially the Constitution and KVKK, and the rules of honesty.

● Correct and timely day-to-day; Necessary measures are taken to ensure that the personal data processed by zeynepbuyukbay are correct and in accordance with the current situation, and the necessary opportunities are provided to the data owners by providing information in order to ensure that the data being processed reflect the real situation.

● Processing for specific, explicit and legitimate purposes; zeynepbuyukbay processes personal data only for clear and precisely determined legitimate purposes; does not engage in data processing activities other than for these purposes. In this context, personal data are processed zeynepbuyukbay.com only in connection with the business relationship established with the data owners and if necessary for them.

● Be relevant, limited and proportionate to the purpose for which they are processed; Our Company processes personal data in a manner conducive to the realization of the specified purposes and avoids the processing of personal data that is not related to or needed for the realization of the purpose. For example, no personal data processing activities are carried out to meet the needs that may arise later.

● To keep it for the period stipulated in the relevant legislation or necessary for the purpose for which they are proposed; Our Company retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, our Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, acts in accordance with this period if a period is determined, and if a period is not determined, it stores the personal data for the period required for the purpose for which they are processed. At the end of the period or if the reasons requiring its processing disappear, the personal data are deleted, destroyed or anonymized by our Company. Personal data are not stored by our Company with the possibility of using it in the future.

5.2. Ensuring the Security of Personal Data

In accordance with Article 12 of the KVK Law, zeynepbuyukbay takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent the unlawful access to the data and to ensure the protection of the data, and to carry out or have the necessary audits carried out in this context.

5.2.1. Technical and Administrative Measures Taken to Ensure the Legal Processing of Personal Data and to Prevent Unlawful Access

5.2.1.1. Technical Precautions

a. Technical measures are taken in accordance with the developments in technology and the measures taken are periodically updated.

b. Necessary firewalls, blocking hardware and software are used against attacks that may damage the system such as virus protection, external attacks, system slowdown attacks, hijacking attacks.

c. Performs the necessary internal controls within the scope of the established systems.

d. Within the scope of the established systems, information technologies carry out risk assessment and business impact analysis.

e.It provides the technical infrastructure to prevent or observe the leakage of data outside the organization and the creation of relevant matrices (authorization matrix, etc.)

f. It provides control of system vulnerabilities by receiving penetration testing services regularly and when the need arises.

g. The entrances and exits to the physical areas are monitored by security camera systems.

h. Finger reading systems and card reader systems have been installed in critical data processing areas.

i. TS/ISO 27001 Information Security Management Systems Security standards are utilized.

j. It ensures that the access authorizations of employees in information technology units to personal data are kept under control.

k. Only authorized persons were designated to process the data obtained from digital media, only authorized persons were provided with access to and processing of the data.

l. The destruction of personal data is ensured in such a way that it cannot be recycled and does not leave an audit trail.

m. In accordance with Article 12 of the Law, all kinds of digital media in which personal data are stored are protected by encrypted or cryptographic methods to meet information security requirements.

n. 5651 The necessary log records are kept within the framework of the procedures and principles of the Law on the Regulation of Publications on the Internet and the Fight Against Crimes Committed Through These Publications.

o. All our information systems in use, Penetration Tests, Vulnerability Tests are carried out regularly and our improvement studies related to the risky issues are carried out urgently.

5.2.1.2. Administrative Measures

a. Restricts the internal access to the stored personal data to the personnel required to access it by the job definition. In limiting access, whether the data is of special nature and its importance are also taken into account.

b.In the event that the processed personal data is obtained by others through unlawful means, it notifies the relevant person and the Board as soon as possible.

c. Regarding the sharing of personal data, it signs a framework agreement on the protection of personal data and data security with the persons with whom personal data is shared or ensures data security with the provisions added to the existing contract.

d. Employs personnel who are knowledgeable and experienced about the processing of personal data and provides the necessary trainings to its personnel within the scope of personal data protection legislation and data security.

e. It carries out and has the necessary audits carried out in order to ensure the implementation of the provisions of the Law before its own legal entity. It eliminates the privacy and security vulnerabilities that arise as a result of the audits.

f.As zeynepbuyukbay, we act with the principle of preparing and signing all legal employment contracts, additional undertakings and Confidentiality Agreements within the scope of Information Security required within the scope of the Personal Data Protection Law with all our suppliers working as zeynepbuyukbay.

g. We act with the principle of preparing and signing employment contracts, undertakings and confidentiality agreements covering all legal requirements on a company basis with the companies with which we share data abroad.

h. zeynepbuyukbay employees or the 3rd parties belonging to the suppliers from whom zeynepbuyukbay receives services are also acted with the principle of preparing and signing employment contracts, undertakings and confidentiality agreements.

i.It has been ensured that the requests from our customers are met, a process has been established that will enable the process to be able to process within the legal periods valid within the scope of KVKK and to return to the applicant.

The processes of all units operating under the roof of j. zeynepbuyukbay have been determined and the risk assessments of these processes have been made and the necessary administrative and technical measures have been taken.

k. Employees are provided with the necessary trainings to prevent their access to personal data unlawfully.

l. Paper grinding machines are used for the destruction and destruction of documents and documents containing personal data in the physical environment.

5.3. Ensuring the Security of Personal Data of Special Nature

In Article 6 of the Law on the Protection of Personal Data, Personal Data of Special Nature is defined. In this context, biometric and genetic data related to race, ethnic origin, political opinion, philosophical belief, religion, sect, other beliefs, clothing and clothing, association or union membership, health, sexual life, criminal conviction and security measures are accepted as special quality personal data.

The data determined by our Institution as "special quality" by KVKK are protected by administrative and technical measures taken to protect personal data processed in accordance with the law..

5.4. Purposes Regarding the Processing of Personal Data

In accordance with the Law, personal data cannot be processed without the explicit consent of the data owner as a rule. However, within the scope of Articles 5 and 6 of the Law, data can be processed without explicit consent in terms of personal data and special quality personal data.

5. personal data in accordance with the clause;

•Data processing is explicitly stipulated in the laws,

• It is mandatory to process the relevant data for the protection of the life or bodily integrity of the person who is unable to explain his/her consent due to actual impossibility or whose consent is not recognized as legally valid,

• It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

• Data processing is mandatory for the data controller to fulfill its legal obligation,

• The personal data has been made public by the person concerned,

• Data processing is mandatory for the establishment, use or protection of a right,

• Provided that it does not harm the fundamental rights and freedoms of the data subject, the data processing is mandatory for the legitimate interests of the data controller, and in such cases, it can be processed even if the explicit consent of the data owner has been obtained in advance (provided that the necessary clarification has been made).

Special quality data are defined in clause 6.3 of this policy document. Accordingly, personal data of special nature may only be processed under the following conditions, except in cases where explicit consent has been obtained from the data owner:

• Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, membership of associations, foundations or trade unions, criminal convictions and data on security measures, and biometric and genetic data may be processed in the cases stipulated in the laws.

• Personal data related to health and sexual life may only be processed by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.

5.5. Principles Regarding the Sharing of Personal Data

In accordance with the processing in our institution, the sharing (transfer) of personal data with a third party is not shared without the explicit consent of the data owner. However, data transfer can also be carried out under the conditions permitted for data processing in Article 8 of the KVKK and in this direction, personal data or personal data of special nature will be transferred even if the consent of the data owner is not present in the presence of the conditions specified under the title of article 6.4 of this policy document.

The law stipulates that the transfer abroad in relation to the transfer of personal data to third parties is subject to special conditions.

• If there is explicit consent of the data subject, or

• In cases where there is no explicit consent of the data owner but one or more of the other conditions mentioned above are met;

• There is adequate protection in the country to which the data is transferred, and

• In the event that there is no adequate protection in the country where the data is transferred, it may be transferred abroad provided that the data controller undertakes adequate protection in writing together with the data controller in the relevant foreign country and the permission of the Personal Data Protection Board is obtained.

5.6. Situations Outside the Scope of the Law

In accordance with Article 28 of the Law, it is stated that the conditions of the Personal Data Protection Law may be ignored in the following cases. In this context;

• Processing of personal data by natural persons within the scope of activities related entirely to themselves or family members living in the same residence, provided that they are not given to third parties and the obligations regarding data security are complied with.

• Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.

• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.

• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations mandated and authorized by law in order to ensure national defense, national security, public security, public order or economic security.

• Processing of personal data by judicial or enforcement authorities in connection with investigation, prosecution, trial or execution proceedings.

6. zeynepbuyukbay also Data Subject Contact Groups

As zeynepbuyukbay within the scope of KVKK, our actors in personal data processing processes and the Data Subject Person Groups expressed within the framework of the Regulation on the Registry of Data Controllers dated December 30, 2017 and numbered 30286 are defined below.

DATA SUBJECT PERSON GROUP	EXPLANATION
Working Personel	Real persons employed in our company within the scope of labor law
Candidate personel	They are real persons whose applications are received for employment in our company or provided by 3rd party human resources companies / platforms.
Intern	They are real persons who are employed part-time in our company to support theoretical training and to support practical knowledge in the professional sense.
Partners	They are the real persons who own the shares that make up the material asset of our company.
Shareholder	Şirket hisselerini almak suretiyle şirkete hissedar olan gerçek kişilerdir
Administrators	zeynepbuyukbay are real people who take part in the management.
Public Servant	The real person representing the authority that carries out the relations of our Company with official institutions and organizations (audit, investigation, trial, other public services, etc.) is a public official.
Supplier	They are real and legal persons who provide outsourced services in order for our Company to carry out its activities.
Supplier Candidate	These are real and legal persons who are evaluated to provide outsourced services in order for our Company to carry out its activities.
Supplier Staff	A natural person working under a supplier or supplier candidate with whom our Company has a relationship.
Online Visitor	Real persons who visit our Company's web pages or other electronic sales channels without registering as a member and without purchasing products.
Online Member	Real persons who register as a member through our Company's web pages or other sales channels.
Customer	Real persons who purchase products through the web pages of our company or through other sales channels.
Visitor	Real persons who are not subject to any contract that comes to the physical environment of the company.
Applicant	Real persons who submit their requests, requests and complaints regarding the activities of our Company without being subject to a contract with our Company.

7. Categories of Data Processed in zeynepbuyukbay

zeynepbuyukbay collects various personal and special quality data from its employees, customers and suppliers in order to carry out its commercial activities in accordance with the procedures and principles specified in this policy document.

zeynepbuyukbay performs data processing according to the data category given in the table below.

Data Category	Category Description
Identity Data	Information contained in documents such as driver's license, identity card, residence, passport, lawyer's ID, marriage certificate (eg. TCKN, passport no., identity card serial no., Name-Surname, photograph, place of birth, date of birth, age, place of registration in the population, copy of valid identity card)
Communication Data	Information used to contact the person (e.g. e-mail address, telephone number, mobile phone number, address)
Location Data	Data used to determine the location of the data subject (e.g. location data obtained during vehicle operation)
Customer Data	Information about customers who benefit from our products and services (e.g. customer ID, profession information, etc.)
Customer Transaction Data	Information on any transactions carried out by customers benefiting from our products and services (e.g. requests and instructions, order and cart information, etc.)
Physical Space Security Data	Personal data related to the records and documents taken at the entrance to the physical space, during the stay in the physical space (e.g. entry and exit logs, visit information, camera records, etc.)
Transaction Security Data	Personal data processed in order to ensure the technical, administrative, legal and commercial security of our Company and related parties (e.g. information such as website password and password that show that the person is authorized to match the transaction associated with the personal data owner and that the person is authorized to perform that operation)
Risk Management Data	Personal data processed in order to manage the commercial, technical and administrative risks of our Company (eg. IP address, Mac ID, etc. records)
Financial Data	Personal data within the scope of information, documents and records showing any financial results created according to the type of legal relationship with the personal data owner (For example: information showing the financial result of the transactions made by the data owner, invoice, etc.)
Personal Data	Personal data that is the basis for the formation of the personal rights of the employees of the Company's suppliers (all kinds of information and documents that are required to be entered into the personnel file by law))
Employee Candidate Data	Personal data used in the application evaluation process (e.g. resume, interview notes, personality test results, etc.) belonging to the data owners who share their information to apply for a job with our company.
Worker Process Data	Personal data related to all kinds of transactions carried out by the Company's supplier employees related to the work (e.g. entry-exit records, business trips, information about the meetings attended, security query, mail traffic monitoring information, vehicle usage information, company card spending information)
Employee Performance and Career Development Data	Personal data processed for the purpose of measuring the performance of the Company's employees and planning and conducting their career development within the scope of human resources policies (e.g. performance evaluation reports, interview results, trainings for career development)
Benefits and Benefits Data	Personal data processed for the purpose of monitoring the ancillary rights and benefits offered to the employees of the Company and benefiting from them (e.g. private health insurance, vehicle allocation)
Marketing Data	Data to be used by our Company in marketing activities (e.g. reports and evaluations showing the habits and tastes of the person collected for marketing purposes, targeting information, cookie records, data enrichment activities)
Legal Transaction and Compliance Data	Personal data processed for the purpose of determining and following up legal receivables and rights and performing debts and legal obligations (e.g. data contained in documents such as court and administrative authority decisions)
Audit and Inspection Data	Personal data processed within the scope of our Company's legal obligations and compliance with company policies (e.g. audit and inspection reports, relevant call records and similar records)
Special Quality Personal Data	Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and data on security measures, and biometric and genetic data
Request/Complaint Management Data	Personal data related to the receipt and evaluation of any request or complaint directed to our Company (e.g. requests and complaints against the Company, records and reports related to them)
Audio Visual Data	Visual and audio recordings associated with the personal data subject (e.g. photographs, camera recordings and audio recordings)

8. Purposes of Processing Personal Data in zeynepbuyukbay

zeynepbuyukbay is an e-commerce company operating in 74 countries internationally focused on the online sales of natural cosmetic products. Zeynepbuyukbay, which started its activities in 2018, is Turkey's first comprehensive e-commerce site in terms of web page views with the new standards it brings to the sector and the technical solutions it has developed in the field of e-commerce.

It produces its own products and has always focused on technology production in the field of e-commerce. This success of our company, which has reached a significant turnover level by doubling its sales every year on average, is based on the fact that it has developed most of its processes in the retail online sales organization with its own software R&D team. In Zeynepbuyukbay, all processes such as procurement, warehouse-inventory, cargo-logistics-return, customer communication management, call center, sales-marketing, payment systems, accounting-invoicing, etc. are provided with integrated equity resources.

zeynepbuyukbay ensures that the data is processed according to the category of data detailed in Article 7 of this Policy document. These processing operations are processed for the following purposes.

In accordance with our commercial activities, it is processed in order to fulfill the requirements of the laws related to our activity such as the Commercial Code, Tax Law, Code of Obligations, Labor Law at the beginning of the laws of the Republic of Turkey. On the other hand;

● To fulfill business requirements in accordance with commercial purposes,

● To fulfill the obligations of employees under the labor law

● Planning and realization of employee benefits and benefits

● Carrying out the necessary authorization studies within the scope of the protection of personal data of users, customers, employees, suppliers

● Execution of Accounting and Finance business and transactions

● Execution of legal business and transactions

● Operation and sustainability of business processes in the institution within the scope of business activities

● In order to ensure information security and physical security within the institution

● Ensuring the provision, operation and sustainability of communication and managerial activities as a corporate

● Logistics, Storage, Transportation and transportation activities, ensuring the sustainability of the operation

● Planning, operation and sustainability of the management process of customer relations

● For survey studies carried out to monitor customer satisfaction statuses

● Meeting customer expectations and demands

● In order to plan, realize and maintain call center activities

● In order to manage the requests or complaints from customers and to increase customer satisfaction

● For corporate continuity and sustainability of services

● In order to fulfill the obligations of the personnel of the institution arising from the employment contract or legislation

● For the planning of the audit activities of the institution

● Realization of planned or unplanned training activities within and outside the institution

● For the use of information technology and system security

● Realization and continuity of corporate operations

● In order to evaluate contract processes or legal requests

● To ensure and creep supply chain management process activities

● For the planning and maintenance of market research activities for the marketing of product and service sales

● In order to make product introductions

● In order to carry out advertising and promotional activities on social media platforms of product promotions

● Within the framework of marketing and sales activities, customer website movements are recorded by automated means and to make evaluations and analyzes in order to create marketing and sales strategies

● In order for the products to be delivered to the customer abroad within the promised times

● In order to be able to effectively carry out and maintain product return and cancellation processes by customers

● In order for product payments to be received internationally, in accordance with the payment systems in the world, in accordance with the laws of the Republic of Turkey

● To ensure that the data is accurate and up-to-date

● In order to fulfill the demands arising from the legislation to the competent authorities

● In order to create and follow the records of the visitors coming to the institution

● In order to manage the customer management of the website being used more effectively

● Updating corporate applications as a result of various requirements, or creating modules again, for testing the modules created

● To ensure database security

● In order to ensure system and network security

● Penetration and Penetration or service slowdown tests to be carried out

● For testing secure software implementation requirements

Processed.

9. Procedures for the Destruction of Personal Data

Although the person has been processed in accordance with the provisions of other relevant laws within the scope of the Data Protection Law, it is stated that the personal data or the data controller will delete or destroy or anonymize upon the request of the relevant person if the reasons requiring the processing disappear.

In our Institution, the Deletion, Destruction and Anonymization of Personal Data are carried out according to the following techniques and methods.

9.1. Deletion, Destruction and Anonymization of Personal Data

KVKK is in accordance with Article 7 of the law. Pursuant to the statement "Although processed in accordance with the provisions of this Law and other relevant laws, personal data shall be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the relevant person in the event that the reasons requiring the processing of personal data disappear" as zeynepbuyukbay, our policy on the deletion, destruction and anonymization of the data we process in accordance with the data processing purposes we have determined in accordance with our commercial activities explained below.

In order to effectively follow up the cases where the legal retention period has expired or the purpose of data processing has disappeared in our company, periodically the research and scans of the data that need to be deleted and anonymized are carried out every 6 months. LOG records of deletion, destruction and anonymization carried out by our systems automatically or manually are kept for 3 years by keeping them.

9.1.1. Deletion and Destruction of Personal Data

9.1.1.1. Deletion and Destruction of Personal Data in Physical Environments

Your personal data may be processed by non-automated means, provided that it is part of any registration system. When deleting or destroying such data, it is ensured that the personal data is physically destroyed in a way that it is not used again later.

In cases where physical hardware and devices belonging to personal data in digital environments need to be destroyed, the relevant device is rendered completely unusable by our technical experts.

The personal data on paper are completely destroyed with the help of paper shredding machines when requested by the data owner or when the retention periods stipulated by the laws expire or when the activities of zeynepbuyukbay end.

9.1.1.2. Deletion and Destruction from Applications and Databases

In order to carry out its activities, zeynepbuyukbay collects data through various channels, digital platforms, using various application software, and processes them according to the procedures and principles specified within the framework of this policy.

Inventory work was carried out in databases containing personal data kept in zeynepbuyukbay application software. An inventory has been prepared regarding all databases containing personal data, the relevant tables of these databases and the areas in which they are kept in the tables. On the other hand, tables and fields that do not directly contain personal data in the inventory, but which are likely to match any person if matching, are also determined.

Regarding the request for deletion of personal data made by the owner of personal data, personal data other than personal data in groups (such as invoice information) determined in accordance with the laws regulating commercial life in the Republic of Turkey such as Turkish Commercial Code, Code of Obligations, Code of Obligations and not expired according to the retention periods specified in this policy document are deleted.

Deletion of relevant data in the cloud system by issuing a delete command; removal of the access rights of the respective user on the file or directory where the file is located on the central server; deletion of relevant rows in databases with database commands or deletion of data on removable media (flash disk, etc.) using appropriate software can be counted within this scope.

However, if the deletion of personal data will result in the inability to access and use other data within the system, the personal data will be deemed deleted if the personal data are archived by making it unassociable with the relevant person, provided that the following conditions are met.

− It is closed to the access of any other institution, organization or person,

− Taking all necessary technical and administrative measures to ensure that personal data is accessed only by authorized persons.

The equipment of digital platforms belonging to zeynepbuyukbay information technologies is destroyed by the following methods.

De-magnetization: It is a method of unreadable distortion of the data on the magnetic media by passing it through special devices where it will be exposed to high magnetic fields. It should be noted that if the destruction is not successful by this method, the destruction process can only be completed by physically destroying the media.

Physical Destruction: Personal data can also be processed by non-automated means, provided that it is part of any data recording system. When such data is destroyed, the system of physical destruction of personal data in a way that cannot be used afterwards is applied. The destruction of data in paper and microfiche media should also be carried out in this way, since it is not possible to destroy them in any other way.

Overwrite: Overwriting method is a data destruction method that makes it impossible to read and recover old data by writing random data consisting of 0s and 1s at least seven times over magnetic media and rewritable optical media through special software.

In some cases, zeynepbuyukbay may agree with an expert to delete personal data on his own behalf and may ensure the deletion of personal data. In such cases, personal data is securely destroyed so that it cannot be used again by experts in the field.

If a study is to be carried out with the expert employment method, the necessary supplier contracts and confidentiality agreements are made with the person or institution that will carry out the study.

9.1.2. Anonymization of Personal Data

9.1.2.1. Masking

Data masking; for fixed length or variable length personal data and personal data of special nature, 70% of the relevant fields are covered by "*" (star character), "?" (question mark character) is a form of anonymization by replacing it with special characters. As an example, the anonymization of the T.R. Identity Number, which is 11 digits, will be as follows. TCKN : 12345678910 Masked Version: Like 1234xxxxxxx or xxxxxxx8910.

In non-fixed fields, 70% of the word characters are covered.

9.1.2.2. Variable Subtraction

It is a method of extracting one or more columns in the form of a "high-grade identifier" in the database tables where Personal Data or Personal Data of Special Nature are stored. For example, in a table where personal data such as name, surname, tckno, address, province, district are kept, surname and tckno fields are determined as a high-grade identifier. In the relevant table, anonymization will be made by deleting the columns containing these fields completely from the table and by removing the variable.

9.1.2.3. Changing Data

It is the process of randomly changing the data in the same type of columns in the database tables where Personal Data or Special Quality Personal Data are stored on the basis of rows. For example, the data modification method will be applied by replacing the data belonging to another record row in the name, surname, tckno, address, province, district columns.

10. Clarification and Information of the Personal Data Owner

10.1. Data Controller Contact Person Our Company Data Controller Contact Person has been determined. The contact person was held responsible for the execution of the works and transactions required to be carried out within the scope of the Law on the Protection of Personal Data No. 6698 on behalf of the institution. The job description of the contact person is detailed in the Data Controller Liaison Job Description document.

10.2. Clarification Text and Information

Our Company is to enlighten the data owners regarding the data it collects and processes in accordance with the provisions of the personal data protection law determined by this policy. In this context, Article 10 of KVKK During the acquisition of personal data in accordance with the article, the data owners are enlightened with "zeynepbuyukbay KVKK Clarification Text".

In the clarification text, it is clearly stated how zeynepbuyukbay processes the data collected within the scope of personal data and special quality personal data and for what purpose. According to the determined data categories, it is stated which type of data is collected and processed.

zeynepbuyukbay KVKK Clarification Text has been announced at www.zeynepbuyukbay.com, which is the website of our institution, and has been opened to the access of all relevant parties. It is given as a document printout to our employees and suppliers whose explicit consent must be obtained.

10.3. Rights of the Data Subject (Data Subject)

Article 11 of KVKK In accordance with the provision of the article, the rights of the relevant person (Data Owner) regarding the personal and special quality data shared are defined. In this context, the relevant person;

a) Whether personal data is processed or not,

b) If the personal data is processed, to request information about it,

c) To learn the purpose of processing personal data and whether they are processed in accordance with their purpose,

d) To learn about the third parties with whom personal data and special quality personal data are shared abroad and at home,

e) In case of incomplete or incorrect processing of personal data, to request their correction,

f) Article 7 of the Law Requesting the deletion and destruction of personal data within the framework of the conditions stipulated in the article,

g) Article 11 of the Law The transactions carried out in accordance with subparagraphs (d) and (e) in the article 3 where the personal data are transferred. Requesting to be notified to persons,

h) To object to the occurrence of a result against the person himself by analyzing the processed data exclusively by means of automatic systems,

i) To request the elimination of the damage in case of damage in case of unlawful processing of personal data,

They have rights.

The relevant persons are subject to our institution in accordance with Article 11 of the KVKK. Within the framework of the issues specified in the article, it can apply to us with the following methods and channels.

Working Hours

Weekdays : 09:00 – 18:00

Saturday : 09:00 – 13:00 hours

Call Center

+90 531 946 0 511

Data Contact Person

Halil İbrahim BÜYÜKBAY

Address

Turgut Özal Mah. Su Yolu Cad. 74. Sok. No: 3 Daire:4 Esenyurt-İstanbul

E-Mail

[email protected]

Information requests received by us through the specified channels and methods are evaluated by the data contact person and according to the request, the relevant person is informed within 30 days at the latest through the communication and contact channel specified by the data subject.

10.4. Explicit Consent

Article 3 of the KVK Law It is defined in the article. In this context, explicit consent is defined as "consent based on information on a specific subject and explained with free will".

In accordance with zeynepbuyukbay's commercial activities, data are collected in the relevant data categories from the Employees, Candidate Employees, customers to whom it sells products and services, suppliers from whom it provides products in accordance with its commercial activity or from suppliers to which it receives services in order to ensure the quality of service it undertakes to provide to its customers in order to continue its commercial activity.

In cases that are not based on any contract or where there is no legal obligation, the explicit consent of the relevant parties is obtained in the data processing processes carried out within the framework of the issues specified in the KVKK Open Consent document prepared within the framework of the provisions of the KVKK.

11. Retention Periods of Personal Data

As a requirement of the "principle of limitation of purpose", personal data must be kept in accordance with the period required for the purpose for which they are processed. zeynepbuyukbay data controller has taken the necessary legal and administrative measures regarding this issue. Details on the subject are given in this policy document.

In cases where the purpose of data processing is eliminated or upon the application of the data owner within the framework of Article 11 "rights of the data subject" of the KVKK, the personal data collected will be deleted, but the personal data and personal data of special nature in physical environments or in our digital environments will be kept during the retention periods clearly specified in the laws of the Republic of Turkey and all legal regulations arising from the commercial activity we have carried out as zeynepbuyukbay.

Personal and special quality personal data whose legal retention periods have expired are subject to Article 9 of this policy document. It is deleted, destroyed or anonymized within the framework of the details adopted in the article title.

zeynepbuyukbay shall be kept for the period of limitation determined in accordance with the relevant legislation, limited to the purpose of realizing the necessary defenses within the scope of the dispute in case of any dispute that may arise from employment contracts. In order to fulfill the obligations arising from the nature of the employment contract between us and our employees, the personal data of our employees will be stored for the period necessary for the purpose for which they are processed.

The retention periods of the personal data processed in our company are determined as follows. The specified retention periods begin after the legal relationship with the groups of persons ends. Any legal liability not specified herein

PERSON GROUP	DATA CATEGORY	RETENTION PERIOD	LEGAL BASIS
Working Personnel, Intern Partners Shareholders Administrators	Identity Data, Communication Data, Worker Process Data, Transaction Security, Financial Data, Personal Data, Ancillary Rights and Benefits, Legal Transactions and Compliance Data, Audit and Inspection	15 Year	During the Term of the Contract Pursuant to the Contract, 10 years according to the Labor Law and Social Security Institution (SSI) legislation, 15 years according to the legislation of the Occupational Health and Safety Law (OHSG), 10 years within the scope of the Social Insurance and General Health Insurance Law No. 5510 (SSK, GSSK), 5 years according to the Tax Procedure Code (VUK), 10 years according to the Turkish Code of Obligations (TBK), During the statute of limitations under the employer's burden of proof
	Risk Management Data, Transaction Security Data, Physical Space Security Data	2 Year	5651 2 years under the law
Working Personel, Intern	Employee Performance and Career Development Data	10 Year	Pursuant to the Contract, Labor Law, SSI Legislation
Candidate Personel	Identity Data, Communication Data, Employee Candidate Data	10 Year	KVKK (Data received within the scope of explicit consent)
Working Personnel (model)	Audio Visual Data	70 Year	Sözleşmeye İstinaden, Fikir ve Sanat Eserleri Md. 27’ye istinaden 70 yıl
Working Personnel (model)	Special Quality Personal Data	During the Term of the Contract	Pursuant to the Contract
Supplier Supplier Candidate, Supplier Personnel	Identity Data, Communication Data, Financial Data, Location Data, Demand Complaint Management Data	10 Year	Pursuant to the Convention, TTK, TBK, VUK
Visitor	Risk Management Data, Transaction Security Data Identity Data	2 Year	5651 Within the scope of the law numbered
Online Member, Customer	Identity Data, Communication Data, Customer Data, Customer Transaction Data, Location Data, Financial Data	10 year	Pursuant to the Contract, TTK, TBK, VUK
Online Visitor, Online Member, Customer	Identity Data, Marketing Data, Communication Data, Customer Data, Customer Transaction Data, Location Data, Financial Data	10 Year	KVKK (Data received within the scope of explicit consent)
Applicant	Identity Data, Communication Data, Request/Complaint Management Data	10 Year	KVKK, During the statute of limitations under the employer's burden of proof

12. Enforcement of the Policy

This policy, which was prepared within our company, was approved and accepted by our authorized bodies on 22/09/2019 and published on the www.zeynepbuyukbay.com address of our company. It will also be made available upon the requests of the personal data owners. Previous versions are repealed upon the entry into force of this policy document.