PRIVACY AND PERSONAL DATA PROTECTION POLICY

1. PURPOSE AND SCOPE

These Privacy and Personal Data Protection Policy (hereinafter referred to as the “Policy”) set out the principles adopted by ASTOPIA TECH OÜ and its group companies (hereinafter referred to as the “Company”) regarding the protection of personal data, and aim to inform all relevant data subject groups within the scope of Law No. 6698 on the Protection of Personal Data (hereinafter “Law No. 6698”).

2. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

As the Company, acting in the capacity of Data Controller, we process your personal data in accordance with the following principles.

2.1 Processing in Accordance with Law and the Rule of Good Faith

Your personal data is processed in accordance with the principles established by legal regulations, as well as the general principles of trust and good faith. In line with this principle, while pursuing our personal data processing purposes, we take into account your interests and reasonable expectations, refrain from abusing our rights, and act in accordance with the principle of transparency in our data processing activities.

2.2 Ensuring Personal Data is Accurate and Up to Date Where Necessary

In line with this principle, which emphasizes the importance of the accuracy and currency of personal data, periodic checks and updates are carried out, and necessary measures are taken to ensure that processed data is accurate and up to date, with your legitimate interests taken into account. In this context, systems for verifying the accuracy of personal data and making necessary corrections are established within the Company. Furthermore, the accuracy of the sources from which personal data is collected is checked, and requests arising from inaccurate personal data are taken into consideration. Accordingly, this principle is applied in a manner consistent with your right under Law No. 6698 to request the correction of your personal data.

2.3 Processing for Specific, Explicit and Legitimate Purposes

Your personal data is processed based on explicit, specific and legitimate data processing purposes. In this context, we ensure that our personal data processing activities are clearly understandable by data subjects, and we determine and clearly state the purposes and legal grounds on which they are based in Article 3 of this Policy.

2.4 Being Relevant, Limited and Proportionate to the Purpose for which Processed

Your personal data is processed in a limited and proportionate manner relevant to the purpose(s) to be achieved, and the processing of personal data that is not related to or not needed for the fulfillment of the purpose is avoided. Under this principle, personal data is not collected or processed for purposes that do not currently exist but may be considered in the future.

2.5 Retention for the Period Stipulated by Applicable Legislation or Required for the Purpose of Processing

Your personal data is retained only for the period stipulated by applicable legislation or required for the purpose for which it is processed. In this regard, the Company takes and implements the relevant administrative and technical measures. In this context, it is first determined whether a retention period for personal data is stipulated in the relevant legislation; if a period has been determined, that period is complied with, and if no period has been determined, personal data is retained for the period necessary for the purpose for which it is processed.

In the event that the relevant processes are no longer necessary, access to your personal data by unrelated departments is prevented within the scope of the deletion action specified in Law No. 6698. Upon the expiry of the period or the disappearance of the reasons requiring processing, in the absence of another legal reason permitting longer processing, your personal data is destroyed or anonymized in accordance with personal data protection legislation.

3. CONDITIONS FOR PROCESSING PERSONAL DATA

Within the scope of Law No. 6698, your personal data and special category personal data may be processed under the following conditions.

3.1 Explicitly Provided for by Law

The basic rule is that personal data may not be processed without the explicit consent of the data subject; as an exception to this rule, your personal data may be processed in cases where laws explicitly provide for the processing of personal data.

3.2 Where the Explicit Consent of the Data Subject Cannot Be Obtained Due to Actual Impossibility

Where it is mandatory to process the personal data of a data subject who is unable to express consent due to actual impossibility, or whose consent cannot be considered legally valid, in order to protect the life or bodily integrity of that person or of another person, your personal data may be processed.

3.3 Direct Connection with the Establishment or Performance of a Contract

Where it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract, your personal data may be processed.

3.4 Fulfillment of the Company’s Legal Obligation

Where processing is mandatory for the Company to fulfill its legal obligations arising from the legislation, contracts and similar sources to which it is bound and for which it is responsible, your personal data may be processed.

3.5 Personal Data Made Public by the Data Subject

Where your personal data has been made public by you, i.e., shared by you with the public, it may be processed to the extent connected with and proportionate to the purpose of such disclosure.

3.6 Where Data Processing is Mandatory for the Establishment or Protection of a Right

Where data processing is mandatory for the establishment, exercise or protection of a legal or commercial right held by the Company, within the scope of the management of related processes, your personal data may be processed.

3.7 Processing of Data Based on Legitimate Interest

Where it is necessary for the Company’s legitimate interests to process data, your personal data may be processed. In cases where our Company needs to process data based on this condition, we conduct an assessment that also takes into account your fundamental rights and freedoms, and make our decision based on the outcome of that assessment.

3.8 Processing Based on Explicit Consent

While processing based on the explicit consent of the data subject is the general rule, explicit consent is not relied upon where the other conditions specified in this Article exist; otherwise, this would constitute an abuse of right. Accordingly, where your personal data is not processed based on any of the conditions specified in this Policy, it is processed based on your explicit consent.

3.9 Processing of Special Category Personal Data

We process your special category personal data pursuant to Article 6 of Law No. 6698, provided that: your explicit consent exists; it is explicitly provided for by law; it relates to personal data that has been made public by the data subject and is consistent with the data subject’s intention in making it public; it is mandatory for the establishment, exercise or protection of a right; or it is mandatory for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance.

4. TRANSFER OF PERSONAL DATA

Your personal and special category data may be transferred, within the scope of Article 2 of this Policy, to our domestic business partners, public institutions and organizations and similar entities, or to our business partners abroad. Such transfers are carried out in compliance with Articles 8 and 9 of Law No. 6698. Where necessary, your explicit consent is obtained and the transfer is carried out within this framework.

5. SECURITY OF PERSONAL DATA

In order to ensure the security of personal data and to prevent its unlawful processing, the Company takes all reasonable administrative and technical measures to prevent risks of unauthorized access, accidental data loss, intentional deletion of data, or damage to data.

All reasonable technical and physical measures are taken to prevent access to personal data by persons other than those with access authorization. In this context, in particular, the authorization system is designed in such a way that individuals and systems cannot access more personal data than necessary.

The Company carries out and commissions the necessary audits within its own organization to ensure compliance with the provisions of Law No. 6698.

The measures taken are as follows:

  • Network security and application security are ensured.
  • A closed system network is used for personal data transfers over the network.
  • Key management is applied.
  • Security measures are taken within the scope of the procurement, development and maintenance of information technology systems.
  • The security of personal data stored in the cloud is ensured.
  • Disciplinary regulations containing data security provisions are in place for employees.
  • Periodic training and awareness programs on data security are conducted for employees.
  • An authorization matrix has been established for employees.
  • Other — A data breach response plan has been established and implemented.
  • Other — A coordination committee has been established to ensure the sustainability of the KVKK compliance process.
  • Access logs are kept regularly.
  • Institutional policies on access, information security, use, retention and destruction have been prepared and put into practice.
  • Confidentiality undertakings are obtained.
  • Access rights of employees who change roles or leave the company in this area are revoked.
  • Up-to-date antivirus systems are used.
  • Firewalls are used.
  • Signed contracts contain data security provisions.
  • Extra security measures are taken for personal data transferred on paper, and the relevant documents are sent in a confidential-classification document format.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are reported promptly.
  • Personal data security is monitored.
  • Necessary security measures are taken regarding entries and exits to/from physical environments containing personal data.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • The security of environments containing personal data is ensured.
  • Personal data is minimized as much as possible.
  • Personal data is backed up, and the security of the backed-up personal data is also ensured.
  • A user account management and authorization control system is applied, and these are also monitored.
  • Periodic and/or random internal audits are conducted and commissioned.
  • Log records are kept without the possibility of user intervention.
  • Existing risks and threats have been identified.
  • Protocols and procedures for the security of special category personal data have been determined and implemented.
  • If special category personal data is to be sent by e-mail, it is always sent encrypted, using a registered e-mail system (KEP) or a corporate e-mail account.
  • Secure encryption/cryptographic keys are used for special category personal data and are managed by different units.
  • Intrusion detection and prevention systems are used.
  • Cybersecurity measures have been taken and their implementation is continuously monitored.
  • Encryption is applied.
  • Special category personal data transferred via portable storage media, CDs or DVDs is transferred in encrypted form.
  • The data security of service providers acting as data processors is audited at regular intervals.
  • Awareness of data security is ensured among service providers acting as data processors.
  • Data loss prevention software is used.

6. DATA DELETION INSTRUCTIONS

We respect your right to privacy, your right to be forgotten and your right to control your personal data. You can delete your account and all associated personal data (including any data obtained via Facebook Connect) at any time using either of the following methods:

1. In-App Deletion:

  • Open the Astopia app and navigate to the Settings menu.
  • Tap on "Account Settings -> Delete Account" and follow the on-screen prompts to automatically delete your account and associated data.

2. Email Request:

  • Send an email to support@astopia.com from the email address associated with your Astopia account.
  • Use the subject line: "Account and Data Deletion Request".
  • Include your full name and the username associated with your account in the body of the email.

3. Data Subject Request:

You may also submit requests regarding the deletion of your personal data through the Data Subject Application Form Regarding The Protection Of Personal Data.

Deletion requests are evaluated in accordance with applicable data protection laws. Whether you use the in-app deletion feature or submit your request via email, your personal data (including data obtained through Facebook Login) that is not required to be retained by law or whose processing purpose has ceased to exist will be deleted, destroyed, or anonymized from our active databases and servers within a maximum of 30 days following the evaluation of your request. Any data that must be retained pursuant to applicable laws will be stored for the required retention period and will be deleted, destroyed, or anonymized upon the expiration of such period.

7. RIGHTS OF THE DATA SUBJECT, APPLICATION PROCEDURES AND PRINCIPLES

As a data subject, if you have a request relating to your rights under Article 11 of Law No. 6698, and, if you are an EU citizen, in relation to your rights under the GDPR — including withdrawing your explicit consent, obtaining information about and accessing your data, correcting, deleting or restricting the processing of your personal data under certain circumstances, data portability under certain conditions, objecting to the processing of your personal data, and similar rights — you may submit your requests to us by completing the Application Form Regarding the Protection of Personal Data available on our website, or by submitting an application that meets the minimum conditions stipulated by the Communiqué on the Procedures and Principles for Application to the Data Controller, via the methods listed below.

As the Company, we will conclude your application free of charge, as soon as possible and, in any event, within thirty days at the latest, depending on the nature of your request. However, if the transaction requires an additional cost, a fee determined by the Personal Data Protection Board will be charged by the Company. If your application to us is rejected, if the response is found insufficient, or if no response is given within the specified period, you may inform us of this; furthermore, as a data subject, you have the right to lodge a complaint with the competent data protection authority in your country within thirty days from the date you learn of our response and, in any event, within sixty days from the date you make your application in accordance with the procedure.

Application MethodApplication Address
Message sent from your e-mail address registered in our system, or via secure electronic signature or mobile signaturesupport@astopia.com
Written application submitted in person or through a notary publicAhmet Yesevi Mah. Kerem Sok. No:9 İç Kapı No:203 Pendik/İstanbul