Privacy Policy and Protection of Personal Data

Privacy and Personal Data Protection Policy

Protecting personal data is an important issue for MTA MEDIA TOURISM INFORMATICS IND. and TRADE INC. As the data controller, Shopexi adopts the principles prescribed by the Personal Data Protection Law No. 6698 (“PDPL”) to ensure compliance, fulfilling obligations regarding the processing, deletion, destruction, anonymization, transfer of personal data, enlightening the related person, and ensuring data security. In this context, the Privacy and Personal Data Protection Policy, organized by Shopexi, is made available to the access of real persons (“Related Person”) whose data is processed through personal data processing activities conducted via the internet site owned by Shopexi at [www.shopexi.com].

Scope and Purpose of the Privacy and Personal Data Protection Policy

This Privacy and Personal Data Protection Policy;

• a. Describes the methods and legal reasons for collecting personal data,
• b. Identifies which groups of people's personal data are processed (Data Subject Group Categorization),
• c. Specifies which categories of personal data are processed for these groups (Data Categories) and examples of data types,
• d. Explains in which business processes and for what purposes these personal data are used,
• e. Outlines the technical and administrative measures taken to ensure the security of personal data,
• f. Details to whom and for what purposes personal data can be transferred,
• g. Provides information on the retention periods of personal data,
• h. Explains the rights of the Related Persons over their personal data and how they can exercise these rights.

a. Methods and Legal Reasons for Collecting Personal Data

Shopexi collects personal data through audio, electronic, or written means via various communication channels, in accordance with the personal data processing conditions stated in the PDPL and for the legal reasons outlined in this Privacy/Personal Data Protection Policy.

b. Data Subject Group Categorization

Shopexi categorizes the groups of people whose personal data are processed in its personal data processing activities and related activities as follows. Moreover, personal data of the detailed groups below can be processed in accordance with the conditions stated in Articles 5 and 6 of the PDPL and for the legal reasons specified in this Privacy/Personal Data Protection Policy.

c. Data Owner Categories and Example Data Types

Member Business Representative, Employee, Shareholders

• Identity Information: Name, surname, national identity number
• Contact Information: mobile phone, email address, address, postal code, landline phone
• Financial Information: Tax office, invoice details
• Risk Management Information: IP address
• Transaction Security Information: Password, password information
• Legal Process and Compliance Information: The start and end time of the service provided, the type of service utilized, the amount of data transferred (traffic data), signature circulars

d. How Personal Data is Used in Which Business Processes and for What Purposes

Member Business Representative, Employee, Shareholders

• Conducting mailing for announcement purposes, 
• Executing training processes,
• Legal processes and compliance,
• Responding to information requests from administrative and judicial authorities,
• Ensuring information and transaction security and preventing malicious use,
• Making necessary adjustments to ensure the processed data is up-to-date and accurate,
• Fulfilling legal obligations,
• Solving questions of the Member Business,
• Inviting to training and events,
• Informing about changes/innovations in the platform infrastructure,
• Messaging related to questions and requests on the platform

e. Technical and Administrative Measures Taken to Ensure the Security of Personal Data

Shopexi commits to taking all necessary technical and administrative measures and showing the required diligence to ensure the confidentiality, integrity, and security of your personal data.

Shopexi takes necessary measures to prevent unauthorized access to personal data, misuse, unlawful processing, disclosure, alteration, or destruction of personal data. Shopexi uses generally accepted security technology standards such as firewalls and Secure Socket Layer (SSL) encryption when processing personal data. In addition, when sending your personal data to Shopexi via its website, mobile application, and mobile site, these data are transferred using SSL.

To prevent unlawful access to processed personal data, prevent unlawful processing of these data, and ensure the preservation of personal data, Shopexi:

• Protects all areas of the website or mobile application where personal data is collected with SSL,
• Creates and implements access authority and control matrices for its employees to prevent unlawful processing of personal data collected from the website or mobile application,
• Conducts periodic penetration tests and tests the system's resistance to unauthorized access,
• Uses the Pseudonymization method for all secondary data processing activities beyond the primary processing purpose. It uses encryption methods in the systems where pseudonymous data is located to ensure the impossibility of identifying the related person and applies a stricter access authority and control policy to these data,
• Ensures that personal data in paper format are kept in locked cabinets and accessed only by authorized persons.

Despite taking necessary information security measures by Shopexi, if personal data are damaged due to attacks on the platforms operated by Shopexi or its system or fall into the hands of unauthorized third parties, Shopexi will immediately notify you and the Personal Data Protection Board and take necessary measures.

f. To Whom and for What Purpose Personal Data Can Be Transferred

Shopexi transfers personal data only in accordance with the purposes stated in this Privacy and Personal Data Protection Policy and in compliance with Articles 8 and 9 of the PDPL to third parties.

g. Retention Periods of Personal Data

Shopexi retains the personal data processed for the periods prescribed by relevant legislation or required by the processing purpose in compliance with the PDPL. The retention periods in our Personal Data Retention and Destruction Policy are approximately as follows:

h. Rights of the Related Persons over Their Personal Data and How They Can Exercise These Rights

The rights of the Related Person over their personal data processed by Shopexi, pursuant to Article 11 of the PDPL, are listed below:

• To learn whether personal data are processed,
• If personal data have been processed, to request information about this,
• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
• To know the third parties in the country or abroad to whom personal data have been transferred,
• To request the correction of personal data if processed incompletely or inaccurately,
• To request the deletion or destruction of personal data within the framework of the conditions set forth in Article 7 of the PDPL,
• To request notification of the actions carried out in compliance with subparagraphs (d) and (e) to the third parties to whom personal data have been transferred,
• To object to any result that is to their detriment through the analysis of processed data exclusively by automated systems,
• To request compensation for the damages in case of loss due to unlawful processing of personal data.

To exercise your rights over your personal data; you can submit your application by the methods specified in the “Application Form” regulated pursuant to Article 13 of the PDPL on the Shopexi website and exercise your rights.

2. Conditions for the Deletion, Destruction, and Anonymization of Personal Data

Shopexi retains the personal data processed through its website, mobile application, or mobile site for the periods and/or the duration required by the processing purpose as prescribed by Article 7, 17 of the PDPL and Article 138 of the Turkish Penal Code. Upon expiry of these periods, personal data will be deleted, destroyed, or anonymized in accordance with the provisions of the "Regulation on the Deletion, Destruction, or Anonymization of Personal Data".

Deletion of personal data by Shopexi refers to the process of making personal data completely inaccessible and unusable for the relevant users. For this, Shopexi creates and implements a user-level access authority and control matrix. Necessary measures are taken for the deletion process to be carried out in the database.

Destruction of personal data by Shopexi refers to the process of making personal data inaccessible, unrecoverable, and unusable by anyone in any way.

Anonymization of personal data by Shopexi refers to rendering personal data in such a way that it cannot be associated with an identified or identifiable natural person even if matched with other data.

Shopexi explains in detail the methods and the technical and administrative measures taken for deletion, destruction, and anonymization within the scope of the Personal Data Retention and Destruction Policy prepared in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data. This Policy also determines the periodic destruction interval prescribed by the Regulation as 6 months.

3. Changes to the Privacy/Personal Data Protection Policy

Shopexi can make changes to this Privacy/Personal Data Protection Policy at any time. These changes become effective immediately upon the publication of the revised Privacy/Personal Data Protection Policy. Necessary notifications will be made to keep you informed of changes to this Privacy/Personal Data Protection Policy.