Visitor Information Notice Regarding The Protection Of Personal Data

VISITOR INFORMATION NOTICE REGARDING THE PROTECTION OF PERSONAL DATA

PURPOSE OF THE INFORMATION NOTICE

As ROOF STACKS YAZILIM A.Ş. ("Company"), we are the "data controller" within the scope of Law No. 6698 on the Protection of Personal Data ("KVKK"). When you visit our Company through our website, we hereby present you the Information Notice prepared pursuant to Article 10 titled "Obligation to Inform the Data Controller" of the Law No. 6698 on the Protection of Personal Data (KVKK) for your attention.

METHODS OF PERSONAL DATA COLLECTION AND TYPES OF PERSONAL DATA

Your personal data is collected by the Company automatically or non-automatically, verbally, in writing, and/or electronically through the following methods and third parties contracted by the Company, in connection with the transactions you make with the Company:

Through all your visits to the Company's website and/or mobile application, including memberships, chat, and/or messaging contents,
Through requests and complaints communicated verbally to the Call Center or in writing to the Customer Service email address,
Through the Company's social media channels,
Through third parties that the Company has business relations and contracts with concerning its customers.

The categories of data collected from visitors are as follows:

Category of Personal Data	Types of Personal Data
Transaction Security Information	IP Address, website login and logout information
Request and Complaint Management Information	Personal data subject requests made under the scope of the Personal Data Protection Law (KVKK)

PURPOSES AND LEGAL GROUNDS FOR PROCESSING YOUR PERSONAL DATA

The personal data collected may be processed within the scope of the processing purposes stated below and the personal data processing conditions (legal grounds) specified in Article 5 of the Law.

Categories of Personal Data	Purposes of Personal Data Processing	Legal Grounds
Customer Transaction Information	Management of complaint, objection, and request processes Management of efficiency processes Management of customer relationships	Processing of personal data of the parties to the contract is necessary for the establishment or performance of a contract in accordance with the Terms of Use.

PARTIES AND ENTITIES TO WHOM PERSONAL DATA MAY BE TRANSFERRED AND PURPOSES OF TRANSFER

Your personal data may be transferred in accordance with the data processing conditions set out in Article 5 of the Law and the rules regarding the transfer of personal data specified in Articles 8 and 9 of the Law. We would like to emphasize that we have taken all necessary measures to ensure that your data is processed, transferred, and protected as explained in this clarification text during any international transfers.

Your personal data may be shared with program partner institutions and organizations we cooperate with to carry out our activities; third parties acting as service providers and/or intermediary service providers; our business partners providing special integrator services; independent auditors; domestic and international persons and institutions from whom we receive cloud storage services; domestic and international organizations we have agreements with for sending commercial electronic messages to our customers; our financial advisors; the Interbank Card Center; contracted banks; payment service providers; various domestic and international agencies, advertising companies, and survey companies involved in marketing activities to provide better service and customer satisfaction; other domestic and international third parties and relevant business partners; our shareholders and affiliates; third parties from whom we receive services under contractual relationships; our lawyers and consultants; and legally authorized public institutions and private legal entities.

Transferred Parties/Entities	Purposes of Data Transfer
Business Partners	Provision and promotion of products and services Ensuring transaction and information security during your operations
Suppliers and Service Providers	Monitoring and management of general litigation processes Provision of products and services
Legally Authorized Institutions and Organizations	Establishment, use, or protection of a right or conducting alternative dispute resolution processes Fulfillment of obligations arising from legislation

Transferred Parties/Entities

Purposes of Data Transfer

Business Partners

Provision and promotion of products and services

Ensuring transaction and information security during your operations

Suppliers and Service Providers

Monitoring and management of general litigation processes

Provision of products and services

Legally Authorized Institutions and Organizations

Establishment, use, or protection of a right or conducting alternative dispute resolution processes

Fulfillment of obligations arising from legislation

RETENTION PERIOD OF PERSONAL DATA

In accordance with the provisions of the KVKK (Personal Data Protection Law), your personal data processed for the purposes stated in this "Personal Data Processing Clarification Text" will be deleted, destroyed, or anonymized by us when the purpose requiring processing pursuant to Article 7/f.1 of the KVKK ceases to exist and/or when the statute of limitations periods, which legally require us to process your data, expire, taking into account the Personal Data Retention and Destruction Policy.

MEASURES TAKEN FOR YOUR DATA SECURITY AND ADOPTED PRINCIPLES

A. Security Measures

We support all kinds of confidentiality and security solutions to prevent unlawful processing of your personal data, unlawful access to your personal data, and to ensure the protection of personal data. All necessary administrative and technical measures to implement these data protection solutions are carried out with great sensitivity by our Company.

B. Administrative Measures

In addition to taking these measures within the Company, we ensure your data security by signing confidentiality agreements and commitments with our suppliers and business partners with whom we lawfully share your personal data, ensuring that our stakeholders also show sufficient sensitivity regarding your personal data.

Alongside these trainings, audits, and precautions, intervention plans have been established in the event of any breach of your personal data, and as a Company, preparations have been made to work together with the Board to address and resolve such breaches.

C. Technical Measures

We give special importance to information technologies and data security to protect the personal data of the wide customer base we serve. Therefore, our Company prioritizes employing experienced and certified personnel in this field.

Moreover, an IT infrastructure equipped with security measures compliant with international standards has been established to ensure data security and prevent unlawful access to your data. This system, built upon the infrastructure, is continuously audited internally to ensure its smooth operation.

Our IT infrastructure, where your data is processed and stored, adheres to the technical measures prescribed by the Personal Data Protection Authority, including encryption, authorization matrix, application and network security, data masking, firewalls, backup, key management, and up-to-date antivirus systems.

Furthermore, attack detection and prevention systems have been established to prevent attacks on our IT infrastructure, and regular risk analysis, data classification, vulnerability scanning, and penetration tests are conducted to control the system's security. To perform all these operations, as part of our commitment to the importance of your personal data, software programs and support compliant with international standards are also procured.

YOUR RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA:

We hereby inform you that, pursuant to Article 11 of the Law, you have the following rights concerning your personal data:

To learn whether your personal data is processed and to request information if it has been processed,
To know the third parties to whom your personal data is transferred domestically or abroad,
To request correction of your personal data if it has been processed incompletely or inaccurately, and to request deletion or destruction of your personal data,
To request notification of the third parties to whom your personal data has been transferred about the correction and/or deletion or destruction of your personal data if it has been processed incompletely or inaccurately,
To object to the emergence of a result against you by means of analysis exclusively through automated systems based on the processed data,
To demand compensation for damages in case you suffer damage due to unlawful processing of personal data.

You can submit your requests within the scope of Article 11 of the Law regulating the rights of the data subject, in accordance with the "Communiqué on the Procedures and Principles of Application to the Data Controller", by reviewing the "Information on the Application Form within the Scope of KVKK" text on our website and filling out the relevant form, only by using our Registered Electronic Mail address. You can make your applications via [email protected], which is the Registered Electronic Mail address of our company.

Your application will be reviewed and answered within thirty days from the date of receipt, pursuant to the provisions of the KVKK and the Communiqué. The response will be sent to you either in written or electronic form. As a rule, our Company does not charge any fees for the applications made; however, if the process requires additional costs, fees determined by the Board may be charged.

Update date: 22/07/2025