CUSTOMER INFORMATION NOTICE REGARDING THE PROTECTION OF PERSONAL DATA

Data Controller:
Neslihan Biri Adi Komandit Şirketi
Address:
Meşrutiyet Mah. Kodaman Sk. No: 41 İç Kapı No: 5 Şişli/İstanbul
MERSIS No:
35488746386
This notice has been prepared and published by Neslihan Biri Adi Komandit Şirketi to inform our customers about the procedures and principles that will be followed in the protection of their personal data, in accordance with Law No. 6698 on the Protection of Personal Data (hereinafter referred to as "KVKK") and the Communiqué on the Principles and Procedures to be Followed in the Fulfillment of the Obligation to Inform (hereinafter referred to as the "Communiqué").
Article 10 of KVKK:
When personal data is obtained, the data controller or an authorized person must provide information on:

• The identity of the data controller or their representative (if any),

• The purpose of processing personal data,

• To whom and for what purpose the processed personal data can be transferred,

• The method and legal reason for collecting personal data,

• The rights listed in Article 11 of KVKK.

Key Definitions in the Law
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation carried out on personal data, whether fully or partially automatic or manually, including obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of data.
Data Controller: A natural or legal person responsible for determining the purposes and means of processing personal data and for establishing and managing the data recording system.
In the context of this document, Neslihan Biri Adi Komandit Şirketi is the data controller.
Data Recording System (VERBIS): A system in which personal data is processed based on specific criteria.
Explicit Consent: Freely given, specific, and informed consent concerning a particular matter.
The Board: Refers to the Personal Data Protection Board.
Personal Data Related to Customers
Personal data belonging to customers may be processed according to the conditions and purposes stated in this notice. The personal data processed include:
a. Identity Data: Name, surname, parent names, birth date, Turkish ID number, gender, marital status, ID card serial number, nationality, passport information, job title, and position.
b. Contact Data: Phone number, email address, physical address, company internal communication details (corporate email, office phone number).
c. Financial Data: Bank IBAN, payment details, debt information.
d. Visual and Audio Data: Photographs, camera recordings of individuals.
e. Other Data: Invoice, promissory note, and check details; order information; purchase history; credit card information; voice recordings; IP address; website access logs; handwritten notes and signatures; tax office information (for sole proprietorships); complaint and request records.
Purpose of Processing Personal Data
In compliance with Article 10 of KVKK and Article 5 of the Communiqué, customer personal data may be processed for the following purposes, in accordance with the lawful processing principles outlined in KVKK Article 4:

• Fulfilling obligations under sales contracts,

• Ensuring the legal and commercial security of individuals in a relationship with our organization,

• Providing updates on changes to sales conditions,

• Handling customer complaints and requests and processing data access or correction requests,

• Preparing all records and documents necessary for transactions, whether in electronic or physical format,

• Managing contract processes under the Code of Obligations, Commercial Code, and other regulations,

• Carrying out online and phone-based sales operations,

• Fulfilling legal obligations and exercising rights under current laws,

• Sharing information with authorized persons, institutions, and organizations,

• Managing emergency situations,

• Carrying out communication activities,

• Managing accounting and financial operations,

• Organizing events and activities,

• Ensuring information security,

• Conducting storage and archiving operations,

• Ensuring physical security.

Method and Legal Basis of Data Collection
Personal data is collected directly from individuals, third parties, and public authorities during the establishment of a legal relationship. The data may be collected via contracts, emails, phone calls, websites, and verbal, written, or electronic communications with the company.
In accordance with Article 5 of KVKK, personal data cannot be processed without explicit consent. However, the law lists exceptions where explicit consent is not required, including:

• If there is a clear legal provision,

• If processing is necessary for the performance or establishment of a contract,

• If processing is required for the company to fulfill its legal obligations,

• If the data has been publicly disclosed by the individual,

• If processing is necessary for the establishment, exercise, or protection of a right,

• If processing is necessary for the legitimate interests of the data controller, provided the individual’s fundamental rights and freedoms are not harmed.

Data Transfers and Recipients
Personal data may be transferred to achieve the purposes outlined in this document, in compliance with the conditions for data transfer specified in Articles 8 and 9 of KVKK. Data may be shared with:

• Suppliers, shareholders, authorized dealers,

• Private entities providing services (such as auditing, event management, legal services),

• Independent auditing firms, financial institutions, and direct or indirect subsidiaries,

• Domestic and international business partners and IT service providers (cloud computing, hosting, etc.),

• Legally authorized public institutions.

Customer data shared includes: customer ID, title, address, contact number, email, and identification information.
Retention Period for Personal Data
In compliance with KVKK, personal data will be retained as long as the purpose for processing remains valid. When the processing purpose no longer exists or when the statutory retention period has expired, the data will be deleted, destroyed, or anonymized according to the Data Retention and Destruction Policy.
Rights of the Data Subject
The data subject has the following rights:

• To learn whether their personal data has been processed,

• To request information if their personal data has been processed,

• To learn the purpose of data processing and whether it is used in accordance with this purpose,

• To know the third parties to whom personal data has been transferred domestically or abroad,

• To request correction of inaccurate or incomplete personal data,

• To request the deletion or destruction of personal data when the reasons for processing no longer apply,

• To request notification of corrections or deletions to third parties to whom the data has been transferred,

• To object to negative consequences resulting from automated processing,

• To claim compensation for damages arising from unlawful processing.

Exceptions to the Right of Application
Under Article 28/2 of KVKK, data subjects cannot exercise their rights (except the right to claim damages) in the following cases:

• If the processing of personal data is necessary for the prevention of crime or investigation of criminal activity,

• If the data subject has disclosed their personal data to the public.

Application Method and Form
Data subjects may submit their requests to the data controller in accordance with the Communiqué on the Principles and Procedures for Applications to the Data Controller. Requests may also be sent to the company’s email address info@neslihanbiri.com. The responsible person will assess the request and provide a response as soon as possible.