This Endeksa Privacy and Member/Visitor Personal Data Protection Policy Text (“Personal Data Text”) is prepared by Endeksa Teknoloji A.Ş. (“Endeksa” veya “Company”) within the scope of the Law No. 6698 on the Protection of Personal Data (“Law”) and the Communiqué on the Procedures and Principles to be Followed in the Fulfillment of the Obligation to Clarify (“Communiqué”)", which regulates the obligations of real and legal persons who process personal data and the procedures and principles to be followed in the processing of personal data, in order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life.

Endeksa has prepared separate disclosure texts for each personal data processing activity. The texts include the legal grounds for personal data processing activities, categories of data collected and details of other processing activities. We share these texts with you below.

• Endeksa Terms of Use
• Call Centre Policy and Personal Data Text
• Cookie Policy
• Guide Synchronization Information Text

The purpose of this Personal Data Text is to enlighten/inform the Members and Visitors regarding the personal data obtained during the use of the website under the domain name www.endeksa.com owned by Endeksa and the mobile application in the virtual stores (Site and mobile application together or separately “Platform”) by the Members and Visitors. Terms used herein shall have the following meanings:

• Member(s): Persons who create a membership on the Platform and is bonded by the Platform Terms of Use Agreement;
• Visitor(s): The person who uses the Platform without any membership registration,
• Relevant Person(s): Refers to one or both of the Member or Visitor whose personal data is processed.

Personal data refers to any information relating to an identified or identifiable natural person. For this reason, provisions regarding personal data in this text will be applied if the relevant information belongs to a natural person. If the relevant information belongs to a legal person, provisions apart from provisions regarding personal data in this text shall be applied. In addition, the concept of "processing of personal data"; refers to all kinds of operations performed on personal data such as obtaining, recording, storing, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system.

Endeksa regards the confidentiality of data and takes care to be transparent about the storage of data. This text includes information on what kind of data is obtained, how this data is used, with whom this information is shared if necessary, what are the rights regarding personal data and how these rights can be exercised, and the principles adopted by Endeksa regarding confidentiality. Personal data is processed in accordance with following principles:

• Lawfulness and fairness,
• Being accurate and kept up to date where necessary,
• Being processed for specified, explicit, and legitimate purposes,
• Being relevant, limited and proportionate to the purposes for which they are processed,
• Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.

With this Personal Data Text, Endeksa aims to enlighten/inform the natural persons whose data will be processed during the acquisition of personal data in accordance with Article 10 of the Law. The scope of this disclosure obligation is as follows:

• The identity of the data controller and of its representative, if any,
• The purpose of data processing,
• To whom and for which purposes the processed personal data may be transferred,
• The method and legal basis of collection of personal data,
• The rights of data subject.

1. Data Subject, Data Categories and Data Types

The information that the Relevant Person, Members and Visitors send, share and/or provide to Endeksa in accessible form or collected automatically through the Platform while creating their membership on the Platform and/or accessing the Platform or benefiting from Endeksa services may fall within the scope of personal data. In this context, if you benefit from the services offered by Endeksa or access the Platform, we may collect information from you and various sources as specified in the table below:

• Registration/Identity Information: In order to benefit from Endeksa services, you may need to become a Member of Endeksa. To register, you must enter your username, password and e-mail address. If you want to register with third-party accounts (such as your Google or Facebook account), you should consider the section titled 'Information from third parties'.
• Financial Information: When making a payment to Endeksa, you must provide your name, address, e-mail address and mandatory details to be included in the invoice. The credit card information you provide while making a payment is not recorded in the Endeksa infrastructure; it is only used by the 3D Secure secure payment infrastructure built on the Endeksa system when performing transactions.
• Real estate data you want to be valued or analyzed: If you wish to evaluate the location, neighbourhood or other specific information of any real estate property through Endeksa and to value this real estate property; Endeksa records and processes this data you enter into the system by specifically recording the location and characteristics of each real estate property in order to provide services to you at later stages and to develop and enrich its own database.
• Usage data: Regardless of whether you are a Member or a Visitor; whenever you use Endeksa services or access the Platform, usage data is collected about you. This may include data such as when you visit the Platform, what you click, when you perform these actions, etc. It also includes data on the nature of each access, such as source IP addresses, internet service providers, files displayed on the Platform (e.g. HTML pages, graphics, etc.), operating system versions and timestamps.
• Device data: Data is collected from the devices and applications you use to access our Services, such as your IP address, operating system version, device type, system and performance information, and browser type.
• Information from third parties: If you allow third parties to share your information with us, we may collect personal information or data about you from those third parties. For example; If you use the option to register and log in to Endeksa with your Google account details, your login information is verified by Google; we only collect information about your Google account that you expressly agree to share with us by allowing your Endeksa account to be linked to your Google account.

a) Data Categories and Data Types

b) Lawful Basis

Your personal data mentioned above are processed for the purposes for which you have shared this data with Endeksa, based on the following legal reasons in accordance with the relevant legislation.

The identity, contact, financial and customer transaction personal data of our members and customer transaction data of our visitors are processed for the legal reasons that it is necessary to process your personal data and that your data has been made public by you, provided that it is directly related to our establishment of a contractual relationship or our performance obligation arising from such contract.

Your communication data is processed for the purposes of conducting online sales, direct sales, and telemarketing activities, as well as for fulfilling contractual obligations, enabling communication with you, and managing mass electronic communications.

Process security personal data is processed because the process in which we process your personal data is clearly stipulated in the laws and data processing is mandatory in order to fulfil our legal obligation.

2. For What Purposes Your Personal Data Is Processed

Personal data will be processed for the following purposes in accordance with the procedures and principles stipulated in the legislation, in line with the conditions for processing personal data stipulated in Articles 5 and 6 of the Law and the principles listed in Article 4:

3. Parties to whom Your Personal Data are Transferred and Purposes of Transfer

Endeksa takes care to process your Personal Data in accordance with the principles of "need to know" and "need to use", by ensuring the necessary data minimization and taking the necessary technical and administrative security measures. Since the nature of business partnership processes, the requirements of goods and service procurement processes, the execution or supervision of processes such as the management of supply chain management processes, and the operation of digital infrastructures necessitate continuous data flow with different stakeholders, we have to transfer the personal data we process to third parties for certain purposes.

Your collected personal data may be transferred, processed and stored on servers abroad from time to time and to the extent required by the activity, within the framework of the main purpose of carrying out our Company's operations and in accordance with the appropriate safeguards set forth under Article 9 of the Law, for the storage of such data or for the lawful purposes set out in this text. Endeksa may transfer the information of the relevant persons, including personal data, to another country and jurisdiction that does not have the same/similar data protection laws in the jurisdiction where they are located. In this context, Endeksa may share personal data with third parties such as professional consultants, accountants and auditors, companies providing information technologies and archive services, institutions with which the Company has commercial, administrative or contractual relations, banks, the Company's controlling shareholder company and its group companies in order to carry out our internal relations. In addition, the Company may share personal data with authorized institutions in case transaction security information is requested; personal data may be shared with judicial authorities in case of legal proceedings.

Endeksa does not in any way cause the personal information of users/visitors to be rented, sold or shared with others or non-affiliated companies (e.g. for direct marketing purposes). However, Endeksa may share non-personal (anonymous) aggregated information with third parties.

Your personal data may be shared with public institutions and organizations authorized to request personal data in order for Endeksa to fulfil its obligations under the law (in cases where there is an obligation to provide information such as combating crime and threats to state and public security). Endeksa may share information with third parties in order to fulfil its terms and conditions or to ensure transaction or user security, in cases where it is authorized under the Law, if it accepts that a reasonable disclosure is necessary.

In addition to these, Endeksa may share your personal data with real estate consultants in the Endeksa system to the extent necessary and within the limits required for the performance of the services you explicitly request, and may allow the relevant real estate consultants to contact you. In this context, for example, Endeksa may share the contact information of the Member who wants to sell his/her real estate and the Electronic Valuation Report of the relevant real estate with the real estate consultants registered in the Endeksa system in line with the Member's request.

Endeksa undertakes a data responsibility obligation towards the Member for the personal data processing processes for which it is the data controller, for the third parties and real estate consultants to whom it transfers personal data, limited only for the relevant transfer purpose. The data transferred party is individually responsible for the processes in which it processes personal data as the data controller.

4. Cookies

Cookies are small data files, usually consisting of letters and numbers, which are saved on your computer (or other devices such as smartphones or tablets) by the websites you visit through browsers. Cookies do not contain personal data about visitors such as name, gender or address.

Cookies are created by the servers that manage the website you visit. This way, the server can recognize when a visitor visits the same website. Cookies can be likened to identity cards that show website owners that the same visitor has visited the site again.

We attach importance to the protection of your personal data when using cookies. You can find detailed information about our obligations and notifications under the Law regarding the cookies used on the Site in our Cookie Policy.

5. Technical and Administrative Measures Taken to Ensure the Security of Personal Data

Endeksa has made it its main objective to take all necessary technical and administrative measures and to take due care to ensure the confidentiality, integrity and security of your personal data. In this context, we take necessary measures to prevent misuse of personal data, unlawful processing, unauthorized access to data, disclosure, alteration or destruction of data.

The Company takes the following technical and administrative measures to prevent unlawful access to the personal data it processes, to prevent unlawful processing of this data and to ensure the protection of personal data:

Anti-Virus: All computers and servers in the Company's information technology infrastructure have periodically updated anti-virus applications installed.

Firewall: The data centres hosting the Company's servers are protected by firewalls with periodically updated software. Internet connections are controlled through the relevant protection system and protection is provided against viruses and similar threats.

VPN: Server systems are connected with IP-SEC VPN; traffic between two points is transmitted in an encrypted manner.

User Definitions and Need to Know: The authorizations of the Company and its employees to the Company systems are limited only to the extent required by their job descriptions. In case of any change in authorization and duties, system authorizations are updated immediately.

Information security threat and incident management: It is aimed to respond immediately to incidents occurring on company servers and firewalls with the principle of "Information Security Threat and Incident Management". In this way, it is aimed to provide the opportunity to respond to the threat immediately when a security threat occurs.

Encryption: Sensitive data are stored using cryptographic methods, transferred through media encrypted with cryptographic methods when necessary, and cryptographic keys are kept in secure and different environments.

Logging: The transaction records of all movements performed in the systems are securely logged.

Penetration Testing: Periodically, penetration tests are performed on servers, computers and a sample application in the Company system. It is aimed to close the security gaps that occur as a result of this test.

SSL: All areas on the website where personal data is received are protected by SSL.

Clean Desk Principle: In accordance with the internal rules of the company, employees are obliged to comply with the clean desk principle. It is aimed to keep personal data in paper media in locked cabinets and to be accessed only by authorized persons.

Training: Endeksa prioritizes raising awareness of its employees against various information security breaches and minimizing the impact of the human factor in information breach incidents.

Backup: Endeksa periodically backs up the data it stores. As a backup mechanism, provided that it complies with the relevant legislation and the provisions of this Policy, it uses the backup facilities provided by cloud infrastructure providers as well as self-developed backup solutions when deemed necessary.

In the event that personal data is damaged as a result of attacks on the platforms operated by Endeksa or the Endeksa system or in the hands of unauthorised third parties despite Endeksa taking the necessary information security measures, Endeksa notifies you and the competent authorities of this situation within the periods stipulated in the relevant legislation and takes the necessary measures.

6. Conditions for Retention of Personal Data and Deletion, Destruction and Anonymization of Personal Data

Endeksa retains the personal data it processes in accordance with the Law for the periods stipulated in the relevant legislation or required by the purpose of processing.

The Company retains the personal data that it collects and processes through channels such as physical, electronic, website, e-mail within the scope of business processes for the periods stipulated by the relevant laws and/or for the periods required by the purpose of processing in accordance with Articles 7, 17 of the Law and Article 138 of the Turkish Penal Code. In the event that these periods expire, it will delete, destroy or anonymise the relevant personal data in accordance with the provisions of the Regulation on Deletion, Destruction or Anonymization of Personal Data and the Guide on Deletion, Destruction or Anonymization of Personal Data.

7. Your Rights as a Data Subject

Pursuant to Article 11 of the Law, the data subject has the right to request the following by applying to the data controller:

1. to learn whether personal data is processed or not,
2. to request information on whether his/her personal data has been processed,
3. to learn the purpose of the processing of the personal data and whether this information is used within the intended purposes,
4. to know the third parties to whom the personal data is transferred in domestic or abroad
5. to request the rectification of the incomplete or inaccurate processed personal data, if any,
6. to request the erasure or destruction of the personal data under the conditions stipulated in Article 7 of the Personal Data Protection Law,
7. to request notifying third parties to whom the personal data has been transferred, the transactions made pursuant to subparagraphs (d) and (e),
8. to object to the processing, exclusively by automatic systems, of the personal data, which leads to an unfavorable consequence for the person
9. to request compensation for the damage arising from the unlawful processing of personal data.

As data subjects, in order to express your requests regarding your rights and to exercise your rights on your personal data; The Company's official e-mail address [email protected] or the Company's Ankara Technology Development Zone 1606. Door No:4 Cyberpark Cyberplaza A Blok 4th Floor No: A407 Bilkent Çankaya/Ankara Turkiye address; you can carry out the necessary changes, updates and/or deletions and related requests by submitting the necessary changes, updates and/or deletions and related requests in a manner that meets the minimum application requirements in the Communiqué on Application Procedures and Principles to the Data Controller.

In the application containing your explanations regarding the right you have as Relevant Persons and that you will make in order to exercise your rights mentioned above and that you request to exercise; the matter you request must be clear and understandable, the subject you request must be related to you personally or if you are acting on behalf of someone else, you must be specifically authorised in this regard and your authorisation must be documented, and the application must meet the minimum application requirements in the Communiqué on Application Procedures and Principles to the Data Controller.

If you submit your requests to us with the specified methods, Endeksa shall conclude the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request. However, if the transaction requires an additional cost, Endeksa will charge the fee in the tariff determined by the Personal Data Protection Board.