Article 1. Purpose and Scope
The purpose of this Personal Data Protection and Data Privacy Policy ("Privacy Policy") is to determine the issues related to the processing of personal data belonging to third parties (employees, employee candidates, customers, suppliers, business partners, etc.) by Envepo Software Inc. ("Company"), to establish rights and responsibilities, to create awareness among Company employees regarding this matter, and to take necessary measures in compliance with relevant legislation, including Article 20 of the Constitution and the Law on Protection of Personal Data No. 6698 ("KVKK"). This Privacy Policy covers all kinds of information and documents that can be associated with a specific or identifiable natural person. Data belonging to legal entities is not protected under the KVKK and is outside the scope of this Privacy Policy.
Article 2. Definitions
Personal Data: Any kind of information related to an identified or identifiable natural person.
Special Categories of Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, association, foundation or union membership, health, sex life, criminal record, and security measures, as well as biometric and genetic data.
Explicit Consent: Consent based on information and freely given with the free will.
Anonymization: Making personal data unrelated to a specific or identifiable natural person by matching it with other data.
Processing of Personal Data: Any operation performed on personal data, either fully or partially automated or non-automated, as part of any data recording system, including collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, takeover, making available, classification, or preventing the use of data.
Data Subject or Owner: All individuals (Turkish citizens or foreigners) whose personal data is processed by the Company, including employees.
Data Controller: The natural or legal person responsible for determining the purposes and means of processing personal data and establishing and managing the data recording system.
Data Processor: Any natural person or legal entity processing personal data on behalf of the data controller, based on the authority granted by and on behalf of the data controller.
Article 2. Purpose of Data Processing
As the Company, the information we obtain regarding job candidates, our employees, customers, suppliers, or third parties is processed in compliance with the procedures and principles set forth in the KVKK, for purposes such as the performance of Contracts entered into and execution of our business activities, performance of operations related to vehicle rental and related processes, provision of insurance, banking, and other financial services, etc., and in order to improve service/product standards.
Article 3. Principles of Data Processing
Personal data is collected, processed, and stored by the Company in accordance with the law and integrity, and is kept securely to prevent unauthorized access, manipulation, loss, or damage. When the purpose of processing personal data no longer exists, or when the legal retention periods expire, the relevant personal data is anonymized or deleted/destroyed by appropriate methods.
The entire personal data processing process by the Company is carried out with full confidentiality. In this context, unauthorized access to personal data is prevented by the Company using technical, legal, and administrative measures. If necessary, the Company applies periodic audits for this purpose.
Personal information is kept accurate and complete by the Company and is updated when necessary.
The Company processes personal data only within the scope of the purposes notified to the data subject and in a manner consistent only with these purposes, and does not process, store, or transfer to third parties for purposes other than those specified.
When the purpose requiring processing of the data ends and it is no longer needed, the relevant personal data is deleted.
Before processing personal data, the Company informs the data subject fully and properly and obtains explicit consent if necessary, and provides the option to withdraw consent or request information at any time. In cases where explicit consent is not obtained, the Company processes personal data only if one or more of the legal processing reasons specified in Article 5/2 of the KVKK exist. According to Article 5/2 of the KVKK;
If expressly provided for in the laws, If it is directly related to the establishment or performance of a contract and is necessary for the data subjects who are parties to the contract, To fulfill the legal obligations of the data controller, as a data controller, If the data subject has publicly disclosed his/her personal data, If data processing is mandatory for the establishment, exercise, or protection of a right, In cases where data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data subject, the Company has the right to process personal data without obtaining explicit consent.
Article 4. Transfer of Personal Data and Exceptions
It may be necessary for the Company to transfer personal data to third parties, and such data transfer shall be carried out in compliance with the Personal Data Protection Law (KVKK) and this Privacy Policy. In this context:
Personal data is stored in electronic and/or physical environments to prevent unauthorized access, manipulation, loss, or damage. Necessary technical security measures are taken, and infrastructure improvements are implemented.
Personal data is processed with all necessary information security measures taken, ensuring that it is not used outside the purposes and scope communicated to the data subject. It is stored and processed during the legal retention period or, if no such period is specified, for the period required by the processing purpose. Upon expiration of this period or the cessation of the processing purpose, your personal data will be removed from the Company's data flows/storage environment by means of deletion, destruction, or anonymization methods.
In order to fulfill our obligations towards laws and relevant parties (such as Customers, Suppliers, Employees, business partners, etc.), Personal Data may be shared with the following, without being limited to:
Regulatory and supervisory authorities, public institutions, or organizations authorized to request personal data according to the laws it is subject to, Business partners, GSM companies, supplier and contractor companies, banks, credit risk and finance institutions, and other real or legal persons for the purposes stated, Consultants providing services in matters such as tax, legal/litigation, security, and without being limited to them, both domestically and abroad, business partners, third parties providing services, authorized individuals and organizations. In the event that we receive services through Cloud systems for data storage purposes, your Personal Data may be transferred abroad due to the location of the Cloud servers. In this case, your data is securely stored in the Cloud system with necessary encryption, and no unauthorized person has access to the content of the data. The transfer of personal data to third parties can only be carried out within the legitimate and lawful purposes of Personal Data processing, with the explicit consent of the data subject, or based on one or more of the personal data processing conditions specified in Article 5/2 of the KVKK and in a limited manner.
Third parties to whom personal data is transferred cannot use or process the transferred personal data for purposes other than the transfer purpose for their personal or commercial purposes. Third parties to whom personal data is transferred are obliged to comply with the instructions given by the Company and take all necessary technical and administrative measures to ensure data security. The Company conducts relevant audits, if necessary, to ensure that third parties act in compliance with this matter.
Article 5. Obligation to Inform
When obtaining personal data, our Company provides the data subjects with information about:
The identity of the data controller and, if any, its representative, The purpose of processing personal data, The persons to whom personal data may be transferred and the purposes of the transfer, The method of collecting and preserving personal data, its legal reason, and Rights of the data subject as explained in Article 11 of the KVKK. Article 6. Rights of the Data Subject According to Article 11 of the KVKK
As a data subject, you have the right to apply to our Company within the scope of Article 11 of the KVKK to:
Learn whether your personal data is processed or not, Request information regarding the processing if your personal data has been processed, Learn the purpose of processing your personal data and whether this data is used for its intended purposes, Know the third parties to whom your personal data is transferred domestically or abroad, Request the rectification of the incomplete or inaccurate data, if any, and to notify third parties to whom your personal data has been transferred, Request the deletion or destruction of personal data, Object to the occurrence of a result against you by means of analysis of the processed data exclusively through automated systems, Request compensation for the damage you have suffered due to the unlawful processing of your personal data. Article 7. Ensuring Data Security:
Our Company takes necessary technical and administrative measures, within the means available, to ensure the security of personal data to prevent unauthorized access and unlawful processing, both electronically and physically. For this purpose, electronic security measures such as masking, encryption, anonymization, and physical measures such as restricting access, locking are taken in line with current technological developments. Personal data can be accessed appropriately in both physical and electronic environments in accordance with the scope and purpose.
Our Company informs its employees that they cannot disclose the personal data they have obtained in the scope of their duties to third parties separately, cannot use it for purposes other than processing, and that this obligation will continue after their duties are terminated.
Article 8. Physical Security, Visitors, and Internet Access
If necessary, our Company may keep video recordings through cameras to ensure the physical security of the workplace. In addition, personal data may be processed for monitoring visitor entrances and exits. During visits to our Company, internet access may be provided to visitors, and in such a case, 'log' records may be kept. Access to the records obtained through the lawful and honest processing of such cameras, 'logs', and other visitor records is limited to individuals with restricted access.