The Law No. 6698 on the Protection of Personal Data will be referred to as the "Law". TUBA ÜNSAL fulfills its obligations arising from the Law regarding the processing, deletion, destruction, anonymization, transfer of personal data, informing the data subject, and ensuring data security, within the scope of the principles stipulated in the Law.

This Privacy and Personal Data Protection Policy, which has been prepared in accordance with the law, is made available to natural persons whose personal data is processed (“data subject”).

1. Scope and Purpose of the Privacy and Personal Data Protection Policy

This Privacy and Personal Data Protection Policy applies to TUBA ÜNSAL;

• Methods and legal grounds for collecting personal data,
• Which groups of people's personal data are being processed (Data Subject Categorization),
• The categories of personal data of data subjects that are processed (Data Categories) and examples of data types,
• For what purposes the relevant personal data is used,
• Technical and administrative measures taken to ensure the security of personal data,
• To whom and for what purposes personal data may be transferred,
• Sharing personal data with public institutions and organizations and official authorities,
• Personal data retention periods,
• Profiling and segmentation,
• What rights data owners have regarding their personal data and how they can exercise these rights.

It specifies this in detail.

a. Methods and Legal Grounds for Collecting Personal Data

TUBA ÜNSAL collects personal data audibly, electronically, or in writing through call centers, websites, social media accounts, e-mail, postal services, CCTV, cookies, notifications from administrative and judicial authorities, and other communication channels, in accordance with the personal data processing conditions specified in the Personal Data Protection Law and in line with the legal grounds stated in this Privacy and Personal Data Protection Policy.

b. Data Subject Categorization

TUBA ÜNSAL groups the data subjects whose personal data it processes as follows, and these groups may be expanded in light of the processes and legal reasons stated in this policy:
i. Customer
ii. Online Customer
iii. Visitor
iv. Online Visitors
v. Business Solution Partner / Supplier

c. Data Categories and Example Data Types

No	Data Subject	Data Category	Data Types
1	Customer	Identity Information	Full Name, Gender, Turkish Republic Identity Number, Turkish Republic Identity Information (Wallet serial number, family sequence number, etc.), Date of Birth, Place of Birth, Marital Status, Passport Number
		Contact Information	Address (home/work), Email, Phone/Mobile Phone
		Financial Information	Bank Account Information, Financial Transaction Information, IBAN Number, Payment Information
		Customer Information	Customer Number, Customer Business Relationship Start/End Date and Reason, Customer Requests, Customer Satisfaction Information, Product-Related Complaint and Request Information
		Personal and Professional Information	Retirement Information, Insurance Information, Educational Status, Graduation Information, Affiliation Organization
		Legal Procedures and Compliance Information	Official Records (Police, etc.), Power of Attorney
		Special Category Personal Data	Diopter Information, Hospital Reports
		Transaction Security Information	Call Center Records, Credit Card Number, Credit Card Expiration Date
		Family Members and Close Relatives Information	Full Name, Relationship, Occupation, School, Date of Birth, Mobile Phone Number
		Other	Call Center Recordings, CCTV

 

d. Purposes for Which Personal Data is Used

Personal data is used by TUBA ÜNSAL for the following purposes:

• Conducting commercial activities, planning and managing business processes.
• Logistics, operations, corporate communications, supply chain management.
• Information security, accounting and finance process management.
• Customer relations and after-sales support
• Operational activities in compliance with legal regulations

e. Technical and Administrative Measures Taken to Ensure the Security of Personal Data

• Using antivirus, firewall, VPN, and SSL.
• User authorizations and the "Need to Know" principle.
• Information Security Threat and Incident Management
• Penetration testing, BYGS meetings, and audits in accordance with Cobit standards.
• Fishing email sniffing and user awareness through the Training Portal.
• Clean Table & Clean Desk principle and paper-based locked storage.
• SSL and pseudonymization application on websites

f. To Whom and for What Purpose Personal Data May Be Transferred

Personal data may only be transferred to third parties and shareholders abroad in accordance with Articles 8 and 9 of the Law. Transfers are made through secure environments and channels, and pseudonymous data is used where possible.

g. Sharing Personal Data with Public Institutions and Organizations and Official Authorities

• Sharing data with SGK (Social Security Institution), Ministry of Health, Ministry of Finance, prosecutor's office, courts and notaries.
• E-commerce platforms sharing traffic data and log records with official institutions.

h. Retention Periods of Personal Data

Personal data will be stored for the periods stipulated in the relevant legislation or required by the purpose of processing. Storage and destruction periods will be recorded in the VERBİS system.

i. Profiling and Segmentation

For customers and online clients, content and campaign planning is done according to likes and preferences within the scope of commercial electronic communication consent. Each transaction is carried out through unique customer numbers.

j. Data Subjects' Rights

According to Article 11 of the Personal Data Protection Law, data owners;

1. To find out whether your personal data is being processed.
2. Request information if it has been processed.
3. Learning about the purpose of processing and its appropriate use.
4. Knowing the third parties to whom it is transferred
5. Requesting correction of missing or incorrect data.
6. Requesting its deletion or destruction
7. Requesting that transactions be disclosed to third parties.
8. Objection to unfavorable outcomes caused by automated systems.
9. Claiming compensation for damages caused by an unlawful act.

To exercise your rights:

• Website "Contact Form"
• Phone: +90 ( )
• Email: info@tobehouse.com

2. Deletion, Destruction and Anonymization of Personal Data

Data is stored for the periods determined in accordance with Articles 7 and 17 of the Law and Article 138 of the Turkish Penal Code. Upon expiration of this period, it is deleted, destroyed, or anonymized. The periodic destruction interval is set at 6 months.

3. Policy Changes

TUBA ÜNSAL may make changes to this policy. The new version will become effective upon publication, and you will be notified accordingly.