Address: Burhaniye Mah. Bahçeler Sok. No: 8/2 Istanbul, Türkiye

Personal Data Processing Information Notice (KVKK)

As FELTOUCH YAPI TASARIM SANAYİ TİCARET ANONİM ŞİRKETİ (“Company”), within the scope of our activities arising from the Law No. 6698 on the Protection of Personal Data (“KVKK”) and other applicable legislation, we have prepared this Information Notice to inform:

• Our employees
• Our job applicants
• Our interns
• Authorized persons of our suppliers
• Potential purchasers of products/services and authorized persons of legal entities
• Purchasers of products/services and authorized persons of legal entities
• Our online visitors

Which Personal Data Are Collected and For What Purposes?

Employees

Detailed information regarding personal data processed about employees has been provided to our employees in writing against signature. If you are a former employee of the Company, you may obtain information about your processed personal data upon your request.

Job Applicants

Identity Information

Processed Data: Name–surname, Turkish ID number / foreign ID number, date of birth, signature.

Purposes: Conducting applicant selection and placement processes; managing application processes; ensuring compliance with legislation; planning HR processes; conducting communication activities.

Contact Information

Processed Data: Email address, residence address, mobile phone number.

Purposes: Conducting applicant selection and placement processes; managing application processes; ensuring compliance with legislation; planning HR processes; conducting communication activities.

Personnel / HR Information

Processed Data: Work history and details, education status, CV/resume, reference information.

Purposes: Conducting applicant selection and placement processes; managing application processes; ensuring compliance with legislation; planning HR processes; conducting communication activities.

Professional Experience Information

Processed Data: Foreign language skills, internship, course, seminar information, certificate information.

Purposes: Conducting applicant selection and placement processes; managing application processes; ensuring compliance with legislation; planning HR processes; conducting communication activities.

Reference Information

Processed Data: Name–surname, phone number, department, title.

Purposes: Managing application processes; planning HR processes; carrying out HR activities for the applied position and potential future positions.

Interns

Identity Information

Processed Data: Name–surname, Turkish ID number, photo, signature, copy of ID card, gender, date of birth,
criminal record, phone number of a relative (emergency contact).

Purposes: Conducting intern selection and placement; fulfilling obligations arising from employment contract and legislation for employees; conducting training activities; ensuring compliance; planning HR processes; conducting/auditing business activities; conducting contract processes; providing information to authorized persons/institutions; conducting occupational health & safety activities.

Contact Information

Processed Data: Phone number, email address.

Purposes: Conducting intern selection and placement; training activities; compliance; communication activities; conducting/auditing business activities; providing information to authorized persons/institutions.

Personnel / HR Information

Processed Data: Internship details, student certificate, mandatory internship certificate (internship initiation form), school information, education status, address information, criminal record, phone number of a relative.

Purposes: Conducting intern selection and placement; providing information to authorized persons/institutions; planning HR processes; conducting/auditing business activities; conducting occupational health & safety; talent/career development; retention and archiving; compliance.

Financial Information

Processed Data: Bank name, account number, branch number, IBAN.

Legal Transaction Information

Processed Data: Correspondence with administrative authorities.

Purposes: Providing information to authorized persons/institutions; retention/archiving; follow-up and execution of legal affairs.

IT / Transaction Security Records

Processed Data: Internal IP address, target IP/domain records, electronic access/activity logs, other traffic data
(e.g., connection time/duration, communication amount, etc.).

Purposes: Conducting information security processes; audit/ethics activities; managing access authorizations; compliance; conducting/auditing business activities; retention/archiving; providing information to authorized persons/institutions.

Supplier Authorized Persons

Identity Information

Processed Data: Name–surname, Turkish ID number, tax ID number, signature circular, signature.

Purposes: Compliance; finance/accounting; loyalty processes; conducting/auditing business activities; business continuity; procurement; operations; event management; retention/archiving; contract processes; supply chain management; marketing; providing information to authorized persons/institutions.

Contact Information

Processed Data: Email address, mobile phone number, fax number, workplace name/title, workplace address.

Purposes: Compliance; finance/accounting; loyalty processes; conducting/auditing business activities; business continuity; procurement; operations; event management; retention/archiving; contract processes; supply chain management; marketing; providing information to authorized persons/institutions.

Financial Information

Processed Data: Bank name/branch, account number, IBAN.

Purposes: Finance/accounting; procurement; investment processes; contract processes; compliance; providing information to authorized persons/institutions; conducting/auditing business activities.

Potential Purchasers (Authorized Persons of Companies)

Identity & Contact Information

Processed Data: Name–surname, email, phone number, workplace address, other phone/fax, mobile phone number.

Purposes: Marketing of products/services; advertising/campaign/promotion; communication; conducting/auditing business activities; customer relationship management; organization and event management; marketing analysis; sponsorship activities.

Visual & Audio Records

Processed Data: Photo and video recordings.

Purposes: Training activities; sales processes; marketing processes; organization/event management; conducting/auditing business activities; CRM; sponsorship; providing information to authorized persons/institutions.

Purchasers (Authorized Persons of Companies)

Identity Information

Processed Data: Name–surname, Turkish ID number/foreign ID number, signature circular.

Purposes: Compliance; finance/accounting; loyalty processes; conducting/auditing business activities; logistics; after-sales support; sales processes; marketing analysis; contract processes; providing information to authorized persons/institutions; event management; legal affairs; request/complaint handling; customer satisfaction activities.

Contact Information

Processed Data: Email address, residence/postal address, mobile phone number.

Purposes: Loyalty processes; after-sales support; sales processes; marketing analysis; contract processes; providing information to authorized persons/institutions; event management; legal affairs; advertising/campaign/promotion.

Financial Information

Processed Data: Bank name/branch, account number, IBAN, order information, contract, negotiable instruments information.

Purposes: Finance/accounting; procurement; investment processes; contract processes; compliance; providing information to authorized persons/institutions; conducting/auditing business activities; follow-up and execution of legal affairs.

Legal Transaction Information

Processed Data: Information in notices/warnings and case files.

Purposes: Execution of legal affairs; providing information to authorized persons/institutions.

Visual & Audio Records

Processed Data: Photo and video recordings.

Purposes: Training activities; customer satisfaction activities; marketing processes; organization/event management; conducting/auditing business activities; CRM; sponsorship; providing information to authorized persons/institutions.

Online Visitors

Identity Information: Name–surname

Contact Information: Email address

Transaction Security Information: IP address and other traffic data (e.g., connection time/duration, etc.)

Purposes: Conducting information security processes; compliance; communication; retention/archiving; request/complaint handling; ensuring the security of data controller operations; providing information to authorized persons/institutions.

If the personal data processing activity conducted for the purposes listed above does not meet any of the legal bases set forth under KVKK (other than explicit consent), the Company obtains your explicit consent for the relevant processing activity.

How Are Your Personal Data Collected?

Your personal data are collected through application forms, employment contracts, other contracts, resumes, IT systems and electronic devices (e.g., telecommunications infrastructure, computers, phones), İŞKUR and private employment agencies (including Kariyer.net, etc.), third parties, online website channels, cookies created by our website, tracking cookies created by third parties, measurement/analytics systems, and other documents declared by the data subject.

What Is the Legal Basis for Collecting Your Personal Data?

Your personal data are processed by the Company for the purposes explained above, within the scope of applicable legislation, primarily the Turkish Commercial Code, Turkish Code of Obligations, Turkish Labor Law, and KVKK; based on establishment/execution of a contract, explicit legal provisions, establishment / exercise / protection of a right, fulfillment of our legal obligations, and our legitimate interests.

Do We Transfer Your Personal Data to Third Parties?

Your personal data may be transferred domestically, within the scope permitted by law, for the purposes of ensuring compliance, conducting legal affairs, providing information to authorized persons/institutions, fulfilling employment and legal obligations for employees, conducting/auditing business activities, and conducting occupational health & safety activities, to authorized public institutions and organizations.

Additionally, within the scope permitted by law, your personal data may be transferred domestically to real persons or private legal entities for the purposes of ensuring compliance and providing information to authorized persons/institutions.

Do We Transfer Your Personal Data Abroad?

For the purpose of storage services, we transfer your personal data abroad in compliance with KVKK,
by taking necessary data security and administrative measures.

How Long Are Your Personal Data Retained?

If a retention period is specified in applicable legislation, your personal data must be retained for at least that period. Considering possible delays in court or administrative requests and potential disputes, the retention period is determined by adding an additional period of 1–2 years to the legally required durations, and data are deleted at the end of the determined period.

If no legal retention period is prescribed, your data are retained for the duration required by the relationship and/or the period specified in the relevant contract. After the relationship ends or the contract period expires, your data are deleted, destroyed, or anonymized without requiring any request from you.

If legislation prescribes a retention period, requests to delete such data before the end of that period cannot be fulfilled.

For data with no prescribed retention period and no valid processing purpose, if you request deletion, your data shall be deleted immediately or at the latest within 6 months.

Your Rights Regarding Your Personal Data

• To learn whether your personal data are processed
• To request information if your personal data have been processed
• To learn the purpose of processing and whether they are used in accordance with that purpose
• To know third parties to whom personal data are transferred domestically or abroad
• To request correction if your personal data are incomplete or inaccurate
• To request deletion or destruction under the conditions set out in KVKK
• To request notification of correction/deletion/destruction to third parties to whom data are transferred
• To request compensation if you suffer damage due to unlawful processing

How Can You Exercise Your Rights?

You may submit your request via the Data Subject Application Form (add link here):
[LINK TO DATA SUBJECT APPLICATION FORM].

• By sending a wet-signed petition with a copy of your ID to the address:
  Mustafa Kemal Mah. 2139 Cad. No:20/6 Azizoğulları Plaza, Çankaya/ANKARA
  (as stated in the original document).
• By applying in person to the Company with a valid ID document.
• By using Registered Electronic Mail (KEP) and secure electronic signature or mobile signature, and sending to:
  [ADD KEP ADDRESS HERE]
• By sending from the email address previously notified to the Company and registered in our systems, to:
  [ADD COMPANY EMAIL HERE]

Under the Communiqué on the Procedures and Principles of Application to the Data Controller, your application must include: name and surname, signature (if written application), Turkish ID number (or passport number for foreign applicants), residence/work address for notification, if available email address for notification, phone number, fax number, and details of the request.

Supporting information and documents must be attached where applicable.

Unauthorized requests submitted on behalf of another person shall not be taken into consideration.

Response Time to Your Requests

Your requests are evaluated and responded to within a maximum of 30 days from the date they reach us.
If your request is rejected, the justified reasons for rejection are sent via email or postal mail to the address you specified, or through one of the methods selected in the Data Subject Application Form.