EXPLANATION ON THE PROTECTION OF PERSONAL DATA AND PRIVACY POLICY

As the data controller, ECE ŞENYILDIZ (hereinafter referred to as "ECCE") adopts the principles set forth in the Law No. 6698 on the Protection of Personal Data (“KVK Law”) to ensure compliance with the KVK Law, fulfilling its obligations regarding the processing, deletion, destruction, anonymization, transfer of personal data, informing the relevant persons, and ensuring data security. The Privacy and Personal Data Protection Policy prepared within this scope is made available to individuals whose personal data are processed (“Data Subject”).

1. Scope and Purpose of the Privacy and Personal Data Protection Policy

This Privacy and Personal Data Protection Policy:

a) Explains the methods and legal grounds for collecting personal data,
b) Defines the groups of individuals whose personal data are processed (Categorization of Data Subject),
c) Specifies the categories of personal data processed concerning these groups (Data Categories) and provides examples of data types,
d) Details the business processes and purposes for which these personal data are used,
e) Outlines the technical and administrative measures taken to ensure the security of personal data,
f) Indicates to whom and for what purposes personal data may be transferred,
g) Describes the retention periods of personal data,
h) Discusses Profiling and Segmentation,
ı) States the rights of Data Subjects regarding their personal data and how they can exercise these rights,
i) Explains how Data Subjects can change their preferences regarding receiving electronic commercial communications,
j) Discusses sharing personal data with official authorities,
k) Details Cookie Usage and Management.

A. Methods and Legal Grounds for Collecting Personal Data

ECCE collects personal data through websites, mobile applications of the websites, social media accounts, cookies, call centers, notifications from administrative and judicial authorities, and other communication channels, either audibly, electronically, or in writing, based on the legal grounds specified in Article 5 of the Law No. 6698:

a) Clearly stipulated by laws,
b) Necessary for the establishment or performance of a contract directly related to the parties involved,
c) Made public by the data subject themselves,
d) Required for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject,
e) Necessary for the establishment, use, or protection of a right.

B. Categorization of Data Subject Groups

ECCE categorizes individuals whose personal data are processed in the personal data processing processes and related activities as follows. Additionally, personal data of other groups (consultants, educators, bloggers) may also be processed in accordance with the conditions for processing personal data specified in Articles 5 and 6 of the KVK Law and based on the legal grounds stated in this Privacy/Personal Data Protection Policy.

C. Data Categories and Sample Data Types

1.a) Member Customer

  • Identity Information: Name, surname, date of birth, gender, T.C. identification number
  • Location Information: City, district where the delivery address is located (for purchases made through ………..com)
  • Contact Information: Mobile phone, email address, address, postal code, landline phone
  • Financial Information: Tax office, invoice information
  • Customer/Member Information: Membership information, membership ID number
  • Customer/Member Transaction Information: Products purchased, transaction amount, transaction date, call center call records, consent for commercial communication, campaigns/competitions participated in, coupons used, order-related information
  • Risk Management Information: IP address
  • Transaction Security Information: Password, account information
  • Marketing Information: Cookie records, targeting information, evaluations showing habits and preferences
  • Auditory Data: Call center call records
  • Legal Process and Compliance Information: Start and end times of the service provided, type of service utilized, amount of data transferred, electronic consent given by the data subject for commercial electronic communication, membership agreement consent, corporate membership agreement, and other legal texts and agreements that enable benefiting from the services provided by ECCE
  • Marketing Information: Marketing SMS, email messages, or calls made by the call center sent based on the commercial electronic communication consent provided by the data subject

1.b) Guest Customer (users purchasing without membership)

  • Identity Information: Name, surname, date of birth, gender, T.C. identification number
  • Location Information: City, district where the delivery address is located (for purchases made through ……com)
  • Contact Information: Mobile phone, email address, address, postal code, landline phone
  • Financial Information: Tax office, invoice information
  • Guest Customer Transaction Information: Products purchased, transaction amount, transaction date, call center call records, consent for commercial communication, campaigns participated in, order-related information
  • Risk Management Information: IP address
  • Transaction Security Information: Password, account information
  • Marketing Information: Cookie records, targeting information, evaluations showing habits and preferences
  • Auditory Data: Call center call records
  • Legal Process and Compliance Information: Start and end times of the service provided, type of service utilized, amount of data transferred, electronic consent given by the data subject for commercial electronic communication, and other legal texts and agreements that enable benefiting from the services provided by ECCE
  • Marketing Information: Marketing SMS, email messages, or calls made by the call center sent based on the commercial electronic communication consent provided by the data subject
  1. Online Visitors
  • Transaction Security Information: Password, mobile phone, account information
  • Legal Process/Risk Management Information: IP address
  • Legal Process and Compliance Information: Start and end times of the service provided, type of service utilized, amount of data transferred.
  1. Recipient of Purchased Product
  • Identity Information: Name, surname, date of birth, gender, T.C. identification number
  • Location Information: City, district where the delivery address is located (for purchases made through ………...com)
  • Contact Information: Mobile phone, email address, address, postal code, landline phone
  • Financial Information: Tax office, invoice information
  1. Seller/Supplier/Seller Candidate/Seller or Supplier Employee or Authorized Person
  • Identity Information: T.C. identification number, name, surname
  • Contact Information: Email address, phone, KEP address, address, mobile phone
  • Financial Information: Account number, tax office, tax identification number, tax plate, IBAN
  • Legal Process and Compliance Information: Signature circular, activity document
  • Special Category Personal Data/Legal Process Information: Signature
  • Visual Information: Photograph

D. Purposes and Business Processes for Using Personal Data

1.a) Member Customer Personal Data

  • To carry out membership processes,
  • To improve the services provided through the e-commerce platforms operated by ECCE (“platform”), develop new services, and provide related information,
  • To fulfill the Membership Agreement established with the Member Customer; for Member Customers who have given consent for commercial electronic communication; to analyze preferences, likes, and needs of the Member Customer and provide tailored promotions, opportunities, and benefits,
  • To conduct remarketing, targeting, profiling, and analysis with the explicit consent of the Member Customer, and to promote and market applications, goods/products, and services based on the Member Customer's preferences and likes,
  • To resolve issues and complaints of the Member Customer,
  • To enhance the experience of the Member Customer on the platform and mobile application,
  • To track accounting and purchasing processes,
  • To ensure compliance with legal processes and regulations,
  • To respond to information requests from administrative and judicial authorities,
  • To ensure information and transaction security and prevent malicious use,
  • Making the necessary arrangements to ensure that the processed data is up-to-date and accurate, 
  • Fulfillment of legal obligations 

2. Personal Data of Online Visitors

  • Processing of online visitor data under Law No. 5651.
  • Legal processes and compliance with regulations.
  • Responding to information requests from administrative and judicial authorities.
  • Ensuring information and transaction security and preventing misuse.
  • Fulfilling legal obligations.

3. Personal Data of the Person to Whom the Purchased Product Will Be Delivered

  • Executing product delivery processes.
  • Tracking accounting and purchasing operations.
  • Legal processes and compliance with regulations.
  • Responding to information requests from administrative and judicial authorities.
  • Ensuring information and transaction security and preventing misuse.
  • Making necessary arrangements to ensure that processed data is current and accurate.
  • Fulfilling legal obligations.

4. Personal Data of Seller/Supplier/Seller Candidate/Seller or Supplier Employee or Authorized Person

  • Executing contract processes.
  • Tracking accounting and purchasing operations.
  • Legal processes and compliance with regulations.
  • Responding to information requests from administrative and judicial authorities.
  • Ensuring information and transaction security and preventing misuse.
  • Making necessary arrangements to ensure that processed data is current and accurate.
  • Fulfilling legal obligations.

E. Technical and Administrative Measures Taken to Ensure the Security of Personal Data

ECCE is committed to taking all necessary technical and administrative measures and showing due diligence to ensure the confidentiality, integrity, and security of your personal data.

ECCE takes necessary precautions to prevent unauthorized access, misuse, illegal processing, disclosure, alteration, or destruction of personal data. ECCE uses widely accepted security technology standards, such as firewalls and Secure Sockets Layer (SSL) encryption, when processing personal data. Additionally, when sending your personal data to ECCE through the website, mobile application, and mobile site, this data is transmitted using SSL.

In relation to preventing unauthorized access to personal data, preventing illegal processing of this data, and ensuring the retention of personal data:

  • All fields on the website or mobile application where personal data is collected are protected with SSL.
  • Access authorization and control matrices are created and implemented for employees to prevent illegal processing of personal data collected from the website or mobile application.
  • To ensure unauthorized access to personal data does not occur, periodic penetration tests are conducted to test the system's resilience against unauthorized access.
  • For all secondary data processing that is outside the primary processing purpose, the method to be used is determined. Measures are taken to ensure that this data makes it impossible to identify the relevant person by using encryption methods in the systems where this data is located, and stricter access authorization and control policies are applied to this data.
  • Personal data in paper environments must be stored in locked cabinets and accessed only by authorized personnel.
  • Personal data processed through cookies belonging to third parties will be deleted from third-party systems upon termination of membership.

Despite ECCE taking necessary information security measures, in case of damage to personal data or access by unauthorized third parties due to attacks on the platforms operated by ECCE or the ECCE system, ECCE will immediately inform you and the Personal Data Protection Board and take necessary precautions.

F. To Whom and for What Purposes Personal Data May Be Transferred

ECCE transfers personal data only for the purposes specified in this Privacy and Personal Data Protection Policy and in accordance with Articles 8 and 9 of the KVK Law. In this context, member customer/guest customer data processed and the information of the person to whom the purchased product will be delivered is shared with the seller and the shipping company, and this data can also be accessed by the call center when necessary. The information of the person to whom the invoice will be issued is shared with the shipping company for the purpose of sending the invoice to the relevant person.

The mobile phone number and/or email address of the member customer/guest customer are shared with the commercial electronic communication service provider based on consent for promotional activities, advertisements, and offers based on shopping preferences, likes, and habits.

Website or mobile application usage preferences and browsing history are shared with our domestic/international partners from whom cookie (cookie) services are obtained for segmentation purposes and for communication with member customers/guest customers in line with their preferences and likes. The personal data transfers conducted in this scope occur through secure environments and channels provided by the relevant third party. Depending on the content and scope of the service received from third parties, in all cases where it is not necessary to transfer the personal data of the member customer/guest customer, the transfer will be made using the data named …………….

For the purpose of increasing member customer/guest customer satisfaction and loyalty, data belonging to member customers/guest customers are shared with companies that conduct market research.

In the scope of reporting and statistical studies, data belonging to member customers/guest customers are shared with ECCE's partners …………… companies.

Additionally, your personal data will be shared with our international partners for the purposes of providing business development services, statistical and technical services, and managing customer relationships.

If a member customer/guest customer/online visitor reaches ECCE via the line stating whether the provided service is domestic or international, in the case of being international, the relevant system will be specified. Consequently, they will have sent their personal data abroad. If the member customer/guest customer/online visitor does not wish to send their personal data abroad, they may use other communication options provided by ECCE.

The personal data subject to the aforementioned domestic and international transfers are legally protected by the provisions compatible with the KVK Law in our contracts, considering the counterparty of the legal relationship as the data controller or data processor, in addition to the technical measures to ensure their security.

During the sharing of information as mentioned above when transferring personal information to countries outside of Turkey, it is ensured that the data is transferred in accordance with this policy and in a manner permitted by the applicable law regarding data protection.

G. Retention Periods for Personal Data

ECCE retains the personal data it processes in accordance with the KVK Law for the periods specified in the relevant legislation or required by the processing purpose. The retention periods in our Personal Data Retention and Destruction Policy are approximately as follows:

TYPE DURATION LEGISLATION
Call center voice recordings 3 years Law No. 6563 and related secondary legislation
Membership and order records 10 years Law No. 6098
All records related to accounting and financial transactions 10 years Law No. 6102, Law No. 213
Cookies Maximum 540 days  
Commercial electronic communication consent records 1 year from the date consent is withdrawn Law No. 6563 and related secondary legislation
Traffic information related to online visitors 2 years Law No. 5651
Information and/or CVs obtained due to job applications 1 year  
Personal data related to member customers/guest customers 10 years after the legal relationship ends; Law No. 6563, Law No. 6102,
  3 years in accordance with Law No. 6563 and related secondary legislation Law No. 6098, Law No. 213, Law No. 6502
Personal data related to suppliers 10 years after the legal relationship ends Law No. 6102, Law No. 6098, and Law No. 213
Personal data obtained for usability testing research 2 weeks  

You can review our Cookie Policy regarding the retention periods of personal data obtained through cookies.

H. Profiling and Segmentation

ECCE uses the personal data processed concerning member customers/guest customers to:

a. Prepare content more suitable to the likes and preferences of member customers/guest customers who give consent to receive commercial electronic communications, enabling advertisements, promotions, and discounts to be made.

cultureSettings.RegionId: 0 cultureSettings.LanguageCode: EN