DİYETKOLİK PERSONAL DATA PROTECTION POLICY AND DISCLOSURE TEXT

Purpose and Introduction

This Personal Data Protection Policy and Disclosure Text has been prepared to fulfill the disclosure obligation in accordance with the Personal Data Protection Law No. 6698 and GDPR for the personal data processing practices related to the Diyetkolik mobile application, which is managed by PCI Yazılım Danışmanlık ve Organizasyon Ltd. Şti. This policy aims to inform you about how personal data is collected, processed, the purpose and legal basis of processing, and your rights while using the application. The personal data collected or provided by you during the use of the application, along with the methods of collection, processing purposes, legal grounds, and your rights, are outlined as part of our obligation to inform you.

We take all necessary security measures to ensure the lawful acquisition, storage, processing, sharing, and protection of the confidentiality and integrity of personal data, in compliance with the Personal Data Protection Law No. 6698 and decisions published by the Personal Data Protection Authority. We do not disclose your personal data to third parties unlawfully.

The personal data mentioned in our Disclosure Text refers to all information relating to an identified or identifiable natural person. These data can be processed in whole or in part through various methods, such as:

• Through automated means or as part of a data recording system,
• Obtained through non-automated means,
• Recorded, stored, preserved, reorganized, disclosed, transferred, made available,
• Classified or blocked from use.

In this Disclosure Text, the individuals referred to under Law No. 6698 on the Protection of Personal Data (KVKK) are as follows:

• Data Subject / Relevant Person: Refers to the natural persons whose personal data is processed, i.e., our users.
• Data Controller: The natural or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system. In this case, DİYETKOLİK is the data controller responsible for determining the purposes and means of processing personal data and for managing the data recording system.

Collected Personal Data

The personal data processed under the services provided are grouped below in accordance with data protection laws, along with their processing purposes and legal grounds:

• During application visits: Traffic data such as connection time, visited pages, IP address, etc., are processed in accordance with legal requirements for information security, visitor records, and archiving activities, as well as under the obligations of the hosting provider pursuant to Law No. 5651. If the user’s consent is obtained for cookies, the data collected through them may be processed for advertising, campaigns, and promotions, provided that the user has granted explicit consent. For more detailed information, please refer to our Cookie Policy.
• When you become a member or make a purchase for services offered: As a relevant person, you will provide personal data such as your name, surname, email, phone number, date of birth, and gender. These are processed for the purpose of conducting e-commerce and member-related activities, monitoring, and archiving. These data are also processed in order to fulfill the legal obligations of the data controller and for the electronic recordkeeping obligations, as well as for the performance of the contract.
• When using services such as creating and tracking diet plans in the application, you provide information regarding certain medical conditions, height, weight, body fat percentage, body measurements, body index, food consumption, eating habits such as smoking and alcohol, exercise and activity information, step count, mobile health data, smart scale data (muscle mass, basal metabolic rate, bone mass, water mass, protein percentage, body age), and water intake. These data are processed lawfully and with your consent for the purpose of delivering the service.
• When a user uses the paid service to ask a question to the Dietitian, they acknowledge that the information provided during the consultation may differ from or be additional to the information they have provided to the application. The Dietitian will have access to the user's data entered into the application for the purpose of fulfilling the service. There is a confidentiality and personal data commitment between the Dietitian and Diyetkolik. By asking a question, the user acknowledges providing the information voluntarily and consents to the Dietitian accessing it. Diyetkolik does not guarantee the expected benefits from the information provided by the Dietitians.
• The user guarantees that they have the authority to provide the information they submit to DİYETKOLİK. If not, the user will bear the responsibility.

Cases of Data Transfer Without Explicit Consent

In legally exceptional cases, personal data may be transferred to relevant authorities and public institutions without the necessity of fulfilling the obligation of disclosure or obtaining explicit consent. Additionally, for the purpose of carrying out data storage activities, personal data may be shared with our suppliers and business partners. Furthermore, when payments are made via credit or debit cards through the system, the relevant data will be processed in accordance with the User Agreement, strictly for the purpose of executing the service sale process and fulfilling contractual obligations.

Processing of Personal Data

* Age Information and Preferred Language Data: Processed for the purposes of data analysis, improvement of post-sales processes, complaint management, operational activities, record-keeping, and issue/error reporting.

* Location Data: Users’ approximate or precise location data is processed to provide location-based services. If the user consents, such data may be used for service provision, monitoring and control, and risk management.

* Biometric Authentication: If a user opts to log into the application via fingerprint authentication instead of a password, DİYETKOLİK will not receive or process fingerprint data, except for verification or error messages.

* Survey Responses: Responses to surveys within the portal may be processed in collaboration with third parties for the purpose of improving application functionalities, conducting direct marketing to users, and performing statistical analyses .

Purposes and Legal Basis for Processing Personal Data

Personal data is processed automatically or manually in compliance with the Personal Data Protection Law (KVKK) and based on the explicit consent of the data subject. Additionally, where necessary for the performance of a contract, personal data may be processed without explicit consent, provided it complies with KVKK provisions.

In this context, personal data is processed for the following purposes:

• Managing user registration and membership processes,
• Conducting payment and accounting activities,
• Managing product sales processes,
• Ensuring the provision of services,
• Handling after-sales support processes,
• Tracking user requests and complaints.

Personal data will be retained for as long as the processing purpose remains valid and subsequently stored for the legally required duration.

Transfer of Personal Data to Third Parties

The transfer of personal data to third parties is subject to the explicit consent of the data subject. However, in certain exceptional cases where explicit consent is not required by law, personal data may be transferred while ensuring the protection of the data subject’s rights and freedoms. Provisions in other relevant laws regarding the transfer of personal data remain unaffected.

Exceptions where explicit consent is not required include:

• Cases explicitly stipulated by law,
• Situations necessary for the establishment or performance of a contract,
• Cases where the transfer is necessary for the data controller to fulfill its legal obligations,
• Situations where the data has been made public by the data subject.

Methods of Obtaining Personal Data

Personal data may be obtained through the following methods:

• Fully or partially automated means,
• User input into the mobile application,
• Completion of forms,
• Collection of certain information via cookies.

Third-Party Applications

If the Application contains links to third-party applications, DİYETKOLİK shall not be responsible for the privacy, security, or data protection policies and content of such applications. Users acknowledge that all information they provide through the Application is complete, accurate, and up to date. Otherwise, DİYETKOLİK shall not be liable for any resulting damages.

Information About Social Media Plugins

The application may embed Social Media content management services, such as cookies and plugins from various social media networks. These services are provided by the relevant companies listed below, only with your consent.

 Facebook, Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, and within the EU Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland https://developers.facebook.com/docs/¬plugins

 X, X Corp., 865 FM 1209 Bldg 2 Bastrop, TX, 78602-3227 United States https://developers.x.com/docsa

 YouTube, Google LLC, 1600 Amphitheater Parkway, Mountainview, California 94043, USA, and within the EU by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland https://developers.google.com/youtube/documentation

 Instagram, Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland https://developers.facebook.com/docs/instagram

 LinkedIn, LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, California 94085, USA, and within the EU LinkedIn Ireland Unlimited Company, Gardner House, Wilton Plaza, Wilton Place, Dublin 2, Ireland https://developer.linkedin.com/plugins#

Only if you actively use social media services, you are deemed to have consented to data transfer and provide the relevant companies with information such as previously visited websites, your IP address, browser information and the date and time of the server request. In addition, if you click on buttons such as share or comment, your browser sends this information to them. These companies may use your data for their own purposes, even if you do not log in to your social media account, for analysis, marketing, profiling and to link your data with other previously collected data (your user account on the relevant social media).

Rights of Data Subjects Regarding Personal Data

Data subjects have the following rights regarding their personal data and may exercise these rights by applying to the data controller:

a) To learn whether their personal data is being processed and, if so, to request information about such processing,
b) To learn the purpose of personal data processing and whether it is used in accordance with its purpose,
c) To know the third parties to whom personal data has been transferred, whether domestically or abroad,
d) To request the correction of personal data if it has been processed incompletely or inaccurately,
e) To request the deletion or destruction of personal data when the reasons for processing no longer exist,
f) To request notification of the actions taken under the above two clauses to third parties to whom the data has been transferred,
g) To object to any adverse outcome arising from the analysis of personal data solely through automated systems,
h) To request compensation for damages incurred due to the unlawful processing of personal data.

Application to the Data Controller

Pursuant to the Law No. 6698 on the Protection of Personal Data, "data subjects" may exercise their rights under this law and submit their related requests in writing to the data controller, DİYETKOLİK.

Requests can be submitted:

• In writing to the address: Evliya Çelebi Mh. Sadi Konuralp Cd. No:5/2 IKSV Vakfı Binası, 34433 Beyoğlu, İstanbul,
• Via registered electronic mail (KEP) to pci@hs01.kep.tr,
• By sending an email from the registered email address in our system to duyuru@diyetkolik.com.

The request must include documents verifying identity. Additionally, a wet-signed copy of the application form must be submitted in person, via a notary, or through other methods specified in the Law.

Mandatory Information for the Application:

• Full name and, if the application is in writing, a signature,
• For Turkish citizens: Turkish ID number; for foreign nationals: nationality, passport number, or identification number (if available),
• Residential or workplace address for official notifications,
• Email address, telephone number, and fax number (if available) for notifications,
• Subject of the request.

The requested information must be included in the application, along with any relevant supporting documents, if applicable.

Diyetkolik's acceptance of your application does not guarantee that your request will be fulfilled; it may also be rejected with justification. Additional information and documents may be requested from the applicant to assess whether they are the relevant data subject. In any case, the application will be processed free of charge as a rule and concluded within 30 days. Detailed information regarding the procedures and principles to be followed for the application can be accessed through the "Communiqué on the Procedures and Principles of Application to the Data Controller" published by the Authority.

The provisions herein may be unilaterally updated and amended at any time by being published in the Application. In such cases, the updated version shall be effective as of the date of publication.

Company Information (Data Controller)

Title : PCI Yazılım Danışmanlık ve Organizasyon Ltd. Şti.

Address : Evliya Çelebi Neighborhood, Sadi Konuralp Street No:5/2, IKSV Foundation Building, 34433 Beyoğlu, Istanbul, Turkey

Mersis No. : 0723007106900016

TEL : +90 850 333 49 38

EMAIL: diyetkolik@diyetkolik.com