Legal notice

AGREEMENT ON THE PROTECTION OF PERSONAL DATA
This Agreement on the Protection of Personal Data (hereinafter referred to as the "Agreement") was signed on 09.01.2026 between the following parties:
1. User:
Address: User Address (hereinafter referred to as "Personal Data Sharer")
2. Cenk Cemal Özen:
Address: Merkez Mah, 148. Sok, 8N, 07980, Kemer, Antalya (hereinafter referred to as
"Personal Data Recipient")
The Personal Data Recipient and the Personal Data Sharer will be referred to separately as "Party" and together as "Parties".
3. SUBJECT OF THE AGREEMENT
The subject of this Agreement is to determine the rights, obligations, risks, and liabilities of the Parties regarding the protection of Personal Data shared by the Personal Data Sharer
with the Personal Data Receiver, as defined in this Agreement.
4. DEFINITIONS
Unless explicitly stated otherwise, the terms in this Agreement shall have the meanings defined in Article 3 (third) of the Law No. 6698 on the Protection of Personal Data ("KVKK") titled 'Definitions'. Apart from this, the following terms have the following meanings:
Data Subject: Refers to the natural person whose personal data is processed.
Personal Data: Refers to any information relating to an identified or identifiable natural person.
Personal Data Receiver: Refers to Cenk Cemal Özen.
Personal Data Sharer: Refers to the User.
Processing of Personal Data: This refers to any operation performed on personal data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data, whether wholly or partly automated,
or non-automated, provided that it is part of any data recording system.
Board: Refers to the Personal Data Protection Board.
KVKK: Refers to the Law No. 6698 on the Protection of Personal Data. 5. PROTECTION OF PERSONAL DATA
The parties acknowledge that they are aware of all applicable national and international legislation, primarily the KVKK, regarding the processing of personal data; During the performance of the Main Agreement, they acknowledge, declare, and undertake that they are subject to all national and international legislation currently in force or that may come into force in the future in the field of personal data protection, primarily the Personal Data Protection Law (KVKK), and that compliance with this legislation in all processing processes in which they process personal data is within their legal obligations. Furthermore, they acknowledge, declare, and undertake that they will comply with the principles set forth in the Board Decisions and Guides to be published by the Personal Data Protection Board ("Board"), within the scope of personal data legislation; and that they will follow booklets, magazines, and other publications. The Personal Data Recipient may process personal data in all processing processes included in the scope of the Agreement only in accordance with the written instructions of the Personal Data Sharer, to the extent required by the tasks performed under the Agreement and mandatory legal rules, and in accordance with the provisions of this Agreement. The Data Subject is responsible for preventing the unlawful processing, storage, transfer, and unlawful access to Personal Data, and for preventing risks such as loss, destruction, damage, and alteration of data, and accepts, declares, and undertakes to take all necessary legal, administrative, and technical measures to ensure this. The Data Subject accepts and declares that it obtains, processes, and transfers the personal data it transfers/will transfer to the Data Sharer within the scope of the Agreement in accordance with the procedures and principles regulated in the personal data legislation; that it informs the personal data owners in accordance with the provisions regulated in the personal data legislation; and that their explicit consent based on information is obtained only when necessary. All legal, administrative, and criminal liability arising from the unlawful acquisition and processing of the transferred data belongs to the Data Subject. The Data Recipient shall not use, process, archive, or transfer or share the Personal Data transferred to it by the Data Sharer, for any purpose or in any way, outside the scope of the work performed under the Agreement, to any third party or organization within or outside the country, without the written consent of the Data Sharer. The written consent of the Data Sharer shall not relieve the Data Recipient of its obligations arising from personal data legislation, and in particular its obligation to take measures regarding data security. Even with the written consent of the Data Sharer, the Data Recipient shall warn the third parties to whom it transfers data about compliance with personal data legislation and necessary measures regarding data security, and shall hold the Data Sharer liable for any violations by these parties.

The Data Recipient acknowledges, declares, and undertakes that it will be jointly and severally liable and will also transfer the data by obtaining the necessary permissions and submitting the required commitments from the Board, if necessary.
If the Data Recipient receives personal data of a special nature from the Data Sharer, it will process and transfer the said personal data in accordance with Article 6 (sixth) of the KVKK, the provisions in the relevant secondary legislation, and the Board's decisions, subject to additional security measures and authorizations.
It will follow and implement the adequate measures determined/to be determined by the Board.
The Data Recipient acknowledges and declares that in all transaction processes included in the scope of the Agreement, if the Data Sharer requests it in this regard, it will use the information and/or consent texts sent to it by the Data Sharer in accordance with the principles and procedures determined by the Data Sharer. The Personal Data Recipient will provide the necessary infrastructure and administrative requirements to ensure that applications made by the relevant person, the personal data owner, within the scope of Article 11 (eleventh) of the KVKK (Personal Data Protection Law), are answered in accordance with the law and within the legal timeframe.
In case of an application or complaint regarding the Personal Data Sharer,
the Personal Data Recipient will immediately (in any case within a maximum of 2 (two) business days) inform the Personal Data Sharer and agree with the Personal Data Sharer on the answer to be given to the person making the application or complaint. The Personal Data Recipient accepts, declares and undertakes to provide all kinds of support to the Personal Data Sharer regarding all complaints and requests submitted to it; to transmit information and documents and to cooperate. Except for situations arising from the laws, in the event of termination of the Agreement for any reason, the Data Subject is obliged to delete and destroy the personal data transferred to it by the Data Subject or obtained on behalf of the Data Subject within the scope of the Agreement, and to deliver any physical or electronic recording media on which this data is recorded to the Data Subject upon the request of the Data Subject. The Data Subject accepts that it will fulfill the Data Subject's requests for deletion, destruction, anonymization, modification, and similar requests for personal data in accordance with the Personal Data Protection Law and related secondary legislation. The Data Subject accepts, declares, and undertakes that in case of any action contrary to the personal data legislation and the obligations set forth in this Agreement, it will immediately and in full pay the Data Subject for any direct or indirect damages incurred, legal, administrative, and criminal sanctions it may face, and any compensation it may be obliged to pay, upon first demand. Otherwise, the Data Sharer reserves the right to offset its losses against the Data Recipient's receivables and/or guarantees. The Data Recipient is liable to the Data Sharer for any direct or indirect damages that may arise from the compliance of its employees, subcontractors and/or any third party to whom it transfers data and their employees with the obligations set forth in this clause and from any breach of these obligations. In this context, the Data Recipient agrees, declares and undertakes to provide the necessary training to its personnel who have access to personal data, to issue warnings and to take the necessary administrative and technical measures. The Data Subject acknowledges, declares, and undertakes that, limited to personal data processing activities within the scope of the work performed pursuant to the Agreement, it authorizes the Data Sharer to audit whether all records and documents related to the relevant activities comply with the legislation and this Agreement, and that it will respond to any reasonable requests of the Data Sharer within the scope of this audit authority, and will send these records and documents to the Data Sharer or make them accessible to the Data Sharer as required. The Data Subject acknowledges and declares that it is aware that the Personal Data Protection Authority may conduct audits regarding personal data processing activities and that it will inform the Data Sharer as soon as it becomes aware of such an audit. The parties acknowledge and declare that they will comply with the obligations set forth in this clause indefinitely, even after the termination of the Agreement. 6. PROCESSING OF PERSONAL DATA AND SPECIAL CATEGORY PERSONAL DATA
Personal data can only be processed in accordance with the procedures and principles stipulated in this Personal Data Protection Law and other laws.
The following principles must be adhered to in the processing of personal data:
Lawful and fair.
Accurate and, where necessary, up-to-date.
Processing for specific, explicit and legitimate purposes.
Being relevant, limited and proportionate to the purpose for which they are processed.
Retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
Personal data cannot be processed without the explicit consent of the data subject. If one of the following conditions exists, the explicit consent of the data subject is required.

Personal data may be processed without being requested.
5/9
Processing of personal data is possible if:
It is explicitly provided for in the laws.
It is necessary for the protection of the life or physical integrity of the person who is unable to express their consent due to factual impossibility or whose consent is not legally valid, or of another person.
It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract.
It is necessary for the data controller to fulfill its legal obligation.
It has been made public by the data subject themselves.
It is necessary to process the data for the establishment, exercise or protection of a right.
It is necessary to process the data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are considered special categories of personal data. Processing special categories of personal data without the explicit consent of the data subject is prohibited. Personal data other than health and sexual life data may be processed without the explicit consent of the data subject in cases stipulated by law. However, personal data relating to health and sexual life may only be processed without the explicit consent of the data subject by persons or authorized institutions and organizations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing. In processing special categories of personal data, it is also mandatory to take adequate measures determined by the Board. 7. DELETION OF PERSONAL DATA
Even if processed in accordance with the KVKK (Personal Data Protection Law) and other relevant laws,
personal data shall be deleted, destroyed, or anonymized by the data controller ex officio
or upon the request of the data subject, if the reasons requiring its processing cease to exist.
Provisions in other laws regarding the deletion, destruction, or anonymization of personal data are reserved.
The procedures and principles regarding the deletion, destruction, or anonymization of personal data shall be regulated by regulation. 8. CONFIDENTIALITY
6/9
Within the scope of this Agreement, "Confidential Information" refers to any information disclosed or to be disclosed by either Party to the other, directly or indirectly, in writing, orally, in electronic format or otherwise, before or after the signing of this Agreement, including but not limited to: the Party's assets, facilities, products, services, projects, activities, projections and estimates, plans, patents, licenses and copyrights, all intellectual and industrial property rights and financial rights, trademarks, trade secrets, any kind of improvement idea, invention, method, business and any kind of innovation, databases, computer programs and their documentation, encryption techniques, processes, advertising, packaging and marketing plans, product plans, technical plans, business strategies, strategic alliances and partners, financial information, engineering data, product and service data, any kind of methods and processes, estimates, personnel information, customer lists, potential and actual customers' identities and all other information. Confidential information refers to all types of oral, written, graphic, or machine-readable information, including personal data, trade secrets, product design capabilities, specifications, suppliers, and any documents, materials, information, and records provided by one Party to the other. Confidential information and data shall be considered Confidential Information even if not explicitly stated in writing as confidential and/or proprietary. The Parties undertake to keep all information obtained in the course of fulfilling this Agreement or the obligations set forth herein absolutely confidential, regardless of whether it is explicitly stated as 'confidential'. The Parties undertake not to disclose or use confidential information without the written consent of the other party, except as expressly permitted in this Agreement. As part of their confidentiality obligations, the Parties shall disclose any information to their own personnel only to the extent necessary and shall be responsible for ensuring compliance with the confidentiality obligation by the personnel to whom the information is disclosed. The confidentiality obligation set forth in this clause applies to:
(i) information which is known to or in the possession of the recipient at the time of disclosure, which the recipient has legitimately acquired and for which the recipient is not under any obligation of confidentiality to the disclosing party;
(ii) information which is already in the public domain at the time of disclosure or which is published or made public after the date of disclosure in a lawful manner without any breach of obligation by the recipient;
(iii) information which the recipient itself is independent of (iv) Information which the Parties can prove they have found or developed, or obtained from a third party who obtained this information directly or indirectly from the disclosing party and without being subject to any obligation not to disclose it; and
7/9
(v) Information which must be disclosed under applicable laws or irrefutable decisions or orders of competent administrative or judicial authorities. Unless required under applicable laws or irrefutable decisions or orders of competent administrative or judicial authorities, or unless duly consented to by the other party, the Parties may not issue any press releases about the Agreement, make any statements to the public or to any person, publish on social media, promote, or share it. If consent is given, the written agreement of the consenting party is required regarding the timing, content, and medium of the disclosure. The Parties shall restrict access to Confidential Information, both for personnel who need access to it to enable the proper performance of the Agreement and for information that is necessary, and shall ensure that the relevant personnel comply with these confidentiality obligations. Without prejudice to the foregoing provisions, each Party shall exercise at least as much care in protecting the confidential information and trade secrets of the other Party as it does with its own confidential information. The parties shall immediately return (and in any case within 7 (seven) days at the latest) the originals of the information in writing, copies and summaries prepared with the permission of the other party, all written transcripts and notes of the information disclosed orally, all copies of the information stored electronically, and all documents containing records within this framework, upon the written request of the other party and/or destroy/delete them from their records upon written instruction, and shall provide the other party with a statement signed by their authorized representatives confirming the completion of these processes. The parties acknowledge and declare that they will comply with the confidentiality obligation set forth in this clause indefinitely, even after the termination of the Agreement. 9. PARTIAL INVALIDITY
If any provision of this Agreement is found to be invalid at any time,
or contrary to any legal regulation or decision of a government agency, or otherwise unenforceable,
or if any court decides that it is unenforceable,
all other provisions of this Agreement shall remain valid, binding and enforceable.
10. AMENDMENTS TO THE AGREEMENT
8/9
Any amendments to this Agreement shall be made by addendums signed by both Parties; such addendums shall constitute an annex and integral part of this Agreement from the date of their signature by the Parties. 11. NOTIFICATIONS
For all notices, requests, and other correspondence made for the purpose of fulfilling the matters contained in this Agreement, the addresses of the Parties written in this Agreement shall be considered their legal domiciles, subject to the provisions of Article 21 and Article 148/a of the Enforcement and Bankruptcy Law No. 2004, and notifications made to these addresses shall be deemed to have been made to the Parties.
The addresses specified by the Parties in this Agreement are their notification addresses.
Any changes to the addresses and contact information specified by the Parties shall be notified to the other party in writing within 7 (seven) days following the change. Otherwise, notifications made to the addresses and contact information specified by the Parties in this Agreement shall be valid.
12. BREACH AND TERMINATION OF THE AGREEMENT
In case of breach of the Agreement, both Parties may terminate the Agreement. Thus,
Each Party shall have the right to immediately suspend, limit, or terminate its obligations and responsibilities under this Agreement if the other Party breaches the Agreement. In this case, the relevant Party may instruct the breaching Party to cease its promotional activities under this Agreement. The breaching Party acknowledges, declares, and undertakes that it will immediately cease its activities in accordance with these instructions. Without prejudice to the immediate termination cases stipulated in this Agreement, the Parties shall have the right to terminate the Agreement for just cause and to claim damages incurred or to be incurred from the other party if the other party fails to perform its obligations under the Agreement fully and on time, or performs them incompletely, and if the breach is not rectified within 15 (fifteen) days despite written notice. 13. EVIDENCE AND APPLICABLE LAW
The Parties acknowledge and declare that all emails and messages exchanged between them shall constitute evidence. This clause constitutes an agreement on evidence.
14. COMPETENT COURT
9/9
This agreement has been concluded subject to the laws of the Republic of Turkey,
The parties agree that during the implementation of this Agreement. They shall make every effort to resolve all disputes that may arise between the Parties through conciliation and peace. If the disputes cannot be resolved amicably between the Parties, the Parties shall have the right to bring their claims of violation of the relevant provisions of this Agreement before the judicial authorities, to demand compensation and to file a lawsuit, and the competent courts shall be the Courts and Enforcement Offices of the defendant's place of residence or the place where this Agreement is to be performed. User
Cenk Cemal Özen