PRIVACY POLICY AND INFORMATION NOTICE REGARDING THE PROCESSING OF YOUR DATA

As ERUS GROUP, we attach utmost importance to ensuring the security of your personal data. In this context, pursuant to Law No. 6698 on the Protection of Personal Data (the “KVK Law”), we take the necessary measures to ensure an appropriate level of security in order to prevent your personal data from being processed and accessed unlawfully and to ensure their preservation during the processing of your personal data and their transfer to third parties. For this reason, this notice has been prepared to inform the data subjects whose personal data are obtained within the scope of the activities of our stores.

This notice issued by our Company is dated 16.10.2025. In the event that all or certain provisions of the notice are updated, the effective date and version of the notice will be updated. The Statement is published on our Company’s website at the www.erusgroup.com.tr and is available for access by data subjects.

1. THE PERSON PROCESSING YOUR DATA:

As a company, we are the legal entity that determines the purposes and means of processing your personal data and is responsible for the establishment and management of the data recording system. Upon your explicit consent to the processing of your personal data or upon our notification to you in cases where explicit consent is not required, our Company will start processing your personal data by ensuring data security. While processing your personal data, we may authorize one or more data processors and have your data processed by them by ensuring the necessary level of security.

2. THE LEGAL BASIS FOR THE PROCESSING OF YOUR PERSONAL DATA, THE METHODS BY WHICH THEY MAY BE OBTAINED, AND WHICH OF YOUR DATA WILL BE PROCESSED:

Pursuant to the Turkish Civil Code, occupational health and safety legislation, and other legislation, your personal data listed below will be processed and used for the purpose of providing services related to our Company’s fields of activity, improving the quality of these services, and fulfilling other activities as well as complying with information obligations. In addition, for the purposes of enabling you to visit our workplaces, protecting security and legitimate interests related to your visit, providing the necessary services in the best possible way, establishing contact regarding the products and services you have received/will receive in this regard, updating/improving services in line with your opinions and suggestions, informing you on these issues, as well as using them in marketing activities, product/service offerings, increasing customer satisfaction, providing better service during your subsequent visits, modeling, reporting, scoring, risk monitoring, existing or new product studies, and identifying potential customers. We share your personal data processed for these purposes with our subsidiaries and business partners located in Turkey and abroad. The current list of our subsidiaries and business partners is available at www.erusgroup.com.tr.

3. SHARING OF YOUR PERSONAL DATA:

Your personal data may be collected by our company, our subsidiaries and business partners, and through our sales and employees, via other forms filled out during your visit to our workplace, our digital marketing and call centers, our website, our social media channels, information transmitted by electronic mail, and through any and all other channels, verbally, in writing, or in electronic form, with your consent. This information notice is an annex and an integral part of any and all agreements concluded with our company and Erus Group on behalf of our company, as well as any requests you have made for the procurement of services.

4. DESTRUCTION OF YOUR PERSONAL DATA:

Our Company stores the personal data it processes for the periods specified by the legislation, and if no period is specified in the legislation; personal data is stored for as long as required to be processed in accordance with our Company’s practices and the customs of our Company’s commercial life in connection with the services provided by our Company while processing such data, and thereafter only for the periods that are demonstrated in practice to be necessary for the purpose of serving as evidence in possible legal disputes. After the expiration of the specified periods, pursuant to Article 7 of the KVK Law, the said personal data are deleted, destroyed, or anonymized at the first destruction date.

5. YOUR RIGHTS REGARDING THE PROCESSING OF YOUR PERSONAL DATA:

Within the scope of Article 11 of the KVK Law, you may submit the following requests to our Company:
a. To learn whether your personal data are processed, and if processed, to request information regarding this,
b. To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
c. To learn the third parties to whom your personal data are transferred domestically or abroad,
d. If personal data have been processed incompletely or inaccurately, to request their correction,
e. Within the scope of Article 7 of the KVK Law, to request the deletion, destruction, or anonymization of your personal data in the event that the reasons requiring their processing cease to exist,
f. To request that the transactions carried out pursuant to subparagraphs (d) and (e) be notified to third parties to whom your personal data have been transferred, to object to the occurrence of a result to your detriment by means of the exclusive analysis of the processed data through automated systems,
g. To request compensation for damages in the event that you suffer damage due to the unlawful processing of your personal data.

Personal data owners may submit their requests regarding their rights specified above to our company by fully completing the form available at the web address www.erusgroup.com.tr, signing it with a wet signature, and sending it by registered mail with return receipt to the address www.erusgroup.com.tr. Duly submitted requests to our company will be concluded within thirty days at the latest. In the event that concluding the said requests requires an additional cost, our company will charge the applicant the fee in the tariff determined by the Personal Data Protection Board. 

Our company may request information from the relevant person in order to determine whether the person making the application is the personal data owner, and may direct questions to the personal data owner regarding the application in order to clarify the matters specified in the application.

In the following cases, our Company may reject the application of the applicant by stating its justification:
• Processing of personal data for purposes such as research, planning, and statistics by anonymizing them with official statistics.

• Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights, and does not constitute a crime.

• Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security.

• Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial, or execution proceedings.

• Processing of personal data being necessary for the prevention of crime or for criminal investigation.

• Processing of personal data that have been made public by the personal data owner.

• Processing of personal data being necessary for the performance of supervisory or regulatory duties and for disciplinary investigation or prosecution by public institutions and organizations and professional organizations having the status of public institutions, based on the authority granted by law.

• Processing of personal data being necessary for the protection of the economic and financial interests of the State in relation to budget, tax, and financial matters.

• There being a possibility that the request of the personal data owner may hinder the rights and freedoms of other persons.

• Requests that require disproportionate effort.

• The requested information being information that is publicly available.

Pursuant to Article 14 of the KVK Law, in cases where the application is rejected, the response provided is found insufficient, or the application is not responded to in due time; the personal data owner may file a complaint with the Board within thirty days from the date on which our Company’s response is learned and in any event within sixty days from the date of application.

ANNEX-1: Categories of Personal Data

Identity Information

All information contained in documents such as Driver’s License, Identity Card, Certificate of Residence, Passport, Attorney Identification Card, and Marriage Certificate, which is clearly related to an identified or identifiable natural person and is processed partially or wholly by automated means or by non-automated means which form part of a data recording system.

Contact Information

Information such as telephone number, address, and email, which is clearly related to an identified or identifiable natural person and is processed partially or wholly by automated means or by non-automated means which form part of a data recording system.

Customer Information

Information obtained and produced about the relevant person who is the customer’s authorized representative or employee, as a result of our commercial activities and the operations carried out by our business units within this framework, which is clearly related to an identified or identifiable natural person and is processed partially or wholly by automated means or by non-automated means which form part of a data recording system.

Customer Transaction Information

Information such as records regarding the use of our products and services and the instructions and requests necessary for the customer’s use of the products and services, which is clearly related to an identified or identifiable natural person and is included within the data recording system.

Physical Space Security Information

Personal data relating to the records and documents taken at the entrance to the physical space and during the stay within the physical space, which is clearly related to an identified or identifiable natural person and is included within the data recording system.

Transaction Security Information

Your personal data which are clearly related to an identified or identifiable natural person and are included within the data recording system, processed for the purpose of ensuring the fulfillment of technical, administrative, legal, and commercial obligations while we conduct our commercial activities.

Risk Management Information

Personal data which are clearly related to an identified or identifiable natural person and are included within the data recording system, processed through methods used in accordance with generally accepted legal, commercial custom, and the rule of good faith in these areas, in order for us to manage our commercial, technical, and administrative risks.

Financial Information

Personal data of the customer’s authorized representative or employee relating to the information, documents, and records showing any and all financial results of the customer, which are clearly related to an identified or identifiable natural person and are processed partially or wholly by automated means or by non-automated means which form part of a data recording system.