Privacy & Policy

A. INTRODUCTION

The Code No. 6698 on the Protection of Personal Data (“Code”) became effective on April 7, 2016. The Code defines personal data and sets forth the principles regarding their protection as well as the conditions to be complied with by data controllers in the processing of such data. Under the Code, personal data means any information relating to an identified or identifiable natural person. Processing of personal data refers to any operation performed upon personal data, including obtaining, recording, storing, altering, sharing with third parties, and transferring abroad, whether by automated means or non-automated means provided that they form part of a data recording system.

LUMO YAZILIM VE BİLİŞİM TEKNOLOJİLERİ A.Ş (hereinafter referred to as “LUMO”) adopts the principles regarding the protection and processing of personal data set forth in the relevant legislation and takes the necessary administrative and technical measures to ensure compliance with the Law. For the scope of this Personal Data Protection and Processing Policy (“Policy”), see Section F: DATA SUBJECT AND PERSONAL DATA CATEGORIZATION.

Applicable legislation in force concerning the processing and protection of personal data shall primarily apply. In the event of any inconsistency between the legislation in force and this Policy, LUMO accepts that the legislation in force shall prevail. The Policy is published on LUMO’s website (www.mooncape.co) and made accessible to personal data subjects. Amendments and updates may be made to the Policy to ensure compliance with changing conditions and legislation and will be made available to personal data subjects via the relevant website.

All users of applications developed by LUMO, primarily including RALLAE, shall be defined as “User” under this Policy regardless of whether they are natural or legal persons.

B. PROCESSING OF PERSONAL DATA

B.I. PRINCIPLES FOR PROCESSING PERSONAL DATA

Article 20/III of the Constitution guarantees the protection of personal data by stipulating that personal data may be processed only in cases prescribed by code or with the explicit consent of the person. In line with this right granted to personal data subjects, LUMO processes personal data in accordance with the principles specified in the relevant legislation or in cases where the explicit consent of the individual exists, and in compliance with the following principles:

·      Processing in compliance with the law and the rule of good faith

·      Ensuring that personal data are accurate and, where necessary, kept up to date

·      Processing for specific, explicit and legitimate purposes

·      Being relevant, limited and proportionate to the purposes for which they are processed

·      Retaining for the period stipulated in the relevant legislation or required for the purpose for which they are processed

B.II. CONDITIONS AND PURPOSES OF PROCESSING PERSONAL DATA

As a rule, personal data may be processed only where the explicit consent of the personal data subject exists. Articles 5 and 6 of the Code set out the conditions for processing personal data and special categories of personal data. The Code designates certain personal data that carry the risk of causing victimization or discrimination if processed unlawfully as “special categories of personal data.” Article 6 of the Code lists such data exhaustively and includes data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. LUMO processes users’ special categories of personal data as described in this Policy.

In all cases, LUMO processes personal data in accordance with the general principles set forth in Article 4 of the Code and for the purposes and under the conditions specified below.

With respect to general personal data, personal data are processed by LUMO where:

·      It is explicitly provided by law that LUMO must carry out the relevant processing activity

·      Processing by LUMO is necessary to protect the life or physical integrity of the personal data subject or another person and the data subject is incapable of giving consent due to actual or legal impossibility

·      Processing of the User’s personal data by LUMO is directly related to and necessary for the establishment or performance of a contract

·      Processing is necessary for LUMO to fulfill its legal obligations

·      The personal data have been made public by the User, provided that processing is limited to the purpose of such disclosure

·      Processing is necessary for the establishment, exercise or protection of the rights of LUMO, the User or third parties

·      Processing is necessary for the legitimate interests of LUMO, provided that it does not harm the fundamental rights and freedoms of the User

Within this framework, personal data are processed by LUMO for the following purposes:

·      Planning, auditing and execution of information security processes

·      Establishment and management of IT infrastructure

·      Planning and execution of employees’ information access authorizations

·      Monitoring of finance and/or accounting affairs

·      Follow-up of legal affairs

·      Planning and/or execution of analyses for efficiency/productivity and/or appropriateness of business activities

·      Planning and execution of business activities

·      Planning and/or execution of business continuity activities

·      Planning and execution of corporate communication activities

·      Planning and execution of customer/user relationship management processes

·      Planning and/or execution of customer/user satisfaction activities

·      Handling of customer/user requests and/or complaints

·      Conducting activities for determining customers’/users’ financial risks

·      Planning and/or execution of after-sales support services

·      Planning and execution of company audit activities

·      Planning and execution of operational activities necessary to ensure that company activities are carried out in accordance with company procedures and/or relevant legislation

·      Ensuring the security of company operations

·      Planning and execution of relevant processes to obtain maximum benefit from products or services offered by the company

·      Follow-up of contract processes and/or legal claims

·      Execution of strategic planning activities

·      Planning and execution of production and/or operational processes

·      Planning and execution of market research activities for the sales and marketing of products and services

·      Planning and execution of marketing processes of products and/or services

·      Planning and execution of sales processes of products and/or services

·      Ensuring that data are accurate and up to date

·      Providing information to authorized institutions as required by legislation

C. TRANSFER OF PERSONAL DATA

C.I. GENERAL PRINCIPLES REGARDING TRANSFER

Articles 8 and 9 of the Code regulate the transfer of personal data domestically and abroad. LUMO may transfer personal data obtained lawfully to third parties by taking the necessary security measures in line with the purposes of data processing. Accordingly, LUMO may transfer personal data to third parties where one of the processing conditions set forth in Section B.II and the following conditions exist:

·      The explicit consent of the personal data subject exists

·      There is an explicit legal provision regarding the transfer

·      It is necessary to protect the life or physical integrity of the data subject or another person and the data subject is incapable of giving consent

·      The transfer is necessary for the establishment or performance of a contract directly related to the parties

·      Transfer is necessary for LUMO to fulfill its legal obligations

·      The personal data have been made public by the data subject

·      Transfer is necessary for the establishment, exercise or protection of a right

·      Transfer is necessary for LUMO’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject

C.II. TRANSFER OF PERSONAL DATA ABROAD

LUMO may transfer the personal data of the personal data subject abroad, in line with its legitimate and lawful personal data processing purposes, in the following cases:

·      Where the User’s explicit consent exists; or

·      Where one of the conditions set forth in Articles 5 and 6 of the Code exists and an adequacy decision has been issued regarding the country, the sectors within that country, or the international organizations to which the data will be transferred; or

·      In the absence of an adequacy decision, personal data may be transferred abroad by data controllers and data processors, provided that one of the conditions specified in Articles 5 and 6 of the Code exists and that the data subject has the possibility to exercise his/her rights and to seek effective legal remedies in the country of transfer, and that one of the appropriate safeguards listed below is provided by the parties:

a) The existence of an agreement, not constituting an international treaty, concluded between foreign public institutions or organizations or international organizations and Turkish public institutions or organizations or professional organizations with the status of a public institution, and permission for the transfer granted by the Board.

b) The existence of binding corporate rules, approved by the Board, containing provisions on the protection of personal data and to which companies within a group of undertakings engaged in a joint economic activity are obliged to comply.

c) The existence of a standard contract announced by the Board, containing provisions such as the data categories, purposes of the data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures for special categories of personal data.

ç) The existence of a written undertaking containing provisions ensuring adequate protection and permission for the transfer granted by the Board.

·      Where neither an adequacy decision exists nor any of the above-listed appropriate safeguards can be provided, provided that one of the exceptional cases specified in the Law applies.

C.III. THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED

In accordance with the above conditions and Articles 8 and 9 of the Code, LUMO may transfer personal data governed by this Policy to:

·      Business partners (anonymously, limited to partnership purposes; explicit consent is obtained for other transfers)

·      Suppliers providing outsourced services necessary for LUMO’s commercial activities

·      Affiliates, limited to activities requiring participation of LUMO subsidiaries

·      Shareholders, limited to audit and strategy purposes and compliance with legislation

·      Authorized public institutions and private persons within their legal authority

D. PROTECTION OF PERSONAL DATA

LUMO ensures the lawful processing and protection of personal data by taking the administrative and technical measures stipulated under the applicable legislation and any additional measures to be notified by the Personal Data Protection Board, in order to ensure the security of the personal data it processes. Within this scope, LUMO adopts reasonable technical and administrative measures—taking into account technological capabilities and implementation costs—to ensure that personal data are processed lawfully, stored in secure environments, that risks of unauthorized access and any other unlawful access are prevented, that accidental data losses are avoided, and that intentional damage to or deletion of data is prevented. In particular:

·      LUMO’s personal data processing activities are audited through established technical systems, and periodic reporting is carried out regarding the technical measures taken;

·      Employees of LUMO who process personal data are informed and trained on personal data protection law and the lawful processing of personal data;

·      Legal compliance requirements determined on a business-unit basis are met by creating awareness within the relevant units and establishing implementation rules, and by organizing internal policies and training to ensure auditability and sustainability;

·      Contracts and documents governing the legal relationship between LUMO and its employees include provisions imposing obligations not to process, disclose, or use personal data except in accordance with LUMO’s instructions and the exceptions provided by the Code, and employee awareness in this regard is ensured;

·      Access rights and authorizations are assigned in accordance with business-unit–based legal compliance requirements, and access privileges are restricted accordingly;

·      Software and hardware including antivirus systems and firewalls are installed and operated;

·      Contracts concluded with persons to whom personal data are lawfully transferred—including parties from whom LUMO receives outsourced services due to technical requirements related to data storage—include provisions requiring such recipients to take the necessary security measures for the protection of personal data and to ensure compliance with such measures within their own organizations;

·      Technical security systems for storage areas are established through the use of lawful backup programs;

·      GitHub, server, and database access of personnel whose employment has terminated are immediately disabled and logged;

·      In accordance with Article 12 of the Code, LUMO operates a system ensuring that, where personal data processed are obtained by others through unlawful means, this situation is notified to the relevant personal data subject and to the Personal Data Protection Board as soon as possible. Where deemed necessary by the Board, this situation may be announced on the Board’s website or by another method.

E. INFORMATION OF DATA SUBJECT, RIGHTS AND REQUESTS

E.I. DUTY TO INFORM THE DATA OWNER

Article 10 of the Code stipulates that personal data subjects must be informed during the collection of personal data. Accordingly, in line with the other general principles governing personal data processing activities set out in the relevant legislation, LUMO informs personal data subjects, at the time their personal data are obtained, regarding: (i) the identity of the data controller and, if any, its representative, (ii) the purposes for which personal data will be processed, (iii) to whom and for what purposes the data may be transferred, (iv) the method and legal basis of personal data collection, and (v) the rights of the personal data subject.

E.II. RIGHTS OF PERSONAL DATA OWNER

Article 11 of the Code sets forth the rights of the personal data subject. Accordingly, the data subject has the right to:

·      Learn whether his/her personal data are processed;

·      Request information regarding the processing if his/her personal data have been processed;

·      Learn the purpose of processing of personal data and whether they are used in accordance with that purpose;

·      Know the third parties to whom personal data are transferred domestically or abroad;

·      Request rectification of personal data where they are processed incompletely or inaccurately, and request notification of such rectification to third parties to whom personal data have been transferred; and, although processed in accordance with the Law and other relevant legal provisions, request the deletion or destruction of personal data where the reasons requiring processing cease to exist, and request notification of such action to third parties to whom personal data have been transferred;

·      Object to the occurrence of a result against the person arising from the analysis of processed data exclusively through automated systems;

·      Request compensation for damages in case he/she suffers damage due to the unlawful processing of personal data.

However, pursuant to Article 28 of the Code, the above-mentioned rights may not be asserted in the following cases:

·      Processing of personal data for purposes such as research, planning and statistics by anonymization for official statistics;

·      Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights, or constitute a crime;

·      Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security;

·      Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, adjudication or execution proceedings.

Pursuant to Article 28/2 of the Code, in the cases listed below, personal data subjects may not assert their other rights specified above, except for the right to claim compensation for damages:

·      Where personal data processing is necessary for the prevention of a crime or for a criminal investigation;

·      Processing of personal data that have been made public by the data subject himself/herself;

·      Where personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution carried out by authorized public institutions and organizations or professional organizations having the status of a public institution, based on authority granted by law;

·      Where personal data processing is necessary for the protection of the State’s economic and financial interests in relation to budgetary, tax and fiscal matters.

E.III. NOTIFICATION OF PERSONAL DATA SUBJECTS

Requests for information submitted by personal data subjects, pursuant to Article 20 of the Constitution and the right to request information listed among the above-mentioned rights, are fulfilled by LUMO in accordance with the Law. For the purpose of providing the necessary notifications to personal data subjects, LUMO establishes and maintains the required channels, internal procedures, and administrative and technical arrangements in accordance with Article 13 of the Code. Accordingly, where personal data subjects submit their requests regarding the above-mentioned rights to LUMO, LUMO provides a reasoned positive or negative response free of charge within thirty (30) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, LUMO may charge the fee set forth in the tariff determined by the Personal Data Protection Board. Personal data subjects may exercise their above-mentioned rights through one of the following methods:

·      Sending a request to the e-mail address info@mooncape.co (In this case, in order to verify whether the applicant is indeed the rightful personal data subject through the same channel from which the application is made, LUMO will contact the relevant person via the registered telephone number to confirm that the request has genuinely been submitted by the data subject. Within this scope, the applicant’s latest order details will be verified, and if the data subject and the requester are matched, the application will be taken into evaluation.);

·      Following a method prescribed by the Personal Data Protection Board;

·      For third parties to submit an application request on behalf of personal data subjects, a special power of attorney issued via a notary public in the name of the person authorized to apply by the data subject must be provided;

·      LUMO may request information from the applicant in order to determine whether the person submitting the application is the personal data subject and may direct questions to the personal data subject regarding his/her application in order to clarify the matters stated therein. Pursuant to Article 14 of the Code, where the application is rejected, the response is deemed insufficient, or no response is provided within the prescribed time, the personal data subject may file a complaint with the Personal Data Protection Board within thirty (30) days from the date on which he/she learns of LUMO’s response and, in any event, within sixty (60) days from the date of application.

F. DATA SUBJECT AND PERSONAL DATA CATEGORIZATION

F.I. DATA SUBJECT CATEGORIZATION

LUMO has categorized the subjects of the personal data it processes within its organization as follows. The data subject categorization established under this Policy is associated with the personal data subjects listed below. Data subjects falling outside this scope may also submit their requests to LUMO in accordance with this Policy.

Personal Data Subject Categories

Customer/User/Person Receiving Products or Services: Natural persons who use or have used the products and services offered by LUMO, regardless of whether they have any contractual relationship with LUMO.

Potential Customer: Natural persons who have requested or shown interest in using LUMO’s products and services or who may reasonably be evaluated as having such interest in accordance with commercial customs and the principle of good faith.

Third Parties: Other natural persons who do not fall within the scope of this Policy or the LUMO Employees Personal Data Protection and Processing Policy.

Business Partner Shareholder, Authorized Person, Employee: Natural persons working at institutions with which LUMO has any kind of business relationship, including shareholders and authorized representatives of such institutions.

Supplier Shareholder, Authorized Person, Employee: Natural persons working at institutions from which LUMO procures products or services and with which LUMO has a business relationship, including shareholders and authorized representatives of such institutions.

Business Partner Candidate: Natural persons with whom LUMO envisages establishing a business relationship, or natural persons who are employees, shareholders, or authorized representatives of legal entities with whom such a relationship is envisaged.

Visitor: Natural persons who have entered LUMO’s physical premises for various purposes or who visit our websites.

F.II. PERSONAL DATA CATEGORIZATION

Within the scope of this Policy, personal data processed by LUMO are categorized. The personal data of the data subjects included in the above-mentioned data subject categories are associated with the following personal data categories.

Personal Data Categories

Profile Information: Profile-specific information such as username.

Contact Information: Information such as telephone number, address, e-mail address, fax number, etc., that clearly belongs to an identified or identifiable natural person and is processed wholly or partially by automated means or by non-automated means forming part of a data recording system.

Location Data: Information that clearly belongs to an identified or identifiable natural person and is processed wholly or partially by automated means or by non-automated means forming part of a data recording system, and that determines the location of the personal data subject such as employees of institutions cooperating with LUMO while using LUMO tools within the scope of operations carried out by LUMO business units.

Customer Transaction Information: Information clearly belonging to an identified or identifiable natural person and contained in a data recording system, such as records regarding the use of our products and services and instructions and requests necessary for the customer’s use of such products and services.

Transaction Security Information: Personal data clearly belonging to an identified or identifiable natural person and contained in a data recording system, such as IP address, system login credentials, logs of resources accessed by suppliers while providing support services, and user actions within the wallet system (e.g., password reset, password creation) processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities.

Legal Transaction Information: Personal data clearly belonging to an identified or identifiable natural person and contained in a data recording system, processed within the scope of determining and pursuing our legal receivables and rights, fulfilling our obligations, and ensuring compliance with legal obligations and company policies.

Marketing Information: Personal data clearly belonging to an identified or identifiable natural person and contained in a data recording system, processed for the purpose of customizing and marketing our products and services in line with the usage habits, preferences and needs of the personal data subject, as well as reports and evaluations generated as a result of such processing.

Risk Management Information: Information associated with a person and collected for the purpose of protecting LUMO’s commercial reputation (e.g., information collected regarding posts made against LUMO, its senior executives and shareholders on the App Store application page, Twitter and Facebook, related evaluation reports, and actions taken in this regard).

G. PRINCIPLES REGARDING RETENTION PERIODS OF PERSONAL DATA

Personal data are retained by LUMO for the periods stipulated in the relevant legislation and in line with its legal obligations. If no retention period is prescribed in the legislation regarding how long personal data must be stored, personal data are processed for the period required by the activity carried out by LUMO while processing such data, in accordance with LUMO’s practices and commercial customs, and are subsequently erased, destroyed, or anonymized. Personal data whose processing purpose has ceased, as well as personal data for which erasure/anonymization has been requested by the personal data subject, may, if the retention periods stipulated in the relevant legislation and determined by LUMO have also expired, be retained solely for the purpose of constituting evidence in possible legal disputes or for the establishment, exercise, or defense of a right related to such personal data. In determining retention periods, LUMO takes into account the statutory limitation periods prescribed in the relevant legislation. Personal data retained for this purpose are accessible only to limited persons when necessary for use in the relevant legal dispute and are not accessed for any other purpose. At the end of this period, the personal data are erased, destroyed, or anonymized.

H. CONDITIONS FOR ERASURE, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

As regulated under Article 138 of the Turkish Penal Code and Article 7 of the Code, even if personal data have been processed in accordance with the relevant legal provisions, where the reasons requiring their processing cease to exist, such personal data shall be erased, destroyed, or anonymized ex officio upon LUMO’s decision or upon the request of the personal data subject.

I. UPDATES, COMPLIANCE AND AMENDMENTS

LUMO reserves the right to make amendments to this Policy and to other policies related and connected to this Policy due to amendments to the Code, pursuant to decisions of the Personal Data Protection Board, or in line with developments in the sector or in the field of information technologies.

Amendments made to this Policy are incorporated into the text without delay, and explanations regarding such amendments are provided at the end of the Policy.