PERSONAL DATA PROTECTION POLICY

WOODSAKA PERSONAL DATA PROTECTION POLICY

General Information on the Personal Data Protection Law
The Personal Data Protection Law No. 6698 (hereinafter referred to as the “KVKK”) was adopted on 24 March 2016 and published in the Official Gazette dated 7 April 2016 and numbered 29677. Certain provisions of the KVKK entered into force on the date of publication, while the remaining provisions entered into force on 7 October 2016.

Information as Data Controller
Pursuant to the KVKK No. 6698 and in our capacity as the Data Controller, your personal data may be recorded, stored, updated, disclosed to or transferred to third parties where permitted by legislation, classified, and processed in the manners specified in the KVKK, within the scope explained on this page.

Methods of Processing Personal Data
In accordance with the KVKK No. 6698, personal data shared by you with our Company may be obtained, recorded, stored, modified, reorganized, and processed in whole or in part, either automatically or, provided that they are part of a data recording system, by non-automatic means. All operations performed on personal data within the scope of the KVKK are deemed “processing of personal data”.

Purposes and Legal Grounds for Processing Personal Data
Your shared personal data may be processed in accordance with the KVKK No. 6698 and relevant secondary legislation for the following purposes:
To perform the requirements of the services provided to our customers in compliance with contractual and technological requirements and to improve our products and services.
To record identity, address, and other necessary information for the purpose of identifying the transaction holder within the scope of the Law No. 6563 on the Regulation of Electronic Commerce, Law No. 6502 on the Protection of Consumers, the Regulation on Service Providers and Intermediary Service Providers in Electronic Commerce published in the Official Gazette dated 26.08.2015 and numbered 29457, the Regulation on Distance Contracts published in the Official Gazette dated 27.11.2014 and numbered 29188, and other relevant legislation.
To arrange all records and documents forming the basis of transactions in electronic or physical form, including payment systems that are mandatory in the fields of banking and electronic payments, and to comply with information retention, reporting, and disclosure obligations stipulated by legislation and other authorities.
To provide information to public prosecutors’ offices, courts, and relevant public officials upon request and as required by legislation in matters concerning public security and legal disputes.

Information on Third Parties to Whom Personal Data May Be Transferred
For the purposes stated above, personal data shared with our Company may be transferred to persons or entities related to the services provided, including primarily IdeaSoft Software Industry and Trade Inc., which provides our e-commerce infrastructure, as well as suppliers, cargo companies, program partner organizations with whom we cooperate as data processors, domestic and foreign organizations, and other third parties.

Method of Collection of Personal Data
Your personal data may be collected and processed through the following means:
Through forms on our Company’s website and mobile applications, including name, surname, Turkish ID number, address, telephone number, business or personal email address; preferences entered on pages accessed via username and password; IP records of transactions, cookie data collected by the browser, browsing duration and details, and location data.
Through verbal, written, or electronic means via our sales and marketing staff, branches, suppliers, other sales channels, paper forms, business cards, digital marketing tools, and call centers.
From individuals who share their personal data for purposes such as establishing a commercial relationship with our Company, applying for a job, or submitting offers, through business cards, résumés (CVs), proposals, and similar means, whether in physical or digital environments, face-to-face or remotely.
From indirect sources such as websites, blogs, contests, surveys, games, campaigns, social media platforms, e-newsletter reading or click activities, publicly available databases, and publicly shared profile information on social media platforms.

Personal Data Obtained Prior to the Entry into Force of the KVKK
Personal data lawfully obtained prior to the effective date of the KVKK on 7 April 2016 through membership, electronic communication consent, purchase of products or services, or other means are also processed and retained in accordance with the terms and conditions set forth in this document.

Transfer of Personal Data Abroad
Personal data collected by any of the methods listed above may be transferred to service providers located abroad, provided that they are accredited by the Personal Data Protection Board and located in countries offering adequate protection for personal data, in compliance with the KVKK and in accordance with contractual purposes.

Retention and Protection of Personal Data
Your personal data are stored confidentially in databases and systems maintained by our Company in accordance with Article 12 of the KVKK and shall not be shared with third parties except as required by law and as stated in this document. Our Company is obliged to take software-based measures such as access management and physical security measures to prevent unlawful processing of personal data and unauthorized access. In the event that personal data are obtained by others through unlawful means, the situation shall be promptly reported in writing to the Personal Data Protection Board in accordance with legal regulations.

Ensuring Accuracy and Currency of Personal Data
Pursuant to Article 4 of the KVKK, our Company is obliged to keep personal data accurate and up to date. Accordingly, customers are required to share accurate and up-to-date data or update their information via the website or mobile application to enable our Company to fulfill its legal obligations.

Rights of the Personal Data Owner under the KVKK
Article 11 of the KVKK entered into force on 7 October 2016. Pursuant to this article, Personal Data Owners have the following rights by applying to our Company as the Data Controller:
To learn whether personal data are processed.
To request information if personal data have been processed.
To learn the purpose of processing personal data and whether they are used in accordance with that purpose.
To know the third parties to whom personal data are transferred domestically or abroad.
To request correction of personal data if they are incomplete or inaccurate.
To request deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVKK.
To request notification of the correction, deletion, or destruction of personal data to third parties to whom the data have been transferred.
To object to any result against the individual that arises from analysis of the processed data exclusively through automated systems.
To request compensation for damages in case personal data are processed unlawfully.

[Full Company Trade Name], registered with the [................] Chamber of Commerce under registration number [..........................], holding MERSIS number [.............................], and located at [.......................................................................], is the Data Controller within the scope of the KVKK. The Data Controller Representative to be appointed by our Company shall be announced in the Data Controllers Registry and on the website where this document is published once the legal infrastructure is established.

Personal Data Owners may submit their questions, opinions, or requests through any of the following communication channels:
Email: [email protected]
Telephone: +90 332 249 0409