UPLICO Technology Inc. Personal Data Processing, Collection, Storage, Disclosure and Privacy Policy and Other Management Policies

Disclosure Statement

1. Definitions and Terms:

1. Personal Data: It refers to any information relating to an identified or identifiable natural person. This information includes data such as name, surname, date of birth, Turkish ID number, telephone number, e-mail address, IP address (a set of numbers specific to each device that devices connected to packet-switched networks using the internet use to exchange data with each other over the network).

2. Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

3. Data Processor: Refers to the natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

4. Explicit Consent: Consent based on information on a specific subject and expressed with free will.

5. Anonymization: It refers to making personal data impossible to be associated with an identified or identifiable natural person even if it is matched with other data.

6. Processing of Personal Data: It refers to all kinds of operations performed on personal data such as obtaining, recording, storing, retaining, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data.

7. Special Category Personal Data: Personal data such as race, ethnic origin, political opinion, philosophical belief, religion, denomination or other beliefs, attire and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

8. Data Breach: Refers to the unauthorized disclosure, alteration, or destruction of personal data as a result of its unlawful processing, access, or loss.

9. Data Processing Inventory: Refers to the inventory of personal data processing activities carried out by data controllers, including the purposes of processing, data categories, recipient groups to whom the data is transferred, and groups of data subjects, as well as the methods used in the processing process.

10. Institution: Refers to the Personal Data Protection Authority. The Authority is an independent administrative authority that implements regulations and controls related to the protection of personal data.

11. Data Subject: Refers to the real person whose personal data is processed. The data subject may also be referred to as the "relevant person."

12. Relevant Person: Refers to the real person whose personal data is processed. The data subject has the right to request information from the data controller about the processing of their personal data and to exercise their rights.

13. Third Party: Refers to real or legal persons to whom personal data may be transferred. These persons are persons other than the data controller and data processor.

14. Data Recording System: Refers to a recording system in which personal data is processed according to specific criteria.

2. Data Management and Representation (Identity of the Data Controller)

Under the Personal Data Protection Law No. 6698 (KVKK), UPLICO Technology Inc. (hereinafter referred to as "UPLICO") processes your personal data as the data controller. UPLICO takes its obligation to protect the confidentiality of customer information and prevent its unauthorized disclosure seriously.

In this context, all personnel working in our company undertake to use the information they learn while performing their duties only within legal limits and as required by their duties. Our employees are also responsible for complying with legal regulations regarding customer confidentiality and the protection of personal information.

Detailed information regarding the Protection and Processing of Personal Data can be accessed on our company's website. Our relevant policies have been carefully prepared and regularly updated to ensure the security of our valued customers' data. These updates can be accessed on our website.

3. Processing of Personal Data, Transfer Abroad, and Their Purposes

In accordance with the KVKK, you must be informed in advance and your explicit consent must be obtained for the processing of your personal data. In the case of transfers abroad, the application of standard contracts or binding corporate rules is essential. However, some special cases are excluded from this general rule. Specifically:

• Public Interest: At the request of public institutions such as government agencies.
• Legal Obligation: In cases explicitly permitted by other laws.
• Emergency Situations: In situations where consent cannot be obtained, such as to protect the life of a person in imminent danger.
• Contractual Obligations: When necessary to fulfill a contract.
• Legal Obligations: When necessary for the data controller to fulfill its legal obligations.
• Publicly Available Data: Data shared by the individual with the public.
• Protection of Legal Rights: When necessary for the establishment, exercise, or defense of a legal claim.
• Legitimate Interest: For the legitimate interests of the data controller, provided that this does not harm other fundamental rights and freedoms.

Except for these exceptions, your explicit consent must be obtained for the processing of your personal data, and standard contract or binding company rules must be applied.

UPLICO Technology Inc. ("UPLICO") processes your personal data within the framework of the KVKK for the following purposes in order to provide high-standard services to the technical service and energy sectors in Turkey and to ensure customer satisfaction:

1. Legal and Regulatory Compliance: Full compliance with local and international legislation, as well as the regulations of the regulatory bodies to which our parent company is subject; compliance with group-wide customer identification and risk management policies as part of the fight against money laundering. Additionally, due to the use of Amazon and Microsoft products for the transfer of personal data abroad, in accordance with the standard contract signed between us.

   Processes such as auditing, maintaining ethical standards, managing receivables, assessing creditworthiness, and conducting activities in compliance with legislation. Additionally, the effective execution of internal audit, investigation, and intelligence activities, as well as risk management processes.

   Conducting management activities, strategic planning, ensuring the security of data controller operations, and managing the procurement processes for goods and services. Furthermore, special circumstances such as the identification of risk groups in accordance with competition and social security legislation are also evaluated within this scope.

2. Work Support: Governance processes between individuals who wish to work and companies, and the preparation and sharing of related information and documents by the companies to be worked for.
3. Human Resources Management: Effective implementation of human resources policies, recruitment of suitable personnel, and fulfillment of occupational health and safety obligations.
4. Operational Efficiency and Communication: Regular execution of internal communication and operational activities, management of evaluation processes related to customers and business partners, and continuous monitoring of risk analyses and legal compliance processes. Production of goods and services, ensuring the security of transactions (e.g., transmission and processing of data of persons working abroad), document registration processes, and job search and worker referral processes. These processes are managed to ensure organizational effectiveness and customer satisfaction.
5. Customer Relations and Marketing: Customizing products and services to customer preferences, developing effective marketing strategies, and carrying out activities aimed at customer satisfaction. These processes are supported by both information security processes and post-sales support services for goods/services.
6. Strategic Planning and Business Development: Determining and implementing the organization's overall commercial and business strategies, supported by sectoral analyses and market research.
7. Financial and Administrative Management: Coordination of finance, communication, and market research activities; internal system and application management; management of purchasing and legal transactions.
8. Corporate Reputation and Relationship Management: Management of business partnerships and supplier relationships; corporate social responsibility projects; and protection and development of the company's image in society.
9. Business and Contract Management: Processing personal data belonging to contract parties, receiving and evaluating suggestions for improving business processes, and conducting communication activities.
10. Physical and Information Security: Ensuring physical space security, conducting information security processes, and following up on legal matters.

4. Transfer of Personal Data

Personal data managed by UPLICO Technology Inc. ("UPLICO") in accordance with the Personal Data Protection Law (KVKK) and in compliance with the law and principles of good faith are processed for specific, clear, and legitimate purposes and stored only for those purposes. Personal data is kept accurate and up-to-date in accordance with the purposes for which it is processed and is retained for as long as necessary.

This process is carried out in accordance with the legal conditions specified in Articles 8 and 9 of the KVKK. UPLICO takes the necessary security measures during the transfer of personal data and processes this data on servers and other electronic media located within and outside the country that meet appropriate security standards. These transfer operations are carried out within the scope of the purposes explained in the "Purposes of Processing Personal Data" section determined in advance, and the data is stored for the periods required by the relevant law and necessary for the purpose of processing.

In this context, UPLICO may transfer your personal data to third parties within and outside the country. These transfer activities are regulated in a manner that ensures the protection of data and are also linked to standard contracts, ensuring that the security of your personal data is maintained at the highest level. Each transfer is carried out in compliance with relevant legal regulations, taking into account the technical and administrative measures determined by the Personal Data Protection Authority, MASAK, the Competition Authority, the Personal Data Protection Authority, and institutions such as SPK and SGK to ensure the protection of data.

5. Collection of Personal Data, Method, and Legal Basis

Your personal data is collected by UPLICO Technology Inc. ("UPLICO") in accordance with the Turkish Labor Code (Law No. 4904), the Labor Law (Law No. 4857), and other relevant legislation, as well as through contracts, information forms, and other documents related to the information, documents, and other obligations provided by UPLICO Technology Inc. ("UPLICO") and its services. This collection process is carried out through notifications made with your consent and/or electronic signature, written or digital applications made to sales teams, and similar methods.

Collection Channels:

• Headquarters,
• Form and document uploads via the internet,
• Physical mail,
• Customer meetings,
• Telephone recordings, and other verbal, written, or electronic media.

These processes are carried out using fully or partially automated systems or non-automated methods as part of any data recording system. Your personal data may also be obtained by our affiliates located domestically and abroad, program partner institutions and organizations we collaborate with, third parties from whom services are obtained, official institutions, domestic and foreign banks, investment institutions, exchanges where transactions are conducted, markets, custodial institutions, and other third parties.

UPLICO acts in accordance with relevant legislation during the collection and processing of your personal data and takes all necessary security measures to protect your data. This information is used to improve the quality of the services offered by UPLICO and to provide you with better service.

UPLICO Technology Inc. ("UPLICO"), as a leading organization in the field of capital-based career management markets in Turkey, collects and processes your personal data in compliance with the KVKK. This process is necessary for the effective provision of our products and services and the execution of our investment and capital market services.

Personal Data Collection Channels and Purposes:

We collect your personal data through various channels such as our headquarters, websites, mobile and web applications.

Your identity information, contact information (address, phone number, email address), account information you have created through uplico.com and its extensions, biometric and health data, tax number, and other personal information are recorded and processed to accurately identify and execute your transactions.

Legal Obligations and Security Needs:

The personal data collected is shared with the Capital Markets Board (SPK), Borsa Istanbul (BIST), the Central Bank of the Republic of Turkey (TCMB), the Financial Crimes Investigation Board (MASAK), the Revenue Administration (GİB), the Investor Compensation Center (YTM), Takasbank, and the Central Registry Agency (MKK), the KVKK, the Turkish Employment Agency (İŞKUR), and the Social Security Institution (SGK), among others, to comply with the information storage, reporting, and disclosure obligations prescribed by the relevant judicial and administrative authorities.

These data may also be processed for reasons such as security, crime prevention, and our legitimate interests, in accordance with relevant legal regulations.

Conditions for Processing Personal Data:

UPLICO processes your personal data in accordance with the processing conditions stipulated by the KVKK and, in particular, without harming the fundamental rights and freedoms of the individuals concerned.

Your special category personal data is processed only with the relevant legal permissions, through a standard contract, and under high levels of protection and confidentiality principles.

This information is used to fulfill the requirements of the contracts signed with you and to provide you with better service. UPLICO takes all necessary measures to protect and secure your personal data and processes and stores this data in accordance with the law. Standard contract processes are also included in these processes.

6. Rights of Data Subjects

As UPLICO Technology Inc. ("UPLICO"), the rights granted to data subjects under the Personal Data Protection Law (KVKK) are as follows:

1. To learn whether personal data is being processed.
2. To obtain detailed information about the personal data that has been processed.
3. To inquire about the purpose of processing personal data and whether it is being used in accordance with that purpose.
4. To learn to which third parties within or outside the country personal data has been transferred.
5. Requesting the correction of incomplete or incorrect personal data and requesting that these corrections be communicated to the relevant third parties.
6. Requesting the deletion or destruction of personal data when the reasons for processing no longer exist and requesting that these actions be communicated to the relevant third parties.
7. Objecting to decisions made against you as a result of the processing of personal data by fully automated systems.
8. Request compensation for damages incurred as a result of the unlawful processing of personal data.

The necessary applications for the exercise of these rights can be made by filling out the form provided by UPLICO, signing it with a wet signature, and sending it by post to the physical company address below or by email to the account below. If the procedures are carried out in accordance with the regulations, requests will be evaluated and resolved within thirty days at the latest. If the relevant procedures incur additional costs, fees may be charged in accordance with the tariff determined by the KVKK.

Your Rights Regarding Your Personal Data

Data subjects must first contact the data controller to exercise their rights regarding their personal data. Pursuant to Article 14 of the Law, complaints cannot be made directly to the Personal Data Protection Board.

Under the law, you have the following rights regarding your personal data:

1. To learn whether your personal data has been processed,
2. To request information about the processing of your personal data,
3. To learn the purpose of the processing of your personal data and whether it is being used in accordance with that purpose,
4. To know the third parties to whom your personal data has been transferred within or outside the country,
5. To request the correction of your personal data if it has been processed incompletely or incorrectly,
6. To request the deletion or destruction of your personal data if the reasons for its processing no longer exist,
7. Requesting that the actions taken in accordance with paragraphs (5) and (6) be communicated to third parties to whom your personal data has been transferred,
8. Objecting to the emergence of a result detrimental to you through the analysis of your processed data exclusively by automated systems,
9. To request compensation for any damage you may have suffered as a result of the unlawful processing of your personal data.

You may exercise these rights by contacting the data controller, i.e., us.

How to Contact the Data Controller

You can submit your request using the following methods:

• Data Controller: UPLICO Technology Inc.
• Address: Esentepe Mah. Talat Paşa Cad. No: 5 İç Kapi No: 1 Şişli / Istanbul
• Email: info@uplico.com

Your application must include the following information:

1. Your first and last name and your signature if the application is in writing,
2. Your Turkish Republic ID number if you are a Turkish citizen, or your nationality, passport number, or ID number if you are a foreigner,
3. Your permanent residence or business address for notification purposes,
4. Your email address, phone number, and fax number, if applicable,
5. The subject of your request.

If applicable, any relevant information and documents related to the subject must also be attached to your application.

Your application will be processed within thirty days:

• (i) It may be accepted, and you will be informed about your request, or
• (ii) It may be rejected with an explanation of the reasons.

For more detailed information on the procedures and principles to be followed when submitting an application, please refer to the Personal Data Protection Authority's "Communication on the Procedures and Principles for Applications to the Data Controller."

You can access the Sample Information Request Form at https://uplico.com/kvkk-bilgi-formu.html.

Privacy Rights and Policy

Our users have the following rights regarding the processing of their personal data:

• Access and Correction: You have the right to access your personal data and correct it.
• Deletion: Under certain conditions, you may request the deletion of your personal data.
• Objection: You have the right to object to the processing of your personal data.

1. Introduction

UPLICO Technology Inc. ("UPLICO") takes the utmost care to protect the privacy of the personal data of our customers, employees, and other relevant individuals. This Privacy Policy clearly defines our obligations regarding the protection of personal data and the rights of data subjects.

2. Data Controller and Data Processor

In accordance with Articles 3 and 4 of the KVKK, UPLICO is responsible for taking measures related to the processing and protection of your personal data. As the data controller, our company ensures that your data is processed in accordance with the law and that processes are managed effectively.

3. Methods and Purposes of Collecting Personal Data

Your personal data may be collected through the following methods:

• Physical forms, call centers, our company's website, and mobile applications.
• Emails and various digital platforms.

The collected data may be processed for the following purposes:

• Improvement of service delivery and work processes,
• Fulfillment of legal obligations,
• Human resources and operational management processes,
• Ensuring data security.

4. Transfer of Personal Data Within Turkey and Abroad

Your personal data may be shared with third parties abroad in accordance with standard contracts and, where necessary, binding corporate rules contracts in the following circumstances:

• Due to contractual obligations with service providers,
• For the purpose of fulfilling legal obligations.

When your data is transferred, we act in accordance with Articles 8 and 9 of the KVKK and take the necessary technical and administrative measures.

5. Rights of Data Subjects

Pursuant to Article 11 of the KVKK, data subjects have the following rights:

• To learn whether personal data is being processed,
• To inquire about the purpose of processing the data and whether it is being used in accordance with its purpose,
• To request the correction of incomplete or incorrectly processed data,
• To request the deletion or destruction of data,
• To object in the event of an adverse outcome.

6. Data Security

UPLICO takes the measures listed below, as well as those listed in the Link, to ensure the security of your personal data:

• Technical measures: Encryption, authorization systems, and up-to-date antivirus software are used.
• Administrative measures: Our employees undergo training on personal data protection.

Changes:
All of this text and our other texts may be updated in accordance with changes in legislation. All updates will be shared on our website.

Last update date: 12.02.2025