Privacy Policy
1. INTRODUCTION
1.1. Purpose and Scope of the Policy
This Data Protection and Processing Policy ("Policy") is designed to ensure TRIA APPLES TURIZM LTD STI – WISE COMPASS TRAVEL AGENCY (TRIA APPLES TOURISM INC.) ("Company") complies with Personal Data Protection Law No. 6698, European Union General Data Protection Regulation, and related regulations. It aims to establish guidelines for the Company to fulfill its responsibilities in safeguarding and handling personal data. The policy outlines the criteria for processing personal data and presents the core principles embraced by the Company in personal data processing. Within this framework, the Policy encompasses all activities related to personal data processing as stipulated by the Law, the individuals whose personal data is processed by the Company, and all personal data processed by the Company.
1.2. Effectiveness and Amendment
The Company has released the policy on its website for public access. In case of any discrepancies between the existing laws, particularly the Law, and the guidelines outlined in this Policy, the legal provisions will take precedence. The Company retains the authority to modify the Policy to align with legal requirements.
2. DATA SUBJECT, DATA PROCESSING OBJECTIVES, AND DATA CATEGORIES FOR PERSONAL DATA PROCESSING BY DATA CONTROLLER
2.1. Data Subjects
The individuals covered by this policy include all individuals whose personal information is being processed by the Company. In this context, the groups of individuals are outlined as follows:
- Client: Represents individuals who utilize the products and services provided by the Company.
- Potential Client: Denotes individuals who show interest in using the Company's products and services and have the potential to become clients.
- Visitor: Refers to individuals who visit the Company's premises, hotels, campuses, and website.
- Job Applicant: Represents individuals who apply for a position by submitting a CV to the Company or through other channels.
- Staff Member: Denotes individuals employed by the Company.
- Service Providers: Represents entities offering services to the Company to support its business operations as per the Company's instructions and contractual agreements.
- Business Associate: Denotes partners with whom the Company has established a business relationship during its commercial activities.
- Stakeholders: Refers to partners of the Company.
- External Parties: Denotes individuals other than those mentioned in the above categories.
The categorization of data subjects is provided for informational purposes. The absence of a data subject within these categories does not negate their status as a data subject as defined by the Law.
2.2. Objectives of Personal Data Processing
Your personal and sensitive personal data may be processed by the Company for the purposes outlined below, in accordance with the conditions for personal data processing specified in the Law and relevant regulations:
• Establishing, implementing, and enhancing Human Resources functions and initiatives
• Coordinating, developing, and executing Company-specific business activities, as well as planning and implementing strategies for business growth and development
• Ensuring the legal, technical, and occupational safety of the Company and individuals associated with the Company, and carrying out tasks to meet obligations
• Managing corporate relationships and operations
• Implementing and managing customer demand, complaint resolution, and post-sales processes
• Tailoring products and services to individuals, including designing and implementing activities for profiling, promotion, and marketing
• Evaluating feedback, complaints, and suggestions, and facilitating communication
• Managing customer contracts, relations, and services, as well as planning and overseeing commercial activities, projects, and operations
• Overseeing finance, accounting, and related activities
• Planning, implementing, and analyzing system access, IT, and data security initiatives
• Conducting control, data management, analysis, social activities, process improvement, and reporting
• Ensuring physical and electronic security measures for the Company
• Managing brand perception and customer-oriented advertising, sales, and marketing efforts
• Developing products and services based on customer usage patterns and trends
• Handling employee contract payments and related transactions
• Conducting research, analysis, and reporting for customer contracts and relationships
• Managing pre-contractual and post-contractual relations, aftersales services, and contractual obligations
• Building and maintaining relationships with suppliers, dealers, and business partners
• Overseeing operational processes and business continuity efforts
• Strategic planning activities for the Company's overall goals and objectives (collectively referred to as "Purposes").
2.3. Personal Data Categories
Your personal information, as classified below by the Company, will be processed in compliance with the personal data processing requirements outlined in the Law and relevant regulations:
PERSONAL DATA CATEGORIZATION STATEMENT
- Identity Details: All details pertaining to the individual's identity found in documents like driver's license, ID card, residency permit, passport, attorney ID, marriage certificate
- Contact Details: Information for contacting the data subject, including phone number, address, email
- Family and Relatives Information: Details about the products and services offered, or about the family members and relatives of the data subject, processed to safeguard the legal interests of both the Company and the individual
- Customer Transaction Details: Information on the utilization of our products and services, along with guidelines necessary for the customer to use them
- Physical Space Security Details: Records like video footage, phone calls, voice recordings, and personal data from documents obtained upon entry and during the stay in physical spaces
- Transaction Security Details: Personal data processed to ensure technical, administrative, legal, and commercial security during our business operations
- Financial Details: Personal data concerning information, documents, and records indicating financial outcomes based on the legal relationship established with the data subject
- Legal Compliance Details: Data processed for identifying and monitoring legal claims and rights, fulfilling debts, complying with legal obligations, and company policies
- Personnel Records: Payroll details, disciplinary inquiries, employment documents, asset declarations, background checks, performance evaluations, etc.
- Professional Experience Records: Diploma details, training courses attended, vocational training information, certifications, transcripts, etc.
- Marketing Insights: Purchase history, survey responses, cookie data, campaign-related information, etc.
- Visual and Audio Recordings: Video and audio recordings
- Sensitive Personal Data: Information on security measures involving biometric and genetic data related to race, ethnicity, political views, religious beliefs, appearance, medical conditions, criminal history, etc.
- Other Details: Data concerning requests or complaints directed to the Company, records of product/service inquiries, satisfaction surveys, personal interests, habits, tastes, campaign outcomes, complaints, and special occasions.
3. PRINCIPLES AND CONDITIONS RELATING TO PROCESSING PERSONAL DATA
3.1. Principles Relating to Processing Personal Data
The company will handle your personal information in line with the personal data processing principles outlined in Article 4 of the Law. It is essential to adhere to these principles for each personal data processing activity:
• Processing personal data in compliance with legal and ethical standards; the Company will abide by laws, regulations, and legal principles when processing your personal data; it will prioritize processing personal data only for the intended purpose and consider the reasonable expectations of data subjects.
• Maintaining accurate and current personal data; the Company will ensure that the personal data it processes is accurate and regularly verify the data's currency. Data subjects have the right to request corrections or removal of inaccurate or outdated data.
• Processing personal data for specific, transparent, and lawful purposes; the Company will define the purposes of data processing before each personal data processing activity and ensure that these purposes are lawful.
• Personal data should be relevant, limited, and proportionate to the purposes for which it is processed; the company will restrict data processing to the necessary personal data required to achieve the collection purpose and take measures to prevent the processing of data unrelated to this purpose.
• Retaining personal data for the period required by law or processing purposes; Personal data will be deleted, destroyed, or anonymized by the Company once the purpose of processing is fulfilled, or the legally stipulated period expires.
3.2. Conditions Relating to Processing Personal Data
The Company will process your personal data based on at least one of the personal data processing conditions outlined in Article 5 of the Law. Here are explanations regarding these conditions:
• If the data subject explicitly consents and no other data processing conditions apply, the Company can process the data subject's personal data with their voluntary approval and sufficient knowledge about the processing activity, limited to that specific transaction, in accordance with the general principles outlined in section 3.1.
• Personal data may be processed by the Company without explicit consent if the processing activity is legally mandated. In such cases, the Company will process personal data in line with the relevant legal regulations.
• If obtaining explicit consent is impossible due to practical reasons and data processing is necessary to protect the life or physical integrity of the data subject or a third party, the Company may process the data subject's personal data.
• Personal data processing related to drafting or executing a contract will be carried out if necessary for processing the personal data of the parties involved in the contract between the data subject and the Company.
• When personal data processing is required to fulfill legal obligations, the data controller will process the personal data to comply with the legal duties under current legislation.
• Publicly disclosed personal data can be processed by the Company for the purpose of disclosure, even without explicit consent from the data subject.
• Personal data may be processed without explicit consent if necessary for establishing, exercising, or defending a legal right.
• Personal data may be processed for the legitimate interests of the data controller, ensuring a balance of interests and safeguarding the data subject's rights and freedoms. The Company will assess the impact of data processing on the data subject's rights and freedoms and proceed with processing if the balance is maintained.
3.3. Conditions Relating to Processing Sensitive Personal Data
Sensitive personal data are defined in a limited scope in Article 6 of the Law. These data include information related to security measures involving biometric and genetic data concerning aspects such as race, ethnicity, political opinions, philosophical beliefs, religion, sects or other beliefs, appearance and attire, membership in organizations, foundations, or unions, medical conditions, sexual life, and criminal convictions. The Company may process sensitive personal data by implementing additional measures specified by the Personal Data Protection Board in the following scenarios:
• Sensitive personal data, excluding health and sexual life information, can be processed with explicit consent from the data subject or when legally mandated.
• Health and sexual life-related personal data can be processed by authorized institutions, organizations, and individuals bound by confidentiality obligations for the purposes of financial planning, healthcare management, preventive medicine, medical diagnosis, treatment, care services, and safeguarding public health without requiring explicit consent from the data subject.
4. PERSONAL DATA TRANSFER
The Company is authorized to transfer personal data domestically or internationally when specific conditions for data transfer are met as outlined in the supplementary regulations detailed in Articles 8 and 9 of the Law, as determined by the Personal Data Protection Board.
For transfers of personal data to third parties within the country, the Company will ensure that at least one of the data processing conditions specified in Articles 5 and 6 of the Law, as described in Section 3 of this Policy, is met, and that these conditions align with the fundamental principles.
When transferring personal data to third parties outside the country without explicit consent, the Company will adhere to the data processing conditions outlined in Articles 5 and 6 of the Law, as detailed in Section 3 of this Policy, and ensure compliance with the basic principles. If the destination country is not deemed a secure location by the Personal Data Protection Board, personal data may still be transferred abroad if the Company and the data controller in the receiving country provide written assurances of adequate protection, and if at least one of the data processing conditions in Articles 5 and 6 of the Law (refer to Section 3 of the Policy) is met, with the permission of the Personal Data Protection Board.
In line with the overarching principles of the Law and the data processing conditions specified in Articles 8 and 9, the Company may transfer data to the categorized parties listed in the table below:
| SHARED PARTY CATEGORIZATION | SCOPE | TRANSFER PURPOSE |
| --- | --- | --- |
| Business Partner | The parties with which the Company has established a business partnership while carrying out its commercial activities | Limited sharing of personal data in order to ensure the fulfillment of the business partnership's objectives |
| Shareholders | Company partners | Limited personal data sharing in order to ensure that shareholders have the right to receive information during the performance of the Company's commercial activities |
| Supplier | The parties providing services for the Company to continue its commercial activities in accordance with the instructions received from the Company and based on the contract concluded with the Company | Limited transfer by procuring outsourced services from the supplier |
| Legally Authorized Public Authority | Public institutions and organizations legally authorized to receive information and documents from the Company | Limited personal data sharing of relevant public institutions and organizations with the aim of requesting information |
| Legally Authorized Private Institution | Private law officers who are legally authorized to receive information and documents from the Company | Limited sharing of data for the purpose requested by the relevant private law officers within their legal authority |
5. CLARIFICATION OF DATA SUBJECTS AND RIGHTS OF DATA SUBJECTS
As per Article 10 of the Law, individuals must receive information regarding the processing of their personal data before or at the latest during the processing operation. The Company has established a framework within its organizational structure to ensure that individuals are informed whenever personal data processing activities are conducted by the Company acting as the data controller.
In this context:
• Refer to Section 2.2 of the Policy for details on the processing of your personal data.
• Check Section 4 of the Policy for information on the parties to whom your personal data is transferred and the purpose of such transfers.
• Review Sections 3.2 and 3.3 of the Policy to understand the conditions for processing your personal data collected through various channels in physical or electronic media.
Under Article 11 of the Law, as a data subject, you have the following rights:
- To ascertain if your personal data has been processed.
- To request information about the processing of your personal data if it has been processed.
- To know the purpose of processing your personal data and its compliance with the intended use.
- To be informed about the third parties, both domestic and international, to whom your personal data has been transferred.
- To request correction of incomplete or inaccurately processed personal data and notification of such corrections to relevant third parties.
- To request deletion or destruction of personal data when the reasons for processing no longer exist, and to inform relevant third parties of such actions.
- To object to decisions made solely by automated systems.
- To seek redress for damages resulting from unlawful data processing.
You can submit your requests related to these rights to our Company using the Data Subject Application Form on our website www.turkeytourbox.com, by emailing triaapples@hs01.kep.tr with "Personal Data Protection Law Information Request" in the subject line using a secure electronic signature as per the Electronic Signature Law No. 5070, or by sending your request form in person, by mail, or through a notary channel to the address "Duayeri Mah. Mehmet Akif blv. Ethem Tanriver Ish. No: 26/205 Urgup Nevsehir" with a wet signature and the label "Information Request under the Law on Protection of Personal Data."
Your requests will be processed promptly and within thirty days at no cost, unless additional charges are necessary as determined by the Personal Data Protection Board. The Company will verify the identity of the requester and may request further information if needed to clarify the request. Responses to data subject applications will be provided in writing or electronically. If an application is denied, the reasons for rejection will be clearly communicated to the data subject.
In cases where personal data is not obtained directly from the data subject, the Company will undertake activities to inform the data subjects promptly, either (1) within a reasonable timeframe from acquiring the data, (2) during initial communication if the data will be used to contact the data subject, or (3) before transferring the data for the first time.
6. DELETING, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
In compliance with Article 7 of the Law, the Company will erase, destroy, or render personal data anonymous following the standards set forth by the Authority when the necessity for data processing ceases to exist or at the request of the data subject.
7.3. Retention Times
| DATA SUBJECT | DATA CATEGORY | DATA RETENTION PERIOD |
| --- | --- | --- |
| Employee | Personal data on recruitment documents and service period and wage notifications made to the Social Security Institution | The data shall be retained for 50 (fifty) years at the continuation and also expiry of the service contract. |
| Employee | Personnel data excluding the personal data of the recruitment documents and service period and wage notifications made to the Social Security Institution | The data shall be retained for 10 (ten) years at the continuation of the service contract and from the beginning of the calendar year following the expiry of the service contract. |
| Employee | Data in Workplace Personal Health Files | The data shall be retained for 30 (thirty) years at the continuation and also expiry of the service contract. |
| Employee | Video camera footage, video camera voice recordings, voice recordings taken during phone calls | The data shall be retained for 2 years. |
| Business Partner / Solution Partner / Consultant | Identity information, contact information, financial information, business partner / Solution Partner / Consultant employee data regarding the performance of the business relationship between the Partner / Solution Partner / Consultant and the Company | The data shall be retained for 10 years during the business / commercial relationship with the Company and Business Partner / Solution Partner / Consultant and from the expiry of business / commercial relation in accordance with the Article 146 of Turkish Code of Obligations and the Article 82 of Turkish Commercial Code. |
| Business Partner / Solution Partner / Consultant | Video camera footage, video camera voice recordings, voice recordings taken during phone calls | The data shall be retained for 2 years. |
| Visitor | Name, surname, T.R. ID No., Passport No., car license plate of the visitor taken at the entrance to the company's premises and video camera footage recordings, sound recordings taken during phone calls | The data shall be retained for 2 years. |
| Employee Candidate | Information on the Candidate's CV and job application form | The data shall be retained for up to 2 years, until the resume is outdated. |
| Employee Candidate | Video camera footage, video camera voice recordings, voice recordings taken during phone calls | The data shall be retained for 2 years. |
| Intern (student) | Information contained in the internship file of the student | The data shall be retained for 10 (ten) years at the continuation of the internship and from the beginning of the calendar year following the expiry of the internship. |
| Intern (student) | Video camera footage, video camera voice recordings, voice recordings taken during phone calls | The data shall be retained for 2 years. |
| Customer | Customer name, surname, T.R. ID number, contact information, payment information and methods, Mac address information, access IP Information and data originating from Law No. 5651, information on the special days and health data other than the camera images, camera sound recordings, voice recordings collected during phone calls. | The data shall be retained for 10 years from the delivery of each product / service purchased by the customer in accordance with Article 146 of Turkish Code of Obligations and the Article 82 of Turkish Commercial Code. |
| Customer | Video camera footage, video camera voice recordings, voice recordings taken during phone calls | The data shall be retained for 2 years. |
| Prospective Customer | Identity information, contact information, financial information, voice records taken during telephone calls regarding the establishment of a commercial relationship between the Prospective Customer and the Company | The data shall be retained for 2 years. |
| Cooperated Institutions / Firms (Supplier) | Identity information, contact information, financial information about the execution of the commercial relationship between the Cooperated Institutions / Firms and Data of the Cooperated Institution / Firm Employees | The data shall be retained for 10 years during the business / commercial relationship between Cooperated Institutions / Firms and the Company and from the expiry of such relationships in accordance with Article 146 of Turkish Code of Obligations and the Article 82 of Turkish Commercial Code. |
| Cooperated Institutions / Firms (Supplier) | Video camera footage, video camera voice recordings, voice recordings taken during phone calls | The data shall be retained for 2 years. |
* If a longer duration is stipulated by law or if extended timeframes are designated for timeouts, expiration, or retention periods as per legal requirements, the durations outlined in legislative provisions will be regarded as the maximum retention period.
7.4. Duration of Data Destruction
The Company is obligated to delete, destroy, or anonymize personal data within six months from the date when the responsibility to delete, destroy, or anonymize the data arises, as outlined in the Law, relevant regulations, the Processing and Protection of Personal Data Policy, and this Personal Data Retention and Disposal Policy. In cases where the data subject requests the deletion or destruction of their personal data by submitting a request to the Company in accordance with Article 13 of the Law:
7.4.1. If the Company no longer meets all the criteria for processing personal data, it will delete, destroy, or anonymize the data upon request using an appropriate method within 30 days of receiving the request. The individual must submit the request in line with the Policy on Processing and Protection of Personal Data for it to be considered received by the Company, which will then communicate the action taken to the individual.
7.4.2. If the conditions for processing personal data are still valid, the Company may reject the request in accordance with the third paragraph of Article 13 of the Law, providing reasons for rejection. The response will be communicated to the individual in writing or electronically within thirty days at the latest.
7.5. PERIODIC DESTRUCTION
If the conditions for processing personal data as stipulated in the Law are no longer applicable, the Company will delete, destroy, or anonymize the data accordingly, following the procedures outlined in the Personal Data Retention and Disposal Policy. These actions will be conducted proactively at scheduled intervals. The periodic disposal processes will be conducted every six months.
7.6. CONTROL OVER COMPLIANCE WITH THE LAW FOR DATA DESTRUCTION PROCESS
The Company will conduct destruction procedures, whether initiated upon request or proactively, at specified intervals in compliance with the Law, relevant regulations, the Policy on Processing and Protection of Personal Data, and this Personal Data Retention and Destruction Policy. To ensure compliance with these regulations, the Company will implement administrative and technical measures for the proper execution of the disposal process.
6.4.1. Technical Measures
• The Company will have appropriate technical tools and equipment for each destruction method outlined in this policy.
• The Company will secure the location where destruction procedures take place.
• Records of destruction procedures will be maintained by the Company.
• Competent and experienced personnel will be responsible for executing the destruction procedures, or services will be outsourced to qualified third parties as needed.
6.4.2. Administrative Measures
• The Company will strive to enhance and promote awareness among its employees regarding information security, personal data, and privacy.
• Legal and technical consultancy services have been engaged by the company to stay abreast of advancements in information security, privacy rights, personal data protection, and secure destruction techniques, and to implement necessary measures.
• When destruction procedures are outsourced to third parties due to technical or legal requirements, the Company will establish protocols with these parties to safeguard personal data and ensure their compliance with obligations outlined in these protocols.
• Regular audits will be conducted by the Company to verify compliance with the law, as well as the conditions and responsibilities outlined in the Personal Data Retention and Destruction Policy, with appropriate actions taken as needed.
• All activities related to the deletion, destruction, and anonymization of personal data will be documented by the Company and these records will be retained for a minimum of three years, unless other legal obligations dictate otherwise.
DATA SECURITY MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA
Our Company implements a range of technical and administrative measures to safeguard both physical and digital documents effectively:
Administrative Measures:
- Employee disciplinary regulations with data security provisions are enforced.
- Regular training and awareness programs on data security are conducted for employees.
- An authority matrix is established for employees.
- Corporate policies covering access, information security, usage, retention, and disposal are developed and enforced.
- Confidentiality agreements are signed.
- Responsibilities of employees who change roles or leave the company are revoked.
- Data security clauses are included in signed contracts.
- Additional security measures are implemented for paper-based personal data transmission.
- Policies and procedures for personal data security are defined and communicated.
- Prompt reporting of personal data security issues is ensured.
- Security measures are in place for access to and exit from physical areas containing personal data.
- Physical environments housing personal data are safeguarded against external risks like fire or flood.
- Security of environments with personal data is maintained.
- Data minimization practices are followed.
- Regular audits are conducted within the organization.
- Risks and threats are identified and addressed.
- Protocols and procedures for securing specially qualified personal data are established and followed.
Technical Measures:
- Network and application security are maintained.
- Closed system networks are used for transferring personal data.
- Security measures are integrated into the supply, development, and maintenance of IT systems.
- Access logs are regularly monitored.
- Data masking techniques are applied when necessary.
- Up-to-date anti-virus systems and firewalls are deployed.
- Personal data security is continuously monitored.
- Personal data is backed up securely.
- User account management and access control systems are implemented and monitored.
- Log records are maintained without user intervention.
- Intrusion detection and prevention systems are utilized.
- Penetration testing is conducted.
- Ongoing cyber security measures are implemented and monitored.
- Sensitive personal data transferred via memory, CD, or DVD media is encrypted.
- Data loss prevention software is utilized.
8. RESTRICTIONS ON SCOPE AND IMPLEMENTATION OF THE LAW
The Law does not apply to the following scenarios:
- Processing personal data within the family or household context of individuals, provided that data security obligations are met, and data is not shared with third parties.
- Anonymizing personal data for investigation, planning, and statistical purposes in official statistics.
- Processing personal data for artistic, historical, literary, or scientific purposes, or freedom of speech, if it does not infringe upon national defense, national security, public order, economic security, or personal rights, and does not constitute a crime.
- Processing personal data for preventive, protective, and intelligence operations carried out by authorized state institutions and organizations to ensure national defense, security, public safety, order, or economic security.
- Processing personal data by judicial or enforcement authorities for investigative, legal, litigation, or enforcement procedures.
In the cases mentioned above, the Company is not required to provide clarification to data subjects, and data subjects cannot exercise their rights under the Law, except for the right to seek redress for any losses incurred:
- Processing personal data necessary to prevent illegal acts or for criminal investigations.
- Processing personal data that has been made public by the data subject.
- Processing personal data required for disciplinary investigations, prosecutions, supervisory duties by authorized state institutions, professional public organizations as mandated by law.
- Processing personal data necessary to protect the economic and financial interests of the State concerning budget, tax, and financial matters.