Data Protection Act (KVKK) Information Notice

Last Updated: 06.05.2026

This Privacy Notice has been prepared by Karınca Prefabrik Çelik Yapı A.Ş. (“Company”) pursuant to the Law on the Protection of Personal Data No. 6698 (“KVKK”) to inform data subjects whose personal data is processed, in accordance with Article 10 of the KVKK. This notice also contains information regarding cookies. Viewing this notice or using our website does not, by itself, constitute consent to any data processing activities. In cases requiring explicit consent, such consent is obtained separately and explicitly from the data subject.

• Identity of the Data Controller

Pursuant to the KVKK, the data controller is the company whose information is provided below:

Title	Karınca Prefabrik Çelik Yapı A.Ş.
Address	Çerkeşli OSB Mah. İMES-10 Cad. No:1 Dilovası / Kocaeli
Tax Office / Tax Number	Uluçınar V.D. / 524 160 17 12
Phone	0262 641 04 44
Mail	info@karincaprefabrik.com
Web Sitesi	www.karincaprefabrik.com

The company acts as the data controller, determining the purposes and means of processing personal data.

• Processed Personal Data

Depending on the nature of your relationship with our company, the following personal data may be processed. Our company processes only the data necessary for the relevant processing purpose.

• Identification Information

First name, last name, title, information about the requesting individual or organization, and, if applicable, information about the representative.

• Contact Information

Phone number, email address, physical address, city/county information, and contact information shared via WhatsApp or similar communication channels.

• Customer Transaction Information

Requests for proposals, orders, and project requests; correspondence; follow-up records; the content of pre-contract meetings; notes regarding your requests; and records of complaints and suggestions.

• Transaction Security Information

IP address, log records, access logs, browser type, device information, transaction date and time, session activity, security logs.

• Financial and Accounting Information

Billing information, payment information, bank account information, tax records, and information contained in documents issued in the course of a business relationship.

• Visual and Physical Security Information

Entry and exit logs for the company premises, security camera footage, visitor logs.

• Marketing and Communication Preferences

If you provide your explicit consent, this includes product and service promotion preferences, campaign feedback, permissions for electronic communications, interests, cookie preferences, and digital interaction data.

• Request and Complaint Information

The content of the requests, complaints, objections, returns, maintenance, service, or information requests you have submitted to our company.

• Purposes of Personal Data Processing

Your personal data may be processed for the following purposes:

• Communication and Request Management

Receiving, evaluating, responding to, and finalizing the information, proposals, quotes, project requests, and product and service requests you have submitted.

• Pre-Contractual and Contractual Processes

Preparing proposals, conducting preliminary discussions, and managing the processes related to ordering, delivery, installation, assembly, maintenance, service, warranty, and post-sales support.

• Conducting Business and Commercial Activities

Ensuring corporate communication, managing operational processes, managing customer relationships, and conducting business development activities.

• Finance, Accounting, and Tax Obligations

Billing, collections, payments, maintaining accounting records, and fulfilling obligations arising from tax and commercial regulations.

• Compliance with Legal Obligations

Submitting the information and documents required under applicable laws to the relevant public institutions and agencies; conducting legal proceedings; preserving evidence; and managing litigation and enforcement proceedings.

• Corporate Security and Information Security

Ensuring physical security, access control, information systems security, preventing unauthorized access, and implementing cybersecurity measures.

• Improving Service Quality and Internal Audit

Improving service quality, measuring customer satisfaction, conducting internal control and audit activities, and implementing process improvement initiatives.

• Website and Digital System Operations

To ensure the technical operation of our website, maintain its security, measure its performance, identify errors, and conduct statistical analysis.

• Marketing and Promotional Activities

If you provide your explicit consent, we will use your information to carry out activities such as product and service promotions, campaigns, announcements, advertising, targeted marketing, remarketing, and the sending of commercial electronic communications.

• Corporate Archiving and Storage Activities

The retention, archiving, and, when necessary, deletion, destruction, or anonymization of records and documents for the periods specified by law.

• Legal Grounds for the Processing of Personal Data
  

Your personal data is processed in accordance with one or more of the legal grounds set forth in Articles 5 and, where applicable, 6 of the Personal Data Protection Law (KVKK), depending on the purpose of the data processing. The primary purposes of processing and the legal grounds on which they are based are explained below by way of example:

• Pre-Contractual and Contractual Processes

Your personal data may be processed in connection with processes such as preparing quotes, receiving orders, creating projects, installation, delivery, and after-sales support, provided that such processing is directly related to the conclusion or performance of a contract .

• Legal Obligations

Your personal data may be processed for activities such as issuing invoices, maintaining tax and accounting records, submitting notifications to government agencies, and fulfilling retention obligations, based on the legal basis that such processing is necessary for the data controller to fulfill its legal obligations and .

• Legitimate Interest

Your personal data may be processed based on the legal grounds that processing is necessary for the legitimate interests of the data controller, provided that such processing does not infringe upon the fundamental rights and freedoms of the data subject, in situations such as internal company security, system and communication security, process improvement, customer relationship management, and the effective tracking of requests and complaints.

• Explicit Consent

With regard to activities such as marketing, advertising, campaign notifications, the sending of commercial electronic communications, non-essential analytics and advertising cookies, and retargeting activities, data may be processed by obtaining your explicit consent at and when deemed necessary.

• The Establishment, Exercise, or Protection of a Right

In cases such as the conduct of legal disputes, the preservation of evidence, the pursuit of lawsuits and enforcement proceedings, and the exercise of rights to object and defend, your personal data may be processed based on the legal ground that data processing is necessary for the establishment, exercise, or defense of a legal claim .

• Other Circumstances in Which the Processing of Personal Data Is Necessary

In accordance with the conditions set forth in the Personal Data Protection Law (KVKK) and other relevant legislation, your personal data may be processed without your explicit consent if necessary.

• Methods of Collecting Personal Data

Your personal data may be collected through the following methods:

• The contact, quote, and application forms on our website,
• Phone calls,
• Email correspondence,
• WhatsApp and similar messaging apps,
• Applications submitted in person to our company,
• Contracts, order forms, invoices, and commercial documents,
• Visitor logs and camera systems,
• Cookies, log files, and other electronic tracking tools,
• Through authorized public institutions and organizations, business partners, solution partners, and service providers.

Your personal data may be processed by automated or semi-automated means, or by non-automated means provided that such processing forms part of a data filing system.

• Transfer of Personal Data

Your personal data will be processed in accordance with Articles 8 and 9 of the Personal Data Protection Law (KVKK) and other relevant legislation, and to the extent necessary for the purpose of processing

may be disclosed to third parties to a certain extent.

• Domestic Transfers

Your personal data may be transferred to the following individuals and organizations:

• Authorized public institutions and organizations,
• Tax offices, courts, enforcement offices, law enforcement agencies, and other government authorities,
• Legal advisors, attorneys, financial advisors, independent auditors,
• Accounting, finance, archiving, IT infrastructure, server, hosting, email, CRM, and technical support service providers,
• Companies that provide cargo, logistics, and shipping services,
• Business partners and solution partners with whom we collaborate to provide products, installation, maintenance, service, technical support, and similar services,
• Internal departments and authorized personnel.

• International Transfers

If we use website infrastructure, email services, analytics, advertising technologies, cloud systems, or similar services, some of your personal data may be processed on servers located outside the country or transferred to service providers located outside the country.

In this context, cross-border transfers are carried out in accordance with the conditions and transfer mechanisms set forth in Article 9 of the Personal Data Protection Law. Depending on the nature of the transfer:

• the explicit consent of the individual,
• decision on eligibility,
• adequate protection,
• or the exceptions provided for in the KVKK may apply.

• Advertising and Analytics Service Providers

Our company may use third-party analytics and advertising tools (such as Google Analytics, Yandex Metrica, Google Ads, and Meta Pixel) to measure website visits, campaign performance, and user experience. The data processed in this context may also be processed by service providers located outside the country, depending on the technical nature of the relevant tools.

As needed for such transactions:

• separate lighting,
• cookie management panel,
• explicit consent mechanism,
• The objection and preference management process is implemented.

• Cookies and Similar Technologies

Our website may use essential cookies as well as cookies for analytical and/or marketing purposes. Essential cookies are necessary for the website to function. Analytical and marketing cookies, on the other hand, may be used to analyze your usage habits, improve the quality of our services, and carry out our advertising and promotional activities.

With regard to the use of non-essential cookies, to the extent permitted by applicable law:

• Cookie Policy,
• preference management,
• explicit consent,
• Mechanisms for revoking consent are implemented.

Detailed information about cookies is also provided in our Privacy and Cookie Policy available on our website.

• Retention Period for Personal Data

Your personal data will be retained for the retention periods specified in applicable laws and regulations or for as long as necessary to fulfill the purpose of processing. Upon the expiration of the retention period, your personal data will be deleted, destroyed, or anonymized in accordance with our Company’s retention and destruction policy.

In determining the retention period;

• the duration of the transaction and business relationship,
• statute of limitations periods,
• obligations arising from tax and commercial laws,
• the possibility of a legal dispute,
• sector-specific regulations are taken into account.

• Data Security

The company takes the necessary technical and administrative measures to prevent the unlawful processing of personal data, unauthorized access, and any loss of data that may occur during its storage. In this context, the following measures may be implemented, for example:

• SSL/TLS security certificates
• Access authorization and password policies
• Firewalls
• Log retention
• Backup and recovery processes
• Employee awareness training
• Contractual security obligations with data processors
• Masking and restricted access measures when necessary

However, it is important to remember that no method of data transmission over the internet is completely risk-free.

• The Data Subject's Rights Under the Personal Data Protection Law

Pursuant to Article 11 of the Personal Data Protection Law (KVKK), as individuals whose personal data is processed, you have the following rights:

1. The right to know whether personal data is being processed,
2. To request information if their personal data has been processed,
3. The right to learn the purpose of the processing of personal data and whether such data is being used in accordance with that purpose; (c) The right to know the third parties to whom personal data has been transferred, whether within the country or abroad;
4. The right to request the correction of personal data that has been processed inaccurately or incompletely,
5. The right to request the erasure or destruction of personal data in accordance with the conditions set forth in Article 7 of the KVKK,
6. the right to request that the third parties to whom personal data has been transferred be notified of the actions taken pursuant to subparagraphs (d) and (e),
7. The right to object to a decision made solely through the automated processing of personal data that adversely affects the individual; (g) The right to request compensation for damages suffered as a result of the unlawful processing of personal data.

• Application Process

You may submit your requests under the KVKK to our Company using the following methods, in accordance with the Communication on the Procedures and Principles for Submitting Requests to the Data Controller :

• Written Application

You may deliver the signed petition in person to the address below or send it by certified mail:

Karınca Prefabricated Steel Structures Inc. Çerkeşli OSB Neighborhood, İMES-10 Street, No. 1, Dilovası / Kocaeli

• Application via Registered Email Through the System

You can contact us at the following address using the email address registered in our system:

info@karincaprefabrik.com

Your application must include your first and last name, your signature (if the application is in writing), your Turkish ID number or passport number (for foreign nationals), your address for service of process, your email address and/or phone number (if applicable), and a clear statement of the subject of your request.

Your requests will be processed as soon as possible and no later than thirty (30) days . If the process involves additional costs, a fee set by the Personal Data Protection Board may be charged.

• Update to the Privacy Notice

Our company may update this Privacy Notice in the event of changes to our business processes, technology infrastructure, legal obligations, or data processing activities. The updated version will take effect as of the date it is published on our website.

Karınca Prefabricated Steel Structures Inc. | Çerkeşli OSB Neighborhood, İMES-10 St., No. 1, Dilovası / Kocaeli | Tel: 0262 641 04 44 | info@karincaprefabrik.com