Our Policies

PERSONAL DATA PROTECTION POLICY

1. Legal Basis : We give utmost importance to the protection and processing of Personal Data in accordance with the Law No. 6698 on the Protection of Personal Data by taking the basic legal basis that everyone has the right to request the protection of personal data related to him/her, that this right includes being informed about personal data about the person, accessing this data, requesting their correction or deletion and learning whether they are used for their purposes, that personal data can only be processed in cases stipulated by law or with the explicit consent of the person, and we act with this care in all our planning and activities. As a company, we take all administrative and technical measures for the protection and processing of Personal Data, which is the basis of the privacy of private life, and we inform and warn our personnel about the legal sanctions regulated in Article 135 and following of the Turkish Criminal Code (TCK) No. 5237.

2. Purpose: The Law No. 6698 on the Protection of Personal Data in force regulates the protection of fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and the obligations of real and legal persons who process personal data and the procedures and principles to be followed. The purpose of our policy prepared by taking into account the said regulation is to ensure compliance with the obligations regarding the protection of personal data, to evaluate the issues related to the processing, transfer and protection of confidentiality of the information obtained within the scope of the activities carried out by our Company with a risk-based approach, to determine the strategies, internal controls and measures, operating rules and responsibilities and to raise awareness of the employees of the organization on these issues. At the same time; It is aimed to ensure transparency by informing the persons whose personal data are processed by our Company, especially our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions / organizations we cooperate with and third parties.

3. Scope: This policy is related to all personal data of our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions / organizations we cooperate with and third parties, which are processed automatically or non-automatically provided that they are part of any data recording system.

4. Definitions 4.1. Explicit Consent Consent based on information on a specific subject and expressed with free will. 4.2. Anonymization It is the modification of personal data in such a way that it loses its ability to be associated with an identified or identifiable person and this situation cannot be reversed. Example: Masking, aggregation, data corruption, etc. Making personal data impossible to be associated with a real person by using techniques. 4.3. Employee Persons who are working at the Company in accordance with the employment contract made between the Company and the Company 4.4. Employee Candidate Real persons who have applied for a job to the Company in any way or who have opened their resume and related information to the Company's review 4.5. Employees, Shareholders and Authorities of the Institutions We Cooperate with Real persons, including, but not limited to, employees, shareholders and authorities of the institutions (such as business partners, suppliers) with which the Company has any kind of business relationship 4.6: Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. 4.7. Personal Data Owner The natural person whose personal data is processed. For example; Customers and employees. 4.8. Personal Data Any information relating to an identified or identifiable natural person. The processing of information on legal persons is not covered by the law. For example; name-surname, TR, e-mail, address, date of birth, credit card number, etc. 4.9. Customer Real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company 4.10: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data are special categories of personal data. 4.11. Potential Customer Natural persons who have made a request or interest in using our products and services or who have been evaluated in accordance with the rules of commercial custom and honesty that they may have this interest 4.12: Real persons who are shareholders of the Company 4.13. Company Officials: Members of the Company's board of directors and other authorized natural persons 4.14. Third Party Third party natural persons (e.g. Family Members and relatives) who are related to these persons in order to ensure the security of commercial transactions between the Company and the above-mentioned parties or to protect the rights of the aforementioned persons and to obtain benefits 4.15. Data Processor Natural and legal person who processes personal data on behalf of the data controller based on the authorization given by the data controller. For example, firms or companies that hold the Company's data, etc. 4.16. Data Controller The data controller is the person who determines the purposes and means of processing personal data, manages the place where the data is kept systematically (data recording system), provides the necessary information to the data subject regarding his/her personal information as a result of the request / application of the data subject and makes the necessary directions. 4.17. Visitors Natural persons who have entered the physical premises owned by the Company for various purposes or who visit our websites

5. Abbreviations 5.1. KVKK : Law No. 6698 Law on the Protection of Personal Data dated March 24, 2016 and numbered 6698 published in the Official Gazette dated April 7, 2016 and numbered 29677. 5.2. Constitution : The Constitution of the Republic of Turkey dated November 7, 1982 and numbered 2709, published in the Official Gazette dated November 9, 1982 and numbered 17863. 5.3. PDP Board Personal Data Protection Board 5.4. PDP Authority Personal Data Protection Authority 5.5. Policy Company Personal Data Protection and Processing Policy 5.6. TCO Turkish Code of Obligations dated January 11, 2011 and numbered 6098 published in the Official Gazette dated February 4, 2011 and numbered 27836. 5.7. TCC Turkish Penal Code dated September 26, 2004 and numbered 5237 published in the Official Gazette dated October 12, 2004 and numbered 25611. 5.8. TCC Turkish Commercial Code dated January 13, 2011 and numbered 6102 published in the Official Gazette dated February 14, 2011 and numbered 27846
6. Data Categories: The Company may record, process or transfer data related to the following categories of data. 6.1. Identity (such as name, surname, mother's and father's name, mother's maiden name, date of birth, place of birth, marital status, identity card serial number, TR ID number) 6.2. Contact (such as address number, e-mail address, contact address, registered electronic mail address (REM), telephone number) 6.3. Location (location information of the location) 6. 4. Personnel (such as payroll information, disciplinary proceedings, employment records, property declaration information, CV information, performance evaluation reports) 6.5. Legal Action (such as information in correspondence with judicial authorities, information in case files) 6.6. Customer Transaction (such as call center records, invoice, promissory note, check information, information in box office receipts, order information, request information) 6.7. Physical Space Security (such as employee and visitor entrance and exit registration information, camera records) 6.8. Transaction Security (such as IP address information, website login and exit information, password and password information) 6. 9. Risk Management (such as information processed to manage commercial, technical, administrative risks) 6.10. Finance (such as balance sheet information, financial performance information, credit and risk information, asset information) 6.11. Professional Experience (such as diploma information, courses attended, vocational training information, certificates, transcript information) 6. 12. Marketing (such as shopping history information, surveys, cookie records, information obtained through campaign work) 6.13. Visual and Auditory Records (such as visual and auditory records) 6.14. Race and Ethnic Origin (such as racial and ethnic origin information) 6.15. Political Opinion Information (such as information indicating political opinion, political party membership information) 6. 16. Philosophical Beliefs, Religion, Sect and Other Beliefs (such as information on religious affiliation, information on philosophical beliefs, information on sectarian affiliation, information on other beliefs) 6.17. Dress and Attire (information on dress and appearance) 6.18. Association Membership (such as information on association membership) 6.19. Foundation Membership (such as information on foundation membership) 6.20. Trade Union Membership (such as information on trade union membership) 6.21. Health Information (such as information on disability status, blood type information, personal health information, information on devices and prostheses used) 6.22. Sexual Life (such as information on sexual life) 6.23. Criminal Conviction and Security Measures (such as information on criminal conviction, information on security measures) 6.24. Biometric Data (such as palm information, fingerprint information, retinal scan information, facial recognition information) 6.25. Genetic Data (such as genetic data)
7. Purposes of Processing Personal Data The Company may record, process or transfer personal data for the following purposes. 7.1. Execution of Emergency Management Processes 7.2. Execution of Information Security Processes 7.3. Execution of Employee Candidate / Intern / Student Selection and Placement Processes 7.4. Execution of Application Processes of Employee Candidates 7.5. Execution of Employee Satisfaction and Loyalty Processes 7.6. Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees 7.7. Execution of Benefits and Benefits Processes for Employees 7.8. Execution of Audit / Ethical Activities 7.9. Execution of Training Activities 7.10. Execution of Access Authorizations 7.11. Execution of Activities in Compliance with Legislation 7.12. Execution of Company / Product / Services Commitment Processes 7.14. Ensuring Physical Space Security 7.15. Execution of Assignment Processes 7.16. Follow-up and Execution of Legal Affairs 7.17. Execution of Internal Audit / Investigation / Intelligence Activities 7.18. Execution of Communication Activities 7.19. Execution / Supervision of Business Activities 7.21. Execution of Occupational Health / Safety Activities 7.22. Receiving and Evaluating Suggestions for Improving Business Processes 7.23. Execution of Business Continuity Activities 7.24. Execution of Logistics Activities 7.25. 26. Execution of Goods / Services After Sales Support Services 7.27. Execution of Goods / Services Sales Processes 7.28. Execution of Goods / Services Production and Operation Processes 7.29. Execution of Customer Relationship Management Processes 7.30. Execution of Activities for Customer Satisfaction 7.31. Organization and Event Management 7.32. Execution of Marketing Analysis Studies 7.33. Performance Evaluation Processes 7.34. Execution of Advertising / Campaign / Promotion Processes 7.35. Execution of Risk Management Processes 7.36. Execution of Storage and Archive Activities 7.37. Execution of Social Responsibility and Civil Society Activities 7.38. 39. Execution of Sponsorship Activities 7.40. Execution of Strategic Planning Activities 7.41. Tracking Demands / Complaints 7.42. Ensuring the Security of Movable Goods and Resources 7.43. Execution of Supply Chain Management Processes 7.44. Execution of Wage Policy 7.45. Execution of Marketing Processes of Products / Services 7.46. Ensuring the Security of Data Controller Operations 7.47. Foreign Personnel Work and Residence Permit Procedures 7.48. Execution of Investment Processes 7.49. Execution of Talent / Career Development Activities 7.50. Providing Information to Authorized Persons, Institutions and Organizations 7.51. Execution of Management Activities 7.52.
8. Personal Data Transfer Recipient Groups The Company may transfer personal data to the following Personal Data Transfer Recipient groups. 8.1. Natural Persons and Private Law Legal Entities 8.2. Public 8.3. Shareholders 8.4. Business Partner 8.5. Affiliates and Subsidiaries 8.6. Supplier 8.7. Group Company 8.8. Authorized Public Institutions and Organizations

9. Personal Data Subjects - The Company may record, process or transfer personal data according to the following types of persons. 9.1. Employee Candidate 9.2. Employee 9.3. Subject 9.4. Subject of the News 9.5. Shareholder/Partner 9.6. Potential Product and Service Buyer 9.7. Exam Candidates 9.8. Intern 9.9. Supplier Employee 9.10. Supplier Official 9.11. Product or Service Receiver 9.12. Parent/Guardian/Representative 9.13. Visitor

10. Personal Data Retention Periods: Personal data retention periods are regulated in detail in the Personal Data Retention and Destruction Policy.

11. Deletion, Destruction or Anonymization of Personal Data : 11.1. Although personal data has been processed in accordance with the law, in the event that the reasons requiring the processing of personal data disappear, such data shall be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject. 11.2. The data controller shall erase, destroy or anonymize personal data in the first periodic destruction process following the date on which the obligation to erase, destroy or anonymize personal data arises. 11.3. The actions to be taken regarding these issues are explained in detail in the Personal Data Storage and Destruction Policy.

12. Transfer of Personal Data Personal data obtained for processing within the framework of the general principles specified in the Law may be transferred to third parties with the explicit consent of the person concerned. 12.1. Domestic transfer: Details regarding the domestic transfer of personal data and personal data of special nature are regulated in the Personal Data Transfer procedure. 12.2. Transfer abroad: Personal data may be transferred to countries where there is adequate protection in the presence of the cases specified in the Law, provided that the data subject has explicit consent. Data transfer to countries where there is no adequate protection can be realized in the presence of the conditions specified in the Law, in addition to the existence of explicit consent, in addition to the written commitment of adequate protection and the permission of the Board. Details on the subject are regulated in the Procedure for Transfer of Personal Data.

13. General (Basic) Principles for Processing Personal Data: Personal data will be processed in accordance with the following basic principles as detailed in the Personal Data Processing Procedure. 13.1. Being in compliance with the law and good faith, 13.2. Being accurate and up-to-date when necessary, 13.3. Being processed for specific, explicit and legitimate purposes, 13.4. Being relevant, limited and proportionate to the purpose for which they are processed, 13.5. Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

14. Explicit Consent: It is the consent regarding a specific subject, based on information and expressed with free will. As stated in detail in the procedure for obtaining explicit consent, explicit consent must be related to a specific subject, the consent must be based on information and must be expressed with free will.
15. Obligation to inform: During the acquisition of personal data, the relevant persons are informed by the company. As regulated in detail in the Disclosure Procedure, this information includes at least the following issues. 15.1. The identity of the data controller and its representative, if any, 15.2. The purpose for which personal data will be processed, 15.3. To whom and for what purpose personal data can be transferred, 15.4. The method and legal reason for collecting personal data, 15.5. Other rights of the data subject listed in Article 11 of the Law.

16. The rights of the data subject: By applying to the Company, the data subjects have the right to learn whether personal data about them are processed, to request them if they have been processed, to request the correction of the content of the data if it is incomplete or incorrect, to request the deletion or destruction of the data if it is unlawful, and to notify the third parties to whom the data are disclosed and to request the compensation of their damages due to the unlawful processing of the data. The data subject may exercise his/her rights of application and complaint, the details of which are set out in the Data Subject's Right Seeking Procedure. 16.1. Application : In order for the data subjects to exercise their rights, they must first apply to the data controller. A complaint to the Board cannot be filed before this path is exhausted. 16.2. Complaint: In order for the data subject to file a complaint, the application to the Company must be rejected, the answer given must be found insufficient or the application must not be answered within 30 days. It is not possible for the relevant persons to file a complaint directly to the Board without applying to the Company.

17. Obligation to Fulfill the Board Decisions : If the Board determines the existence of a violation as a result of the examination to be carried out ex officio upon a complaint or upon learning of the alleged violation, the Board decides that the unlawfulness shall be remedied by the Company and notifies the decision to the relevant persons. As stated in detail in the Fulfillment of Board Decisions procedure, the Company shall fulfill this decision without delay and within thirty days at the latest from the date of notification.

18. Data Controllers Registry (VERBIS) registration obligation: The Company registers and updates these records as specified in the Data Controllers Registry (VERBIS) registration procedure to the registration system in which data controllers are obliged to register and declare information about data processing activities.

19. Personal Data Breach : In the event that the processed personal data is obtained by others illegally, the Company shall notify the relevant person and the Board as soon as possible as specified in the Personal Data Breach Procedure. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.

20. Personal Data Security Measures : The Company takes the following technical and administrative measures at a level appropriate to the Company structure in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data. 20.1. Network security and application security are ensured. 20.2. Closed system network is used for personal data transfers through the network. 20.3. Key management is implemented. 20.4. Security measures are taken within the scope of procurement, development and maintenance of information technology systems. 20.5. There are disciplinary regulations that include data security provisions for employees. 20.6. Training and awareness raising activities on data security for employees are conducted at regular intervals. 20.7. An authorization matrix has been established for employees. 20.8. Access logs are kept regularly. 20.9. Corporate policies on access, information security, use, storage and destruction have been prepared and implemented. 20.10. Data masking measures are applied when necessary. 20.11. Confidentiality undertakings are made. 20.12. The authorizations of employees who change their duties or leave their jobs are removed. 20.13. Up-to-date anti-virus systems are used. 20.14. Firewalls are used. 20.15. Signed contracts contain data security provisions. 20.16. Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format. 20.17. Personal data security policies and procedures have been determined. 20.18. Personal data security issues are reported quickly. 20.19. Personal data security is monitored. 20.20. Necessary security measures are taken for entry and exit to physical environments containing personal data. 20.21. Physical environments containing personal data are secured against external risks (fire, flood, etc.). 20.22. The security of environments containing personal data is ensured. 20.23. Personal data is minimized as much as possible. 20.24. Personal data is backed up and the security of backed up personal data is also ensured. 20.25. User account management and authorization control system is implemented and monitored. 20.26. Internal periodic and/or random audits are performed and conducted. 20.27. Log records are kept without user intervention. 20.28. Existing risks and threats have been identified. 20.29. Protocols and procedures for the security of sensitive personal data have been determined and implemented. 20.30. If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using KEP or corporate mail account. 20.31. Secure encryption / cryptographic keys are used for sensitive personal data and managed by different units. 20.32. Intrusion detection and prevention systems are used. 20.33. Penetration testing is applied. 20.34. Cyber security measures have been taken and their implementation is constantly monitored. 20.35. Encryption is performed. 20.36. Data processing service providers are periodically audited on data security. 20.37. Awareness of data processing service providers on data security is ensured. 20.38. Data loss prevention software is used.

E-mails sent by us have the extension hibro.co. Do not rely on any e-mail address that appears to be sent from Hi Bro but does not have the hibro.co extension.

In the e-mails we send from hibro.co, you are never asked for bank, credit card information, T.R. ID number information.

One-time password information sent to your GSM number is sufficient to log in to the Hi Bro member login system.

You should not share your user information, sensitive data, account number or password regarding the service we provide to you with third parties, you should take utmost care to ensure the confidentiality of this information, we are not responsible for any damages that may arise from sharing this information.

You should use the latest version of our mobile application so that we can serve you better.

You should use the application on your own phones and tablets so that your authentication is correct and your account is not accessed by third parties.

If your card is lost, stolen or you encounter unfamiliar transactions in your account or any other suspicious situation, please inform customer service at hi@hibro.co.

For your information.

Sincerely yours.