KVKK POLICY
1- DEFINITIONS
- Explicit Consent; Consent on a specific subject, based on information and expressed
with free will
- Anonymization; Making personal data impossible to be associated with an identified
or identifiable natural person under any circumstances, even by matching it with other
data, Changing personal data in such a way that it loses its personal data quality and
this situation cannot be reversed.
- Application Form; The form presented in the annex of this Policy, which includes the
application to be made by the data owner to exercise his/her rights within the
framework of the relevant legislation,
- Website; HASEKİ TURİZM's website named "shop.hurremsultanhamami.com",
- Business Partner; Real or legal persons with whom HASEKİ TURİZM has established
a business partnership for purposes such as carrying out various projects and
receiving services, either personally or together with its shareholders companies or
group companies while carrying out its commercial activities
- Personal Data; Any information relating to an identified or identifiable natural person
- Processing of Personal Data; All kinds of operations performed on personal data
such as obtaining, recording, storing, storing, preserving, modifying, reorganizing,
disclosing, transferring, taking over, making available, classifying or preventing the
use of personal data by fully or partially automatic means or by non-automatic means
provided that it is part of any data recording system,
- Sensitive Personal Data; Data relating to race, ethnic origin, political opinion,
philosophical belief, religion, sect or other beliefs, clothing, membership of
associations, foundations or trade unions, health, sexual life, criminal convictions and
security measures, and biometric and genetic data,
- Data Owner; The real person whose personal data is processed,
- Data Controller; The natural or legal person who determines the purposes and means
of processing personal data and manages the place where the data is kept
systematically (data recording system),

2- ABBREVIATIONS:
- KVKK; Personal Data Protection Law No. 6698 published in the Official Gazette dated
April 7, 2016 and numbered 29677
- PDP Board; Personal Data Protection Board
- HASEKI TOURISM: Haseki Turizm Sağlık İnşaat San ve Dış Tic. Ltd. Şti.

PERSONAL DATA PROTECTION AND PRIVACY POLICY
1- INTRODUCTION

As HASEKİ TURİZM, we attach great importance to the protection of the personal data
of our customers/members, business partners, shareholders, employees and other
real persons who contact/contract with us personally or as a representative of a
company or organization and/or benefit from the services offered by us, and who
establish a relationship with us by applying for a job, visiting our websites, through
our mobile applications or social media accounts, or in any other way. As the data
controller, we have prepared this Personal Data Protection and Privacy Policy
("Policy") to explain our policy on the processing of personal data within the
framework of the Personal Data Protection Law No. 6698 ("KVKK").

2- PURPOSE AND SCOPE
KVKK was published in the Official Gazette dated April 7, 2016 and numbered 29677.
KVKK is regulated to protect the fundamental rights and freedoms of natural persons
whose personal data are processed, including the privacy of private life, and to
determine the obligations of natural and legal persons who process personal data.
The purpose of this Policy is to establish management instructions, procedural
requirements and a technical policy to ensure that HASEKİ TURİZM processes and
protects the personal data of the relevant persons in accordance with the KVKK.
This Policy applies to the activities carried out for the processing and protection of all
personal data owned by HASEKİ TURİZM or managed by HASEKİ TURİZM. The Policy
has been handled and prepared based on the legislation on the processing and
protection of KVKK and other personal data.

3- PERSONAL DATA
Definition of Personal Data;
Within the framework of Article 3/I(d) of the LPPD, "personal data" refers to any information relating to an identified or identifiable natural person. In this context,
anonymous information, anonymized information and other data that cannot be
associated with a specific person are not considered personal data under this Policy.

General Principles for Processing Personal Data Within the framework of Article 3/I(e) of the LPPD, all kinds of operations that may be performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making it available, classifying or preventing its use by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system, fall within the scope of "data processing".

HASEKİ TURİZM processes personal data in accordance with the principles listed
below: (i) being in compliance with the law and good faith, (ii) being accurate and up-
to-date when necessary, (iii) being processed for specific, explicit and legitimate
purposes, (iv) being relevant, limited and proportionate to the purpose for which they are processed, (v) being retained for the period stipulated in the relevant legislation or
required for the purpose for which they are processed.

In this context, in the capacity of Data Controller, your personal and / or sensitive
personal data obtained by HASEKİ TOURISM's BUSINESSES AND FACILITIES,
affiliated companies or through all kinds of channels, including but not limited to
websites and websites, in written, verbal or electronic media; Your personal and / or
sensitive personal data obtained within the scope of KVKK and other legislation; It can
be obtained, recorded, stored, stored, stored, stored, stored, changed in the ways
stipulated in the KVKK, and shared with other persons deemed appropriate by HASEKİ
TURİZM for legal and legal reasons or in line with the actual requirements of the
service provided by HASEKİ TURİZM and/or with the relevant 3rd party real
person/legal entities in Turkey or abroad. It can be shared with real persons/legal
entities in Turkey or abroad and can be processed, including transferring it abroad.

Processed Data;
HASEKİ TURİZM may process general and special categories of personal data with the
explicit consent of the data owner or without explicit consent in cases stipulated in
Articles 5 and 6 of KVKK. HASEKİ TURİZM, Law No. 6502 on Consumer Protection,
Regulation on Subscription Agreements issued for this law, Regulation on Distance
Contracts, Law No. 6563 on the Regulation of Electronic Commerce, Regulation on
Private Physical Education and Sports Facilities, Labor Law No. 4857, Law No. 5510 on
Social Security and General Health Insurance, Turkish Commercial Code No. 6102, Tax
Procedure Law No. 213 and all other laws, legislation, regulations, communiqués and
all other legal regulations related to these laws and personal data can be processed
within the provisions specified in the relevant legislation.

In the light of other legislation and in line with the principles in this Policy and the
legitimate interest of HASEKİ TURİZM, the personal data that can be processed by
HASEKİ TURİZM are listed below:
(i) Name, surname, profession, curriculum vitae, educational background, work
history, occupation, gender, marital status, nationality and other additional data to
recognize and differentiate the data subject,
(ii) Data contained in identification documents such as ID cards, passports, driver's
licenses, etc., where proof of identity is required,
(iii) Contact information such as address, telephone, e-mail and fax numbers, and
mobile phone number of the home, workplace or temporary place of residence,
(iv) Communication records such as telephone calls, e-mail correspondence and other
audio and video data, complaint and request records and security camera records
kept for certain periods of time,
(v) Facility, operation and service utilization data and data for determining member
habits in order to raise service standards,

(vi) Internet protocol (IP) address, device ID, statistics on web page views and mobile
and other digital applications, incoming and outgoing traffic information, routing URL,
internet log information, location information, visited sites and information on
transactions and actions carried out through our websites, advertisements and e-mail
content.
Purposes of Processing Personal Data;
HASEKİ TURİZM may process personal data for the purposes stated below and may
be kept for the period required by these purposes:
(i) Fulfillment of legal and administrative obligations,
(ii) Negotiation, establishment and performance of contracts concluded/intended to be
concluded,
(iii) Providing and developing the services requested by the members and customers
effectively, creating and organizing the personal account of the customer, member
through the website and managing the membership and purchase transactions
through the personal account, informing the members and customers about the
campaigns and opportunities or providing prices, marketing, other opportunities,
offers and information regarding the services and products provided,
(iv) Ensuring the security of HASEKİ TURİZM's website and other electronic systems, social media accounts and physical environments,
(v) Promotion and marketing of HASEKİ TURİZM's services and products and their
development, obtaining the opinion of the data subject through surveys and polls,
(vi) Ensuring entry and exit security and preventing foreign and illegal entries,
(vii) Celebration of birthdays, special days, inclusion in sweepstakes, campaigns or
competitions, gift giving and realization of other similar events, promotions and
campaigns in favor of the data subject,
(viii) Investigation, detection, prevention and reporting of breaches of the Convention
and the law to the relevant administrative or judicial authorities,
(ix) Resolution of existing and future legal disputes,
(x) Responding to requests and questions,
(xi) Performing corporate and partnership law and financial and administrative
transactions,
(xii) Execution of recruitment processes, performance and satisfaction evaluation
within the framework of human resources policies,
(xiii) Evaluating and finalizing the eligibility of job applications and contacting job
applicants,
(xiv) Data processing is mandatory for the establishment, exercise or protection of a
right,
(xv) Protection of HASEKİ TURİZM's legitimate interests, provided that the
fundamental rights and freedoms of the data owner are not harmed.
Transfer of Personal Data within and outside Turkey;

HASEKİ TURİZM may transfer the personal data obtained for the purposes specified in
this Policy to third parties in Turkey and abroad and process and store them on
servers or other electronic media located in Turkey and abroad, provided that it
complies with the general principles listed in the KVKK and the conditions stipulated
in Articles 8 and 9 of the KVKK and takes the necessary security measures.
Although the third parties to whom personal data may be transferred may vary
depending on various factors such as the type (membership relationship, business
relationship, etc.) and nature of the relationship between the data subject and HASEKİ
TURİZM, they are generally as follows
(i) HASEKİ TURİZM Group Companies, (ii) custodians, platform owners, data
broadcasting organizations, infrastructure providers and other business partners,
suppliers and subcontractors that HASEKİ TURİZM works with in Turkey and abroad,
(iii) All kinds of official authorities and institutions, (iv) Banks for collection purposes
and/or institutions authorized for collection and domestic / foreign organizations and
other relevant third parties for the execution of the relevant activity for these
purposes.
Method of Collection of Personal Data
HASEKİ TURİZM may obtain personal data in written, verbal, audio or video recording
or other physical or electronic forms for the purposes specified in this Policy within
the framework of the conditions specified in Articles 5 and 6 of the KVKK.
In addition, personal data may also be collected through channels such as
headquarters and other physical environments, call centers, websites, mobile
applications, electronic transaction platforms, social media and other public channels
or events organized, sales and marketing units, customer forms, digital marketing,
contracts, applications, forms, offers, cookies used during website visits.
Retention Period of Personal Data Except in cases where it is legally required or permitted to be stored for longer periods, HASEKİ TURİZM retains the personal data that it obtains and processes in accordance with the KVKK in line with the purposes specified in this Policy and Annex.
- Personal Data Retention and Destruction Policy for the periods specified in the KVKK
and other special laws. In the event that the purpose of processing personal data expires and the retention periods determined by HASEKİ TURİZM in accordance with the LPPD and other legislation and HASEKİ TURİZM expire, personal data are stored only as evidence in possible legal disputes, in order to assert the relevant right related to personal data and / or to establish a defense or to submit it if requested by competent official
authorities. In determining the aforementioned periods, the statute of limitations and retention periods determined in the relevant legislation for the assertion of the aforementioned right are taken as basis. In this case, the personal data stored in this case is not accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute.
The specified periods are meticulously followed by HASEKİ TURİZM and the personal
data that are determined that the above-mentioned retention periods have expired are deleted, destroyed or anonymized in accordance with the KVKK as detailed in the
Annex - Personal Data Retention and Destruction Policy. Security and Audit of Personal Data Within the framework of Article 12 of KVKK, HASEKİ TURİZM takes the necessary technical and administrative measures to ensure the appropriate level of security as the "data controller" in order to prevent unlawful processing of personal data and unlawful access to data and to ensure the protection of personal data. For this purpose
(i) It is ensured that activities are carried out in accordance with the internal policies
and rules prepared for the protection of personal data,
(ii) Employees are provided with the necessary training and responsibilities regarding
the personal data protection legislation and internal policies and rules prepared in this
direction,
(iii) All necessary declarations and commitments are obtained from employees and
persons and institutions that process data on behalf of HASEKİ TURİZM for the
confidentiality and protection of data,
(iv) Necessary information security measures are implemented to ensure the security
of personal data inside and outside the company and to prevent unauthorized access
to data,
(v) Compliance with internal policies and rules established for the protection of
personal data is ensured,
(vi) The adequacy of the measures taken is checked and new data security systems
are procured and/or existing data security systems are developed and updated
according to the needs and possibilities and necessary audits are carried out in this
regard.
(vii) In group reservations, the person making the reservation must obtain the
permission of the guests themselves before providing us with personal data, and the
responsibility also belongs to the person making the reservation.
Measures taken by HASEKİ TURİZM for the Protection and Security of Personal Data;
HASEKİ TOURISM
a. Ensures that all personal data collected are processed in accordance with the
principles listed in Article 4 of the KVKK and in compliance with the conditions
specified in Articles 5 and 6.
b. It fulfills the "Information and Disclosure Obligation", which is the obligation of the data controller within the scope of KVKK, through the Disclosure Texts published both on its website and in its businesses and facilities.
c. In its capacity as Data Controller, it creates the necessary infrastructure to ensure
that "explicit consent" is obtained for the provision and processing of personal data in accordance with the KVKK, if required by law.
d. For communication, marketing, opportunity notifications and promotional
purposes; It creates the necessary infrastructure for the provision of personal data in accordance with the KVKK and makes the necessary revisions in the applications
within the Company.
e. In job applications and recruitment processes, it takes the necessary measures by
creating the necessary conditions for the provision and storage of personal data in
accordance with the KVKK.
f. Personal data that have been processed in accordance with the provisions of the
LPPD and other relevant laws shall be deleted, destroyed or anonymized by Haseki
Turizm ex officio or upon the request of the relevant person, in such a way that they
cannot be used or recovered in any way, in the event that the reasons requiring their
processing disappear and the periods specified in the article titled "Retention Periods of Personal Data" of this Policy and the Annex-Personal Data Retention and
Destruction Policy expire. In order to ensure data security, HASEKİ TURİZM imposes restrictions in accordance with the KVKK in internal data access authorizations and carries out the destruction of the data deemed necessary for destruction.
g. Takes all kinds of technical and administrative measures to prevent unlawful
processing of personal data and unlawful access to this data, and to ensure that
personal data is kept in accordance with the KVKK. It develops internal encryption
policies and configures existing encryption systems for data security and secure
storage.
h. It takes the necessary internal measures to prevent data leaks with the Company's internal applications and outsourced support products.
i. Determines the legal retention periods in accordance with the relevant legal
legislation according to the nature of the data provided, develops and puts into effect
the retention policies in accordance with these periods in the Company's practice.
j. It takes measures to prevent unauthorized access and use of personal data
processed and transferred or received as a result of transfer by different departments
within HASEKİ TURİZM and by real or legal persons who process personal data on its
behalf based on the authorization given by HASEKİ TURİZM.
k. Periodically audits the personal data protection activities carried out by real or legal
persons who process personal data on its behalf based on the authorization it has
given.
l. Although the necessary technical and administrative measures have been taken
regarding the processing, transfer and preservation of personal data; If third parties
have unlawful access to personal data; It takes all technical and administrative
measures to prevent damage to those concerned in accordance with the relevant
legislation on the protection of personal data and KVK Board decisions.
m. Periodically monitors and audits that the data recording systems used within the
Company are created and used in accordance with the KVKK and the relevant
legislation.
Rights of the Data Owner within the Framework of KVKK Pursuant to Article 11 of the LPPD, data subjects
a. Learn whether their personal data is being processed or not,

b. Request information if their personal data has been processed,
c. To learn the purpose of processing personal data and whether they are used in
accordance with their purpose,
d. To know the third parties in Turkey or abroad to whom their personal data are
transferred,
e. To request correction of personal data in case of incomplete or incorrect
processing,
f. To request the deletion or destruction of personal data within the framework of the
conditions stipulated in Article 7 of the KVKK,
g. To request notification of the transactions made pursuant to subparagraphs (d) and
(e) to third parties to whom personal data are transferred,
h. To object to the occurrence of a result to his/her detriment by analyzing the
processed data exclusively through automated systems,
i. In case of damage due to unlawful processing of personal data, they have the right
to demand the compensation of the damage.
In case the data owners wish to exercise any of the above-mentioned rights, they are
required to fill in the application form attached to this Policy and submit a wet signed
copy of the form together with the information and documents that will identify their
identity to the company address by personal application or via notary public.
In the event that the Personal Data Protection Board decides to submit the requests by
methods other than those mentioned above, the ways in which the applications can be
submitted will be announced separately.
HASEKİ TURİZM'İN will evaluate and finalize the requests duly received from the data owners as soon as possible and in any case within the framework of Article 13 of the
KVKK within 30 (thirty) days at the latest depending on the nature of the request.
Although the requests of the data owners will be finalized free of charge as a rule, if
the response of the request requires an additional cost, a fee may be charged in the
amounts determined within the framework of the relevant legislation.
4- COOKIES AND SIMILAR TECHNOLOGIES
During access to the websites, electronic platforms, mobile and digital applications
owned by HASEKİ TURİZM or e-mail messages or advertisements sent by HASEKİ
TURİZM, users' computers, mobile phones, tablets or other devices accessed/used
may place small data files that enable the recording and collection of certain data by
technical means in order to show customized content to visitors and to carry out
online advertising activities. These data files placed on computers and other devices
may be cookies, pixel tags, flash cookies and web beacons, as well as other similar
technologies for data storage purposes. ("Cookies" for short) It is also possible to collect personal data through cookies, and the data obtained through cookies may be
processed by HASEKİ TURİZM within the scope of this Policy and KVKK to the extent
that they constitute personal data under Turkish law.

The user can remove cookies and reject cookies by following the instructions given in
the "help" file of the internet browsers or by visiting the address
"www.allaboutcookies.org". If the user rejects cookies, the user may continue to use the website, mobile or digital application in question, but may not be able to access or have limited access to all functions of such media.

5- SITES, PRODUCTS AND SERVICES OF THIRD PARTIES
HASEKİ TURİZM's websites, platforms and applications may contain links to third
party websites, products and services. Such links are subject to the privacy policies of
third parties, and third parties and third party sites are independent of HASEKİ
TURİZM and HASEKİ TURİZM shall under no circumstances be responsible for the
privacy practices of third parties.

6- CHANGES
HASEKİ TURİZM has the right to make changes in this Personal Data Protection and
Privacy Policy from time to time in the light of the Regulation articles to be issued in
accordance with the KVKK and other legislation and for other reasons, including but
not limited to these. The current version of the Policy will be published on the
websites of HASEKİ TURİZM and will be kept open to the access of users and
members from the websites.

7- ENFORCEMENT
This Policy will enter into force on the date of its publication and will remain in force
until it is removed from the website.

PERSONAL DATA RETENTION AND DESTRUCTION POLICY PURPOSE AND SCOPE

The purpose of this Deletion and Destruction Policy is to ensure that HASEKİ TURİZM
processes, stores and protects the personal data belonging to the relevant persons in
accordance with the Law on the Protection of Personal Data ("Law" or "KVKK") and that, despite being processed in accordance with the provisions of the law, in the event that the reasons requiring processing disappear and the legal retention periods expire, the KVKK and the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation"), which constitutes the secondary regulation of the KVKK, which was published in the Official Gazette dated 28. 10.2017 dated 28. 2017 and numbered 30224 ("Regulation"), which constitutes the secondary regulation of KVKK and KVKK, and to establish management instructions, procedural requirements and a technical policy in order to ensure that the obligations arising from the Regulation are fulfilled.

This Deletion and Destruction Policy is applied in the activities regarding the storage
and destruction of personal data processed by HASEKİ TURİZM. This Deletion and Destruction Policy has been handled and prepared based on KVKK, "Regulation on
Deletion, Destruction or Anonymization of Personal Data" and other legislation on the storage and destruction of personal data.

ACTIVITIES ON DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL
DATA CARRIED OUT BY HASEKİ TURİZM

Personal data are retained by HASEKİ TURİZM only within the retention and limitation
periods specified in the relevant legislation and/or for the period required for the
purpose for which they are processed.
Accordingly, HASEKİ TURİZM first determines whether there is any period and/or
statute of limitations for the storage of personal data in the relevant legislation and
stores personal data in accordance with these periods. If no period is stipulated in the relevant legislation, personal data are stored in accordance with the KVKK and for the period required for the purpose for which they are processed. Deletion of Personal Data It is the process of making personal data inaccessible and non-reusable in any way for the relevant users.
Destruction of Personal Data It is the process of making personal data inaccessible,
unrecoverable and non-reusable by anyone in any way. Anonymization of Personal
Data It is the process of making personal data impossible to be associated with an
identified or identifiable natural person in any way, even by matching with other data.

As regulated in Article 7 of the KVKK, HASEKİ TURİZM destroys personal data by
deleting, destroying or anonymizing personal data in accordance with Articles 8, 9 and
10 of the "Regulation on Deletion, Destruction or Anonymization of Personal Data" exofficio or upon the request of the relevant person in the event that the reasons requiring its processing disappear and/or the legal retention periods expire, although it has been processed in accordance with the provisions of the relevant law.

HASEKİ TURİZM, in order to fulfill its obligations arising from the Law and the
Regulation, by taking the necessary technical and administrative measures; has
developed the necessary operating mechanisms in this regard; It trains its relevant
units to comply with these obligations and makes the necessary assignments in this
regard.

CIRCUMSTANCES REQUIRING THE DESTRUCTION OF PERSONAL DATA AND
METHODS OF DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL
DATA
1- Circumstances Requiring Destruction of Personal Data
Pursuant to the LPPD and the Regulation, in the following cases, personal data
belonging to data subjects shall be deleted, destroyed or anonymized by HASEKİ
TURİZM'İN ex officio or upon request:

i. The provisions of other legislation that constitute the basis for the processing,
storage and retention periods of personal data are amended and / or abolished in a
way that eliminates the obligation to store personal data,
ii. The purpose requiring the processing or storage of personal data disappears,
iii. The disappearance of the "Conditions for Processing Personal Data" specified in Articles 5 and 6 of the Law.
iv. In cases where the processing of personal data is carried out only on the basis of
"explicit consent", the data subject withdraws his/her consent,
v. Acceptance by the data controller of the data subject's application for the deletion,
destruction or anonymization of his/her personal data within the scope of the rights
referred to in paragraphs 2/e-f of Article 11 of the KVKK,
vi. The Board decides to delete, destroy or anonymize personal data, vii. Following
the expiration of the maximum period of time required for the retention of personal
data, there is no legal requirement that would justify the retention of personal data for
a longer period of time,

2- Methods of Deletion, Destruction and Anonymization of Personal Data;
2.1. In general, HASEKİ TURİZM uses deletion, destruction and anonymization
methods in accordance with KVKK in the destruction of personal data:
i. As deletion method; command deletion from the database is applied.
ii. As destruction method; the data in the paper environment are physically destroyed
through the archive company.
iii. As anonymization method; regional hiding process is applied and character type
data is anonymized by replacing the character "*" and numeric type data with the
number "1".
TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN BY HASEKİ TURİZM FOR THE SAFE STORAGE OF PERSONAL DATA AND THE PREVENTION OF UNLAWFUL
PROCESSING AND ACCESS;
i. Access to member data by membership services representatives working in
facilities and enterprises is restricted by the relevant software, and in this context,
they are not authorized to obtain bulk member customer lists from the software in
order to ensure data security.
ii. In order to ensure data security and to limit authorization, the access
authorization of each employee to the data of member customers has been limited.
iii. On the company's main server, personnel access authorizations are restricted.
iv. A "deep freeze" system has been installed on the computers provided by HASEKİ TURİZM for public use in the facility, and downloaded files have been deleted every time the computers are restarted. However, the computers in question have been
reorganized to have Chrome and Explorer applications only for internet access.
v. New encryption techniques have been introduced for staff computers and periodic
password change is mandatory.

vi. USB ports and printing authorizations of the computers allocated to the staff
have been limited.