CONSENT TEXT FOR PROCESSING PERSONAL DATA

We, as our company Scotty Kurye Distribution and Technologies Inc. ("SCOTTY" or "Company"), would like to inform you about the activities conducted through the website www.scotty.com.tr. As SCOTTY, a courier and delivery platform, we attach great importance to the personal data of our stakeholders and their protection. While demonstrating utmost sensitivity to the security of personal data of our employees, customers, business partners, and every other individual we have a business relationship with, we process all types of personal data in accordance with the Law on the Protection of Personal Data No. 6698 ("KVKK"), ensuring their compliance and proper preservation.

In this regard, we process your valuable personal data, such as Name - Surname, Date of Birth, Gender, Identification Number, Email Address, Invoice & Delivery Addresses, Mobile Phone Number, Information in Case of Disputes, Warning Letters, Information in Correspondence with Judicial and Administrative Authorities, Invoice Information, Request Information, Order Information, Product Information, Shipping Information, Authorized Service Information, IP Address Information, Internet Site Login-Logout Information, User Name Information, Password Information, Traffic Data (Connection Time / Duration, etc.), Encrypted Credit Card Information, Bank Account / IBAN Number Information, Call Center Voice Recordings, Location Information, IP Address Information, Internet Site Login-Logout Information, Password and Password Information, Computer Screen Recordings, Device IMEI Number, Device MAC Address, Turkish Identification Number, Identity Copy, Invoice Information Request Information, Information Processed for Managing Commercial Risks, Trade Name, Product Category to be Transported, Date of Birth, Gender, HES Code, Credit Card Number, Credit Card CCV Code, and Credit Card Expiry Date, as explained below, in accordance with the KVKK and other related regulations, within the limits prescribed by the current legal framework, directly relevant due to the performance of the service we provide.

Based on your explicit consent;

1. What are the Collection, Processing, and Processing Purposes of Personal Data?

1.1. Your personal data mentioned above can be collected by Scotty through automatic or non-automatic methods, verbally, in writing, digitally, or electronically, during your use of courier services. Your personal data may be processed as long as the contractual relationship or obligations arising from the contract continue, by creating and updating as necessary.

1.2. Before starting to use the Scotty application, your mobile phone number, which is processed for the legitimate interests of Scotty such as the provision of services and the conduct of marketing activities, will be transferred to the domestic service provider of bulk SMS services and to domestic service providers offering cloud call center services, along with voice recordings for all voice communications made within the application, when sending SMS messages is required.

1.3. Your payments and related data are not processed by Scotty, and they are carried out through payment system providers that are licensed by the Banking Regulation and Supervision Agency (BDDK), who have taken all necessary technical and administrative measures and data security precautions for the protection of personal data.

1.4. Your personal data may also be processed for the purposes of conducting and improving Scotty's corporate communication, determining its accessibility and relevant perceptions, measuring service quality and beneficiary satisfaction through survey studies, recording, examining, and responding to notifications such as requests, suggestions, satisfaction, complaints, objections, and conducting optional surveys, as well as for purposes of Scotty's institutional communication, development, and improvement, detecting relevant perceptions, measuring service quality, assessing beneficiary satisfaction through survey studies, conducting optional survey studies, and recording, examining, and responding to notifications such as requests, suggestions, satisfaction, complaints, and objections.

2. Processing of Personal Data: To Whom and for What Purpose May It Be Transferred?

2.1. During your use of courier services, in order for you to benefit from the service, your personal data including Name-Surname, Email Address, Cash/Credit Card Payment Preference Information, Phone Number, Address Information where the relevant package will be received and/or delivered, Real-time Location Information, and optionally, Turkish Identification Number, is transferred to the relevant personnel and other carriers we work with, within various agreements.

2.2. In case you apply to our company as a driver, your personal data including Name-Surname, Date of Birth, Gender, Turkish Identification Number, Email Address, Invoice & Delivery Addresses, Mobile Phone Number, Education Status, Motorcycle Ownership Status, Driving License, Criminal Record, Vehicle License, and Photo, is transferred to the relevant personnel and other authorities we work with, within various agreements.

2.3. Personalized advertisements, promotions, and campaigns specifically for you, cross-selling, target audience determination, activities to enhance user experience by tracking customer movements, development and personalization of Scotty's website and mobile application based on customer needs, direct and indirect marketing, personalized marketing, and re-marketing activities, personalized segmentation, targeting, analysis, and in-house reporting activities, market research, planning and execution of customer satisfaction activities, and planning and execution of customer relationship management processes, including planning and execution of sales and marketing processes of products and/or services of Scotty and affiliated professional business partners, creating and/or increasing loyalty to products and/or services offered by Scotty, as well as communication activities with you in all the aforementioned scopes; within the scope of Article 5/1 of the KVKK "explicit consent" legal basis, and for the same purposes and legal basis, may be processed and shared with third parties within Turkey and abroad in compliance with the rules stated in Article 9 of the KVKK.

2.4. Transfer of Personal Data Abroad:

If you choose to become a driver, use courier services, or request services as a passenger, by giving your consent:

Your identity (name, surname), contact information (email address, mobile phone number), personal information, legal transactions, professional experience, visual and audio recordings, customer and business partner transactions, customer transactions (ticket information, cargo information, membership information, order information, delivery information, review information, payment information, bank account information, card information, invoice information, amount information), marketing (campaign information, product information, gift voucher information), and transaction security (IP address) data may be recorded, and therefore, transferred abroad to programs and/or systems provided by data processors ("Orange Business) abroad and owned by Microsoft Co., Braze Inc., Click Labs Inc., Google (Google LLC.), Dynamics, and Akamai, through technology-based cloud service infrastructure providers. These transfers are made in compliance with the rules specified in Article 9 of the KVKK titled "Transfer of Personal Data Abroad," and necessary technical and administrative measures are taken. These transfers are made as there are no domestic alternatives that would enable us to maintain the service quality and service continuity offered to you, and are within the scope of the purposes of ensuring business continuity, providing information security, running business activities, ensuring the monitoring and audit of business activities, performing sales processes of goods and services, conducting activities aimed at customer satisfaction, and planning and executing customer relationship management processes. The companies selected by Scotty adopt data security measures in line with internationally recognized standards and undertake to provide a level of security to their customers, and thus to Scotty, in accordance with these standards. Moreover, numerous international regulations, including the General Data Protection Regulation (GDPR) of the European Union, ensure that such data is not processed by Data Processors (the companies that own the aforementioned infrastructure) beyond the purposes and requests of Scotty. The personal data transferred abroad due to the use of software provided by Data Processors is not shared with third parties abroad beyond the specified purposes.

3. What is the Storage Period of Processed Personal Data?

3.1. Scotty keeps the processed personal data for the periods determined by legislation. If no period is specified in the legislation, personal data is stored for the period required by the Scotty application and commercial activities associated with processing the data, and after this period, they are stored only for the time necessary to prove possible legal disputes.

4. Rights of the Data Subject in accordance with Article 20 of the Constitution and Article 11 of the KVKK

4.1. Article 20 of the Constitution grants everyone the right to be informed about their personal data, and Article 11 of the KVKK includes the right to request information, among the rights of the data subject. Within this scope, data subjects have the following rights:

  • Learning whether their personal data is processed,
  • Requesting information if their personal data has been processed,
  • Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
  • Learning the third parties to whom personal data is transferred, whether domestically or abroad,
  • If their personal data is processed incompletely or inaccurately, requesting their correction,
  • Requesting the deletion or destruction of personal data,
  • If personal data is corrected, deleted, or destroyed, requesting notification of these processes to third parties to whom personal data has been transferred,
  • Objecting to a result against themselves that arises from the analysis of personal data solely through automated systems,
  • If they suffer damage due to the unlawful processing of personal data, requesting compensation for the damage.

4.2. As data subjects, if you submit your requests regarding your rights in writing to Scotty, depending on the nature of the request, your request will be concluded within the periods specified in the Law, at the latest within 30 (thirty) days after verifying your identity.

5. In Which Cases are the Processed Personal Data Not Covered by the Law?

5.1. Since the situations listed below are excluded from the scope of the KVKK according to Article 28, data subjects cannot assert their rights in these matters:

  • Processing personal data for research, planning, and statistical purposes by anonymizing it through official statistics,
  • Processing personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personality rights or does not constitute a crime,
  • Processing personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized and empowered by law for national defense, national security, public security, public order, or economic security,
  • Processing personal data by judicial authorities or enforcement authorities in connection with investigation, prosecution, trial, or execution processes.

5.2. According to Article 28/2 of the KVKK, except for the right to claim compensation, data subjects cannot assert their rights in these matters:

  • Processing personal data that is necessary for the prevention of a crime or for conducting a criminal investigation,
  • Processing personal data that has already been made public by the data subject,
  • Processing personal data that is required for the performance of duties related to audit or regulation by authorized public institutions and organizations vested with duties and powers based on law or by public institutions with the status of professional organizations, or for the performance of discipline investigations or prosecutions.
  • Processing personal data that is necessary for the protection of the economic and financial interests of the State in relation to budget, tax, and financial matters.

6. Submission Procedure and Principles to Scotty Regarding Processed Personal Data

6.1. As a data subject, you can submit your requests regarding your aforementioned rights to Scotty in accordance with Article 13 and Article 22 of the Law on the Protection of Personal Data and the Principles and Procedures for Data Controllers' Applications.

6.2. For someone other than yourself to make a request, a special power of attorney specifically prepared on behalf of the person applying for the request must be submitted to Scotty along with the application documents.

6.3. Under Article 11 of the KVKK;

  • Learning whether your personal data is being processed,
  • Requesting information if your personal data has been processed,
  • Learning the purpose of processing your personal data and whether they are used in line with that purpose,
  • Being informed about third parties to whom your personal data has been transferred, whether within the country or abroad,
  • Requesting the correction of your incomplete or inaccurate personal data,
  • Requesting the deletion or destruction of your personal data within the framework of the conditions stipulated in the KVKK legislation,
  • If your incomplete or inaccurate data is corrected, requesting that such correction and deletion or destruction be notified to third parties to whom your personal data was transferred,
  • If an outcome is generated against you as a result of analyzing processed data solely through automated systems, objecting to the outcome,
  • If your personal data is processed unlawfully resulting in harm, requesting compensation for such harm.

Contact Information of the Data Controller

Trade Name: SCOTTY KURYE DAĞITIM VE TEKNOLOJİLERİ A.Ş.

Tax ID: 7570851018

Address: Merkez Mah. Ayazma Cad. No:37/14 Kağıthane / İstanbul

Email Address: [email protected]

Mersis No: 0757-0851-0180-0001 / İstanbul Tic. Sic. Müd. / 247172-5

Scotty reserves the right to make changes to this document. This Privacy Statement becomes effective immediately upon publication at www.scotty.com.tr/clarification-text.

I have read and understood the information text.

You hereby explicitly consent to the processing of all your personal data mentioned above, limited to the specified processing purposes, without any pressure, by clicking the "Accept" button on the relevant page.