Data Security Policy
OUR DATA SECURITY POLICY
BOOMKIN YAZILIM TEKNOLOJİLERI VE TİCARET ANONİM ŞİRKETİ DATA SECURITY POLICY
CONTENTS
1. DATA SPEAKER
- DEFINITIONS
3. SCOPE
4. PURPOSE AND PRINCIPLES - COLLECTION OF PERSONAL DATA
- LEGAL REASONS FOR PROCESSING PERSONAL DATA
- PURPOSE OF PROCESSING PERSONAL DATA
- TRANSFER OF PERSONAL DATA
- TRANSFER OF PERSONAL DATA ABROAD
- STORAGE OF PERSONAL DATA
- PERSONAL DATA STORAGE PERIOD
- DISPOSAL OF PERSONAL DATA
- SECURITY MEASURES TAKEN IN PROCESSING PERSONAL DATA
- YOUR RIGHTS UNDER ARTICLE 11 OF THE LAW
- FORCE
16. CONTACT INFORMATION
- .one. DATA SPEAKER
This Policy, in accordance with Article 10 of the Personal Data Protection Law No. 6698, the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation, and the relevant legislation, Boomkin Yazılım Teknolojileri ve Ticaret A.Ş. was prepared by the Data Controller.
- .2. DEFINITIONS
The terms defined below in this Policy have the following meanings, unless expressly defined differently elsewhere in the Policy or in future annexes:
- a) “ Explicit Consent ” means the consent on a specific subject, based on information and expressed with free will,
- b) “ Explicit Consent Statement ” , a statement of will and statement of will showing that information has been given on a particular subject and that consent and approval has been given by the person concerned,
- c) “ Recipient Group ” means the natural or legal person category to which personal data is transferred by the data controller,
ç) “ Anonymization ” means making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data,
- d) “ Relevant Person ” means the real person whose personal data is processed,
- e) " Destruction " , deletion, destruction or anonymization of personal data,
- f) “ Law ” means the Law on Protection of Personal Data No. 6698,
- g) “ Recording Medium ” means any medium in which personal data is partially or fully automated or processed by non-automatic means provided that it is a part of any data recording system,
ğ) “ Personal Data ” means any information relating to an identified or identifiable natural person,
- h) “ Board ” means the Personal Data Protection Board,
ı) “ Periodic Destruction ” means the deletion, destruction and anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the Law are eliminated,
- i) “ Policy ” means this Data Security Policy of our Company,
- j) “ Company ”, “ Our Company ” or “ Our Party ” means the Data Controller legal person who will determine and implement this Policy,
- k) “ Communiqué ” means the Communiqué of the Personal Data Protection Authority on the Procedures and Principles of Application to the Data Controller, published in the Official Gazette on 10.03.2018,
- l) " Data Registration System " , the registration system in which personal data is processed and structured according to certain criteria,
- m) “ Data Controller ” , Boomkin Yazılım Teknolojileri ve Ticaret A.Ş. denotes .
- .3. SCOPE
This Policy covers all processes in which Personal Data is processed and all storage, processing, destruction and anonymization practices implemented by our Company regarding Personal Data.
- .4. PURPOSE AND PRINCIPLES
This Policy regulates the collection, storage, deletion, destruction or anonymization of Personal Data by our Company in accordance with the Law and relevant legislation, as well as the operation, duties and responsibilities of the authorized personnel and the principles of application regarding data security. The purpose of this Policy is to ensure data security.
Our company undertakes to ensure data security by establishing business and transactions in accordance with the Law, Regulation and relevant legal legislation in the collection, storage and destruction of Personal Data.
The following principles are followed in the collection, storage, destruction and security of Personal Data:
- a) In the collection, storage, deletion, destruction and anonymization of Personal Data, the principles listed in Article 4 of the Law and the technical and administrative measures to be taken within the scope of Article 12, relevant legislation provisions, Board decisions and this Policy will be followed.
- b) All transactions regarding the collection, storage, deletion, destruction and anonymization of Personal Data will be recorded and these records will be kept for as long as required by the legal legislation.
- c) Unless a contrary decision is taken by the Board, the appropriate method of deletion, destruction or anonymization of Personal Data ex officio will be chosen by us, and the appropriate method will be disclosed upon the request of the Relevant Person.
- d) In the event that the processing conditions for Personal Data in Articles 5 and 6 of the Law are no longer valid, Personal Data will be deleted, destroyed or anonymized by us ex officio or upon the request of the Relevant Person. In case the Related Person applies to our Company in this regard;
- Requests submitted will be finalized within 30 (thirty) days at the latest and the Related Person will be informed.
- In case the data subject to the request has been transferred to third parties, this will be notified to the third party to whom the data has been transferred and necessary actions will be taken before the third parties.
- .5. COLLECTION OF PERSONAL DATA
Our company, within the scope of its legitimate commercial activities, in accordance with the relevant legislation;
- a) Our company's website or social media accounts, call centers,
- b) Audio and video recordings made at the company headquarters, affiliated offices, group companies, warehouses or stores,
- c) Cookies,
- d) Documents submitted by employees or related persons, statements received, personal business cards or CVs, information shared over websites and human resources systems, applications made, visits, communications made via e-mail, telephone, fax, social media accounts,
- e) Information and documents regarding goods and service orders, purchases and sales, storage, transportation and delivery, and electronic correspondence,
- f) Works and transactions and notifications made in SGK, Tax Office, Public Institutions, Professional Chambers and other official authorities,
- g) Trainings, seminars or organizations organized by our company or group companies,
- h) Works and transactions made pursuant to the explicit consent of the Related Person,
- i) It collects your Personal Data in written, audio, video and electronic form through other methods stated in the Express Consent Statement received from the Related Person.
Which personal data do we process?
a- When an order is placed on our website www.gizlisekme.co
- Carrying out the shopping process, preparing the order, preparing the packing slip, shipping, updating the delivery information, delivering your order to you, distinguishing the records belonging to you that we create in our system from the records of other customers, instead of post-sales operational transactions (exchange, return, product review, etc.). Your identity (name and surname) and contact information (e-mail address, phone number, address) and shopping (shopping date, time, amount, shopping content, payment method and payment details) information for the purpose of sending you the e-invoice regarding your shopping,
- In order to be able to issue invoices, your identity and billing information, if you are a taxpayer, and some additional billing information (TC identity number, tax number, personal company information)
- If you want to make your payment by credit card, your credit card information (credit card information is transferred to the payment institution without being recorded by us) in order to receive the payment.
- In order to detect and correct technical/software errors and deficiencies encountered during your visit and use of our website, you can use your website usage information.
we are processing.
b- www.gizlisekme.co membership
- Your identity (name and surname), contact (e-mail address, telephone number) and password information for the purposes of ensuring the realization of membership transactions, fulfilling the requirements of the membership agreement that we will conclude with you, making member login, and providing membership information,
- Your identity (name and surname) and contact (phone number, e-mail address, delivery and billing address information) information, in order to enable you to shop using your member information without the need to re-enter information in each shopping transaction, when you want to shop on our website as a member,
- As a member, in order to provide you with the service of viewing your order history, your shopping information (shopping date, time, amount, shopping content, payment details),
- In order for you to benefit from special membership programs and to benefit from special opportunities and offers that will be created according to your purchases on our website, secretsekme.co , to earn points and to use these points, your shopping information on our website, general or special personalized campaigns, advantages, promotions, creation of advertisements, campaigns , organizing contests, sweepstakes and other events, segmentation, reporting, profiling, marketing and analysis studies, advertisements and marketing/communication activities of www.gizlisekme.co on our website or other 3rd party environments (notifications on the Site, pop-up -up display, personalized offers, customization of user screens, advertisements, searches, surveys, etc.) and to improve the user experience on our website www.gizlisekme.co p Location information, approaches to on-site notifications/surveys/offers/campaigns, habits, favourites, likes, behaviors, preferences, search activities, segments, past purchases, cookie records, cookie and ad identifier/ID information, and device ID if the sharing is open. , payment methods and preferences, Mobile Application usage time, Mobile Application version information, communication preferences, shopping amount, payment channels, bank information where the payment is made, brand, model, technical feature and operating system information of the device used, operator information you use, survey answers etc.)
we are processing.
c- Commercial communication processes
In case you give commercial communication permission/explicit consent, you can use the general or personalized campaigns, advantages, promotions, advertisements, notifications, marketing activities and commercial communication activities (SMS, e-mail, search, etc.) We process your identity (name and surname) and contact (phone number, e-mail address) information for the purposes of sending customer satisfaction surveys, campaigns, contests, sweepstakes, invitations, openings and other events related to our products and services.
d- Call center and customer relations processes
If you contact us through our communication channels (call center, e-mail, www.gizlisekme.co website, social media, online messaging/voice call application, etc.), to resolve your problems and complaints, to answer your questions about our sexual health products, Identity (name and surname), contact (address, e-mail address, phone number), customer transaction (appointment information, requests and complaints, purchases, gifts/discounts/benefits), in the messages you transmit, in order to be able to contact you regarding them when necessary. and, if necessary, your legal transaction information; In addition, we process call center voice recordings to be used as evidence for our customer satisfaction efforts and disputes that may arise between us.
e- Legal processes and internal activities
We process your identity, communication, shopping, invoice and transaction security (log records) information in order to fulfill our obligations arising from the legislation and to fulfill our other legal obligations towards authorized and authorized public institutions and organizations.
For the purposes of exercising all kinds of lawsuits, replies and objections against official institutions and organizations such as courts, enforcement offices, arbitral tribunals in disputes that may arise, conducting negotiations and agreement processes regarding disputes, delivering the necessary information to you if you request information from us, and internal audit, internal control. and within the scope of reporting, testing, development and improvement studies, information on identity (name and surname), contact (phone number, e-mail address, address), shopping, invoice, transaction security ( www.gizlisekme.co membership, shopping on the site, We process your legal transaction information (correspondence and file information regarding dispute processes) and log records of permission/explicit consent/contract approval within the scope of commercial communication.
Your identity, contact, credit card information (only first 6 and last 4 digits) in order to prevent www.gizlisekme.co website membership agreements, legislation and unethical use, to detect suspicious transactions and illegal uses, to block and unblock them. information), your shopping and order information, and your transaction security information.
- .6. LEGAL REASONS FOR PROCESSING PERSONAL DATA
Our Company, Personal Data;
- a) It is clearly stipulated in the laws,
- b) Fulfilling our legal obligations arising from the Turkish Commercial Code No. 6102, the Turkish Code of Obligations No. 6098, the Law No. 6563 on the Regulation of Electronic Commerce, the Law on the Protection of the Consumer No. 6502 and the regulations regarding the implementation of these laws and other legal legislation,
- c) Establishment, performance, provision of a contract, or commercial or legal requirements related thereto,
- d) Data processing is mandatory for our legitimate interests, provided that it does not harm the fundamental rights and freedoms of the Data Subject,
- e) Data processing is mandatory for the establishment, exercise or protection of a right
works for legal reasons.
- .7. PURPOSE OF PROCESSING PERSONAL DATA
Our Company, Personal Data;
- a) Execution of sales processes of goods and services, management of operational processes, supply of goods, management and follow-up of commercial activity processes, performance of work, arrangement and performance of contracts, within the scope of maintaining commercial activity,
- b) Managing communication activities and loyalty processes in line with the explicit consent of the person concerned, carrying out membership transactions, marketing and accounting activities, managing customer relations, executing processes for customer satisfaction, marketing processes of products and services, and managing campaign and promotional communications,
- c) Improving the user experience,
- d) Follow-up of your requests and complaints,
- e) Ensuring information and transaction security,
- f) Planning and executing the application processes of employee candidates and human resources processes; Creation of personnel files,
- g) Ensuring workplace and work safety, monitoring the entrance and exit to the workplace and overtime schedules,
- h) Our company's management of relevant legal processes or fulfillment of legal obligations,
- i) Responding to the requests of administrative and judicial authorities within the framework of legal legislation
works for its purposes.
- .8. TRANSFER OF PERSONAL DATA
8.1. Personal Data collected by our company; Fulfilling the requirements of the products or services sold, making evaluations of appreciation, satisfaction or complaints about these products or services and providing a more perfect service, ensuring the legal and commercial security of real or legal persons who have a business relationship with our Company, determining the business strategy and implementing the human resources policy for the purpose of; Group companies, company partners, legally authorized public institutions and private individuals, suppliers, business partners in accordance with Articles 8 and 9 of the Law.
8.2. In detail:
- Information technologies, marketing/advertising/analysis activities, logistics services, payment services or consultancy requiring expertise, etc. with our company's domestic service providers and business partners (call center, those who collect personal data via devices, marketing/advertising/analysis service providers, database and server service providers, internet site usage monitoring service providers, e-mail server) in order to receive product and service support on issues. service providers, e-invoice and e-archive invoice service providers, electronic message tool service providers, cargo and courier companies, warehouse service providers, banks and electronic payment institutions, legal and financial consultancy services, independent audit service providers, archiving service providers , customer support - with video call service providers and online messaging/voice call service providers),
- To these institutions, organizations and authorities with the information requested from us in order to provide information, documents and other related obligations to authorized public institutions and organizations and judicial authorities, and to use our legal rights such as the rights of lawsuit and reply,
- Temporarily keeping this data anonymously in Google Analytics for analysis and reporting of user movements on the Website;
- With our suppliers and payment institutions regarding the relevant transaction, from which we receive consultancy services when necessary, for the purposes of tracking and detecting suspicious transactions and preventing illegal transactions,
- With our business partners within the scope of activities related to increasing visitor traffic to our website,
we share.
- .9. TRANSFER OF PERSONAL DATA ABROAD
6.1. By obtaining express consent, information technologies, marketing/advertising/analysis activities, or consultancy that requires expertise, etc. In order to fulfill the requirements of the agreements we have made with service providers abroad (insurance service within the scope of cyber security, server / maintenance and development service) and with our business partners in order to receive product and service support on issues, with business partners and thus with relevant domestic and / or abroad Since the suppliers' servers are abroad, we share your identity, finance, communication, marketing, location, customer transaction, and transaction security data with abroad.
- .10. STORAGE OF PERSONAL DATA
Our company undertakes to act in accordance with the following principles in the storage of Personal Data:
- a) Compliance with the Law
Our company undertakes to process Personal Data within the framework determined in the Law and relevant legislation.
- b) Up-to-date
Our company is responsible for the up-to-dateness of the data processing conditions and does not continue to process data when the data processing conditions are no longer valid. In the event that the data processing conditions disappear, the data will be destroyed in accordance with this Policy. Our company accepts that the data processing conditions disappear in the following cases:
- Elimination of the legal regulation that forms the basis for the processing of Personal Data,
- The disappearance of the purpose requiring the processing of Personal Data,
iii. Processing Personal Data becomes unlawful or against the rule of good faith,
- Revoking the consent of the Relevant Person in cases where the processing of Personal Data is based only on the Statement of Explicit Consent,
- Ordered by the Board,
- The expiry of the maximum period requiring the retention of Personal Data and the absence of any conditions to justify longer retention.
- .11th. PERSONAL DATA STORAGE PERIOD
The following principles are used in determining the retention and destruction periods of Personal Data obtained by our company in accordance with the provisions of the Law and other relevant legislation:
- a) If a legal period for the storage of Personal Data is foreseen, this period shall be complied with.
- b) 4/2 of the Law on Confidentiality. Data that are determined to be in violation of the principles set forth in the article are deleted, destroyed or anonymized.
- c) Reasonable periods for keeping Personal Data that are legally possible and for which no retention period is foreseen are determined.
- d) Personal Data is deleted, destroyed or anonymized upon the expiration of the legal period or the reasonable period determined.
- e) All transactions regarding the deletion, destruction and anonymization of Personal Data are recorded.
The retention periods of our Company's Personal Data are as follows:
Data Type |
Storage Time |
Traffic information about online visitors |
2 years from the date of collection |
Data processed for the purpose of enhancing user experience |
2 years from the date of collection |
Data on orders, purchases and sales, shipping and delivery of goods and services |
10 Years from the date of termination of the commercial relationship |
Sales and marketing unit operations |
10 Years from the date of termination of the commercial relationship |
Membership data |
10 Years from expiration of membership |
Commercial electronic message open consent records |
10 years from the date of express consent |
Data on employees and employee candidates, data on work and transactions carried out by human resources and management units. (Identity, communication, Transaction Security, Risk Management, Professional Experience, Health Information, Criminal Conviction and Security Measures.) |
10 Years from the date of termination of the service relationship |
Data related to works and transactions carried out in official institutions, judicial and administrative authorities, Legal Action, Transaction Security, communication, |
10 years from date of transaction |
Call center audio recordings |
2 years from the date of registration |
Location, Physical Space Security, Audio-Visual Records, Biometric Data |
2 years from the date of registration |
- .12. DISPOSAL OF PERSONAL DATA
Destruction of Personal Data can be achieved in three ways; deletion, destruction and anonymization of data. The purpose of the destruction process is to make it impossible to reach the real person with the remaining data.
- a) Deletion of Personal Data
Deletion is the rendering of said Personal Data inaccessible and unusable. In cases where our company deletes Personal Data, the data is rendered inaccessible or unusable in any way.
- b) Destruction of Personal Data
Destruction is implemented in cases where the Company processes Personal Data on physical recording media. Our company destroys the physical records in such a way that it is impossible to recover them.
- c) Anonymization of Personal Data
Anonymization is making the Personal Data unidentifiable even if it is matched with other data.
The appropriate method to be used for the destruction of Personal Data is determined and applied by our Company, depending on the situation.
- .13. SECURITY MEASURES TAKEN IN PROCESSING PERSONAL DATA
The Company takes the following precautions regarding the safe storage of Personal Data and the prevention of unlawful processing or access:
- Network security and application security are provided.
- Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
- There are disciplinary regulations that include data security provisions for employees.
- Training and awareness activities are carried out periodically for employees on data security.
- An authorization matrix has been created for employees.
- Access logs are kept regularly.
- Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
- Data masking is applied when necessary.
- Confidentiality commitments are made.
- The authorizations of employees who have a change in duty or quit their job in this field are removed.
- Current anti-virus systems are used.
- Firewalls are used.
- Personal data security policies and procedures have been determined.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- Personal data is backed up and the security of the backed up personal data is also ensured.
- Log records are kept without user intervention.
- .14. YOUR RIGHTS UNDER ARTICLE 11 OF THE LAW
Your rights under Article 11 of the Law are as follows:
- a) Learning whether personal data is processed or not
- b) If personal data has been processed, requesting information about it
- c) Learning the purpose of processing personal data and whether they are used in accordance with the purpose
- d) Knowing the third parties to whom personal data is transferred in the country or abroad,
- e) Requesting correction of personal data if it is incomplete or incorrectly processed,
- f) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,
- g) Requesting notification of the transactions made pursuant to subparagraphs (e) and (f) to third parties to whom personal data has been transferred,
- h) Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
- i) To request the compensation of the damage in case of any damage due to the unlawful processing of personal data.
Complaints and requests regarding your enumerated rights are required to be notified to the contact addresses specified in this Policy by our Company, by hand or through a notary public or other methods to be determined by the Board, with a document proving their identity. Our company will finalize these applications within 30 (thirty) days after the application reaches us.
- .15. FORCE
This Policy was put into effect on 10/07/2021. Our company may make changes to this Policy at any time. Changes made will become effective upon the publication of the new Policy.
- .16. CONTACT INFORMATION
You can find our company's contact information below.
Correspondence Address |
Boomkin Software Technologies and Trade Inc. Mesrutiyet Mah. Melek Sk. Hosgor Apt. No:10a, Sisli, Istanbul |
E-mail address |
legal@boomkintech.com |