Personal Data Protection and Privacy Policy

This is an English translation prepared for informational purposes. In case of any discrepancy, the Turkish version available at /gizlilik-politikasi shall prevail.

1. General Statement

In accordance with the Personal Data Protection Law No. 6698 (KVKK), ESM Mobil Teknoloji Anonim Şirketi (the "Company"), in its capacity as data controller, takes the utmost care to process, store, protect, and where necessary transfer personal data in compliance with the law. This information notice regulates the procedures and principles concerning the processing of personal data of users (the "User") who request, and service providers who provide, tow truck, battery, insurance policy, tire replacement, on-site intervention, and similar roadside assistance services through the mobile application developed by the Company. The Company processes users' personal data only within the boundaries required by the relevant legislation, the principle of good faith, and the performance of the service.

2. Collection of Personal Data and Methods of Collection

Personal data is collected for the purpose of providing and improving the services offered by the Company through the mobile application, website, call center, e-mail, social media, customer support units, and similar channels, in electronic or physical environments, by automated or non-automated methods. This data is obtained when users create an account, request a service, complete payment transactions, or contact the Company through the application. Collected data is retained for the periods stipulated by the KVKK and is deleted, destroyed, or anonymized at the end of the legal retention period.

3. Scope of Processed Personal Data

Personal data processed by the Company includes: identity information (name, surname, national ID number, photo, driver's license details); contact information (telephone number, e-mail address, full address); location information (request and service point, destination point, live location data); vehicle and service information (vehicle license plate, registration, make, model, requested service type); financial information (payment, invoicing, credit-card information, bank information); transaction-security data (IP address, device information, access logs); audio-visual recordings (call-center voice recordings and messages, photos, video recordings); and feedback data regarding customer satisfaction. The Company processes special-category personal data only in the cases set forth in Article 6 of the KVKK and only with sufficient safeguards.

4. Purposes of Processing Personal Data

The collected personal data is processed as required by the activities conducted by the Company: planning of the tow truck, battery, tire replacement, insurance policy, and similar services offered through the mobile application; provision and follow-up of the service; matching users with service providers; identity verification; sharing of live location information within the framework of service security; processing of payment and invoicing transactions; managing customer relations; measurement and improvement of service quality; measuring customer satisfaction; evaluation of complaints and requests; ensuring system security; preventing fraud and misuse; fulfilling legal obligations and reporting to legal authorities when required. Statistical assessments aimed at improving the user experience and conducting campaign and communication processes are also among the purposes.

4.1 Transfer of Personal Data

Your personal data may be transferred to the following recipient groups, limited to the purposes set forth above and in accordance with Article 8 of the KVKK:

• Payment Institutions (e.g., iyzico): to process payment transactions
• Service Providers: to deliver the requested service
• Cloud and Server Service Providers: for data hosting, logging, and system security
• Map and Location Service Providers: for location-based services
• Analytics and Error-Reporting Providers: for measuring application performance and improving service quality
• Authorized Public Institutions and Organizations: to fulfill obligations arising from legislation

4.2 Transfer of Data Abroad

Your personal data may, where necessary, be transferred to countries with adequate protection or to service providers that have provided written undertakings of adequate protection, in compliance with Article 9 of the KVKK and the regulations of the Personal Data Protection Board. Where explicit consent is required, personal data may be transferred abroad only with the explicit consent of the data subject.

The user accepts, declares, and undertakes that they expressly consent to data transfers under the conditions described above.

5. Legal Grounds for Processing Personal Data

Personal data is processed within the scope of the legal grounds set out in Articles 5 and 6 of the KVKK, including: where expressly provided by law; where directly related to the establishment or performance of a contract; where necessary for the data controller to fulfill a legal obligation; where mandatory for the establishment, exercise, or protection of a right; and where the legitimate interests of the data controller require.

6. Transfer of Personal Data

Personal data may be transferred, within the scope of the purposes set out in this notice and within the framework of legal obligations, to the Company's business partners, suppliers, organizations providing payment-system infrastructure, banks, the call center, service providers, all parties providing or benefiting from services within contractual/business/application scope, firms providing IT-infrastructure services, legal advisors, and authorized public institutions and organizations. Where data is transferred abroad, such transfer will only take place to countries deemed safe by the Personal Data Protection Board within the scope of Article 9 of the KVKK, or through contracts that ensure adequate protection. The Company takes the necessary technical and administrative measures to prevent the unauthorized or improper transfer of personal data.

7. Storage and Security of Personal Data

The Company takes every technical and administrative measure necessary to protect the confidentiality of personal data, and uses methods such as encryption, access control, log records, firewalls, penetration testing, and backup systems to ensure data security. Personal data is retained for the period required by the purposes of processing and, in any case, no longer than the maximum statute-of-limitation periods stipulated in the Tax Procedure Law, the Turkish Commercial Code, and the Turkish Code of Obligations (10 years). Upon expiry of the period or once the purpose of processing ceases, personal data is deleted, destroyed, or anonymized in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.

In the event of unauthorized access, loss, theft, or misuse of personal data, the Company undertakes to notify the data subject and the Personal Data Protection Board as soon as possible.

7.1 Retention Periods

• Financial and invoice records: for the periods stipulated by relevant legislation
• Location data: for the operational-necessity period following service completion
• Log and transaction-security data: up to 2 years
• Membership data: while membership is active; after termination of membership, for the relevant legal limitation periods

Upon expiry of the retention period or once the purpose of processing ceases, personal data is deleted, destroyed, or anonymized.

8. Rights of the Data Subject

Pursuant to Article 11 of the KVKK, data subjects have the following rights:

• To learn whether their personal data is being processed
• To request information if processing has occurred
• To learn the purpose of processing and whether the data is used in accordance with that purpose
• To know the third parties to which the data has been transferred
• To request correction of incomplete or inaccurate data
• To request deletion or destruction of personal data
• To request that such operations be notified to third parties to which the data has been transferred
• To object to any adverse outcome resulting from automated analysis
• To claim compensation for damages incurred due to unlawful processing

Data subjects may submit their requests in writing to [email protected]. Pursuant to Article 13 of the KVKK, applications are evaluated and finalized within thirty days at the latest.

9. About This Information Notice

The Company reserves the right to update this Information Notice on the Protection of Personal Data at any time in accordance with changes in applicable legislation. Updated versions enter into force on the date they are published on the Company's website or mobile applications.

10. Privacy Policy

ESM Mobil Teknoloji A.Ş. has adopted as a core principle the protection of its users' privacy and the security of personal data. The Company takes the necessary technical, administrative, and legal measures to ensure that its users can use the service securely.

This Privacy Policy explains how all personal data obtained through the mobile application, website, and digital platforms developed by the Company is collected, processed, stored, and protected.

10.1 Information Collected

The Company may collect data such as identity, contact, location, payment, and vehicle information from its users, as well as technical data such as device type, operating system, IP address, connection duration, and location information. This data is processed for the purposes of providing the service, conducting support processes, ensuring system security, and performing statistical analysis.

10.2 Use of Data

The collected personal data is used solely to deliver the service, improve the system, measure user satisfaction, and fulfill legal obligations. The Company does not share, sell, or disclose user data to any third parties outside the purpose of service.

10.3 Financial Data Security

Credit-card and payment transactions are conducted through encrypted infrastructures that comply with international security standards. Payment data is processed and stored not by the Company but only through authorized payment institutions.

10.4 Cookies and Analytics Technologies

The mobile application and website may use cookies and analytics tools to improve user experience, monitor system performance, and detect errors. Users can restrict or completely disable cookies through their device or browser settings.

10.5 Third-Party Services and Links

The Company may work with third parties such as tow truck service providers, battery or tire service partners, payment-infrastructure providers, and technical-support firms. The Company is not responsible for the privacy practices of these parties; however, all business partners are expected to comply with KVKK and data-security obligations.

10.6 Commercial Communications and Consent Management

Notifications for information, campaigns, or promotions are only sent with explicit consent. Users can opt out at any time via an "unsubscribe" link or the "application settings" menu.

10.7 Data Retention and Deletion

Collected data is deleted or anonymized in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data when the purpose of processing ceases or when the legal retention period expires.

10.8 Security Measures

To ensure data security, the Company implements technical and administrative measures including access authorization, encryption, log records, penetration testing, antivirus systems, backup, and network firewalls.

10.9 Policy Updates

This Privacy Policy may be revised in light of changes in applicable legislation or updates to the Company's services. Updated versions take effect from the date they are published on the Company's website or in the application.

11. Legal Nature

The Cancellation and Refund Policy, Distance Service User Agreement, Service Provider Agreement, and Pre-Information Form are integral parts of the legal relationship between the parties and together constitute a whole. Matters relating to the processing of personal data are evaluated within the framework of the Information Notice on the Protection and Processing of Personal Data prepared under Law No. 6698.