LabX Studio – Olcay İpek Şahıs Şirketi Privacy Policy and Personal Data Text

“RİSKBUL”

Update Date: June 11, 2024

Purpose

LabX Studio – Olcay İpek Şahıs Şirketi (“LABX” or “Company”); aims to process users’ personal data in accordance with general privacy principles for data subjects and the provisions of applicable data protection legislation, especially the Personal Data Protection Law No. 6698 (“KVKK”) and other current regulations.

Your personal data, which you provide/will provide to our Company and/or obtained by our Company through any external means, may be processed by our Company as a “Data Controller” in the following ways;

Kişisel verilerinizin işlenme amacı kapsamında ve bu amaçla bağlantılı olarak sınırlı ve ölçülü bir şekilde,

By maintaining the accuracy and up-to-date status of personal data as reported or notified to our Company,
Such personal data may be recorded, stored, preserved, reorganized, and transferred to institutions legally authorized to request this personal data; these will only be transferred domestically or internationally, classified, and shared with third parties under the conditions stipulated by the legislation and with your explicit consent when necessary, and they may also be processed by other means specified in the legislation and subjected to other processes specified in the legislation.

This Privacy Policy is used to maintain and improve the activities carried out by LABX in line with the principles set out in the KVKK.

This Privacy Policy; explains what data we collect, how we plan to use, store, protect, and share the data we collect, how you can withdraw your consent for the processing of this data, and how you can correct and revise the data.

Terms capitalized in this Privacy Policy shall have the meanings set forth in the Terms and Conditions, unless otherwise defined in this Privacy Policy.

2. Collection Method and Categories of Personal Data

LABX may process your personal data for the purposes specified in this Privacy Policy.

The personal data specifically collected and used by LABX from users include: your order information if you make a purchase via in-app purchase, Identifier for Advertisers (IDFA) specified on your mobile device used to access our services, Identifier for Vendors/Developers (IDFV) specified on your mobile device, and Internet Protocol Address (IP Address).

Data Categories and Data Types

Transaction Security

Internet traffic data (network movements, IP address, visit data, time and date information), device name, in-app purchase history, Token ID (when you allow notifications via your device), Identifier for Advertisers (IDFA) specified on your mobile device when accessing our services (if you allow), Identifier for Vendors/Developers (IDFV) specified on your mobile device

(Identifier for Vendors-IDVF)

Customer Transaction

Order information

Marketing Data

IDFA, IDFV

We may collect your data mentioned above; directly from you through electronic or physical environments, your mobile device, third-party applications or third-party sources through which you can access our application, such as Apple App Store, Google Play App Store (similar platforms collectively with “App Store”), in order to comply with legal obligations, improve our services, manage your use of our services, and enable you to easily navigate our services while enjoying them.

We may collect your log data (via our products or third-party products) generated when you use our services/applications. This log data may include information such as your device’s Internet Protocol (“IP”) address, device name, operating system version, the application’s configuration when using our service/application, the time/date of your use of the service/application, and other statistics.

General Principles Regarding the Processing of Personal Data

In accordance with this Privacy Policy, personal data is processed by LABX as a data controller in line with the following basic principles stated herein: (i) to be in compliance with the law and good faith,

(ii) to be accurate and, where necessary, up-to-date,

(iii) to be processed for specified, explicit, and legitimate purposes,

(iv) to be limited to the purpose for which they are processed and to minimize data, and

(v) to be stored for the period stipulated in the relevant legislation or for the period required for the purpose for which they are processed.

3. Purposes and Legal Grounds for Processing Personal Data

Your personal data will be processed by automated or non-automated means for the purposes stated below, in accordance with applicable legislation and Articles 5 and 6 of the KVKK where expressly permitted by law, where expressly provided for by law, for the purpose of establishing a contract or directly related to the performance of a contract, and in line with LABX’s legitimate interests, provided that your fundamental rights and freedoms are protected.

a) Purposes of Processing Personal Data

In accordance with this text, your personal data is processed for the following purposes, in line with the general conditions above:

Transaction Security

● Conducting activities in compliance with legislation

● Conducting company/product/service commitment operations

● Conducting communication activities

● Conducting/supervising business activities

● Providing after-sales support services for goods/services

● Conducting sales processes for goods/services

● Conducting storage and archiving activities

● Conducting contract processes

● Conducting information security processes

● Conducting audits/ethical activities

● Conducting/supervising business activities

● Carrying out activities aimed at ensuring business continuity

● Providing information to authorized persons, institutions, and organizations

Customer Transaction

● Conducting/supervising business activities

● Providing after-sales support services for goods/services

● Conducting sales processes for goods/services

● Carrying out activities aimed at customer satisfaction

● Conducting contract processes

Marketing Data

● Conducting marketing analysis studies

● Conducting advertising/campaign/promotion processes

Additionally, the purposes of processing personal data may be updated in line with our company policies and legal obligations; in particular,

Creating user accounts for service recipients/application users,
Customizing our Services, increasing user experience and enjoyment through the use of our Services, and understanding our users and their preferences to enhance their experience,
Informing about new products, services, and applications; providing information regarding advertisements and promotions,
Managing digital subscription and in-app purchase processes for service recipients,
Executing auto-renewable subscriptions to allow users access to content, services, or premium features in our service,
Conducting information security processes,
Conducting activities in compliance with legislation,
Fulfilling requests from authorized authorities,
Conducting processes related to finance and accounting transactions,
Conducting communication activities,
Conducting contract processes,
Carrying out strategic planning activities,
Handling requests and complaints.

b) Legal Grounds

Customer Transaction

● It is necessary to process your personal data provided that it is directly related to the establishment of a contract with you or our performance obligation arising from this contract.

● Data processing is mandatory for the establishment, exercise, or protection of a right for you.

Transaction Security

● The law clearly regulates the process by which we process your personal data

● Conditions necessary to fulfill our legal obligation

● It is necessary to process your personal data provided that it is directly related to the establishment of a contract with you or our performance obligation arising from this contract.

Marketing Data

● Your explicit consent (obtained via Apple and/or Google)

Third-Party Websites and Applications

The RİSKBUL Application (RİSKBUL); may contain links to other internet sites unknown to LABX and whose content is not controlled. These linked internet sites, may contain terms and conditions other than LABX texts. LABX, cannot be held responsible for the use or disclosure of information that these internet sites may process. Similarly, LABX, will not be responsible for links provided to RiskBul’a from other sites owned by LABX.

We collect information by fair and lawful means with your knowledge and permission. We also inform you why we collect it and how it will be used. You are free to refuse this request for information, accepting that without this information, we may not be able to provide you with some of the services you desire.

Cookies

Cookies are small text files stored in your computer’s or mobile device’s browser or hard disk when you visit an internet page or application. Cookies, ensure the presentation of personalized internet pages for a faster visit experience that is more suitable for your personal needs and demands, as well as enabling a website to operate more efficiently. Cookies, which only contain data from your internet site visit history via the internet, do not collect any information, including your personal data/files stored on your computer or mobile device. We may use cookies when necessary to operate our services, increase our service performance and functionality, and deliver content on our sites or third-party sites, including advertisements relevant to your interests. You can delete cookies already on your computer and prevent cookies from being saved/placed in your internet browser.

Internet browsers, are predefined to automatically accept cookies by default. Since cookie management varies from browser to browser, you can refer to the browser’s or application’s help menu for detailed information.

Push Notifications

LABX may occasionally send push notifications related to application upgrades or notifications about our services through its mobile applications. You can always manage these communications and notifications from your device settings and stop receiving them.

Your data, will be stored for the period specified in the applicable legislation or for a reasonable period until the processing purpose ceases, or for legal limitation periods.

LABX, may continue to store your personal data even after the purpose of use has ceased, provided that other laws require it or a separate consent from you is given in this regard.

If you consent to LABX’s storing your personal data for an additional period, such data will be immediately deleted, destroyed, or anonymized upon the expiry of that additional period or when the processing purpose ceases.

Technical and Administrative Measures

LABX; undertakes to take all necessary technical and administrative measures and to show due diligence to ensure the confidentiality, integrity, and security of personal data it processes in accordance with relevant legislation, for the periods stipulated in the relevant legislation or for the periods required for the purpose for which they are processed. In this context, it takes necessary measures to prevent unlawful processing of personal data, unauthorized access to data, unlawful disclosure, alteration, or destruction of data. In this context, LABX, takes the following technical and administrative measures regarding the personal data it processes:

Anti-virus application. All computers and servers in LABX’s information technology infrastructure have periodically updated anti-virus applications installed.

Firewall. The data center and disaster recovery centers hosting LABX servers are protected by firewalls with periodically updated software; these next-generation firewalls control all personnel’s internet connections and provide protection against viruses and similar threats during this control.

VPN. Suppliers can access LABX servers or systems via SSL-VPN defined in Firewalls. A separate SSL-VPN definition has been made for each supplier; with the definition made, the supplier only accesses the systems they need to use or are authorized to use.

User IDs. LABX employees’ authorizations for LABX systems are limited only to the extent required by their job descriptions; in case of any change in authorization and duty, system authorizations are also updated.

Information security threat and incident management. Events occurring on LABX servers and firewalls are transferred to the “Information Security Threat and Incident Management” system. This system, alerts responsible personnel when a security threat occurs and enables them to respond to the threat instantly.

Encryption. Special categories of personal data are stored using cryptographic methods, transferred via environments encrypted with cryptographic methods when necessary, and cryptographic keys are stored in various secure environments.

Data logging. All transaction records related to special categories of personal data are securely logged.

Two-factor authentication. Remote access to special categories of personal data is allowed through at least two-factor authentication.

Penetration testing. Penetration tests are periodically performed on servers in the LABX system. Security vulnerabilities resulting from these tests are closed and a verification test is performed to show that the relevant security vulnerabilities have been closed. In addition, the Information Security Threat and Incident Management System also automatically performs penetration tests. Test results are recorded.

Information Security Management System (ISMS). In ISMS meetings held within LABX; topics in the control forum are reviewed monthly by the information technology director and financial operations director.

Training. Employees are regularly trained to increase their awareness against various information security breaches and to minimize the impact of the human factor in information breach incidents.

Physical data security. It ensures that personal data in paper form is stored in locked cabinets and accessed only by authorized persons. Adequate security measures (for electric leakage, fire, flood, theft, etc.) are taken according to the nature of the environment where special categories of personal data are stored.

Backup. LABX, regularly backs up the data it stores. As a backup mechanism, it uses backup facilities provided by cloud infrastructure providers and backup solutions it develops when deemed necessary, provided that they comply with relevant legislation and the provisions of this Privacy Policy.

Confidentiality agreement. Confidentiality agreements are concluded with employees involved in the processing of special categories of personal data.

Transfer of special categories of personal data. If special categories of personal data need to be transferred via e-mail; such a transfer is made via (i) encrypted corporate e-mail or (ii) Registered E-mail.

Despite LABX taking the necessary information security measures, in the event of damage to your personal data or unauthorized third-party access to such personal data as a result of attacks on RISKBUL or the LABX system, LABX will immediately notify Users and, if necessary, the relevant data protection authority and take the necessary measures.

4. Transfer of Personal Data to Third Parties

The procedures and principles to be applied regarding the transfer of personal data are regulated in Articles 8 and 9 of the KVKK, and since we may use servers and cloud systems located abroad, the supplier’s personal and special categories of data may be transferred to third parties within Turkey or abroad.

Your personal data may be transferred abroad for the following reasons:

Conducting storage and archiving activities
Conducting business activities
Providing after-sales support services for goods/services
Conducting customer relationship management processes

LABX also may transfer your personal data to our Company’s service providers and third parties embedded in our service such as Facebook SDK, Adjust and Firebase Analytics for the following purposes:

Sharing identity, contact, and transaction security information with authorized public institutions and organizations for the purpose of conducting activities in compliance with legislation; monitoring and conducting legal affairs; informing authorized persons, institutions, and organizations.

Sharing customer transaction information to manage after-sales support services, conduct business activities, and manage customer relationship management processes.

5. Your Rights as a Data Subject

In accordance with Article 11 of the KVKK, by applying to LABX, you can request the following regarding your personal data:

Learning whether your personal data is processed;
If your personal data has been processed, requesting information regarding this processing;
Learning the purpose of processing your personal data and whether they are used in accordance with their purpose;
Learning the third parties to whom your personal data is transferred domestically or abroad;
In case your personal data is incomplete or incorrectly processed; requesting that the operations carried out in this context be notified to third parties to whom personal data has been transferred;
Requesting the deletion, destruction, or anonymization of personal data if the reasons for processing cease to exist and requesting that the operations carried out in this context be notified to third parties to whom personal data has been transferred;
Objecting to the emergence of a result against you solely through the analysis of processed data by automatic systems;
Requesting compensation for damages if you suffer damage due to the unlawful processing of your personal data.

Where the General Data Protection Regulation (GDPR) applies, data subjects have the following rights:

Right of access – To learn whether personal data is processed and, if processed, to access information regarding your personal data and the processing of your personal data,
Right to rectification – To request the correction of information you believe is inaccurate or to have LABX complete information you believe is incomplete,
Right to erasure – To request the erasure of personal data under the conditions stipulated in the GDPR,
Right to restriction of processing – To request the restriction of the processing of personal data under the conditions stipulated in the GDPR,
Right to object to processing – To object to the processing of personal data under the conditions stipulated in the GDPR,
Right to data portability – To request the transfer of data collected by LABX directly to another organization or under certain conditions,
Objecting to the emergence of a result against the person solely through the analysis of processed data by automatic systems, including profiling.

In the application containing your explanations regarding the rights you have as a data subject and wish to use, your request must be clear and understandable; if the subject of your request is related to you or if you are acting on behalf of someone else, you must have special authorization in this regard and your authorization must be documented; your application must include identity and address information and documents proving your identity must be attached to the application. Our Company will allow you to submit such requests via the info@labx.studio address via the “Data Subject Application Form”. Our Company, in accordance with Article 13 of the KVKK, will finalize your requests free of charge within a maximum of 30 (thirty) days, depending on the nature of your request. In case the request is rejected, the reason(s) for rejection will be notified in writing or electronically, with justification.

If you believe that we or the person to whom we have transferred your data have violated your rights, you can complain to the data protection authority in your country and other authorized supervisory authorities.

This Privacy Policy may be revised by our Company when deemed necessary. If you continue to access RiskBul and use the Services offered by LABX after the notification period, you will be deemed to have consented to the changes in this Privacy Policy.

Company Title: Olcay İpek Şahıs Şirketi

Address : Mustafa Kemal Paşa Mah. Mahir Sok. No:105/10 Avcılar/İstanbul

Email : info@labx.studio