PERSONAL DATA PROTECTION AND PROCESSING POLICY
1. Purpose
The Personal Data Protection and Processing Policy (“Policy”) of Zeren Group Yatırım Holding A.Ş. (“Zeren Group” or “Company”) has been prepared to determine the procedures and principles regarding the protection, storage, and disposal of personal data by Zeren Group. This policy covers the data of all personal data subjects related to our Company, including employees, suppliers, subsidiaries, business partners, visitors, and various third parties.
Our Company takes all necessary measures to ensure that personal data is processed and stored in compliance with the law, that legal obligations are fulfilled, that data security is maintained, and that the rights of the relevant individuals are protected. This policy aims to fulfill our Company’s obligations under the Turkish Personal Data Protection Law No. 6698 (“Law”) and related legislation.
2. Scope
This Policy applies to the personal data of individuals other than our employees, processed automatically or by non-automated means, provided that it is part of a data recording system. The data processing activities related to our employees are conducted under the "Zeren Group Employee Personal Data Protection and Processing Policy," which has been prepared in parallel with this policy.
3. Definitions and Abbreviations
The terms and abbreviations used in this Policy are defined as follows:
• Personal Data: Any information relating to an identified or identifiable natural person.
• Sensitive Personal Data: Data related to individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect, attire, association, foundation, or trade union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
• Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
• Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authorization granted by the data controller.
• Explicit Consent: Consent that is given for a specific issue, based on information, and expressed freely.
• Anonymization: The process of making personal data impossible to link to an identified or identifiable natural person, even by matching it with other data.
• Personal Data Subjects: All parties with whom a business relationship is established, including job applicants, former employees, customers and potential customers, event participants, individuals submitting opinions/complaints/suggestions or information requests, visitors, campaign or competition participants, relatives of our employees or service recipients, shareholders, authorized representatives, and employees of suppliers and business partners, as well as other third parties.
4. Principles for Processing Personal Data
Our Company processes personal data in accordance with the principles stipulated in Article 4 of the Law and the relevant Turkish legislation. These principles include processing personal data:
• Lawfully and fairly,
• Accurately and in an up-to-date manner,
• For specific, explicit, and legitimate purposes,
• In a manner relevant, limited, and proportionate to the purpose,
• While retaining it for the period stipulated in the legislation or necessary for processing purposes.
Personal data is processed based on the explicit consent of the data subject or under the legal grounds specified in Articles 5 and 6 of the Law. In this context, personal data may be processed without explicit consent if one or more of the legal bases set out in the Law apply.
a) Purposes of Processing Personal Data
Our Company processes personal data for the following purposes:
• Planning and/or executing human resources policies and processes,
• Ensuring the legal and technical security of our Company and related persons with whom we have a business relationship,
• Planning and/or executing the necessary activities for customizing and promoting the products and services offered by our Company and/or on behalf of our Company according to individual preferences, usage habits, and needs,
• Conducting the necessary work and executing the relevant business processes to provide individuals with the products and/or services offered by our Company,
• Conducting commercial and/or operational activities carried out by our Company,
• Planning and/or executing our Company's commercial and/or business strategies.
5. Data Storage Environments
Personal data is securely stored by our Company in both electronic and physical environments. The storage media used include:
• Electronic Storage Environment:
Servers, software systems, cloud services, portable disks, email systems, security cameras (CCTV), databases.
• Physical Storage Environment:
File cabinets, paper documents, archive rooms, storage boxes, locked cabinets.
Technical and administrative measures are taken to ensure the security of storage environments, and these measures are regularly reviewed and updated.
6. Notification to Personal Data Subjects
Our Company informs personal data subjects in accordance with Article 10 of the Law and relevant Turkish legislation regarding the purposes of processing, the parties involved in processing, data sharing practices, data collection methods, the legal basis for processing, and the rights of data subjects.
7. Retention Period of Personal Data
Our Company retains personal data for the necessary period in accordance with the processing purposes and the legally prescribed periods. If no specific period is determined in the legislation, personal data is retained for the time required to fulfill its purpose and is deleted, destroyed, or anonymized after the expiration of this period, either during periodic destruction processes or upon the request of the data subject.
The processes for data retention and disposal are carried out as follows:
• Retention Periods: Personal data is stored for the duration stipulated in the legislation or necessary for processing. Once the retention period expires, personal data is deleted, destroyed, or anonymized through periodic destruction processes.
8. Disposal of Personal Data
Personal data is deleted, destroyed, or anonymized upon the expiration of retention periods, the elimination of processing purposes, or upon the request of the data subject. Our Company complies with Article 7 of the Law and relevant Turkish legislation when disposing of personal data.
• Deletion: Ensuring that personal data is completely inaccessible and unusable by relevant users.
• Destruction: Ensuring that personal data is permanently erased from physical or electronic environments.
• Anonymization: Making personal data impossible to associate with an identified or identifiable person, even by matching it with other data.
9. Periodic Disposal Processes
Our Company conducts periodic disposal processes in June and December each year. Personal data whose retention period has expired is deleted, destroyed, or anonymized on these predetermined periodic disposal dates.
10. Data Breach Management
In case of a personal data breach, our Company immediately notifies the Personal Data Protection Board (“Board”) upon detecting the breach. Additionally, affected individuals are identified and informed using appropriate methods, and necessary measures are taken to prevent recurrence.
11. Transfer of Personal Data
Our Company may transfer personal data to third parties by taking necessary security measures and in accordance with the legal bases for processing. The transfer of personal data is carried out in compliance with Articles 8 and 9 of the Law. Personal data may be transferred within Türkiye and internationally to countries with adequate protection or, if adequate protection is not available, to countries where data controllers provide written assurances as determined by the Board.
12. Rights of Personal Data Subjects
According to Article 11 of the Turkish Personal Data Protection Law, personal data subjects have the following rights:
• To learn whether their personal data is processed,
• To request information if their personal data has been processed,
• To learn the purpose of data processing and whether it is used in accordance with its purpose,
• To know the third parties to whom personal data is transferred within Türkiye or abroad,
• To request correction of incorrect or incomplete personal data and notification of third parties,
• To request deletion or destruction of personal data under the conditions stipulated in the Law,
• To object to adverse outcomes resulting from automated processing,
• To claim compensation for damages arising from unlawful processing.
13. Technical and Administrative Measures
Our Company takes the following technical and administrative measures in compliance with Article 12 of the Law:
• Technical Measures:
Network and application security, encryption, penetration testing, access logs, updated antivirus software, and firewalls.
• Administrative Measures:
Employee training and awareness programs, data processing inventory, confidentiality agreements, and data security provisions in contracts with data processors.