Privacy Policy and GDPR Information

Last updated: 29/10/2023

This Privacy Policy ("Policy") explains the procedures we follow to protect personal data, including your personal data, as well as various information collected, used, and transferred by Mergenium Eğitim Teknolojileri ve Ticaret Ltd. Şti. ("Mergenium" or "we"). This Policy is prepared in accordance with Law No. 6698 on the Protection of Personal Data ("KVKK") and the General Data Protection Regulation ("GDPR") of the European Union.

The purpose of this Policy is to determine the conditions and terms of use of personal data and usage data that you share with Mergenium or that Mergenium collects during the operation of the website www.arfulus.com ("Site") and the mobile application ("Application") (together referred to as "Arfulus") and that are generated by the users ("Data Subject") of Mergenium during their use of the Site and Application.

Processed Personal Data

We collect, process, and store certain personal data and usage data to perform transactions related to your registration, membership, and trial version, to provide other services, and to improve our services.

The data collected when you sign up for the Arfulus service or update your account is classified as User Data and consists of personal data that is used to create your account and enable you to use the Arfulus service. Your email address and password that you use to create your account are included in this data.

The data collected through your use of the Arfulus service is classified as Usage Data and consists of personal data related to you that is collected and processed when accessing and using the Arfulus service. We process Calculation queries, Calculation history, Calculation settings, Account settings, and user preferences to improve the Arfulus service. We process your URL information, cookie information, IP address technical data for functional purposes such as security, performance, and prevention of account sharing.

As additional data that you may choose to provide us, we process your Payment and Purchase Data for the initiation and renewal of paid membership and your Survey and Research Data for research, analysis, and improvement purposes.

We also obtain your data from third-party sources. If you sign up for the Arfulus service or log in to the Arfulus service using another service, we obtain User Data from Identity Verification Partners, Usage Data and User Data from Technical Service Partners used to provide the technical infrastructure and security of the Arfulus service, and Payment and Purchase Data from Payment Partners and Sellers for processing your payments.

Methods of Collecting Personal Data

Your personal data mentioned above is collected through digital and printed forms (e.g., website contact form) or other web technologies (e.g., cookies) during customer experience (e.g., complaint management, satisfaction surveys, etc.) and sales processes.

Your personal data mentioned above is collected through the following channels, using both automated and non-automated methods:

• Email, surveys, SMS
• Phone, correspondence with customer services
• Our website, electronic devices
• Physical forms
• Cookies and similar tracking technologies
• Mail, shipping, courier
• Face-to-face meetings
• Other physical and electronic environments

Purposes of Processing Personal Data

Mergenium processes the personal data provided by the Data Subject for the purposes ("Purposes") of improving Mergenium's products and services, ensuring communication with the Data Subject regarding the use of the Site and Application, and performing business development and reporting activities in accordance with Article 5 of the Law.

With the explicit consent of the Data Subject, User personal data may be processed by Mergenium for direct marketing and sending commercial electronic messages to the communication address provided by the User.

1. To improve Mergenium's products and services: We may use the personal data collected to analyze usage patterns, identify areas for improvement, and enhance the functionality and features of the Arfulus service.

2. To ensure communication with the Data Subject: We may use personal data to communicate with you regarding your use of the Site and Application, respond to your inquiries, provide customer support, and send important notifications about the Arfulus service.

3. To perform business development and reporting activities: We may process personal data for internal business purposes, such as analyzing customer trends, conducting market research, and generating reports to improve our business strategies and operations.

4. Direct marketing and commercial electronic messages (with explicit consent): With your explicit consent, we may process your personal data for direct marketing purposes, including sending commercial electronic messages to the communication address you have provided. You have the right to withdraw your consent at any time.

Please note that we will not use your personal data for purposes other than those specified in this Policy without obtaining your consent, unless required or permitted by law.

Legal Grounds for Processing Personal Data

In this section, we explain the legal bases (each referred to as a "legal ground") under the data protection law that Mergenium relies on for processing your personal data for our purposes, as well as the categories of personal data we use for these purposes.

To assist you in understanding the legal bases mentioned below, a general description is provided for each legal ground:

• Performance of a Contract: When Mergenium (or a third party) needs to process your personal data for the following purposes:

  • To fulfill our obligations under a contract with you. This includes providing the Arfulus service to you or
  • verifying information before entering into a new contract with you, as required by Arfulus' Terms of Use.

• Legitimate Interests: When Mergenium or a third party has a legitimate interest in using your personal data in a specific manner, taking into account potential risks for you and other Arfulus users, and provided that such processing is necessary and based on justified reasons. For example, using Usage Data to improve the Arfulus service for all users. If you wish to understand a specific justification, please contact us.

• Consent/Explicit Consent (referred to as "Consent" in the table below): When Arfulus asks you to actively indicate your acceptance of Mergenium using your personal data for a specific purpose (we rely on this legal ground only if we do not rely on any of the other legal grounds mentioned above).

• Compliance with Legal Obligations: When Mergenium needs to process your personal data to comply with a legal obligation.

The legal grounds for collecting and using personal data as described in this Privacy Policy depend on the circumstances existing at the time of processing the relevant personal data. Accordingly, we rely on the following legal grounds when processing your personal data:

• To provide the Arfulus service in accordance with our contract with you, to create an account and/or paid membership for you, and to personalize your account, it is necessary to process User Data, Usage Data, and Payment and Purchase Data for the performance of the contract.

• To understand and identify issues related to the Arfulus service and to resolve them, we process User Data and Usage Data for the performance of the contract. For example, we use these personal data to respond to your messages when you contact customer service, to identify unusual data or behaviors that may indicate an error or other issue in our logs, or to monitor and verify accounts for detecting and preventing unauthorized users.

• To evaluate and improve new features, technologies, and enhancements for the Arfulus service, we process User Data, Usage Data, and Survey and Research Data based on our legitimate interest in developing and improving products and features for our users.

• With your consent, we process User Data, Usage Data, and Survey and Research Data for marketing or advertising activities that require your permission under applicable laws.

• To comply with legal obligations, we process User Data, Usage Data, Payment and Purchase Data, and Survey and Research Data for compliance with legal obligations.

• To comply with requests from law enforcement, courts, or other competent authorities, we process User Data, Usage Data, Payment and Purchase Data, and Survey and Research Data for compliance with legal obligations and our legitimate interest in assisting law enforcement in preventing or detecting serious crimes.

• To prepare, enforce, or defend legal claims, seek legal advice, and protect our legitimate interests, including protecting ourselves, our users, or others in legal proceedings, we process User Data, Usage Data, Payment and Purchase Data, and Survey and Research Data.

• For business planning, preparing reports, and making predictions, we process User Data, Usage Data, Payment and Purchase Data, and Survey and Research Data as part of our

legitimate interests in continuing to run our business successfully through research and planning.

• To process your payment in accordance with your consent, we process User Data and Payment and Purchase Data for the performance of the contract.

• To detect and prevent fraud, and to control fraudulent use of the Arfulus service, we process User Data, Usage Data, Payment and Purchase Data based on our legitimate interest in protecting the Arfulus service and its users from fraud and other illegal activities.

• For conducting research and surveys, we process User Data, Usage Data, and Survey and Research Data based on our legitimate interest in gaining further insights into users' thoughts about the Arfulus service and how they use it.

Transfer of Personal Data

Your personal data may be shared with individuals explicitly authorized by legislation, including the Information Technologies and Communication Authority, in accordance with legal regulations and the applicable legislation. Additionally, your personal data may be shared with authorized individuals or institutions upon the request of a court order or competent authorized administrative authorities, within the scope prescribed by legal regulations.

Your personal data may be shared with our suppliers within the scope of the service agreement between us, regarding the products or services to be provided by the suppliers, for the execution of supply chain management processes, ensuring business continuity, conducting operations, and performing the contract.

In order to obtain information related to customer relationship management and to conduct our activities, we may collaborate with a range of IT service providers, both within and outside of Turkey, to provide unexpected situation recovery services, payment services, security, and related IT services. Third parties authorized by us to process your personal data are bound by contractual obligations to ensure the security of your personal data in accordance with the terms of this Privacy Policy.

With the explicit consent of the Data Subject, User's personal data may be shared with suppliers and business partners for the purpose of direct marketing and sending commercial electronic messages to the communication address provided by the Data Subject.

In the event of a merger with another commercial company or the acquisition of our shares by another company, we may share information about you with the parent company with whom we will have a relationship. In such a case, we will inform you as soon as possible.

Your personal data is transferred abroad due to the presence of servers and data centers abroad. During the transfer of personal data to countries outside of Turkey, we ensure that the transfer of personal data is made in compliance with this Privacy Policy and the applicable legislation on data protection.

Storage of Personal Data

Your personal data processed in accordance with the purposes stated in this Privacy Policy will be stored and destroyed in compliance with the Law and the Regulation on Deletion, Destruction, or Anonymization of Personal Data. As Mergenium, we store and destroy your personal data in accordance with this Privacy Policy. We will continue to store your personal data as long as you have an Arfulus account or subscription. When your account is deleted or your subscription ends, we may continue to store some of your personal data to fulfill our legal obligations and to establish, use, and protect our rights and interests.

Your Rights Regarding Personal Data

In accordance with Article 11 of the Personal Data Protection Law (KVKK), every Data Subject can exercise the following rights by contacting Mergenium:

• Learn whether personal data is being processed,
• Request information if personal data has been processed,
• Learn the purpose of the processing of personal data and whether they are being used in accordance with their purpose,
• Be informed about third parties to whom personal data is transferred, whether domestically or internationally,
• Request the correction of personal data if it is incomplete or inaccurate,
• Request the deletion or destruction of personal data,
• Request that the operations carried out in accordance with subparagraphs (e) and (f) be notified to the third parties to whom personal data has been transferred,
• Object to the occurrence of a result against the person as a result of the analysis of personal data solely through automated systems,
• Request the remedy of damages in case of suffering damage due to the unlawful processing of personal data.

You can submit your requests regarding these rights in writing to Mergenium's address at {ADDRESS} or via the email address [email protected], in accordance with the "Communiqué on Principles and Procedures for Application to the Data Controller". Your applications will be responded to in writing or electronically within the shortest possible time and no later than 30 (thirty) days, depending on the nature of the request. If your application is negatively evaluated, the justified reasons for rejection will be communicated to you through electronic mail or by post, if possible, using the method of application you have specified.

While it is essential not to request any fees regarding the requests, if the requested operation requires a separate cost, Mergenium reserves the right to request a fee from the applicant according to the fees determined by the Personal Data Protection Board.

Security of Data

To ensure the necessary protection against the risks of loss, theft, unauthorized access, processing, and alteration of your personal data, we take reasonable technical, administrative, logical, physical, and organizational measures. These measures are specifically designed to establish a level of security appropriate to the risks that may arise during the processing of your personal data. However, please note that no system is completely secure. Third-party service providers, payment gateways, and payment processors (often referred to as PCI-compliant service providers, verified to be compliant with all payment card industry standards) are verified for compliance.

The measures we take to protect your personal data include encryption, access restrictions, isolation of application networks, and adherence to globally accepted standards.

To protect your user account, we recommend the following:

• Use a unique, strong password for your Arfulus account
• Never share your password with anyone
• Limit access to your computer and browser
• Access your Arfulus account through a secure device and network
• Log out of the Arfulus service after using it on a shared device
• Learn more about account security
• Consider that by logging into your Arfulus account from shared devices, you may have allowed someone else to access your account

If other individuals have access to your Arfulus account, they may have access to your personal data and account controls. It is your responsibility to allow them to use your account only if you do not have any concerns about sharing this personal data with them.

External Links, Other Websites, Applications, and Services

We are not responsible for any internet sites or services, including their applications and content, accessed through or linked from the Arfulus service. Please note that our Privacy Policy does not apply to any third-party internet sites or services when you navigate and interact with them through a link from our service. This includes third-party internet sites or services that have a link on our website. Your navigation and interaction on third-party internet sites or services are subject to the third party's own rules and policies. Additionally, you acknowledge that we are not responsible for and have no control over third parties to whom you grant access to your User Content. If you choose to use a third-party internet site or service and grant them access to your User Content, you do so at your own risk.

We recommend carefully reading the privacy policies of third parties.

Children

Individuals under the age of 18 can also benefit from our products and services. However, as Mergenium, we do not intentionally process the data of individuals under the age of 18. We are aware of the sensitivity of your children's personal data and take the utmost care to protect these data, including all our departments and the individuals and legal entities we collaborate with. It is the responsibility of a parent or legal guardian to share their child's personal data with us. You can contact us at [email protected] regarding the personal data of your child.

We recommend that parents take an active role in monitoring their children's online activities.

Changes to this Policy

We may modify this Policy due to changing laws, regulations, operational requirements, or as we deem necessary. In the event of such changes, we will provide you with a legally compliant notification (including the effective date). By continuing to use the Site and Application after these changes have been implemented, you signify that you have accepted and (to the extent applicable) agreed to these modifications. If you do not wish to accept any changes to this Policy, you may terminate your use of the Site and Application and delete your account.

The current Policy will come into effect on the date it is published on the Site.

Contact

For general inquiries regarding your membership, you can contact customer service at [email protected]. If you have any questions about this Policy, how we use your personal data, cookies, or similar technologies, you can always reach us at [email protected].

Please note that in order to ensure your security, we may need to verify your identity before fulfilling your request when you reach out to us for support.