1. Purpose

At GİZİR AHŞAP İNŞAAT TURİZM SAN. TİC. A.Ş., we attach great importance to the privacy of visitors, business partners, customers, suppliers, and all individuals whose personal data may be processed in connection with our activities. This Privacy and Personal Data Protection Policy has been prepared to explain the general principles governing the collection, use, protection, retention, and transfer of personal data through our website and related business processes.

This Policy is intended to provide a general framework. Detailed information regarding specific processing activities may also be provided through separate privacy notices, cookie notices, application forms, communication forms, or relevant disclosure texts published on our website.

2. Scope

This Policy applies to personal data processed by our Company in relation to website visitors, users who contact us through online forms or communication channels, customers, prospective customers, suppliers, business contacts, and other relevant third parties.

It covers personal data obtained through our website, digital platforms, e-mail correspondence, phone communications, physical visits, business relations, and other lawful channels connected with our operations.

3. Personal Data We May Process

Depending on the nature of the relationship and the service provided, the categories of personal data we may process may include:

• Identity information
• Contact information
• Company, title, and professional information
• Transaction security data
• Website usage records and technical log data
• Request, complaint, and communication records
• Visitor and physical security records where applicable
• Financial or commercial information where required by the relevant process

4. Purposes of Processing

Personal data may be processed for purposes such as carrying out communication activities, responding to requests and inquiries, managing customer and supplier relations, ensuring website and system security, conducting business operations, fulfilling legal obligations, following up legal affairs, improving services, carrying out marketing communication where permitted, and protecting the rights, legitimate interests, and commercial security of our Company.

Data processing activities are carried out only to the extent necessary, relevant, and proportionate to the applicable purpose.

5. Legal Grounds

Personal data is processed in accordance with the applicable legislation and on the basis of the relevant legal grounds, including where processing is expressly permitted by law, necessary for the establishment or performance of a contract, required for compliance with legal obligations, necessary for the establishment, exercise, or protection of a right, based on the legitimate interests of our Company provided that fundamental rights and freedoms are not harmed, or based on explicit consent where such consent is required.

6. Collection Methods

Personal data may be collected through automatic or non-automatic means, including but not limited to website contact forms, cookies and similar technologies, e-mail communications, phone calls, digital correspondence, documents shared during business relations, physical visits, and other channels used in the ordinary course of our activities.

7. Transfer of Personal Data

Personal data may be transferred, limited to the purpose requiring the transfer and in accordance with applicable law, to authorized public institutions and authorities, legal advisors, service providers, suppliers, technology and infrastructure providers, logistics and operational partners, and other third parties from whom support is received for the conduct of business processes.

Where international data transfer is involved, such transfer shall be carried out in compliance with the applicable data transfer rules and subject to the required safeguards.

8. Cookies and Website Technologies

Our website may use cookies and similar technologies to ensure the proper functioning of the website, improve user experience, analyze website performance, remember preferences, and support security processes.

Detailed information regarding cookies, their purposes, categories, and preference management should be presented through a separate Cookie Policy and cookie preference mechanism where applicable.

9. Data Security

Our Company takes reasonable technical and administrative measures to help ensure the confidentiality, integrity, and security of personal data. These measures may include access controls, authorization management, system security practices, logging, monitoring, internal policies, and organizational safeguards designed to prevent unlawful processing, unauthorized access, disclosure, alteration, or loss.

10. Retention and Deletion

Personal data is retained for the period required by the purpose of processing, the applicable legislation, and relevant retention obligations. Once the purpose no longer exists or the legal retention period expires, personal data is deleted, destroyed, or anonymized in accordance with the relevant legal requirements and internal retention practices.

11. Rights of Data Subjects

Subject to the applicable legislation, data subjects may have the right to learn whether their personal data is being processed, request information regarding such processing, learn the purpose of processing and whether the data is used in line with that purpose, request correction of incomplete or inaccurate data, request deletion or destruction where the legal conditions are met, request notification of relevant third parties regarding correction or deletion where applicable, object to certain processing results generated exclusively by automated systems, and request compensation for damages in case of unlawful processing.

Requests regarding these rights may be submitted to our Company through the contact channels and application procedures announced in the relevant privacy notices or on our website.

12. Updates to This Policy

Our Company reserves the right to update this Privacy and Personal Data Protection Policy when necessary due to legal, operational, or technical developments. The updated version becomes effective as of the date it is published on the website.