Data Protection

Dear Customers and Visitors,

The explanations set out in this personal data protection notice have been prepared in compliance with the applicable legislation of the countries in which the companies operating under the Personal Uniques Luxury Fashion Concierge Services brand are established.

As the Personal Uniques Luxury Concierge brand, we attach great importance to the protection of personal data processed through our e-commerce activities conducted via the website https://www.personaluniques.com and all digital platforms affiliated with our brand.

This information notice has been prepared in order to inform you about the personal data processing activities carried out by the data controller established in the Republic of Türkiye and/or the data controller established in the United Arab Emirates, depending on the nature of your request, the company by which the service is provided, and the jurisdictional structure through which the relevant transaction is conducted.

This notice has been drafted by taking into account the obligation to inform under the Law No. 6698 on the Protection of Personal Data in Türkiye (“KVKK”) and the information obligations under the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data in the United Arab Emirates (“UAE PDPL”).

Our Company, acting as a “data controller” within the scope of the KVKK and the applicable international data protection legislation, processes the personal data of customers, visitors, and platform users in accordance with the law and the principles of good faith; in an accurate and, where necessary, up-to-date manner; for specified, explicit, and legitimate purposes.

Detailed information regarding the scope in which your personal data is processed, the purposes of processing, the parties to whom such data may be transferred, the legal grounds for processing, and your rights is set out below.

The seller company affiliated with the Brand may be one of the following companies:

1. Data Controller Established in Türkiye

Trade Name: Ayda Viva E-Ticaret (Sole Proprietorship)

Website: https://www.personaluniques.com and the social media accounts specified on this website

E-mail: info@personaluniques.com

2. Data Controller Established in the United Arab Emirates

Trade Name: Boun Avin Free Zone Company

Address: IFZA Business Park A2 Building Dubai Silicon Oasis / United Arab Emirates 342001

Tax Number: 104816317200003

License Number: 54186 – DSO054186

Telephone: +90 (506) 020 02 02

Website: https://www.personaluniques.com and the social media accounts specified on this website

E-mail: info@personaluniques.com

Depending on the nature of your request, one of the above-mentioned companies may act in the capacity of an independent data controller. The company through which the service is provided shall be determined based on the structure of the quotation, payment, invoicing, delivery, supply, logistics, customer relations, and operational execution processes.

In this context, pursuant primarily to the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye (“KVKK”) and the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data in force in the United Arab Emirates (“PDPL”), as well as the applicable relevant legislation, we would like to inform you within the scope of the data controller’s obligation to provide information.

In the processing of personal data, the protection of individuals’ fundamental rights and freedoms, in particular the right to privacy, is taken as a principal basis. Accordingly, personal data means any information relating to an identified or identifiable natural person.

Your personal data processed by our Company, together with the purposes of processing, the persons to whom and the purposes for which such data may be transferred, the method of collection, the legal grounds, and the details regarding your rights under the KVKK and the applicable international data protection legislation, are set out below for your information.

Your personal data may be collected, wholly or partially by automated means or, provided that it forms part of a data recording system, by non-automated methods; verbally, in writing, or electronically, through the website, social media accounts, contact forms, e-mail correspondence, messaging applications, telephone conversations, digital platforms, payment and delivery processes, quotation and order processes, customer relations, and concierge services, either directly from you or through persons authorized to act on your behalf.

In addition, your personal data may also be obtained through business partners, service providers, financial institutions, technical infrastructure providers, and relevant public/private institutions and organizations for the purposes of providing the service, payment, delivery, cross-border supply, logistics, security, information technologies, customer relations, verification, financial compliance, know your customer (KYC), prevention of fraud and misuse, and the execution of controls aimed at the prevention of money laundering.

Your personal data is processed pursuant to the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye (“KVKK”) and the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data in force in the United Arab Emirates (“PDPL”) on the basis of the following legal grounds:

being directly related to the establishment or performance of a contract,
being necessary for the data controller to fulfil its legal obligations,
being necessary for the establishment, exercise, or protection of a right,
being necessary for the legitimate interests of the data controller, provided that such processing does not prejudice the fundamental rights and freedoms of the data subject,

Your personal data may also be processed, primarily under the Law No. 6698 on the Protection of Personal Data, the Law No. 6502 on the Protection of Consumers, the Law No. 6563 on the Regulation of Electronic Commerce, and, to the extent applicable in relation to the operation of the website and digital platforms, the retention of access records, the maintenance of system security, and the fulfilment of related technical obligations, the Law No. 5651 and the relevant secondary legislation, as well as the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data in force in the United Arab Emirates (“PDPL”) and other applicable legislation; for the purposes of fulfilling contractual, legal, administrative, technical, financial, consumer protection, e-commerce, information security, record-keeping, evidential, audit, and regulatory compliance obligations.

Due to the nature of our activities, to the extent that services are offered to data subjects located within the European Economic Area (EEA), communication is established with such persons, or their behavior is monitored, our Company also acts in compliance with the provisions of the General Data Protection Regulation (“GDPR”). In this context, personal data is processed in accordance with the legal bases for processing set out under Article 6 of the GDPR, and the principles of data minimization, purpose limitation, accuracy, storage limitation, integrity, and confidentiality are observed. Where the transfer of personal data to the European Economic Area or the processing of personal data originating from this region is involved, the necessary technical and administrative measures are implemented and appropriate data transfer mechanisms are applied.

With respect to personal data processing activities that require explicit consent, such processing is carried out upon obtaining the explicit consent of the data subject.

DATA CONTROLLER

Our Company, in its capacity as data controller, processes your personal data for the purposes of communicating with visitors through the website, social media accounts affiliated with the brand, and third-party digital platforms, evaluating requests and applications, conducting the processes relating to the services provided, and improving the website user experience.

Your personal data may be collected, by automated or non-automated means, through visits made via the website https://www.personaluniques.com, the social media accounts affiliated with the brand, and other digital communication channels, as well as through contact forms, e-mail correspondence, and similar means.

Our Company acts in compliance with the applicable legislation, primarily the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye (“KVKK”) and the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data in force in the United Arab Emirates (“PDPL”), in the processing of personal data; ensures that the data is accurate and, where necessary, up to date; processes such data for specified, explicit, and legitimate purposes; and retains it in a manner that is relevant, limited, and proportionate to the purposes for which it is processed.

Detailed information regarding the purposes for which your personal data is processed, the persons to whom and the purposes for which such data may be transferred, the method of collection, the legal grounds for processing, and your rights is set out in the continuation of this information notice.

PROCESSED PERSONAL DATA

Your personal data may be processed in accordance with the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye (“KVKK”) and the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data in force in the United Arab Emirates (“PDPL”), based primarily on your explicit consent and other legal grounds stipulated under the applicable legislation.

In this context, your personal data is processed within the scope of activities carried out via the website and digital platforms for the purposes of conducting communication processes, evaluating requests and applications, and providing services.

The categories of data processed by the Company and deemed as personal data under the applicable legislation are set out below. Unless expressly stated otherwise, the term “personal data” within the scope of this Information Notice shall include the information listed below.

CATEGORIES OF PROCESSED PERSONAL DATA

The categories of personal data processed by our Company within the scope of the services provided, together with the purposes of processing and the legal grounds relied upon, are explained in detail below.

Identity Information: Name and surname, identity photograph, nationality, date of birth, place of birth, and identification number. Limited information contained in identity documents, where requested for identity verification purposes.

Purpose of Processing: Identity information is processed for the purposes of conducting customer verification processes within the scope of the luxury consumption and concierge services provided, preventing fraud and misuse risks, ensuring secure service delivery, evaluating requests and applications, conducting know your customer (KYC) controls where necessary, supporting risk assessment processes for the prevention of money laundering, and fulfilling legal obligations where required.

Legal Grounds for Processing: Identity information is processed pursuant to Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye based on the legal grounds of “being directly related to the establishment or performance of a contract”, “being necessary for the legitimate interests of the data controller”, and “fulfilment of legal obligations”; and within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, based on the legitimate interests and legal obligations of the data controller.

Identity data is processed in a manner that is limited, proportionate, and necessary for the purposes of processing; and is deleted, destroyed, or anonymized in accordance with the applicable legislation when the necessity ceases.

Contact Information: Telephone number, address, e-mail address, and contact information shared by you through contact forms or other communication channels.

Purpose of Processing: Contact information is used for communicating with you, evaluating requests and applications, conducting processes related to the services provided, supporting identity verification and security processes, preventing fraud and misuse risks, and conducting legal processes where necessary.

Legal Grounds for Processing: Contact information is processed pursuant to Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye based on the legal grounds of “being directly related to the establishment or performance of a contract”, “being necessary for the legitimate interests of the data controller”, and “fulfilment of legal obligations”; and within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, based on the legitimate interests and legal obligations of the data controller.

Contact information is processed in a manner that is relevant, limited, and proportionate to the purposes for which it is processed and is retained for the period necessary.

Customer Transaction Information: The content of requests, suggestions, complaints, and applications submitted by you, as well as communication records generated within this scope.

Purpose of Processing: Customer transaction information is processed for the purposes of evaluating requests submitted by you, planning and executing service processes, improving customer experience, resolving potential disputes, ensuring service security, and preventing fraud and misuse risks.

Legal Grounds for Processing: Customer transaction information is processed pursuant to Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye based on the legal grounds of “being directly related to the establishment or performance of a contract”, “being necessary for the legitimate interests of the data controller”, and “being necessary for the establishment, exercise, or protection of a right”; and within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, based on the legitimate interests and legal obligations of the data controller.

Customer transaction information is processed in a manner that is relevant, limited, and proportionate to the purposes for which it is processed and is retained for the necessary period.

Financial and Banking Information: Bank details, payment descriptions, and information forming the basis for invoicing, shared by you within the scope of payment processes.

Purpose of Processing: Financial and banking information is processed for the purposes of conducting payment processes related to the services provided, ensuring payment verification and security, carrying out invoicing procedures, maintaining financial records, evaluating unusual transactions, conducting know your customer (KYC), financial compliance, and anti-money laundering processes where necessary, resolving potential disputes, and preventing fraud and misuse risks.

Legal Grounds for Processing: Financial and banking information is processed pursuant to Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye based on the legal grounds of “being directly related to the establishment or performance of a contract”, “being necessary for the fulfilment of the legal obligation of the data controller”, and “being necessary for the establishment, exercise, or protection of a right”; and within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, based on the legal obligations and legitimate interests of the data controller.

Financial data is processed in a limited and proportionate manner for the purposes for which it is processed and is retained for the periods prescribed under the applicable legislation.

Transaction Security Information: IP address, website access records (log records), cookie information, and site usage data.

Purpose of Processing: Transaction security information is processed for the purposes of ensuring the security of the website and digital platforms, preventing unauthorized access, protecting systems, detecting and preventing fraud and misuse activities, improving user experience, and resolving technical issues.

Legal Grounds for Processing: Transaction security information is processed pursuant to Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye based on the legal grounds of “being necessary for the legitimate interests of the data controller” and “fulfilment of legal obligations”; and within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, based on the legitimate interests and legal obligations of the data controller.

With respect to data collected through cookies, explicit consent is obtained where required under the applicable legislation, and such data is used in a limited and proportionate manner for the purposes for which it is processed and retained for the necessary period.

Legal Transaction Information: Information shared in line with requests received from competent authorities and institutions or processed within the scope of legal obligations, as well as information and documents generated within the scope of legal processes.

Purpose of Processing: Legal transaction information is processed for the purposes of fulfilling obligations arising from applicable legislation, responding to requests from competent public authorities and institutions, conducting legal processes, resolving potential disputes, establishing, exercising, and protecting rights, and carrying out necessary actions against fraud and misuse risks.

Legal Grounds for Processing: Legal transaction information is processed for the purposes of fulfilling obligations arising from applicable legislation, responding to requests from competent public authorities and institutions, conducting legal processes, resolving potential disputes, establishing, exercising, and protecting rights, and carrying out necessary actions against fraud and misuse risks.

Legal transaction information is processed in a limited and proportionate manner for the purposes for which it is processed and is retained for the periods prescribed under the applicable legislation.

Marketing and Analytics Information: Website usage preferences, cookie data, and anonymized analytics information.

Purpose of Processing: Marketing and analytics information is processed for the purposes of analyzing the use of the website, improving user experience, increasing site performance, enhancing services, and, where necessary, providing user-specific content and information.

Legal Grounds for Processing: Data processing activities carried out for analytical purposes are conducted pursuant to Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye based on the legal ground of “being necessary for the legitimate interests of the data controller”; and within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, based on the legitimate interests of the data controller.

Data processing activities carried out through cookies for marketing and personalization purposes are performed upon obtaining explicit consent in accordance with the applicable legislation.

Data processed within this scope is used, to the extent possible, in anonymized or anonymized form and is retained in a manner limited and proportionate to the purposes for which it is processed.

Request Management Information: Information shared by you within the scope of information requests, service applications, appointment requests, and similar applications submitted via the website, e-mail, social media accounts, or other communication channels, as well as communication records generated during these processes.

Purpose of Processing: Request management information is processed for the purposes of evaluating requests submitted by you, planning and executing processes related to luxury consumption and concierge services, communicating with you, conducting eligibility and security assessments, preventing fraud and misuse risks, and conducting legal processes where necessary.

Legal Grounds for Processing: Request management information is processed pursuant to Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye based on the legal grounds of “being directly related to the establishment or performance of a contract”, “being necessary for the legitimate interests of the data controller”, and “being necessary for the establishment, exercise, or protection of a right”; and within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, based on the legitimate interests and legal obligations of the data controller.

Data processed within the scope of request management is used solely in a manner that is relevant, limited, and proportionate to the purposes for which it is processed and is retained for the necessary period.

Complaint Management Information: Information shared within the scope of complaints, feedback, and dissatisfaction notifications submitted by you, as well as communication and transaction records generated during the evaluation and resolution of such complaints.

Purpose of Processing: Complaint management information is processed for the purposes of evaluating complaints and feedback submitted by you, improving service quality, ensuring customer satisfaction, resolving potential disputes, improving service processes, detecting and preventing fraud and misuse risks, and conducting legal processes where necessary.

Legal Grounds for Processing: Complaint management information is processed pursuant to Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye based on the legal grounds of “being directly related to the establishment or performance of a contract”, “being necessary for the legitimate interests of the data controller”, and “being necessary for the establishment, exercise, or protection of a right”; and within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, based on the legitimate interests and legal obligations of the data controller.

Data processed within the scope of complaint management is used solely in a manner that is relevant, limited, and proportionate to the purposes for which it is processed and is retained for the necessary period.

Your personal data may also be used for planning and executing remotely conducted service processes, providing preliminary information, preparing quotations, managing order and request processes, establishing contracts, organizing payment and delivery, personalizing the service and improving customer experience by understanding your requests and preferences, measuring customer satisfaction, conducting surveys, feedback and service quality analyses, and planning, executing, auditing, reporting company activities and ensuring compliance with the applicable legislation.

The above-mentioned personal data is processed pursuant to Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye and the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates based on the following legal grounds:

• Being directly related to the establishment or performance of a contract,

• Being necessary for the data controller to fulfil its legal obligations,

• Being necessary for the establishment, exercise, or protection of a right,

• Being necessary for the legitimate interests of the data controller, provided that such processing does not prejudice the fundamental rights and freedoms of the data subject.

With respect to personal data processing activities that require explicit consent, such processing is carried out upon obtaining the explicit consent of the data subject.

SHARING AND TRANSFER OF YOUR PERSONAL DATA

Your collected and processed personal data may be transferred, in compliance with Articles 8 and 9 of the Law No. 6698 on the Protection of Personal Data (“KVKK”) and the provisions of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, and limited to the purposes specified in this Information Notice, to the parties set out below:

• to consultants, service providers, and business partners with whom cooperation is established for the purpose of conducting service processes,

• to domestic and/or foreign service providers providing information technologies, hosting, data storage, and technical support services,

• to competent public institutions and organizations, regulatory authorities, and judicial bodies within the scope of the fulfilment of legal obligations,

• to parties providing accounting, finance, and financial advisory services for the purpose of conducting financial processes and maintaining records,

• to attorneys and legal consultants for the purpose of resolving potential disputes and protecting rights.

Where the transfer of your personal data abroad is required, such transfer is carried out in compliance with Article 9 of the KVKK and the data transfer requirements stipulated under the PDPL, with the necessary technical and administrative security measures in place.

Our Company acts in accordance with the principle of data minimization in the transfer of personal data and shares only the data that is necessary, limited to the purpose for which it is processed.

Your Personal Data Categories, and the Purposes and Legal Grounds for the Collection, Transfer, and Processing of Your Personal Data

1. Recipient Group: For the purposes of enabling the provision of services and conducting operational processes, your personal data may be shared, on a limited basis, with suppliers and service providers located domestically and/or abroad that provide information technologies, data hosting, identity verification, communication infrastructure, and general technical support services.

Purposes of transfer: Procurement of products and/or services for the purposes of conducting service processes, meeting customer requests, planning and providing the concierge and luxury consumption services offered, ensuring continuity in service quality, conducting operational processes, and operating and maintaining the continuity of the technical infrastructure relating to the provision of the service.

Personal data category: Within the scope of the concierge and luxury consumption services offered by our Company, your personal data falling under the categories of identity, contact, request/complaint/suggestion, customer transaction, legal transaction, and transaction security may be processed.

Legal ground for transfer: The transfer of your personal data is carried out pursuant to subparagraph (f) of paragraph 2 of Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye, namely where processing is necessary for the legitimate interests of the data controller, provided that this does not prejudice the fundamental rights and freedoms of the data subject.

Within this scope, data transfer is carried out only to the extent necessary for the secure and effective conduct of the concierge and luxury consumption services provided, the prevention of fraud and misuse risks, the sustainability of service processes, and the conduct of operational activities.

In addition, within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, data transfer is carried out within the framework of the legitimate interests and legal obligations of the data controller, with the necessary technical and administrative measures in place.

2. Recipient Group: Irrespective of the location of the data subject, your personal data may be shared, on a limited basis and to the extent necessary for the performance of the service, with business partners, individual sellers, and service providers that process transactions in line with your requests within the scope of the concierge and luxury consumption services provided.

Within this scope, where necessary for the conduct of shipping and delivery processes relating to the product or service requested by you, your contact and delivery information may be shared with the relevant seller, supplier, or logistics service providers.

Furthermore, irrespective of the location of the data subject, your personal data may be shared with courier, logistics, delivery, and relevant organization/service providers engaged for the purpose of conducting special occasion celebration, gift, flower, and message delivery processes.

Purposes of transfer: Your personal data is transferred for the purposes of fulfilling the concierge and luxury consumption services provided in line with your requests, conducting the supply, shipping, and delivery processes relating to the requested product or service, ensuring coordination with relevant sellers, suppliers, and logistics service providers, providing the service in a secure and effective manner, preventing fraud and misuse risks, conducting operational processes, planning, preparing, delivering, and ensuring the receipt by the relevant recipient of birthday, special occasion celebration, gift, flower, and personalized message delivery processes, fulfilling customer requests, ensuring delivery organization, and increasing service quality.

In addition, your personal data may also be transferred for the purposes of managing the return processes of undeliverable shipments, planning and managing return, reverse logistics, re-shipment, and re-delivery processes, resolving delivery-related disputes, and ensuring the necessary coordination among sender, recipient, seller, supplier, and logistics service providers.

Personal data category: Within the scope of the concierge and luxury consumption services provided by our Company in line with your requests, your personal data falling under the categories of identity, contact, request/complaint/suggestion, and customer transaction may be processed. Such data is used only to the extent necessary for conducting the processes relating to the product or service requested by you, ensuring coordination with sellers, suppliers, and logistics service providers where required, and providing the service in a secure and effective manner.

Within the scope of special occasion celebrations, gift, flower, and message delivery processes, our Company may process personal data falling under the categories of identity, contact, customer transaction, and request/complaint/suggestion.

Such data is used only to the extent limited to the sender’s and/or recipient’s full name, telephone number, delivery address, delivery notes, personal message content, and other limited information necessary for the performance of the service.

Legal ground for transfer: The transfer of your personal data is carried out pursuant to subparagraph (c) of paragraph 2 of Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye, where it is directly related to the establishment or performance of a contract; subparagraph (e), where processing is necessary for the establishment, exercise, or protection of a right; and subparagraph (f), where processing is necessary for the legitimate interests of the data controller, provided that this does not prejudice the fundamental rights and freedoms of the data subject.

Within this scope, data transfer is carried out only to the extent necessary for conducting concierge and luxury consumption services in the countries of operation, particularly Türkiye and the United Arab Emirates, meeting customer requests, ensuring coordination with sellers, suppliers, and logistics service providers, preventing fraud and misuse risks, managing potential disputes, and protecting the rights and interests of the Company.

Where a situation arises requiring explicit consent in relation to the processing of special occasion messages, personal notes, celebratory content, or personalized communication elements, the necessary explicit consent shall also be obtained in accordance with the applicable legislation.

In addition, within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, data transfer is carried out within the framework of the legitimate interests, contractual requirements, and legal obligations of the data controller, with the necessary technical and administrative measures in place.

3. Recipient Group: Irrespective of the location of the data subject, your personal data may be shared on a limited basis with (i) attorneys, law partnerships, and legal consultants from whom services are obtained for the purposes of conducting legal processes, obtaining legal advisory services, protecting the rights and interests of the Company, and managing potential disputes, and, where necessary, forensic informatics experts; and (ii) business partners, service providers, and consultants from whom services are obtained for the purposes of evaluating and resolving the requests, complaints, suggestions, feedback, and applications submitted by you, and receiving the necessary operational and advisory support within this scope.

Purposes of transfer: Your personal data is transferred on a limited basis for the purposes of managing disputes to which our Company is or may become a party, establishing, exercising, and protecting the rights and interests of the Company, evaluating legal risks, and conducting legal/advisory processes; as well as evaluating the requests, complaints, suggestions, and feedback submitted by you, managing and finalizing the relevant processes, ensuring customer satisfaction, improving service quality, securely conducting service processes, and preventing fraud and misuse risks.

Personal data category: Within this scope, your personal data falling under the categories of identity, contact, request/complaint/suggestion, customer transaction, legal transaction, transaction security, and marketing may be processed. Such data is used in a lawful, limited, and proportionate manner for the purposes of evaluating requests submitted by you, conducting customer support processes, carrying out communication activities, and improving service processes.

The data processed within the scope of the requests, complaints, suggestions, and feedback submitted by you is limited to the information shared through contact forms, e-mail correspondence, social media messages, and customer support channels.

Legal ground for transfer: The transfer of your personal data is carried out pursuant to paragraph 2 of Article 5 of the Law No. 6698 on the Protection of Personal Data; subparagraph (c), where it is directly related to the establishment or performance of a contract; subparagraph (e), where processing is necessary for the establishment, exercise, or protection of a right; and subparagraph (f), where processing is necessary for the legitimate interests of the data controller.

Within this scope, data transfer is carried out only to the extent necessary for the proper conduct of service processes, the management of communication processes, the resolution of potential disputes, and the protection of the rights and interests of the Company.

In addition, within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, data transfer is carried out within the framework of the legitimate interests, contractual requirements, and legal obligations of the data controller, with the necessary technical and administrative measures in place.

4. Recipient Group: Irrespective of the location of the data subject, your personal data may be shared, for the purposes of measuring website performance, improving technical infrastructure, enhancing user experience and conducting analytics processes, increasing digital visibility, carrying out advertising and communication activities, and conducting marketing, analytics, and communication processes, with digital marketing, advertising, analytics, measurement, communication, and technology service providers from whom services are obtained; and, within the scope of data processing activities requiring explicit consent, only for the purposes of conducting marketing, analytics, and communication processes, with digital marketing, analytics, and communication service providers established domestically and/or abroad.

Purposes of transfer: Your personal data is transferred for the purposes of analyzing website use, measuring site performance, identifying technical errors, carrying out digital communication and visibility activities, improving service and brand communication, enhancing user experience, planning marketing and promotional activities, conducting performance measurement processes, improving the service, optimizing operational processes, providing you with more relevant content and communication where necessary, sending you commercial electronic communications, conducting marketing and analytics activities, improving user experience, and increasing service quality.

Personal data category: Within the scope of marketing and analytics activities conducted by our Company through the website and digital platforms, your personal data falling under the categories of contact, transaction security, marketing, request/complaint/suggestion, and customer transaction may be processed.

Such data is used only to the extent limited to website usage preferences, IP address, site usage data, cookie data, access records, anonymous or anonymized analytics information, information shared by you during communication processes, and interactions carried out through digital platforms.

Legal ground for transfer: The transfer of your personal data is carried out pursuant to paragraph 1 of Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye, where you have provided your explicit consent and to the extent necessary, and pursuant to subparagraph (f) of paragraph 2 of Article 5, where processing is necessary for the legitimate interests of the data controller, provided that this does not prejudice the fundamental rights and freedoms of the data subject.

With respect to non-essential analytics and measurement cookies, data processing and transfer activities are carried out where your explicit consent exists in accordance with the applicable legislation. Data processing activities not requiring explicit consent are conducted on the basis of the legal grounds specified under paragraph 2 of Article 5 of the KVKK.

Within this scope, data transfer is carried out only to the extent necessary for measuring website performance, improving user experience, conducting digital communication activities, and increasing service quality.

In addition, within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, data processing and transfer activities are carried out, with the necessary technical and administrative measures in place, within the framework of the data subject’s consent, the legitimate interests of the data controller, and, where necessary, legal obligations.

5. Recipient Group: Irrespective of the location of the data subject, your personal data may be shared with insurance companies, reinsurance institutions, insurance brokers, claims management service providers, persons and/or entities providing appraisal services, and logistics assurance and product protection service providers for the purposes of protecting high-value goods, ensuring transport and delivery security, conducting cargo insurance and product protection processes, and managing potential loss, damage, delay, delivery dispute, and insurance claim processes.

Purposes of transfer: Your personal data is transferred for the purposes of conducting insurance processes relating to the transport, delivery, and protection of high-value goods, carrying out cargo insurance and product protection transactions, evaluating potential loss, damage, delay, or delivery disputes, managing insurance applications and damage claims, conducting appraisal and review processes, ensuring delivery security, fulfilling customer requests, reducing financial and legal risks, preventing fraud and misuse risks, and protecting the rights and interests of the Company.

Personal data category: Within the scope of insurance, cargo insurance, claims management, and high-value product protection processes, our Company may process your personal data falling under the categories of identity, contact, customer transaction, financial and banking information, legal transaction, transaction security, and request/complaint/suggestion. Such data is used only to the extent necessary and in a limited manner for the purposes of establishing insurance coverage, ensuring transport and delivery security, conducting preventive and verification processes relating to product protection, evaluating potential damage, loss, delivery disputes, or insurance claims, and supporting the relevant legal and financial processes.

Within this scope, data transfer is carried out only to the extent necessary for conducting protection and assurance processes relating to high-value goods, ensuring delivery and product security, managing potential loss and damage risks, conducting insurance and compensation processes, preventing fraud and misuse risks, resolving potential disputes, and protecting the rights and interests of the Company.

In addition, within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, data transfer is carried out, with the necessary technical and administrative measures in place, within the framework of the contractual requirements, legitimate interests, and, where necessary, legal obligations of the data controller.

6. Recipient Group: Irrespective of the location of the data subject, your personal data may be shared with accounting firms, certified public accountants, financial consultants, audit service providers, persons and/or entities providing independent audit services, and relevant financial service providers for the purposes of conducting accounting, finance, financial advisory, verification of the accuracy of financial records, assessment of internal control processes, ensuring compliance with legislation, fulfilment of corporate reporting obligations, and conducting audit and financial record processes, as well as for the auditing and conduct of Company activities.

Purposes of transfer: Your personal data is transferred for the purposes of maintaining financial records relating to payment transactions, maintaining general financial records, carrying out invoicing procedures, fulfilling accounting and tax obligations, auditing Company activities, controlling financial and operational processes, assessing the accuracy of accounting and record systems, ensuring compliance with legislation, managing internal audit and reporting processes, conducting financial reporting processes, carrying out financial audit activities, resolving potential irregularities and disputes, and preventing fraud and misuse risks.

Personal data category: Within the scope of independent audit, accounting, finance, and control processes, our Company may process your personal data falling under the categories of identity, contact, customer transaction, financial and banking information, and legal transaction. Such data is used only to the extent necessary and in a limited manner for the purposes of conducting financial records, transaction processes, and service flows, conducting accounting and record processes relating to payment transactions, bank transfers, invoicing processes, accounting records, financial verification transactions, and auditing compliance obligations.

Legal ground for transfer: The transfer of your personal data is carried out pursuant to subparagraph (c) of paragraph 2 of Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye, where it is directly related to the establishment or performance of a contract; subparagraph (ç), where processing is necessary for the data controller to fulfil its legal obligations; subparagraph (e), where processing is necessary for the establishment, exercise, or protection of a right; and subparagraph (f), where processing is necessary for the legitimate interests of the data controller, provided that this does not prejudice the fundamental rights and freedoms of the data subject.

Within this scope, data transfer is carried out only to the extent necessary for conducting accounting and finance processes in connection with the transparent, secure, and legally compliant conduct of Company activities, ensuring the accuracy of operational records, conducting audit processes, fulfilling financial obligations, ensuring the accuracy of financial records, ensuring the sustainability of service processes, and protecting the rights and interests of the Company.

In addition, within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, data transfer is carried out, with the necessary technical and administrative measures in place, within the framework of the legal obligations, contractual requirements, and legitimate interests of the data controller.

7. Recipient Group: Irrespective of the location of the data subject, your personal data may be shared with competent public institutions and organizations, regulatory and supervisory authorities, judicial and administrative authorities, law enforcement bodies, tax authorities, financial advisory and certification bodies, financial record authorities, notaries, official notification authorities, financial authorities, customs administrations, banks, financial institutions, payment service providers, and other relevant official institutions and organizations, to the extent necessary for the fulfilment of legal, administrative, financial, judicial, and regulatory obligations arising from the applicable legislation, the conduct of know your customer (KYC), financial compliance, sanctions screening, and anti-money laundering obligations and risk assessment processes, and the fulfilment of legal requests.

Purposes of transfer: Your personal data is transferred for the purposes of fulfilling obligations arising from the applicable legislation, conducting financial and tax processes, verifying payment and collection processes, ensuring accounting and record order, fulfilling official notifications and legal obligations relating to customs, import/export, and logistics processes, conducting identity verification and fraud prevention controls, fulfilling legal requests, conducting official audit and review processes, responding to judicial and administrative applications, and protecting the rights and interests of the Company.

Personal data category: Within the scope of the concierge and luxury consumption services provided by our Company in the countries of operation, particularly Türkiye and the United Arab Emirates, your personal data falling under the categories of identity, contact, customer transaction, financial and banking information, legal transaction, transaction security, and request/complaint/suggestion may be processed.

Such data is used in a lawful and limited manner for the purposes of fulfilling legal obligations, conducting financial and logistics transactions, making necessary notifications and verifications before official authorities, and supporting legal processes.

Legal ground for transfer: The transfer of your personal data is carried out pursuant to subparagraph (ç) of paragraph 2 of Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye, where processing is necessary for the data controller to fulfil its legal obligations; subparagraph (e), where processing is necessary for the establishment, exercise, or protection of a right; and, where necessary, subparagraph (f), where processing is necessary for the legitimate interests of the data controller, provided that this does not prejudice the fundamental rights and freedoms of the data subject.

Within this scope, data transfer is carried out only to the extent necessary for fulfilling official and financial obligations, conducting financial and logistics processes, preventing fraud and misuse risks, ensuring compliance with official audits and reviews, managing potential disputes, and protecting the rights and interests of the Company.

In addition, within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, data transfer is carried out, with the necessary technical and administrative measures in place, within the framework of the legal obligations, contractual requirements, and legitimate interests of the data controller.

8. Recipient Group: Irrespective of the location of the data subject, your personal data may be shared with payment institutions, electronic money institutions, virtual POS providers, payment infrastructure service providers, banks, financial institutions, card payment system service providers, and, to the extent necessary, service providers offering transaction security and fraud prevention services, for the purposes of conducting payment processes, carrying out collection transactions, providing virtual POS services, ensuring payment security, conducting transaction verification and financial transaction infrastructure processes, conducting know your customer (KYC), transaction verification, financial risk analysis, anti-money laundering control processes, managing payment disputes, maintaining financial transaction records, and ensuring the necessary coordination between banks and payment institutions.

Purposes of transfer: Your personal data is transferred for the purposes of collecting product and/or service fees, carrying out payment transactions, conducting pre-authorization and collection processes, verifying payment transactions, ensuring payment security, preventing fraud and misuse risks, conducting refund and cancellation processes, managing chargeback and payment disputes, maintaining financial transaction records within the scope of payment infrastructure and collection processes, ensuring the necessary coordination with banks and payment institutions, providing the service in a secure and effective manner, and fulfilling the relevant financial obligations.

Personal data category: Within the scope of payment, collection, and financial transaction processes, our Company may process your personal data falling under the categories of identity, contact, customer transaction, financial and banking information, transaction security, and legal transaction. Such data is used only to the extent necessary and in a limited manner for the purposes of carrying out payment transactions, using card-based or alternative payment methods, ensuring payment security, conducting transaction verification processes, preventing potential fraud and misuse risks, managing refund and objection processes, and fulfilling compliance obligations.

Legal ground for transfer: The transfer of your personal data is carried out pursuant to subparagraph (c) of paragraph 2 of Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye, where it is directly related to the establishment or performance of a contract; subparagraph (ç), where processing is necessary for the data controller to fulfil its legal obligations; subparagraph (e), where processing is necessary for the establishment, exercise, or protection of a right; and subparagraph (f), where processing is necessary for the legitimate interests of the data controller, provided that this does not prejudice the fundamental rights and freedoms of the data subject.

Within this scope, data transfer is carried out only to the extent necessary for conducting payment processes in a secure, uninterrupted, and legally compliant manner, ensuring financial transaction security, preventing fraud and misuse risks, managing potential payment disputes, and protecting the rights and interests of the Company.

In addition, within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, data transfer is carried out, with the necessary technical and administrative measures in place, within the framework of the contractual requirements, legal obligations, and legitimate interests of the data controller.

9. Recipient Group: Your personal data may be processed, on a need-to-know basis and limited by the scope of authority, by the relevant departments, managers, and authorized personnel within the Company for the purposes of internal corporate management, conducting operational processes, business development, strategic planning and reporting activities, and carrying out the concierge service provided, customer relations, order, supply, and delivery coordination, irrespective of the location of the data subject.

Purposes of transfer: Your personal data is processed and shared with the relevant internal departments for the purposes of effectively conducting the concierge and luxury consumption services provided, meeting customer requests, managing operational processes, conducting business development activities, increasing service quality, carrying out internal reporting and analysis processes, managing risk, and preventing fraud and misuse risks.

Personal data category: Within the scope of internal management and reporting processes, our Company may process your personal data falling under the categories of identity, contact, request/complaint/suggestion, customer transaction, transaction security, and legal transaction.

Such data is used on a limited basis for the purposes of managing service processes, improving customer relations, conducting performance and quality analyses, and ensuring the sustainability of internal Company operations.

Legal ground for transfer: The processing and internal transfer of your personal data is carried out pursuant to subparagraph (c) of paragraph 2 of Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye, where it is directly related to the establishment or performance of a contract, and subparagraph (f), where processing is necessary for the legitimate interests of the data controller, provided that this does not prejudice the fundamental rights and freedoms of the data subject.

Within this scope, data processing activities are carried out only to the extent necessary for the effective conduct of service processes, ensuring internal coordination, and increasing operational efficiency.

In addition, within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, data processing activities are carried out, with the necessary technical and administrative measures in place, within the framework of the legitimate interests and legal obligations of the data controller.

10. Recipient Group: Within the scope of the conduct of our Company’s corporate communication activities, your personal data may be shared, irrespective of the location of the data subject, only in exceptional cases where strictly necessary and on a limited basis, with corporate communication, brand consultancy, and media service providers.

Purposes of transfer: Your personal data may be processed on a limited basis for the purposes of promoting Company activities, conducting brand communication, protecting and enhancing corporate reputation, and planning communication strategies.

Personal data category: Within this scope, your personal data falling under the categories of contact, request/complaint/suggestion, and customer transaction may be processed only to the extent necessary and on a limited basis.

Legal ground for transfer: As a rule, your personal data is not shared with third parties within this scope; only in exceptional cases where necessary are data processing and transfer activities carried out pursuant to paragraph 1 of Article 5 of the Law No. 6698 on the Protection of Personal Data, provided that your explicit consent has been obtained.

In addition, within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, data processing activities are carried out in line with the explicit consent of the data subject and with the necessary technical and administrative measures in place.

11. Recipient Group: Irrespective of the location of the data subject, your personal data may be shared, to the extent necessary, with customs brokers, foreign trade consultants, import and export operations service providers, international logistics and transportation companies, cargo and courier companies, customs authorities, financial authorities, and relevant public institutions and organizations from whom services are obtained for the operational conduct of the cross-border supply, import, export, customs clearance, international cargo, logistics, and delivery processes relating to products and/or services.

Purposes of transfer: Your personal data is transferred for the purposes of conducting cross-border supply processes relating to the product or service requested by you, carrying out import and export transactions, planning and conducting international cargo and delivery processes, completing customs clearance procedures, fulfilling the necessary official notification and declaration processes, ensuring delivery organization, conducting logistics processes, arranging domestic and/or international shipment of products, ensuring compliance with customs and foreign trade legislation, preventing fraud and misuse risks, managing potential disputes, and protecting the rights and interests of the Company.

In addition, your personal data may also be transferred for the purposes of conducting return, reverse logistics, re-shipment, and re-delivery processes relating to cross-border consignments, managing return-from-customs or re-export procedures, and ensuring the relevant international logistics coordination.

Personal data category: Within the scope of import, export, customs clearance, and cross-border delivery processes, our Company may process your personal data falling under the categories of identity, contact, customer transaction, financial and banking information, legal transaction, transaction security, and request/complaint/suggestion.

Such data is used in a lawful and limited manner, in accordance with the applicable legislation, for the purposes of conducting shipment, delivery, import-export, customs clearance, and logistics processes relating to the product or service, making the necessary notifications and verifications before official authorities, ensuring international delivery organization, and supporting the relevant operational and legal processes.

Legal ground for transfer: The transfer of your personal data is carried out pursuant to subparagraph (c) of paragraph 2 of Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye, where it is directly related to the establishment or performance of a contract; subparagraph (ç), where processing is necessary for the data controller to fulfil its legal obligations; subparagraph (e), where processing is necessary for the establishment, exercise, or protection of a right; and, to the extent necessary, subparagraph (f), where processing is necessary for the legitimate interests of the data controller, provided that this does not prejudice the fundamental rights and freedoms of the data subject.

Within this scope, data transfer is carried out only to the extent necessary for conducting cross-border product and service processes, fulfilling import-export and customs obligations, completing international delivery processes, preventing fraud and misuse risks, managing official and logistics processes, resolving potential disputes, and protecting the rights and interests of the Company.

In addition, within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, data transfer is carried out, with the necessary technical and administrative measures in place, within the framework of the contractual requirements, legal obligations, and legitimate interests of the data controller.

12. Recipient Group: Your personal data may be shared with information security, cybersecurity, and technical security support service providers from whom services are obtained in the country where the relevant company conducting the transaction is located, for the purposes of conducting information security, cybersecurity, technical infrastructure security, system security, access control, threat monitoring, data protection, and digital security processes.

Purposes of transfer: Your personal data is transferred for the purposes of conducting information security processes, protecting the website and digital infrastructure, ensuring system security, preventing unauthorized access, detecting, reviewing, and preventing fraud and misuse risks, ensuring data security, monitoring technical risks and ensuring operational continuity, technically analyzing potential cyber incidents, unauthorized access, and digital security breaches, and, where necessary, assessing digital findings that may constitute evidence in legal proceedings.

Personal data category: Within the scope of information security and digital protection processes, our Company may process your personal data falling under the categories of transaction security, identity, contact, customer transaction, and legal transaction.

Legal ground for transfer: The transfer of your personal data is carried out pursuant to subparagraph (ç) of paragraph 2 of Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye, where processing is necessary for the data controller to fulfil its legal obligations; subparagraph (e), where processing is necessary for the establishment, exercise, or protection of a right; and subparagraph (f), where processing is necessary for the legitimate interests of the data controller, provided that this does not prejudice the fundamental rights and freedoms of the data subject.

Within this scope, data transfer is carried out only to the extent necessary for preventing information security risks, protecting digital infrastructure, ensuring service security, reducing fraud and misuse risks, and protecting the rights and interests of the Company.

In addition, within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, data processing and transfer activities are carried out, with the necessary technical and administrative measures in place, within the framework of the legal obligations and legitimate interests of the data controller.

13. Recipient Group: Your personal data may be shared, with the company that is party to the relevant transaction and in the countries in which such company operates, with archiving, data retention, digital record, and document management service providers from whom services are obtained for the purposes of conducting retention, archiving, digital record, document management, data storage, and corporate record processes.

Purposes of transfer: Your personal data is transferred for the purposes of fulfilling retention obligations arising from legislation, recording transaction and service history, preserving financial and legal records, protecting records relating to request and complaint processes, ensuring evidential value in potential disputes, preventing fraud and misuse risks, supporting internal control and audit processes, and ensuring operational continuity.

Personal data category: Within the scope of retention and archiving activities, our Company may process your personal data falling under the categories of identity, contact, customer transaction, financial and banking information, legal transaction, transaction security, request/complaint/suggestion, and, where necessary, marketing.

Such data is used only to the extent necessary and in a limited manner for the purposes of preserving records relating to service processes, financial documents, communication records, requests, complaints, security records, and other documents required to be retained under legal obligations.

Legal ground for transfer: The transfer of your personal data is carried out pursuant to subparagraph (ç) of paragraph 2 of Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye, where processing is necessary for the data controller to fulfil its legal obligations; subparagraph (e), where processing is necessary for the establishment, exercise, or protection of a right; and subparagraph (f), where processing is necessary for the legitimate interests of the data controller, provided that this does not prejudice the fundamental rights and freedoms of the data subject.

Within this scope, data transfer is carried out only to the extent necessary for fulfilling legal retention obligations, preserving record integrity, ensuring the secure and traceable conduct of Company activities, creating evidence and records in potential legal and financial processes, and protecting the rights and interests of the Company.

In addition, within the scope of the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, data processing and transfer activities are carried out, with the necessary technical and administrative measures in place, within the framework of the legal obligations, contractual requirements, and legitimate interests of the data controller.

TRANSFER OF PERSONAL DATA ABROAD

Your personal data may be processed domestically and/or abroad depending on the nature of the service provided, the data controller by which the service is conducted, the technical infrastructure used, payment and delivery processes, cross-border logistics operations, and the relevant legal obligations.

The data controller established in Türkiye and the data controller established in the United Arab Emirates operating under the Personal Uniques Luxury Fashion Concierge brand are independent data controllers; accordingly, your personal data may be processed by the relevant data controller depending on the nature of your request, the company by which the service is provided, and the relevant transaction process.

Within this scope, your personal data may be transferred abroad, to the extent necessary, for the following purposes:

• provision of the service,

• conduct of product and/or service procurement processes,

• conduct of payment, collection, accounting, and finance processes,

• management of cross-border logistics, delivery, customs, and return processes,

• provision of information technologies, data hosting, communication, and technical infrastructure services,

• fulfilment of legal, financial, and administrative obligations,

• conduct of customer relationship processes,

• prevention of fraud and misuse risks,

• protection of the rights and interests of the Company

for such purposes, to recipient groups located abroad, to the extent necessary.

As a rule, your personal data is processed by the relevant data controller providing the service, irrespective of the country in which the data subject is located or resides. However, where it is necessary that the service requested by you be conducted by a group company, business partner, service provider, or authorized data controller established in another country; that payment or financial transactions be carried out through the relevant institution; that delivery, logistics, or operational processes be conducted on a cross-border basis; or that the service be technically provided through infrastructure, systems, or service providers established abroad, your personal data may be transferred abroad and/or processed abroad, limited to such purposes and to the extent necessary. The data processing and data transfer activities carried out within this scope are conducted in compliance with the applicable data protection legislation and relevant legal obligations.

The transfer of your personal data abroad is carried out in compliance with Article 9 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye and, in particular, the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, as well as the applicable data protection legislation, by implementing the necessary technical and administrative measures and ensuring appropriate legal mechanisms and, where necessary, transfer safeguards.

Our Company acts in accordance with the principle of data minimization in the transfer of data abroad and transfers only the personal data that is necessary, relevant, and limited for the purpose of processing.

DATA RETENTION PERIODS

Your personal data is retained only for the period required by the purpose for which it is processed and, where applicable, for the retention periods prescribed under the applicable legislation of the Republic of Türkiye, the United Arab Emirates, and any other legislation that may apply to the relevant processing activity.

In determining the applicable retention period, our Company takes into account, in particular:

the nature of the service provided and the relevant transaction process,
the category and sensitivity of the personal data,
the legal obligations applicable to the relevant data controller,
statutory limitation periods,
accounting, tax, consumer protection, e-commerce, financial compliance, anti-fraud, anti-money laundering, customs, logistics, and evidential requirements,
the necessity of retaining records for the establishment, exercise, or protection of legal rights, and
the operational necessity of maintaining records for the continuity, security, and traceability of service processes.

Within this scope, personal data may generally be retained for the following indicative periods, unless a longer retention period is required or permitted under the applicable legislation or unless a shorter period becomes appropriate in the specific case:

Identity, contact, customer transaction, request, complaint, and communication records: for the duration of the customer relationship and, as a rule, for up to 10 years following the end of the relevant legal relationship, where necessary for contractual, legal, accounting, consumer protection, evidential, and dispute management purposes;
Financial, payment, invoicing, accounting, and banking records: for up to 10 years in accordance with the applicable accounting, tax, finance, and record-keeping obligations;
Website access logs, transaction security records, and system security records: for the period required by the applicable legislation and operational necessity, and in any event only for the period necessary to ensure information security, prevent fraud and misuse, and support evidential processes;
Marketing and analytics data: for the duration of the relevant consent and/or for the period necessary for the relevant analytical or communication purpose, unless earlier deletion, objection, or withdrawal of consent is exercised;
Legal transaction and dispute-related records: until the expiry of the applicable statutory limitation periods and for such additional period as may be necessary for the establishment, exercise, or protection of legal rights.

Where different retention periods are required for different jurisdictions, processes, or categories of personal data, the relevant data shall be retained for the period applicable to the relevant transaction and legal basis.

At the end of the applicable retention period, personal data is deleted, destroyed, or anonymized in accordance with the applicable legislation and our internal retention and disposal procedures, unless continued retention is required or permitted by law.

HOW AND WHERE YOUR PERSONAL DATA IS STORED AND PROTECTED

Your personal data may be stored in physical and/or electronic environments, including internal systems, secure cloud-based systems, hosting infrastructures, communication tools, financial record systems, and digital archives used by the relevant data controller and its duly authorized service providers.

Depending on the nature of the service, the country in which the relevant transaction is conducted, the technical infrastructure used, and the operational structure of the relevant data controller, your personal data may be stored and processed:

in the Republic of Türkiye,
in the United Arab Emirates, and/or
in other jurisdictions where our duly authorized service providers, technical infrastructure providers, hosting providers, communication providers, or operational partners are located,

provided that such storage and processing is limited to the purposes set out in this Information Notice and carried out in accordance with the applicable legislation and data transfer requirements.

Our Company implements appropriate technical and administrative security measures to protect personal data against unauthorized access, unlawful processing, accidental loss, disclosure, alteration, or destruction. Such measures may include, where appropriate:

access authorization and role-based access controls,
password, authentication, and account security controls,
logging and monitoring of system access,
data segmentation and need-to-know access limitation,
contractual confidentiality obligations,
secure storage and backup practices,
information security, cybersecurity, and technical risk management measures,
supplier and service provider due diligence,
incident response and breach management procedures, and
periodic review of data processing, retention, and access practices.

For the avoidance of doubt, our Company does not publicly disclose specific technical architecture, server configurations, or security infrastructure details, as such disclosure may itself create security risks. However, the Company applies reasonable and appropriate safeguards proportionate to the nature of the personal data processed and the risks involved.

DATA DELETION, DESTRUCTION AND ANONYMISATION

When the purpose requiring the processing of personal data ceases to exist, and where there is no longer any legal ground or legal obligation requiring continued retention, the relevant personal data is deleted, destroyed, or anonymized in accordance with the applicable legislation and internal retention and disposal procedures.

Deletion, destruction, or anonymization processes are carried out periodically and/or upon the occurrence of the relevant disposal conditions, taking into account:

the expiry of the applicable retention period,
the termination of the contractual or service relationship,
the withdrawal of consent where processing is based on consent and no other legal basis remains,
the resolution of the relevant request, complaint, or dispute, and
the expiry of applicable statutory limitation or mandatory retention periods.

Where the relevant legislation requires or permits continued retention for legal, financial, evidential, security, or regulatory purposes, the relevant personal data may continue to be retained for such limited purposes only.

YOUR RIGHTS UNDER THE KVKK AND THE LEGISLATION OF THE UNITED ARAB EMIRATES

As the data subject, we hereby inform you that, with respect to the processing of your personal data by the data controller company operating in Türkiye and the data controller company operating in the United Arab Emirates, each within the scope of its own activities and in compliance with the legislation in force concerning the protection of personal data, you may have the rights set out below under the applicable data protection legislation, primarily the Law No. 6698 on the Protection of Personal Data (“KVKK”) and the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates.

Within this scope, to the extent permitted by the applicable legislation, by applying to the relevant data controller you may exercise the following rights in relation to your personal data:

• to learn whether your personal data is being processed,

• to request information if your personal data has been processed,

• to learn the purpose of the processing of your personal data and whether it is used in accordance with such purpose,

• to learn the third parties to whom your personal data has been transferred domestically and/or abroad,

• to request the rectification of your personal data if it has been processed incompletely or inaccurately,

• to request the deletion, destruction, or, where appropriate, anonymization of your personal data within the framework of the conditions stipulated in the applicable legislation,

• to request that the third parties to whom your personal data has been transferred be notified, to the extent possible, of any rectification, deletion, destruction, or anonymization requested by you,

• to object to the emergence of a result against you by means of the analysis of your personal data exclusively through automated systems,

• with respect to data processing activities based on your explicit consent, to withdraw your explicit consent at any time,

• to object, to the extent permitted by the applicable legislation, to direct marketing, profiling, or similar analysis activities,

• to request compensation for the damage in the event that you suffer damage due to the unlawful processing of your personal data.

The rights referred to above may be subject to different scopes and limitations depending on the nature of each specific case, the country in which the data is processed, the location of the relevant data controller, the legal ground on which the data processing activity is based, and the provisions of the applicable legislation. Accordingly, your applications will be evaluated separately according to the nature of the relevant data processing activity and the legislation to which it is subject.

Requests relating to your personal data processed within the scope of the personal shopping, product procurement, bespoke order, reservation, delivery, cross-border logistics, customer relations, premium customer experience, and similar service processes provided under the Personal Uniques Luxury Fashion Concierge brand shall, depending on the nature of your request, be evaluated separately by the company in Türkiye or the company in the United Arab Emirates acting as the relevant data controller in respect of the activity within which the data is processed.

You may submit your applications concerning the aforementioned rights to the relevant data controller, in accordance with the provisions of the Communiqué on the Principles and Procedures for Application to the Data Controller and other applicable relevant legislation, together with information and/or documents verifying your identity for the purpose of determining that you are the real right holder. You may submit your applications by means of the Application Form or by another method compliant with the procedures and principles set out in the applicable legislation.

Your applications shall be concluded within the relevant statutory periods and in accordance with the applicable legislation, depending on their nature, under the legislation of the Republic of Türkiye and/or the data protection legislation in force in the United Arab Emirates.

You may submit your information requests and applications relating to your personal data through the communication channels set out below:

In-Person Written Application Postal Address 1:

For applications to be made by e-mail, in order to ensure the proper conduct of security and identity verification processes, it is recommended, where possible, that your applications be sent from the electronic mail address previously notified to our Company and registered in our systems.

Within the scope of applications, it may be necessary to verify the identity of the applicant and to confirm whether the person making the request is the data subject or a duly authorized representative. Information and documents relating to personal data are, as a rule, disclosed only to the data subject or to his/her representative who duly documents his/her authority; no information is provided to third parties, family members, relatives, assistants, consultants, or persons unable to evidence sufficient authority. Our Company reserves the right to request additional information and/or documents prior to concluding the application for the purpose of ensuring the security and confidentiality of personal data.

We would like to remind you that, within the scope of the documents and information you submit for the purpose of verifying your identity, you should not include your special categories of personal data unless necessary (for example, health data, political opinions, philosophical beliefs, religion, sect and other beliefs, clothing and attire, membership of associations, foundations, or trade unions, blood group information, data relating to sexual life, information regarding criminal convictions and security measures, biometric data, or other similarly sensitive personal data).

SEPARATE INFORMATION NOTICES FOR DISTINCT DATA SUBJECT GROUPS

This Information Notice is primarily addressed to customers, prospective customers, website visitors, digital platform users, persons submitting applications or requests through communication channels, and natural persons benefiting from concierge and luxury consumption services.

However, within the scope of our Company’s field of activity, operational structure, cross-border service model, high-value product and service processes, supply and logistics organizations, human resources activities, corporate business relationships, and obligations arising under the applicable legislation, personal data processing activities relating to different data subject groups may also arise.

Accordingly, for processes that differ in terms of the purpose of processing personal data, data categories, legal grounds, recipients, retention periods, and the rights of the data subject, separate information notices distinct from this text and specifically tailored to the relevant data subject group may additionally be prepared, separately presented to the data subjects, and/or separately applied within the relevant processes.

Within this scope, our Company may, taking into account the country of operation, the relevant data controller company, the nature of the business relationship, the data processing activity, and the applicable legislation, issue the following separate information notices:

• Employee Information Notice

• Job Applicant Information Notice

• Supplier / Business Partner Information Notice

These notices prepared specifically for the relevant data subject group may, depending on the nature of the relevant data processing activity, be separately applicable from, supplementary to, or prevail over this general customer / visitor information notice.

In data processing activities specific to a particular data subject group, the relevant specific information notice shall primarily apply.

Our Company processes personal data relating to each data subject group solely for specified, explicit, and legitimate purposes, in a manner relevant, limited, and proportionate to the purpose for which such data is processed, in compliance with the applicable data protection legislation; may transfer such data domestically and/or abroad to the extent necessary; and retains such data for the period prescribed under the applicable legislation or required for the purpose for which it is processed.

1. PRINCIPLES RELATING TO THE EMPLOYEE INFORMATION NOTICE

Personal data relating to natural persons serving within the Company’s organization, including employees, interns, consultants, payroll personnel, part-time employees, remote workers, managers, authorized personnel, operations personnel, customer relations personnel, logistics/supply coordination personnel, finance/accounting personnel, digital operations personnel, and persons in similar roles, may additionally be processed within the scope of the processes concerning the establishment, performance, management, and termination of the employment relationship.

Within this scope, personal data relating to employees may, in particular, be processed for the following purposes:

• establishment, performance, and termination of the employment contract,

• creation of personnel files and conduct of personnel processes,

• conduct of salary, fringe benefits, expense, advance, and financial entitlement processes,

• fulfilment of payroll, tax, social security institution, social security, and statutory notification processes,

• ensuring job descriptions, authority matrix, organizational structure, and operational management,

• conduct of performance, productivity, quality, disciplinary, internal audit, and business continuity processes,

• conduct of information security, access authorization, device allocation, e-mail, corporate account, and digital systems management processes,

• fulfilment of occupational health and safety obligations,

• conduct of necessary security, confidentiality, compliance, and risk controls in relation to high-value products, customer relations, financial transactions, and cross-border processes,

• conduct of internal communication, training, operational coordination, quality assurance, and business development processes,

• fulfilment of legal, financial, administrative, technical, and corporate obligations,

• dispute management, internal investigation, creation of evidence, establishment, exercise, and protection of rights,

• information security, fraud prevention, access control, record-keeping, and protection of Company assets, to the extent necessary.

The categories of personal data that may be processed in relation to employees may, depending on the specific case, mainly include the following:

• identity information,

• contact information,

• personnel file information,

• professional experience and education information,

• financial information,

• payroll and fringe benefit information,

• attendance / working arrangement information,

• transaction security information,

• access and log records,

• performance and duty-related information,

• legal / compliance / audit information,

• where necessary and only to the extent permitted by the applicable legislation, special categories of personal data.

Legal Grounds for Processing Employee Data: Personal data belonging to employees is processed, pursuant to Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye (“KVKK”) and the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, on the following legal grounds:

• being directly related to the establishment and performance of an employment contract,

• being necessary for the data controller to fulfil its legal obligations,

• being necessary for the establishment, exercise, or protection of a right,

• being necessary for the legitimate interests of the data controller, provided that this does not prejudice the fundamental rights and freedoms of the data subject.

Personal data may also be processed, primarily under the Labour Law No. 4857, the Social Insurances and General Health Insurance Law No. 5510, the Occupational Health and Safety Law No. 6331, the Turkish Code of Obligations No. 6098, the Turkish Commercial Code No. 6102, the Tax Procedure Law No. 213, to the extent applicable the Law No. 5651 and relevant secondary legislation, and the relevant labour, tax, corporate, and data protection legislation in force in the United Arab Emirates, for the following purposes:

• establishment and conduct of the employment relationship,

• conduct of payroll, finance, and personnel processes,

• fulfilment of legal notification and record-keeping obligations,

• conduct of occupational health and safety processes,

• ensuring information technologies, access control, and system security,

• conduct of business continuity, operational management, and organizational planning,

• fulfilment of record-keeping, audit, evidentiary, and regulatory compliance obligations.

Data processing activities relating to employees are not assessed within the scope of this customer / visitor information notice, but under a separate Employee Information Notice to be prepared specifically for employees and presented to the relevant employees separately.

2. PRINCIPLES RELATING TO THE JOB APPLICANT INFORMATION NOTICE

Personal data belonging to candidates applying for employment with our Company may additionally be processed for the purposes of receiving and evaluating job applications, reviewing candidate suitability, conducting recruitment processes, and planning potential future employment needs.

Within this scope, personal data belonging to candidate employees may, in particular, be processed for the following purposes:

• receiving, recording, and evaluating job applications,

• reviewing curriculum vitae, experience, education, and competency information,

• evaluating suitability for the position, role adequacy, and job requirements,

• conducting interview, assessment, reference check, and recruitment organization processes,

• communicating with the candidate,

• carrying out human resources planning, talent pool management, and evaluation for suitable positions that may arise in the future,

• conducting recruitment processes in a secure and verifiable manner,

• evaluating cases involving fraud, false statements, identity fraud, or security risks,

• fulfilling legal, administrative, and corporate obligations to the extent necessary,

• establishment, exercise, and protection of rights.

The categories of personal data that may be processed in job application processes may mainly include the following:

• identity information,

• contact information,

• curriculum vitae and career information,

• education and certificate information,

• professional experience information,

• foreign language and competency information,

• reference information,

• interview notes and assessment records,

• other information and documents shared by the candidate,

• transaction security information to the extent necessary,

• special categories of personal data to the extent lawful and necessary under the applicable legislation.

Legal Grounds for Processing Job Application Data: Personal data belonging to candidates within the scope of job applications is processed, pursuant to Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye (“KVKK”) and the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, on the following legal grounds:

• being directly related to the establishment of a contract,

• being necessary for the data controller to fulfil its legal obligations,

• being necessary for the legitimate interests of the data controller,

• being necessary for the establishment, exercise, or protection of a right.

Personal data may also be processed, primarily under the Labour Law No. 4857, the Turkish Code of Obligations No. 6098, the relevant human resources, employment, and labour law legislation to the extent applicable, and the relevant labour and data protection legislation in force in the United Arab Emirates, for the following purposes:

• conduct of recruitment processes,

• evaluation of candidate suitability,

• conduct of reference and verification processes,

• human resources planning,

• implementation of the Company’s recruitment policies,

• creation of a candidate pool for suitable positions that may arise in the future,

• prevention of fraud, false statements, and security risks,

• conduct of legal processes and fulfilment of evidentiary obligations.

For data processing activities requiring explicit consent, the explicit consent of the data subject is obtained.

Data processing activities relating to candidate employees are not assessed within the scope of this customer / visitor information notice, but under a separate Job Applicant Information Notice to be prepared specifically for candidate employees and presented to the data subjects separately.

3. PRINCIPLES RELATING TO THE SUPPLIER / BUSINESS PARTNER INFORMATION NOTICE

Personal data belonging to suppliers, sellers, business partners, consultants, representatives, intermediaries, distributors, individual service providers, corporate solution partners, and their authorized persons / employees / contact persons with whom our Company works within the scope of luxury consumption, concierge, premium customer experience, product supply, cross-border logistics, payment, digital infrastructure, marketing, communication, operations, consultancy, audit, security, insurance, customs clearance, finance, accounting, law, technology, archiving, delivery, courier, organization, and similar activities may additionally be processed.

Within this scope, within the framework of supplier / business partner relationships, personal data may, in particular, be processed for the following purposes:

• pre-contractual assessment and establishment of the business relationship,

• supplier / business partner selection, suitability, and competence assessment,

• establishment, performance, execution, and termination of contracts,

• conduct of ordering, supply, delivery, logistics, coordination, and operational processes,

• conduct of payment, collection, accounting, and finance processes,

• ensuring internal operational coordination,

• conduct of communication and relationship management,

• conduct of risk, compliance, fraud prevention, security, and quality control processes,

• conduct of high-value product protection, insurance, transportation, and delivery security processes,

• conduct of customs, import, export, cross-border supply, and international trade processes,

• fulfilment of legal, administrative, financial, technical, and contractual obligations,

• conduct of audit, reporting, record-keeping, and evidentiary processes,

• establishment, exercise, and protection of rights.

The categories of personal data that may be processed in supplier / business partner processes may mainly include the following:

• identity information,

• contact information,

• duty / title / company affiliation information,

• contract and transaction information,

• financial and banking information,

• invoice and payment information,

• delivery / logistics / operational information,

• transaction security and log information,

• legal transaction and compliance information,

• authority / signature / representation information,

• identity verification and suitability assessment information to the extent necessary.

Legal Grounds for Processing Supplier / Business Partner Data: Personal data belonging to suppliers, business partners, sellers, consultants, service providers, and their authorized persons is processed, pursuant to Article 5 of the Law No. 6698 on the Protection of Personal Data of the Republic of Türkiye (“KVKK”) and the Federal Decree-Law No. 45 of 2021 Concerning the Protection of Personal Data (“PDPL”) in force in the United Arab Emirates, on the following legal grounds:

• being directly related to the establishment or performance of a contract,

• being necessary for the data controller to fulfil its legal obligations,

• being necessary for the establishment, exercise, or protection of a right,

• being necessary for the legitimate interests of the data controller,

provided that this does not prejudice the fundamental rights and freedoms of the data subject.

Personal data may also be processed, primarily under the Turkish Code of Obligations No. 6098, the Turkish Commercial Code No. 6102, the Tax Procedure Law No. 213, the Law No. 6502 on the Protection of Consumers, the Law No. 6563 on the Regulation of Electronic Commerce, to the extent applicable in relation to website and digital infrastructure processes the Law No. 5651 and relevant secondary legislation, and the relevant trade, finance, data protection, and compliance legislation in force in the United Arab Emirates, for the following purposes:

• establishment and conduct of contractual processes,

• conduct of supply, order, delivery, and logistics processes,

• conduct of payment, collection, accounting, and finance processes,

• conduct of cross-border trade, customs, and operational processes,

• ensuring business continuity and operational activities,

• fulfilment of audit, record-keeping, evidentiary, and regulatory compliance obligations,

• prevention of fraud and misuse risks,

• protection of the rights and interests of the Company.

That can be processed for these purposes.

Data processing activities relating to supplier / business partner relationships are not assessed within the scope of this customer / visitor information notice, but under a separate Supplier / Business Partner Information Notice to be prepared specifically for the relevant data subject group and presented to the data subjects separately.

COMMON PRINCIPLES RELATING TO THE APPLICATION OF SEPARATE INFORMATION NOTICES

The separate information notices to be prepared by our Company for the above-mentioned data subject groups shall be drafted to separately and specifically include the following details regarding the relevant process:

• the identity of the relevant data controller,

• the categories of personal data processed,

• the purposes of processing,

• the legal grounds,

• the methods of data collection,

• the recipient groups and purposes of transfer,

• whether there is any transfer abroad,

• the data retention / storage approach,

• the application procedures and rights of the data subject.

It is organized in a way that includes separate and process-specific law elements.

In cases where the same natural person may establish a relationship with the Company in more than one capacity (for example, both as a customer and a supplier representative, both as a job applicant and a customer, both as a consultant and an authorized representative of a business partner, etc.), our Company may assess the data subject data within separate data processing activities appropriate to the nature of the relevant capacity. In such cases, more than one information notice may apply simultaneously in respect of different data processing processes relating to the same person.

In the processing of personal data, the principles of purpose relevance, limitation, proportionality, data minimization, accuracy, currency, security, and retention limited to the storage period shall be observed.

With respect to data processing activities requiring explicit consent, the necessary information shall additionally be provided to the data subject and explicit consent processes shall be conducted separately; the privacy notice and the explicit consent text cannot be used interchangeably. The Turkish Personal Data Protection Authority also emphasizes that the information notice must clearly include the identity of the data controller, the purpose, transfer, method/legal ground, and the rights of the data subject, and that the information notice and explicit consent must be regulated separately.

Our Company reserves the right, depending on the country of operation, the relevant data controller, the transaction process, the data category, the recipient, the service model, and the applicable legislation, to update, expand, narrow, segment, or separate on a process basis the separate information notice referred to in this text.

UPDATE

The company reserves the right to amend and update this clarification text at any time in accordance with any changes in the company’s practices or the applicable legislation.

Date: 30.04.2026