Logo
KVKK Compliance

INFINITYQ ADVANCED TECHNOLOGY AND ARTIFICIAL INTELLIGENCE SYSTEMS INDUSTRY AND TRADE JOINT STOCK COMPANY (“INFINITYQ”)

PERSONAL DATA PROTECTION AND PROCESSING POLICY

Document Name: InfinityQ Personal Data Protection and Processing Policy (the “Policy”)
Target Audience: All natural persons whose personal data is processed by InfinityQ
Prepared by: InfinityQ
Version: 1.0
Effective Date: 13.04.2026

In the event of any conflict between the Turkish-language version in which this Policy was prepared and any translation, the Turkish text shall prevail.

© INFINITYQ ADVANCED TECHNOLOGY AND ARTIFICIAL INTELLIGENCE SYSTEMS INDUSTRY AND TRADE JOINT STOCK COMPANY, 2026. This document may not be reproduced or distributed without the written permission of InfinityQ.

SECTION 1 – INTRODUCTION

1.1. Introduction

Within the scope of the activities carried out by INFINITYQ ADVANCED TECHNOLOGY AND ARTIFICIAL INTELLIGENCE SYSTEMS INDUSTRY AND TRADE JOINT STOCK COMPANY (“InfinityQ”), the protection of personal data is among the fundamental priorities. This InfinityQ Personal Data Protection and Processing Policy (the “Policy”) explains the principles adopted in the personal data processing activities carried out by InfinityQ, together with the basic principles regarding the compliance of these activities with the provisions of Law No. 6698 on the Protection of Personal Data (the “Law”). In this framework, the Policy aims to inform data subjects and ensure the necessary transparency by providing detailed information about the personal data processing activities carried out by InfinityQ. With the awareness of this responsibility, InfinityQ processes and protects personal data within the scope of this Policy.

1.2. Scope

This Policy concerns data subjects other than InfinityQ employees and covers all personal data processed by InfinityQ by fully or partially automated means, or by non-automated means provided that they form part of a data filing system. Detailed information on the relevant data subject groups is provided in Annex 2 (“Data Subjects”) of this Policy.

1.3. Application of the Policy and Relevant Legislation

The legal regulations in force regarding the processing and protection of personal data shall apply primarily. In the event of any inconsistency between the provisions of the legislation in force and this Policy, InfinityQ accepts that the provisions of the relevant legislation shall prevail. This Policy regulates the procedures and principles for giving concrete form to and implementing the rules and obligations set out by the legislation in force within the framework of InfinityQ’s practices.

1.4. Effectiveness of the Policy

This Policy issued by InfinityQ is dated 13.04.2026. In the event that all or any part of the Policy is updated, the effective date of the current text shall be revised accordingly. The Policy is published on InfinityQ’s website and is also made available to data subjects upon their request.

SECTION 2 – MATTERS RELATING TO THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data

Pursuant to Article 12 of the Law, InfinityQ takes the necessary technical and administrative measures appropriate to the nature of the data, in order to prevent the unlawful processing of personal data, unauthorized access to such data, its transfer, and any risk that could harm data security, and to ensure the preservation of personal data. In this context, InfinityQ implements administrative measures aimed at ensuring an adequate level of security in line with the principle decisions and guidelines published by the Personal Data Protection Board (the “Board”); it carries out, or ensures the carrying out of, the necessary audits.

2.2. Protection of Special-Category Personal Data

Because special-category personal data carries the risk of causing victimization or discrimination for data subjects if processed unlawfully, it is subject to special protection under the Law. Accordingly, pursuant to Article 6 of the Law, “special-category personal data” is defined as data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, as well as health, sexual life, biometric and genetic data. The technical and administrative measures taken by InfinityQ for the protection of personal data are applied separately and within the framework of higher security standards for special-category personal data. In this context, the adequate measures stipulated in the Board’s Decision No. 2018/10 dated 31/01/2018 are implemented in line with the principles explained in the Policy on the Processing and Security of Special-Category Personal Data; activities carried out in this framework are regularly monitored and audited within the scope of the audits performed at InfinityQ. Detailed explanations regarding the processing of special-category personal data are provided in Article 3.3 of this Policy.

2.3. Raising Awareness and Auditing of Business Units Regarding the Protection and Processing of Personal Data

In order to prevent the unlawful processing of personal data or unauthorized access to such data and to ensure the secure preservation of personal data, InfinityQ ensures that regular training is provided to the relevant business units to raise awareness among employees. The training and awareness activities organized by InfinityQ are prepared on the basis of the “Personal Data Security Guide” published by the Personal Data Protection Board on its official website. Through the training and awareness activities carried out, it is aimed that the personal data processing activities carried out by employees in performing their duties are conducted in accordance with the Law and the relevant secondary legislation. In this context, InfinityQ establishes the necessary systems to ensure that newly joining employees, as well as existing employees, gain awareness regarding the protection of personal data; where needed, it receives support from consultants in these processes. In addition, participation in training, seminars and information activities is evaluated taking into account updates in the relevant legislation, and new training programs are organized accordingly.

SECTION 3 – MATTERS RELATING TO THE PROCESSING OF PERSONAL DATA

3.1. Processing of Personal Data in Accordance with the Principles Stipulated in the Legislation

3.1.1. Processing in Accordance with the Law and the Rule of Good Faith. Personal data is processed in accordance with the rule of general trust and good faith, in a manner that does not harm the fundamental rights and freedoms of individuals. In this framework, personal data is processed to the extent required by InfinityQ’s business activities and limited thereto.

3.1.2. Ensuring that Personal Data is Accurate and, Where Necessary, Up to Date. InfinityQ takes the necessary measures to ensure that personal data is accurate and up to date throughout the period it is processed, and establishes the necessary mechanisms to ensure the accuracy and currency of personal data at specified periods.

3.1.3. Processing for Specified, Explicit and Legitimate Purposes. InfinityQ clearly sets out the purposes for processing personal data and processes it for purposes connected with its business activities.

3.1.4. Being Connected with, Limited to and Proportionate to the Purposes for Which They are Processed. InfinityQ collects personal data only to the nature and extent required by its business activities and processes it limited to the specified purposes.

3.1.5. Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose of Processing. InfinityQ retains personal data for the period necessary for the purpose for which it is processed and for the minimum period stipulated in the relevant legislation. In this context, InfinityQ first determines whether a retention period for personal data is stipulated in the relevant legislation and, if a period has been determined, acts in accordance with it. If there is no legal period, personal data is retained for the period necessary for the purpose for which it is processed. At the end of the determined retention periods, personal data is destroyed in accordance with periodic destruction periods or upon the data subject’s application, using the determined destruction methods (deletion and/or destruction and/or anonymization).

3.2. Conditions for the Processing of Personal Data

Apart from the data subject’s explicit consent, the basis for a personal data processing activity may be only one of the conditions set out below, or more than one condition may be the basis for the same processing activity. Where the processed data is special-category personal data, the conditions set out under Article 3.3 (“Processing of Special-Category Personal Data”) of this Policy shall apply.

  • (i) Existence of the data subject’s explicit consent. One of the conditions for processing personal data is the data subject’s explicit consent, which must be disclosed for a specific matter, based on information, and with free will. Where the processing conditions set out below exist, personal data may be processed without the need for explicit consent.
  • (ii) Being expressly provided for in the laws.
  • (iii) Being necessary to process personal data to protect the life or physical integrity of the person or another person where consent cannot be obtained due to actual impossibility.
  • (iv) Being directly related to the establishment or performance of a contract to which the data subject is a party, provided that processing is necessary.
  • (v) Being necessary for InfinityQ to fulfil its legal obligation.
  • (vi) The data subject having made their personal data public, limited to the purpose of making it public.
  • (vii) Being necessary to process data for the establishment, exercise or protection of a right.
  • (viii) Being necessary to process data for the legitimate interests of InfinityQ, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.3. Processing of Special-Category Personal Data

As a rule, the processing of special-category personal data is prohibited. However, InfinityQ processes special-category personal data in compliance with the principles set out in this Policy and where the following conditions set out in Article 6 of the Law exist:

  • (i) Existence of the data subject’s explicit consent.
  • (ii) Being expressly provided for in the laws.
  • (iii) Being necessary to process special-category data to protect the life or physical integrity of the person or another person where consent cannot be obtained due to actual impossibility.
  • (iv) The data subject having made their special-category data public in accordance with their own will, limited to the purpose of making it public.
  • (v) Being necessary to process data for the establishment, exercise or protection of a right.
  • (vi) Being necessary for processing by persons under an obligation of confidentiality or authorized institutions and organizations, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services.
  • (vii) Being necessary for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance.
  • (viii) Processing by foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade-union purposes, in relation to their current or former members and affiliates or persons in regular contact with them, provided that it complies with the legislation to which they are subject and their purposes, is limited to their fields of activity, and is not disclosed to third parties.

3.4. Informing the Data Subject

During the collection of data subjects’ personal data, InfinityQ informs them — in accordance with Article 10 of the Law and the secondary legislation — about who, as data controller, processes their personal data and for what purposes, with whom and for what purposes it is shared, by which methods it is collected, the legal basis for its processing, and the rights they have within the scope of the processing of their personal data.

3.5. Transfer of Personal Data

In line with lawful personal data processing purposes and by taking the necessary security measures, InfinityQ may transfer the data subject’s personal data and special-category personal data to third parties (third-party companies, third-party natural persons). In this regard, InfinityQ acts in accordance with the regulations stipulated in Articles 8 and 9 of the Law. Detailed information on this subject can be accessed from Annex 4 (“Annex 4 – Third Parties to Whom Personal Data is Transferred by InfinityQ and the Purposes of Transfer”) of this Policy.

3.5.1. Transfer of Personal Data to Third Parties Resident in Türkiye. Where one or more of the data processing conditions stated below exist, personal data may be transferred to third parties by InfinityQ with due care and by taking all necessary security measures, including the methods stipulated by the Board: the data subject consenting to the transfer; the relevant activities being expressly provided for in the laws; the transfer being directly related to and necessary for the establishment or performance of a contract; the transfer being mandatory for InfinityQ to fulfil a legal obligation; the data having been made public by the data subject (limited to the purpose of making it public); the transfer being mandatory for the establishment, exercise or protection of the rights of InfinityQ, the data subject or third parties; the transfer being mandatory for InfinityQ’s legitimate interests provided that it does not harm the data subject’s fundamental rights and freedoms; or the transfer being mandatory to protect the life or physical integrity of the person or another, where consent cannot be obtained due to actual impossibility.

3.5.2. Transfer of Personal Data to Third Parties Resident Abroad. The transfer of personal data abroad by InfinityQ is carried out in accordance with Article 9 of the Law and the principles set out in this Policy, by taking technical and administrative measures, as follows: (i) Transfer based on an adequacy decision given by the Board regarding the relevant country, international organization or sectors within a country, provided one of the conditions in Articles 5 and 6 of the Law exists; (ii) Transfer based on appropriate safeguards (such as agreements, binding corporate rules, standard contracts or undertakings) where there is no adequacy decision, provided one of the conditions in Articles 5 and 6 exists and the data subject has the opportunity to exercise their rights and to apply for effective legal remedies in the country of transfer; and (iii) on an incidental basis in the exceptional cases specified in the Law.

3.5.3 & 3.5.4. Transfer of Special-Category Personal Data. The transfer of special-category personal data to third parties resident in Türkiye and abroad is carried out in compliance with the conditions set out in Article 6 of the Law, by taking the adequate measures stipulated by the Board, and — for transfers abroad — in accordance with the adequacy-decision and appropriate-safeguards mechanisms set out in Article 9 of the Law.

SECTION 4 – CATEGORIZATION OF THE PERSONAL DATA PROCESSED BY INFINITYQ AND THE PURPOSES OF PROCESSING

The categories of personal data processed by InfinityQ, the data subject groups, the purposes of processing and the related collection methods are set out in detail in the annexes to this Policy: Annex 1 (Personal Data Processing Purposes), Annex 2 (Data Subjects), Annex 3 (Personal Data Categories) and Annex 4 (Third Parties to Whom Personal Data is Transferred and the Purposes of Transfer).

SECTION 5 – STORAGE AND DESTRUCTION OF PERSONAL DATA

InfinityQ retains personal data for the period stipulated in the relevant legislation or, where no period is stipulated, for the period required for the purpose for which it is processed. At the end of the determined retention periods, personal data is destroyed in accordance with periodic destruction periods or upon the data subject’s application, using the determined destruction methods (deletion, destruction or anonymization), in line with InfinityQ’s Personal Data Retention and Destruction Policy.

SECTION 6 – RIGHTS OF DATA SUBJECTS AND THE EXERCISE OF THESE RIGHTS

6.1. Rights of the Data Subject

Pursuant to Article 11 of the Law, every data subject has the right to: learn whether their personal data is processed; request information if their personal data has been processed; learn the purpose of processing and whether the data is used in accordance with that purpose; know the third parties to whom personal data is transferred, domestically or abroad; request the correction of personal data if it is incomplete or inaccurate; request the deletion or destruction of personal data within the framework of the conditions set out in Article 7 of the Law; request that the correction, deletion or destruction operations be notified to the third parties to whom personal data has been transferred; object to a result arising against the data subject by analysis of the processed data exclusively through automated systems; and request compensation for damage if the data subject suffers damage due to the unlawful processing of personal data.

6.2. Exercise of the Data Subject’s Rights

Data subjects may submit their requests regarding the above rights to InfinityQ, in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller, by filling in the “Data Subject Application Form” that they can access via InfinityQ’s website.

6.3. Response to Applications by InfinityQ

InfinityQ will conclude the requests in the application free of charge, as quickly as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.

Annexes

This Policy includes the following annexes, which set out in detail the personal data processing purposes, data subject groups, personal data categories, and the third parties to whom personal data is transferred together with the purposes of transfer:

  • Annex 1 – Personal Data Processing Purposes
  • Annex 2 – Data Subjects
  • Annex 3 – Personal Data Categories
  • Annex 4 – Third Parties to Whom Personal Data is Transferred by InfinityQ and the Purposes of Transfer

The detailed enumerations in these annexes correspond to the categories and purposes set out in InfinityQ’s privacy notices. In the event of any conflict between this English translation and the Turkish original of the Policy and its annexes, the Turkish text shall prevail.