Personal Data Protection and Privacy Policy

When you visit the website ( www.zelome.co ) owned by LUK BOTANİK ENDÜSTRİ VE TİCARET AŞ (“the Company”), in addition to the information texts regarding “membership, quick membership and shopping transactions” on the site, the rules in the “Personal Data and Privacy Policy” below apply.

1. Data Protection

The Company and/or third parties contracted by the Company take the necessary precautions to ensure the security of data obtained through cookies while browsing the website and the data entered by visitors/members/customers (hereinafter referred to as "customer").

Information entered by customers on the website (excluding product reviews) is not visible to other customers.

If the data entered by the customer constitutes personal data within the meaning of Law No. 6698 on the Protection of Personal Data ("the Law"), this data is collected in accordance with Article 10 of the Law, after fulfilling the obligation to inform, and by securing the legal grounds set forth in Article 5 of the Law.

The Company takes utmost care to protect the data (whether personal data or not) shared by the customer, both among its employees and with third parties with whom it must be shared. Data is not shared with third parties unless necessary, and when it is necessary to share it, it is shared only to the extent and for the purpose required.

2. Cookies Used on the Web Page

The website ( www.zelome.co ) uses various types of cookies. These include session cookies, persistent cookies, essential cookies, functionality cookies, analytical cookies, commercial cookies, and third-party cookies.

Cookies are small pieces of data placed on computers and mobile devices to ensure the proper functioning and improvement of the visited website, to personalize and improve the user experience, to allow visits to sites without logging in, and/or to send commercial and social notifications (which may be visible even when the internet browser and/or relevant mobile application are closed), and generally to provide general or customized information, advertisements, and promotions to site users/visitors, both on the site itself and on other sites (including social media networks and online advertising networks).

Cookies are stored on computers and devices for a period appropriate to their purpose, provided that the legally mandated maximum period is not exceeded.

Visitors using our website (including mobile versions) are deemed to have accepted the aforementioned application and the processing of the relevant cookies for the purposes and under the conditions stipulated in the personal data legislation and other parts of this information text (including transfers, sharing, and use by third parties).

Visitors can disable cookies and/or stop receiving these notifications at any time by adjusting the settings of the programs and/or operating systems and/or internet browsers on their devices (in which case, our Site/the relevant device/program may not function as desired and/or visitors may not be informed of the notification content).

3. PAYMENT SECURITY

You can use two payment methods for purchases made through the website: bank transfer and card payment. If you pay by bank transfer, the Company does not access any information that could pose a risk to you. If you wish to pay by card, the Company works with payment institutions licensed under Turkish legislation. Obtaining this license requires meeting a certain security standard in the industry, and in this sense, the Company aims to ensure that your payment transaction is carried out securely.

4. WEBSITES AND LINKS BELONGING TO OTHER PARTIES

The Company's website may contain links to other websites and internet platforms belonging to third parties. The Company does not guarantee the security or privacy procedures of the platforms accessed through these links, and the Company cannot be held responsible for any damages that may occur to the customer.

5. COMPANY POLICY ON THE PROTECTION OF PERSONAL DATA WITHIN THE COMPANY

Aim

The Law No. 6698 on the Protection of Personal Data ("the Law"), published in the Official Gazette dated 07.04.2016 and numbered 29677, aims to protect the fundamental rights and freedoms of individuals, primarily the right to privacy, in the processing of personal data, and to regulate the obligations of natural and legal persons processing personal data and the procedures and principles they must comply with. This Personal Data Storage and Destruction Policy ("the Policy") has been prepared to determine the procedures and principles regarding the storage and destruction activities of personal data carried out within the Company. In this sense, the storage and destruction of personal data are carried out in accordance with the Policy.

Scope

Personal data of “company employees, job applicants, interns, shareholders, supplier employees and officials, individuals purchasing products or services, representatives, visitors and other third parties” are covered by this Policy, and this Policy applies to all record media owned or managed by the Company where personal data is processed and to all activities related to the processing of personal data.

Abbreviations and Definitions

  • Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
  • Explicit Consent: Consent given freely and based on informed knowledge regarding a specific matter.
  • Anonymization: The process of rendering personal data in such a way that it cannot be linked to an identified or identifiable natural person, even when combined with other data.
  • Employee: Company staff.
  • Electronic Environment: Environments where personal data can be created, read, modified, and written using electronic devices.
  • Non-Electronic Media: All written, printed, visual, and other media that are outside of electronic media.
  • Data Subject: The natural person whose personal data is being processed.
  • Relevant User: Individuals within the data controller organization, or those acting under the authority and instructions of the data controller, who process personal data, excluding the person or unit technically responsible for the storage, protection, and backup of the data.
  • Destruction: The deletion, destruction, or anonymization of personal data.
  • Law: Law No. 6698 on the Protection of Personal Data.
  • Recording Medium: Any medium containing personal data processed wholly or partly automatically, or by non-automatic means as part of a data recording system.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Personal Data Processing Inventory: An inventory created by data controllers detailing their personal data processing activities based on their business processes; associating these activities with the purposes and legal basis for processing, data category, recipient group, and data subject group; and specifying the maximum retention period for the purposes for which the personal data is processed, the personal data intended for transfer to foreign countries, and the measures taken regarding data security.
  • Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, keeping, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system.
  • Board: Personal Data Protection Board
  • Special Categories of Personal Data: Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
  • Periodic Destruction: The process of deleting, destroying, or anonymizing personal data that will be carried out automatically at recurring intervals as specified in the personal data retention and destruction policy, when all the conditions for processing personal data stipulated in the law cease to exist.
  • Policy: Personal Data Storage and Destruction Policy
  • Supplier: A natural or legal person who provides services to the company under a specific contract.
  • Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authorization given by the data controller.
  • Data Recording System: A recording system in which personal data is processed by structuring it according to specific criteria.
  • Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
  • Data Controllers Registry Information System: An internet-accessible information system created and managed by the Presidency, which data controllers will use for applications to the Registry and other related transactions.
  • VERBIS: Data Controllers Registry Information System
  • Regulation: Regulation Regarding the Deletion, Destruction, or Anonymization of Personal Data.


RESPONSIBILITIES AND DUTIES

All units and employees of the company actively support the responsible units in ensuring the proper implementation of the technical and administrative measures taken within the scope of the Policy, training and raising the awareness of unit employees, monitoring and continuous auditing, and taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the lawful storage of personal data.

RECORDING MEDIA

Personal data is stored on servers, cloud providers, physical archives, and via email within the Company.

INSTRUCTIONS REGARDING STORAGE AND DISPOSAL

Personal data belonging to "company employees, job applicants, interns, shareholders, supplier employees and officials, individuals purchasing products or services, representatives, visitors, and employees of other third parties, institutions, or organizations contacted" is stored and destroyed by the company in accordance with the law. Detailed explanations regarding storage and destruction are provided below.

Storage Information

Article 3 of the law defines the concept of processing personal data, Article 4 states that processed personal data must be relevant, limited, and proportionate to the purpose for which it is processed, and must be retained for the period stipulated in the relevant legislation or for the period necessary for the purpose for which it is processed, and Articles 5 and 6 list the conditions for processing personal data. Accordingly, personal data within the scope of our company's activities is stored for the period stipulated in the relevant legislation or for the period appropriate to our processing purposes.

Legal Reasons Requiring Concealment

Personal data processed within the scope of the company's activities is retained for the period stipulated in the relevant legislation. In this context, personal data is stored based on the explicit consent of the data subject, or, if one or more of the following reasons exist in the specific case, without the explicit consent of the data subject:

a) If it is explicitly provided for in the laws,

  • Law No. 6698 on the Protection of Personal Data,
  • Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through Such Publications.
  • Law No. 6331 on Occupational Health and Safety,
  • Turkish Code of Obligations No. 6098,
  • Turkish Commercial Code No. 6102
  • 213 p. Tax Procedure Law
  • Law No. 5510 on Social Security and General Health Insurance,
  • Law No. 4982 on the Right to Information,
  • Law No. 3071 on the Exercise of the Right to Petition,
  • Labor Law No. 4857,
  • Law No. 6563 on the Regulation of Electronic Commerce.
  • Law No. 6502 on Consumer Protection,
  • This and other laws and secondary legislation relating to the Company's activities.


b) The processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract.

c) It must be necessary for the data controller to fulfill its legal obligations.

d) It must have been made public by the person concerned themselves,

e) Data processing is necessary for the establishment, exercise or protection of a right.

f) The processing of data is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Processing Purposes Requiring Storage

The company stores the personal data it processes within the scope of its activities for the following purposes:

  • Implementing information security processes,
  • Execution of employee/intern/student selection and placement processes.
  • Managing the job application processes for prospective employees.
  • Fulfilling obligations arising from employment contracts and legislation for employees,
  • Managing employee benefits and advantages processes,
  • Implementing employee satisfaction and engagement processes,
  • Conducting audit and ethics activities,
  • Other,
  • Conducting educational activities,
  • Execution of access permissions,
  • Ensuring that activities are carried out in accordance with the legislation,
  • Managing finance and accounting operations,
  • Ensuring the security of physical spaces,
  • Execution of assignment processes,
  • Following and managing legal affairs,
  • Conducting internal audit/investigation/intelligence activities,
  • Conducting communication activities,
  • Planning of human resources processes,
  • Conducting/supervising business activities,
  • Conducting occupational health and safety activities,
  • Receiving and evaluating suggestions for improving business processes,
  • Conducting activities to ensure business continuity,
  • Managing the processes for purchasing goods/services,
  • Execution of goods/services production and operation processes,
  • Execution of goods/services sales processes,
  • Execution of customer relationship management processes
  • Organization and event management,
  • Conducting performance evaluation processes,
  • Execution of risk management processes,
  • Conducting storage and archiving activities.
  • Conducting social responsibility and civil society activities,
  • Execution of contract processes,
  • Conducting strategic planning activities,
  • Tracking requests/complaints,
  • Ensuring the security of data controller operations,
  • Managing investment processes,
  • Conducting talent/career development activities,
  • Providing information to authorized persons, institutions and organizations,
  • Creating and tracking visitor records.


Reasons Requiring Destruction

Personal data;

  • Amendments or repeals of the relevant legal provisions forming the basis for processing,
  • The purpose requiring its processing or storage ceases to exist,
  • In cases where the processing of personal data is carried out solely based on explicit consent, the withdrawal of explicit consent by the data subject is prohibited.
  • In accordance with Article 11 of the law, the Company's acceptance of the data subject's application for the deletion and destruction of their personal data,
  • If the company rejects an application from the data subject requesting the deletion, destruction, or anonymization of their personal data, finds the response insufficient, or fails to respond within the time limit stipulated by law, the data subject may file a complaint with the Board, and if this request is deemed appropriate by the Board,
  • If the maximum retention period for personal data has expired and there are no circumstances justifying the retention of personal data for a longer period, the data will be deleted, destroyed, or anonymized by the Company upon the request of the data subject, or automatically deleted, destroyed, or anonymized.


TECHNICAL AND ADMINISTRATIVE MEASURES

In order to ensure the secure storage of personal data, prevent its unlawful processing and access, and to ensure its lawful destruction, the Company shall take technical and administrative measures in accordance with Article 12 and Article 6, paragraph four of the Law, within the framework of adequate measures determined and announced by the Board for special categories of personal data.

PERSONAL DATA DESTRUCTION TECHNIQUES

At the end of the retention period stipulated in the relevant legislation or the retention period necessary for the purpose for which they were processed, personal data will be destroyed by the Company, either automatically or upon the request of the data subject, in accordance with the provisions of the relevant legislation, using the "deletion, destruction or anonymization" method most suitable to the Company.

STORAGE AND DISPOSAL PERIODS

Personal data processed within the scope of the company's activities is retained for the period stipulated in the relevant legislation.



PERIODIC DESTRUCTION PERIOD

In accordance with Article 11 of the Regulation, the Company has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out within the Company every year in June and December. All employees are responsible for ensuring that the data under their control is destroyed in accordance with this policy. In this context, they are obliged to notify the destruction officer at the end of the retention periods.

PUBLICATION AND CONFIDENTIALITY OF POLICY

The policy, in its original printed copy, is kept in the relevant file at the Company.

POLICY UPDATE PERIOD

The policy is reviewed as needed, and the necessary sections are updated.

ENTRY INTO FORCE AND ABOLITION OF THE POLICY

The policy shall be deemed to enter into force on the date of signature.

If a decision is made to revoke the Policy, the old copies bearing original signatures will be cancelled by the Company's Board of Directors (by stamping or writing "cancelled") and signed, and kept by the Company for at least 5 years.

TRANSFER OF PERSONAL DATA

Your personal data may only be shared with our group companies, business partners, customers with whom we have agreements and to whom we provide services, suppliers, auditing companies, or public institutions or organizations authorized to request this data due to a legal obligation, and other relevant authorities, for the purposes of conducting the Company's activities, maintaining business relationships between data owners and our customers and/or conducting meetings for this purpose, offering services, opportunities and possibilities, and improving service quality, based on your explicit consent or within the framework of the security and confidentiality principles specified in the Law, both domestically and internationally, provided that the necessary security measures are taken.

The rights of the Personal Data Subject, as listed in Article 11 of the Personal Data Protection Law ("the Law"), will be addressed in response to the following requests from the relevant individuals:

a) To find out whether the relevant individuals' personal data is being processed and which personal data is being processed,

b) Obtaining information regarding the purposes of the processing activity,

c) Knowing the third parties to whom the data subjects transfer their personal data, whether domestically or internationally.

d) Requesting the correction of personal data if it has been processed incompletely or incorrectly.

e) Requesting the deletion or destruction of personal data in accordance with the law.

f) In case of a request for correction, deletion or destruction of personal data; requesting that the actions taken be notified to third parties to whom the personal data has been transferred,

g) The right to object to a result that is detrimental to the individual, arising solely from the analysis of processed data by automated systems.

h) Obtaining copies of your personal data.

How can you exercise your rights regarding your personal data?

You can submit your requests under Article 11 of the KVKK (Law on Protection of Personal Data), which regulates the rights of data subjects, to us in accordance with the "Notification on the Procedures and Principles for Applications to the Data Controller".

INFORMATION ABOUT THE DATA CONTROLLER:

Company Name: LUK BOTANİK ENDÜSTRİ VE TİCARET AŞ

Head Office Address: Kordonboyu Mah. Ankara Cad. İST MARİNA B Blok No 147 B Daire:354 Kartal-İstanbul Kartal VD 609 105 2228

Branch Address: Barış SB. Mahallesi 5002 SK, Yüksek Teknoloji Binası Blok No:3 41400 Gebze Kocaeli

Phone: 0537 772 8070

E-Mail Address: info@luk.com.tr