ININAL PAYMENTS AND ELECTRONIC MONEY SERVICES INC.
USER DISCLOSURE TEXT

Updated: 01/09/2023

Dear User,

We, as İNİNAL ÖDEME VE ELEKTRONİK PARA HİZMETLERİ A.Ş. ("Company" or "İninal"), aim to inform you, our valuable Ininal card product and service users, with this Clarification Text regarding how we process personal data within the scope specified in Article 10 of the Personal Data Protection Law No. 6698 ("KVK" or "Law"). We attach importance to the security and protection of your personal data that you share with us.

1. WHAT IS THE PURPOSE AND SCOPE OF THE DISCLOSURE STATEMENT?

Ininal is a "Data Controller" as defined in the Law. In this regard, we process your personal data in accordance with the Law and take appropriate, measured and adequate administrative and technical measures to protect your personal data. You can review our Privacy Policy for information on the processing of personal data and basic concepts related to personal data.

2. WHO ARE WE AS DATA CONTROLLERS?

We, as the data controller, fulfill our obligations arising from the law and Board decisions by taking administrative and technical measures at an appropriate and measured level. The contact information through which you can reach us regarding our imprint and personal data is as follows:

Title: İNİNAL ÖDEME VE ELEKTRONİK PARA HİZMETLERİ A.Ş.

Address: Mecidiyeköy Yolu Caddesi No:12 Trump Towers 2. Kule Kat:9 N:448 Şişli/Istanbul

Our Websites: https://www.ininal.com/

Phone: + 0850 311 77 01

E-mail (for data subject applications): kvkbasvuru@ininal.com

3. WHICH OF YOUR PERSONAL DATA DO WE PROCESS?

We process the personal data and sensitive personal data of our Prepaid Ininal Card ("Ininal Card" or "Card") users (and their legal representatives for users under the age of 18) in the categories listed below.

Category: Description

Identity: Name and surname, TR ID number, Parent's name, Date of birth, Place of birth, Identity card serial number, etc.

Contact: E-mail address, Contact address, Registered e-mail address (REM), Telephone number, etc.

Legal Action: Information in correspondence with judicial authorities, information in the case file, parent/guardian information

Customer Transaction: Transaction owner information, transaction number, date of creation of the transaction, date of processing, payment date, transaction amount, all kinds of requests and complaints submitted by users, all kinds of comments added during the realization of the transaction and all kinds of records and reports related to them, etc.

Physical Space Security: Entry and exit registration information of employees and visitors, Camera records, etc.

Transaction Security: Password information, security question, certificate, encryption key, IP address information, website login and exit information, user name surname, CVV2, CVC2 code, etc.

Risk Management: All information that can be used within the scope of KYC (Know Your Customer Principles), AML (Anti-Money Laundering) and Antifraud (Anti-Fraud) financial security and risk management activities

Finance: Bank name, account number, IBAN number, balance information, etc.

Marketing: Shopping history information, Survey, Cookie records, Discount- Information obtained through campaign work, etc.

Visual and Auditory Records: Photos in the ID, images on social media channels, call center audio recordings, etc.

Philosophical Belief, Religion, Sect and Other Beliefs: Information on religious affiliation in identity documents

Biometric Data: Face ID for identification and verification

Other Information: Signature, signature circular, etc.



4. FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA?

Your collected personal data will be processed in accordance with the principles and procedures specified in Articles 4, 5 and 6 of the Law within the framework of the following purposes:

o Opening a User/Membership account,

o Obtaining Parent/legal representative approval for minors

o Cooperating with licensed organizations for international transfers,

5. BY WHICH MEANS DO WE PROCESS AND PROTECT PERSONAL DATA?

We process your data in accordance with the principles set out in Article 4 and the conditions set out in Articles 5 and 6 of the Law.

Your personal data is processed automatically or non-automatically in electronic media such as instant messaging, e-mail, Ininal mobile application, online customer support line, call center, servers, social media and rarely in physical media such as some office documents.

We, as the Company, take all necessary technical and administrative measures in an appropriate and measured manner to protect the personal data we process and to prevent unauthorized access and victimization of data subjects. In this framework, we strive to ensure that our applications, software and information systems comply with the standards and are kept up-to-date, that data transfer agreements are signed with the parties with whom data is shared, and that our employees who handle personal data act in accordance with the "Privacy Undertaking" we receive from them.

In addition, your personal data is kept by Ininal in accordance with PCI DSS within the scope of the User's financial data security.

6. WHY AND WITH WHOM DO WE SHARE PERSONAL DATA?

The necessary personal data of our Ininal card users may be transferred, for the purposes listed below and in accordance with Articles 8 and 9 of the Law, to organizations with which we have a business relationship, Group Companies, domestic public and private institutions/organizations and platforms originating abroad, which are service providers and solution partners whose administrative, legal and technical services we benefit from.

Ininal, as a data controller, performs the necessary controls to the extent possible to ensure that the institutions and organizations with which it shares data fulfill their obligations arising from the Law, and secures the obligations of the parties through data transfer agreements, data processing agreements and undertakings.

6.1 What is the Nature and Scope of Domestic Sharing/Access?

We share personal data with the following resident data controllers and data processors.

1- With banks; For the purposes of carrying out operational processes for the payment of Ininal Card products and services,

2- With the Law Office; For the purposes of Conducting Legal Affairs and Litigation, Completing the Contract Processes, Informing the Authorized Persons, Institutions and Organizations,

3- With our Managers and Partners; For the purposes of Executing Management Activities,

5- With Group Companies and Business Partners; For the Purposes of Execution / Supervision of Business Activities, Customizing and recommending Ininal Card and services according to user taste, usage habits and needs, providing benefits to the User, organizing personalized campaigns and promotional activities, Ensuring legal and commercial business security

6- With card organizations such as MasterCard International, Visa International, Troy; For the purpose of enabling debit card, credit card and prepaid card users to make payments between banks and merchant banks;

7- With official institutions and organizations such as BRSA, Central Bank of the Republic of Turkey, FCIB, Interbank Card Center, judicial authorities, police and law enforcement units; For the purpose of providing Information to Authorized Persons and Institutions, in order to fulfill the Audit and Notification Obligations pursuant to Laws No. 6493 and 5549,

8- With the GSM Operator and SMS Supplier; For the purposes of completing the approval and activation processes for enabling users who prefer to make advantageous purchases from contracted merchants, organizing personalized campaigns and promotional activities,

9- With Information Companies (external service providers related to information systems); For the purposes of Execution of Information Security Processes, Backup of Data, operation of the website,

10- With the Representative Institutions; For the purposes of establishing the Ininal card user agreement and verifying the user information;

11- With institutions licensed from the CBRT; For the purpose of providing international money transfer services to our users;

6.2. What is the Nature and Scope of Overseas Sharing/Access?

The Company may share your personal data via WhatsApp originating in the USA for the purposes of Execution of Communication Activities, Ensuring Customer Satisfaction, Using an Instant Messaging Platform in order to Respond Faster to Requests, Questions and Comments from Users, Execution of Product / Service Sales Processes, Execution of Office Business and Operations.

The service provider's privacy policy can be found at the following link:

1- WhatsApp Privacy Policy

7. FOR WHICH LEGAL REASONS DO WE PROCESS YOUR PERSONAL DATA?

Your personal data may be processed primarily based on the condition of "explicit consent" as stated in Article 5 of the Law. As also stated in the same article, your personal data may be processed "without seeking explicit consent" for the following purposes:

a) To fulfill the provisions of the relevant legislation to which it is subject, based on the legal reason "expressly stipulated in the law",

b) To fulfill the requirements of the User Agreement to which you are a party, based on the legal reason of "establishment or performance of the Agreement",

c) To fulfill the legal obligations stipulated in the relevant legislation, such as responding to the information-document requests of institutions/organizations that we are obliged to audit and notify, such as FCIB, CBRT, judicial authorities, based on the legal reason that "the data controller can fulfill its legal obligation",

d) Based on the legal reason of the data having been "made public by the person concerned",

e) To be a means of proof in possible disputes, to receive legal consultancy and technical support based on the legal reason of "establishment, use or protection of a right"

f) To cooperate with representative organizations in order to expand the use of Ininal card and to increase brand value and awareness in the sector, provided that it does not harm the fundamental rights and freedoms of the data subject, based on the legal reason that data processing is mandatory for the "legitimate interests" of the data controller.

To this extent, we process your personal data within the framework of the following laws and other legislation in accordance with Article 5/a of Law No. 6698:

1- The Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions,

2- The Law No. 5549 on Prevention of Laundering Proceeds of Crime

3- The Turkish Commercial Code No. 6102

4- The Law No. 6563 on the Regulation of Electronic Commerce

5- The Law No. 6098 on Turkish Code of Obligations

6- The Law No. 213 on Tax Procedure

7- The Law No. 6473 on Value Added Tax

8- The Law No. 6698 on the Protection of Personal Data Art. 5/f (Legitimate Interest)

9- The Law No. 6698 on the Protection of Personal Data Art. 5/ç (Legal Obligation)

10- The Decree Law No. 660 on the Organization and Duties of the Public Oversight, Accounting and Auditing Standards Authority

11- The Regulation on the Procedures and Principles Regarding the Fees to be Charged to Financial Consumers

12- The Regulation on Measures to Prevent Laundering Proceeds of Crime and Financing of Terrorism

13- The Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers

14- The Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services

In particular, under the "Communiqué on the Management and Audit of Information Systems of Payment Institutions and Electronic Money Institutions" and other sub-regulations such as CBRT regulations, biometric data is required for authentication purposes. In this respect, Ininal authenticates our users who request the Ininal Plus service with the help of a facial model algorithm, using only the facial ID system. Your personal data in this category are processed based on the explicit consent condition pursuant to Article 6/3 of Law No. 6698, in accordance with the other principles in the Law and the Guidelines on the Issues to be Considered in the Processing of Biometric Data published by the PDP Authority. They are recorded only in our own systems and can be shared only with public institutions and organizations authorized by special legislation such as Laws No. 5549 and 6493, to which Ininal is subject, for transactions such as inspection and audit.

8. WHAT ARE YOUR RIGHTS AS A DATA OWNER?

As personal data owners as listed in Article 11 of the Law, you have the right to demand

9. HOW CAN YOU EXERCISE YOUR RIGHTS REGARDING PERSONAL DATA?

You can obtain information about your rights and the application process within the scope of Article 11 of the Law, which regulates the rights of the data subject, on our "Personal Data Owner Applications" page, and you can apply to us by using the "Personal Data Owner Application Form" on the same page.

I HAVE READ AND UNDERSTOOD THE DISCLOSURE TEXT.