Personal Data Processing and Protection Policy
1. INTRODUCTION
At METX DİJİTAL BİLİŞİM TEKNOLOJİ ANONİM ŞİRKETİ ("CoinTR" or the "Company"), we place utmost importance on the lawful protection and processing of all personal data ("Personal Data") in accordance with the Personal Data Protection Law No. 6698 (“Law”). We conduct all our planning and activities with this care. As a company, we do not consider the protection and processing of Personal Data solely in terms of compliance with the relevant legislation and regulations, but we place the value we give to people at the core of our approach. With this awareness, as a company, we implement all necessary administrative and technical measures for the protection and processing of Personal Data.
2. PURPOSE
The purpose of this Personal Data Processing and Protection Policy (“Policy”) is to protect the fundamental rights and freedoms of individuals to the maximum extent, particularly the right to privacy regulated in Article 20 of the Constitution, in the protection and processing of Personal Data in line with the purpose of the Law. Additionally, it aims to inform Personal Data Owners about the obligations of our Company and the procedures and principles it will comply with under the Law. In line with the purpose of the Policy, explanations will be provided regarding the personal data processing activities carried out lawfully by our Company and the systems adopted for the protection of personal data. In this context, individuals whose personal data are processed by our Company, especially our customers, potential customers, and third parties, will be informed.
3. SCOPE
This Policy covers the Personal Data processed by the Company, including our customers, the real persons authorized to represent legal entity customers, potential customers, and their employees, provided that they are natural persons.
Our Policy is applied to all personal data processing activities owned or managed by the Company. It has been prepared considering the KVKK (Personal Data Protection Law) and other relevant legislation related to Personal Data, as well as the applicable international standards in this field.
4. DEFINITIONS AND ABBREVIATIONS
“COMPANY”, “CoinTR”: Refers to METX DİJİTAL BİLİŞİM TEKNOLOJİ ANONİM ŞİRKETİ, the operator of the Platform, an independent private law legal entity established under Turkish Law. CoinTR conducts commercial activities on its own behalf and is not an agent, branch, or representative of any domestic or foreign legal entity.
“WEBSITE”: Refers to the cryptocurrency trading system managed by CoinTR, including all web pages, web applications, and application programming interfaces (API) offered at the internet address www.CoinTR.com.
“PLATFORM”: Refers to the website composed of the domain name www.CoinTR.com and its subdomains, as well as the mobile applications offered on the Android and iOS operating systems owned by CoinTR.
“KVKK”, “LAW”: Refers to the Personal Data Protection Law No. 6698.
5. PROCESSING OF PERSONAL DATA
5.1. GENERAL PRINCIPLES IN THE PROCESSING OF PERSONAL DATA
Personal Data are processed by our Company in accordance with the procedures and principles stipulated in the Law and this Policy. Our Company processes Personal Data in compliance with the relevant legislation and the requirements of the principle of good faith and uses them within these limits.
5.1.1. Being Accurate and Up-to-Date When Necessary
Our Company ensures that the Personal Data it processes is accurate and up-to-date, considering the fundamental rights and legitimate interests of the Personal Data Owners. In this regard, our Company takes the necessary measures to maintain the accuracy and currency of the Personal Data.
5.1.2. Processing for Specific, Explicit, and Legitimate Purposes
Our Company clearly and precisely determines the legitimate and lawful purposes for personal data processing. Personal Data is processed only to the extent necessary for fulfilling the duties conferred by law and for the products and services it offers. The purposes for which Personal Data will be processed are identified before the Personal Data processing activity begins.
5.1.3. Being Relevant, Limited, and Proportionate to the Purpose for Which They Are Processed
Our Company processes Personal Data in a manner that is relevant and limited to what is necessary for achieving the specified purposes, avoiding the processing of Personal Data that is not related to or necessary for the realization of the purpose.
5.1.4. Retaining for the Period Stipulated in the Relevant Legislation or Required for the Purpose for Which They Are Processed
Our Company retains Personal Data only for the period stipulated in the relevant legislation or as required for the purpose for which it is processed. In this context, our Company first determines whether a retention period is specified in the relevant legislation and complies with this period if specified. If no period is specified, Personal Data are retained for the duration necessary for the purpose for which it was processed. Upon expiration of this period or elimination of the reasons requiring processing, such Personal Data will be deleted, destroyed, or anonymized by the Company.
5.2. CONDITIONS FOR PROCESSING PERSONAL DATA
The Company does not process Personal Data without the explicit consent of the data subject. However, our Company may process Personal Data without the explicit consent of the data subject under the following conditions.
5.2.1. Explicitly Provided for by Laws
Our Company may process the Personal Data of Personal Data Owners without their explicit consent if it is explicitly provided for by laws.
5.2.2. Cases Where the Data Subject Is Unable to Give Consent Due to Actual Impossibility or Where Consent Cannot Be Legally Validated and Processing is Necessary for the Protection of Life or Physical Integrity
In cases where the data subject is unable to give consent due to actual impossibility or where their consent cannot be legally validated, Personal Data may be processed if it is necessary to protect the life or physical integrity of the data subject or another person.
5.2.3. Processing of Personal Data of the Parties to a Contract, Provided That It Is Directly Related to the Establishment or Performance of the Contract
Personal Data of the parties to a contract may be processed where necessary, provided that it is directly related to the establishment or performance of the contract.
5.2.4. Necessary for Compliance with a Legal Obligation to Which Our Company Is Subject
Personal Data of the data subject may be processed if it is necessary for the Company to fulfill its legal obligations as a data controller.
5.2.5. Personal Data Made Public by the Data Subject
If the data subject has made their Personal Data public themselves, the relevant Personal Data may be processed.
5.2.6. Processing is Necessary for the Establishment, Exercise, or Protection of a Right
Personal data may be processed if it is necessary for the establishment, exercise, or protection of a right.
5.2.7. Processing is Necessary for the Legitimate Interests of Our Company, Provided That It Does Not Harm the Fundamental Rights and Freedoms of Personal Data Owners
Personal Data may be processed if it is necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.
5.2.8. Explicit Consent
One of the conditions for processing Personal Data is the explicit consent of the data subject. The explicit consent of the data subject must be based on specific information and be given freely concerning a particular matter. If any of the conditions specified in Article 5/2 (a), (b), (c), (ç), (d), (e), or (f) of the Law do not exist, the Company's Personal Data processing activities are carried out based on the explicit consent of the data subject for these processing activities.
5.3. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
Special categories of Personal Data are processed by our company under the following conditions, provided that appropriate measures are taken, as determined by the Authority, when the explicit consent of the data subject is not available:
Special categories of Personal Data other than those relating to the health and sexual life of the data subject, in cases provided for by law,
Special categories of Personal Data relating to the health and sexual life of the data subject may be processed only by persons or authorized institutions and organizations that are under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.
6. METHOD AND LEGAL REASON FOR PROCESSING PERSONAL DATA
Your Personal Data is processed by the Company through various channels including our website, social media channels, mobile and digital applications, user communications via phone/mobile/internet channels, and written and digital applications made to the Data Controller. This also includes verbal, written, visual, or electronic channels, in accordance with the KVKK legislation. Your personal data, obtained through these channels, is processed based on at least one of the Personal Data processing conditions specified in Articles 5 and 6 of the Law. The processing of Personal Data is carried out in compliance with the general principles outlined in the Law, especially the principles stated in Article 4 concerning the processing of Personal Data.
7. YOUR PROCESSED PERSONAL DATA
In this section, the types of Personal Data belonging to Users that are processed by the Company as part of the services provided, and that are considered Personal Data under the Law, as well as the purposes for which these Personal Data are processed, are listed below.
Data Category | Processed Personal Data | Purpose of Processing |
Identity and Contact Data | Your name, surname, gender, and age information, photo, TCKN, date of birth, email address, mobile phone number, Registered Electronic Mail Address | ● Membership processes ● Identity verification processes |
| Residential Address | ● Execution of information security processes ● Fulfillment of legal obligations ● Follow-up and execution of legal affairs ● Management of processes related to the establishment and execution of the contract ● Execution of communication activities ● Provision of information to authorized persons, institutions, and organizations |
| | ● Management of customer relationship processes ● Management of requests and complaints ● Management of business processes |
Payment Transaction Data | Bank/investment firm/payment institution account information, invoice, IBAN, tax office information, wallet address | ● Enabling the user to perform buying and selling transactions ● Management of finance and accounting processes ● Fulfillment of legal obligations ● Provision of information to authorized persons, institutions, and organizations ● Execution of contract processes |
Transaction Security Data | IP address, device information, log records, password and password information, cookie information, website login and logout times, location data, wallet activity, cryptocurrency trading data | ● Ensuring that activities are carried out in accordance with legislation ● Provision of information to authorized persons, institutions, and organizations ● Ensuring information and transaction security and preventing malicious use ● Follow-up and execution of legal processes ● Ensuring the security of platform-related operations |
Visual and Audio Data | Selfie image, photo, online/offline video image via digital applications, call center voice recording | ● Management of customer communication processes ● Ensuring that activities are carried out in accordance with legislation ● Provision of information to authorized persons, institutions, and organizations ● Follow-up and execution of legal processes |
Marketing Data (With explicit consent) | Cookie Records | ● Execution of advertising/campaign/promotion processes ● Execution of product/service marketing processes ● Conducting marketing analysis activities |
8. TRANSFER OF PERSONAL DATA
Your Personal Data held by CoinTR is securely stored and is not transferred to third parties except in the following cases. Your processed Personal Data, for the purposes mentioned above and in accordance with the conditions stipulated by the Law, may be transferred to:
CoinTR Employees, Cloud Service Providers, Institutions that are required to share Personal Data as per the legislation, Banks, Call Centre, Cargo Companies, Biometric Data identification companies, Survey Companies, Overseas 3. Service Providers, Website Security Service Providers, International official organisations as required by law, Institutions that are obliged to transfer Personal Data as explicitly stipulated in the laws, Financial Crimes Investigation Board (MASAK) Presidency, BDDK (Banking Regulation and Supervision Agency), CMB - Capital Markets Board, Turkish Courts, Tax Offices, Cyber Crimes Units through Prosecution Offices, Agencies we work with, Marketing Department, Customer Service Specialists, Risk-Management Department, Operator Institutions, Overseas Data Transfer Centres, Domestic Audit Firms, Financial Consultancy Service Providers, Company's affiliates, subsidiaries, parent companies, subsidiaries, group companies, shareholders, business partners and suppliers limited to the purpose of providing our products and services, cargo companies that the Company works with, Customer Loyalty Service Providers, the law firm that the Company works with, the survey companies that the Company works with, Online Invoice Companies, Data Security Providers, Overseas audit companies, domestic service providers in order to fulfil legal compliance obligations, Overseas audit companies and financial consultancy services providers, Customer information (invoices and information on invoices) to be provided to these companies in case we receive overseas audit services, Overseas business partners, service providers, our business partners and suppliers limited to the purpose of providing our products and services, the Company's affiliates, subsidiaries, main partner companies, overseas cargo companies that the Company works with, overseas survey companies that the Company works with, Data Security Providers (Data Penetration Tests, Security Measures), Voice Recognition, Recording Service Providers, Security Service Providers.
CoinTR takes all necessary technical and administrative measures to ensure the protection of your Personal Data when it is transferred nationally or internationally. The data processing activity in the form of data transfer abroad will be carried out with the "explicit consent" of the data subject. CoinTR will make reasonable efforts to ensure that such third parties take the necessary technical and administrative measures to protect the Personal Data transferred.
9. PROCEDURES AND PRINCIPLES REGARDING THE TRANSFER OF PERSONAL DATA ABROAD
Pursuant to the eleventh paragraph of Article 9 and subparagraph (e) of the first paragraph of Article 22 of the Law, the Procedures and Principles Regarding the Transfer of Personal Data Abroad, prepared and published in the Official Gazette No. 32598 on July 10, 2024, shall be adhered to. Compliance will be ensured in accordance with the first paragraphs of Articles 5, 6, and 7 of the Procedures and Principles Regarding the Transfer of Personal Data Abroad.
a) Personal Data may only be transferred abroad by the data controller and data processor in accordance with the procedures and principles set forth in the Law and the relevant regulation. In the event that Personal Data is transferred by the data processor, it is also obligatory to comply with the instructions of the data controller.
b) The provision of the first paragraph shall also apply to subsequent transfers of Personal Data transferred abroad and to transfers to international organizations.
c) Provisions in other laws regarding the transfer of Personal Data abroad are reserved.
Procedures for the transfer of Personal Data abroad
d) Personal Data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 of the Law exists and one of the following circumstances occurs:
e) The existence of an adequacy decision regarding the country to which the transfer will be made, the sectors within the country, or international organizations.
f) In the absence of an adequacy decision, one of the appropriate safeguards specified in Article 10 must be provided by the parties, provided that the data subject has the opportunity to exercise their rights and seek effective legal remedies in the country to which the transfer will be made.
g) In the absence of an adequacy decision and if none of the appropriate safeguards specified in Article 10 can be provided by the parties, Personal Data may only be transferred abroad by data controllers and data processors on an occasional basis if one of the exceptional circumstances specified in Article 16 is present.
h) Without prejudice to the provisions of international agreements, Personal Data may be transferred abroad with the permission of the Board, taking into account the opinion of the relevant public institution or organization, only if Turkey’s or the relevant individual’s interest would be significantly harmed.
Transfer of Personal Data abroad by the data processor
i) In the event that Personal Data is transferred abroad by the data processor, the data processor must act within the purpose and scope determined by the data controller, on behalf of the data controller, and in accordance with the instructions given by the data controller. The data processor shall take all necessary technical and administrative measures to ensure an appropriate level of security according to the nature of the Personal Data, to prevent unlawful processing, unlawful access, and to ensure the safeguarding of Personal Data.
j) The transfer of Personal Data abroad by the data processor does not remove the responsibility of the data controller regarding compliance with the procedures and principles set forth in the Law and the relevant regulations, and the provision of safeguards. The data controller is obligated to ensure that the technical and administrative measures specified in the first paragraph are taken by the data processor.
k) If the data processor is obligated to notify the standard contract pursuant to the fifth paragraph of Article 14, the data processor shall fulfill the notification obligation without the need for instructions from the data controller.
10. RETENTION PERIOD OF PERSONAL DATA
CoinTR will act in accordance with Law No. 6698, the Regulation on the Deletion, Destruction, or Anonymization of Personal Data ("Regulation"), and the deadlines set by authorized public institutions, organizations, judicial authorities, and the relevant provisions of the Financial Crimes Investigation Board ("MASAK"), only to the extent required and limited by law. CoinTR will fulfill its obligations under Article 12 of the Regulation in response to users who request the destruction of their Personal Data in accordance with Article 13 of the Law.
Identity and Contact Data | 10 years. This information will be registered as long as the user has an active membership. |
Marketing Data | 6 months-2 years. This information will be registered as long as the user has an active membership. |
Payment Transaction Data | 10 years. This information will be stored as long as the user has an active membership. |
Transaction Security Data | 10 years. This information will be stored as long as the user has an active membership. |
Visual and Audio Data | 10 years. This information will be stored as long as the user has an active membership. |
If the purpose of processing Personal Data has ended and the retention periods determined by the relevant legislation and the Company have come to an end, Personal Data can only be stored for the purpose of constituting evidence in possible legal disputes, to assert the relevant right related to Personal Data, or to establish a defense. In determining the retention periods, the statute of limitations for asserting the mentioned right and examples of previous requests addressed to our Company on the same issues, despite the expiry of the statute of limitations, are considered. In this case, the stored Personal Data will not be accessed for any other purposes, and access to the relevant Personal Data is provided only when it is required for the relevant legal dispute. Upon the expiry of the aforementioned period, Personal Data will be deleted, destroyed, or anonymized.
11. INFORMATION REGARDING COOKIES
You can learn more about cookies in the “Cookie Policy” on the Platform.
12. SECURITY OF PERSONAL DATA
12.1. Our Obligations Regarding the Security of Personal Data
We take all necessary administrative and technical measures, considering technological capabilities and implementation costs, to ensure that all Personal Data are:
Prevented from being processed unlawfully,
Prevented from being accessed unlawfully,
Stored securely in accordance with the law.
12.2. Measures We Take to Prevent the Unlawful Processing of Personal Data
Conducting and commissioning necessary audits within our Company,
Training and informing our employees about the lawful processing of Personal Data,
Evaluating the activities conducted by all business units in detail, and processing Personal Data specific to the commercial activities carried out by the relevant units based on the results of these evaluations,
Including provisions in contracts with third parties who process Personal Data on behalf of our Company, ensuring that these relevant parties take necessary security measures,
Notifying the Personal Data Protection Authority (KVKK) in case of unlawful disclosure or data breach and conducting the necessary investigations and measures as stipulated by the legislation.
12.2.1. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
To prevent unlawful access to Personal Data, we:
Employ staff with necessary technical expertise,
Periodically update and renew technical measures where necessary,
Establish access authorization procedures within our Company,
Define procedures for reporting our technical measures and audit processes,
Create and periodically audit data recording systems used within our Company in compliance with legislation,
Develop and implement emergency response plans against potential risks,
Train and inform our employees about access and authorization concerning Personal Data,
Include provisions in contracts with third parties who process, store, or access Personal Data on behalf of our Company to ensure that these relevant parties take necessary security measures,
Establish security systems in line with technological advancements to prevent unlawful access to Personal Data.
12.2.2. Measures Taken in Case of Unlawful Disclosure of Personal Data
We take all necessary administrative and technical measures to prevent the unlawful disclosure of Personal Data and review and update these measures in accordance with our relevant procedures. If we detect unauthorized disclosure of Personal Data, we have established systems and infrastructures to notify the relevant data subjects and the Personal Data Protection Authority (KVKK).
Despite all the administrative and technical measures taken, if an unlawful disclosure occurs and the KVKK deems it necessary, this situation may be announced on the KVKK's website or by other means as may be directed by the KVKK.
13. RIGHTS OF THE DATA SUBJECT
Data subjects have the right to:
- Learn whether Personal Data is being processed,
- Request information if their Personal Data have been processed,
- Learn the purpose of processing Personal Data and whether they are used in accordance with their purpose,
- Be informed of the identities of the third parties to whom Personal Data is transferred, locally or abroad,
- Request the correction of incomplete or incorrect Personal Data and request that the relevant process be notified to third parties to whom Personal Data is transferred,
- Request the deletion or destruction of Personal Data if the reasons for processing are no longer valid, despite the data having been processed in accordance with the Law and other relevant legal provisions, and request that the relevant process be notified to third parties to whom Personal Data is transferred,
- Object to the occurrence of any event that is to their detriment through the analysis of processed Personal Data exclusively by automated systems,
- Demand compensation for the damages in case of unlawful processing of Personal Data.
13.1. EXERCISING RIGHTS RELATED TO PERSONAL DATA
The data subjects can submit their request regarding their Personal Data either through a separate method determined by the Authority or by sending a written and wet-signed application to the address of our Company at Maslak Mah. Bilim Sk. Sun Plaza Blok No: 5a Iç Kapı No: 20 Sarıyer/ İstanbul, or by sending an email from their registered email address to [...@...], or by sending an electronically signed request to the CoinTR KEP address [....@hs01.kep.tr].
Requests and applications submitted to CoinTR by the data subjects must be in Turkish and should at least include the following:
Name, surname, date and wet signature if the application is in writing,
Turkish ID number if a Turkish citizen, residence permit and ID number if not a Turkish citizen,
Residential or workplace address for notification,
Electronic mail address and telephone number, if any,
The subject of the request must be specified, and all kinds of information and documents related to the request must be attached to the application.
Requests related to Personal Data will be concluded within a maximum of 30 (thirty) days free of charge. However, if the process incurs an additional cost, a fee will be charged according to the tariff determined by the Personal Data Protection Board. During the application or evaluation process, additional information and documents may be requested. It is important to note that the application date will be considered as the date the document is received by the Company for written applications, and the date the application reaches the Company for other methods.
If your request is to be made on behalf of someone else, a power of attorney and other documents verifying your identity must be attached to your application. If a response containing Personal Data is to be given to you or an action related to processed Personal Data is to be taken based on your application, and if the application is not made in person, through a notary, or via KEP, the Company may request you to verify your identity to ensure that the Personal Data is not delivered to the wrong persons or that malicious individuals do not take action on behalf of the actual data subjects.
In cases where the application is rejected, the response is found insufficient, or the response is not provided within the specified time, the applicant has the right to file a complaint with the Board within 30 (thirty) days from the date of learning the response and in any case within 60 (sixty) days from the date of application.
14. ENFORCEMENT AND UPDATES
This Policy is deemed to have entered into force upon its publication on the Platform.
This Policy is reviewed at least once a year and updated as necessary in accordance with the established applicable laws and principles.
The Company reserves the right to make changes to this Policy in parallel with legal regulations. The most updated version of the Policy can be accessed from the Platform.