Policy on Protection and Processing of Personal Data

The Law on Protection of Personal Data No. 6698 came into force by being published in the Official Gazette dated 07.04.2016. In summary, the Law defines personal data, the processing and protection thereof, sets out the general conditions for processing and protecting personal data, and determines the sanctions to be applied in case of non-compliance with the processing and protection rules.

DEFINITIONS

  • Explicit Consent: Consent related to a specific subject, based on information and declared with free will,
  • Anonymization: Rendering personal data impossible to link with an identified or identifiable natural person, even when matched with other data,
  • President: The President of the Personal Data Protection Authority,
  • Data Subject (Related Person): The natural person whose personal data is processed,
  • Personal Data: Any information relating to an identified or identifiable natural person,
  • Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means,
  • Board: The Personal Data Protection Board,
  • Authority: The Personal Data Protection Authority,
  • Data Processor: The natural or legal person who processes personal data on behalf of the data controller upon its authorization,
  • Data Filing System: The system where personal data is processed by being structured according to specific criteria,
  • Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

In this context, INVICTUS (hereinafter referred to as the "COMPANY") is the "DATA CONTROLLER".

PERSONAL DATA

According to KVKK No. 6698, “Personal Data” means any information relating to an identified or identifiable natural person. Personal data cannot be processed without the explicit consent of the data subject. However, the COMPANY may process personal data without the explicit consent of the data subject in the following exceptional cases specified under the KVKK:

  • It is expressly provided for by the laws.
  • It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the actual impossibility or whose consent is not deemed legally valid.
  • It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract.
  • It is mandatory for the data controller to fulfill its legal obligation.
  • The data has been made public by the data subject himself/herself.
  • Data processing is mandatory for the establishment, exercise or protection of a right.
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

SPECIAL CATEGORIES OF PERSONAL DATA

“Special Categories of Personal Data” refers to your data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometrics and genetics. Special categories of personal data are prohibited from being processed without the explicit consent of the data subject. However, personal data other than health and sexual life may be processed without explicit consent in cases foreseen by laws. Personal data relating to health and sexual life may only be processed without explicit consent by persons or authorized institutions and organizations under the obligation of secrecy, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services and financing.

COLLECTION OF PERSONAL DATA

The COMPANY may obtain personal data of customers, employees, employee candidates, and suppliers with whom it has a relationship for any reason, directly or indirectly, from all kinds of written, oral and electronic media, third parties and/or legal authorities.

PERSONAL AND SPECIAL CATEGORIES OF PERSONAL DATA PROCESSED BY THE COMPANY

Personal and special categories of personal data processed by our company are shown in detail in the ANNEX-1 table below.

PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

The COMPANY processes personal data within the framework of the following principles:

  • Compliance with the law and rules of good faith
  • Being accurate and up-to-date when necessary
  • Processing for specific, explicit and legitimate purposes
  • Being connected, limited and proportionate to the purpose for which they are processed
  • Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed

PURPOSES AND LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

Personal data is collected and processed in accordance with KVKK No. 6698 for the purposes specified below, on the legal grounds specified in the Annex-1 Data Table (pg. 6-12) and for the legal reasons specified in the Annex-1 Data Table (pg. 12-13):

  • Fulfilling the COMPANY's legal obligations in accordance with the Health Services Fundamental Law, Social Insurance and General Health Insurance Law, Medical Laboratory Regulation, Regulation on Personal Health Data and other relevant legislation,
  • Sharing personal data such as heart rate and rhythm, body temperature, blood pressure, respiratory rate, oxygen and stress levels, blood sugar amount and sleep patterns, collected through wearable technological products (the main subject of activity of the application), with the doctors selected by the users, providing the monitoring service by the doctors selected by the user, and performing the necessary tests and examinations by the doctors. The sole responsibility of the COMPANY in this process consists of tracking the data flowing into the application, analyzing it and transferring it to the doctor. The COMPANY's responsibility ends with performing the necessary analyses. Subsequent developments are between the doctor and the user, and the COMPANY has no responsibility for them. Delays that may occur in servers may be caused by the manufacturer firm Huawei, and the COMPANY is not responsible for negative situations that may occur due to these delays.
  • Providing, sending and transferring documents and results regarding relevant services,
  • Planning and managing the COMPANY's internal functioning and service delivery,
  • Fulfilling risk management and quality improvement processes,
  • Sharing requested information with private insurance companies and institutions within the scope of financing of health services,
  • Identity verification,
  • Performing invoicing transactions,
  • Sharing requested information and documents with the Ministry of Health and other regulatory and supervisory institutions in accordance with relevant legislation,
  • Carrying out registration procedures for the Person Requesting Health Service, tracking appointments, making relevant reminders,
  • Ensuring the physical space security of the COMPANY
  • Carrying out all kinds of commercial activities conducted by the Company,
  • Planning and execution of Company activities, operational processes and order tracking,
  • Tracking, planning and execution of finance and accounting transactions,
  • Obtaining after-sales support services for goods or services purchased by the Company,
  • Planning and execution of corporate communication activities,
  • Ensuring business continuity,
  • Management and execution of relations with business partners and/or suppliers,
  • Creation and execution of information technologies,
  • Ensuring the security of Company headquarters and/or offices,
  • Ensuring the legal and commercial security of the Company and persons in business relations with the Company,
  • Verifying the identity of employees,
  • Contacting employees or their families in case of emergency,
  • Making position changes within the Company,
  • Developing, managing, improving human resources, finance, accounting processes within the Company,
  • Fulfilling legal obligations regarding the maintenance of the employment relationship and continuing the work relationship,
  • Ensuring physical space security within the workplace,
  • Documenting the use of leave during working hours due to legal proceedings of the personnel,
  • Determining whether there is any health obstacle for the personnel to perform the position they work in,
  • Conducting research on the doctor who will see personal data approved by the user and integrated into the application,
  • Conducting research on employee candidates,
  • Contacting the employee candidate, evaluating whether they are suitable for the position within the company in terms of required knowledge and professional experience and physical health status,
  • Developing, managing, improving human resources processes within the Company and facilitating employment relationship processes for candidates who become employees,
  • Fulfilling other legal obligations.

TRANSFER OF PERSONAL DATA DOMESTICALLY

KVKK regulates that personal data cannot be transferred without the explicit consent of the data subject, but can be transferred without explicit consent if one of the conditions specified in Article 5/2 and, provided that adequate measures are taken, Article 6/3 of the Law exists. Accordingly, personal data may be transferred in the following cases:

  • Existence of explicit consent of the data owner,
  • It is expressly provided for by the laws,
  • It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the actual impossibility or whose consent is not deemed legally valid,
  • It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract,
  • It is mandatory for the data controller to fulfill its legal obligation,
  • The personal data has been made public by the data subject himself/herself,
  • Data processing is mandatory for the establishment, exercise or protection of a right,
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Special categories of personal data are divided into two as health and sexual life data and other special categories of personal data (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, association, foundation or union membership, criminal conviction and security measures, and biometric and genetic data).

Regarding data on health and sexual life: such data is shared with persons or authorized institutions and organizations under the obligation of secrecy for purposes such as protection of public health, the user's selected doctor viewing the user's data and calling the user for examination or directing them via audio/video communication tools, medical diagnosis, treatment and care services, and planning, management and financing of health services, provided that adequate measures are taken in any case.

Regarding special categories of personal data other than health and sexual life: such data is shared with third parties only in cases foreseen by laws and provided that adequate measures are taken in any case.

TRANSFER OF PERSONAL DATA ABROAD

The COMPANY may transfer personal data abroad under the following conditions:

  • Existence of explicit consent of the data owner
  • Existence of one of the conditions specified in Article 5/2 and Article 6/3 of KVKK, and, in the foreign country to which personal data will be transferred: (i) existence of adequate protection, or (ii) in case of lack of adequate protection, the data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and the Board's permission is obtained.

Your data is stored by the main service provider Huawei via servers located in Germany, and the transfer of your data abroad is in question only at the point of data storage. You should also examine the existing foreign data storage text in detail regarding this.

PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED

Personal data may be transferred to legally authorized public institutions and organizations, legally authorized private law legal entities, doctors selected by the user and integrated into the system, and our other business partners, shareholders, company officials, and employees within the scope of the purposes specified in this policy.

RETENTION AND DELETION OF PERSONAL DATA

The COMPANY retains personal data in accordance with legal regulations and processing purposes by taking necessary security measures (detailed in Annex-1 Data Table pg. 13-14). In case the reasons requiring processing cease to exist (if the processing purpose has ended; relevant legislation and retention periods determined by the Company have expired; excluding purposes such as constituting evidence in possible legal disputes or asserting the relevant right depending on personal data or establishing a defense), personal data is deleted, destroyed or anonymized ex officio or upon the request of the data subject.

RIGHTS OF DATA OWNERS

Personal data owners have the following rights in accordance with Article 11 of the KVKK:

  • To learn whether personal data is processed,
  • To request information if personal data has been processed,
  • To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  • To know the third parties to whom personal data is transferred domestically or abroad,
  • To request correction of personal data in case of incomplete or incorrect processing,
  • To request deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of KVKK,
  • To request notification of the transactions made pursuant to subparagraphs (e) and (f) to third parties to whom personal data has been transferred,
  • To object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,
  • To request compensation for the damage in case of loss due to unlawful processing of personal data.

APPLICATION TO THE DATA CONTROLLER

You must submit your requests regarding the rights listed above by filling out the application form at http://www.heartincare.com, by sending a written document by post to the COMPANY's open address given on the http://www.heartincare.com website, or by sending it to one of the [email protected] e-mail addresses. The COMPANY, as the data controller, concludes the requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.


ANNEX-1: DATA TABLE

Each row of the table lists the data type, the data information it covers, the data subject group and the purpose of data processing.

IDENTITY INFORMATION
  Data information: Name-Surname, T.R. Identity No., Date of Birth, Place of Birth, Photo, Old Identity Card or New Identity Card info, Driver's license, passport info, Marital status (only for employees/candidates), Spouse/Child identity/contact info, Parent name-surname, Marriage certificate copy.
  Data subject group: Emergency Contact, Potential Buyer, Employee Candidate, Employee, Supplier Employee/Official, Product/Service Buyer, Parent/Guardian/Representative, Third parties receiving analysis results upon customer request, Shareholder/Partner, Doctor
  Purpose of data processing: Execution of Emergency Management Processes, Execution of Information Security Processes, Execution of Employee Candidate / Intern / Student Selection and Placement Processes, Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Audit / Ethics Activities, Execution of Training Activities, Execution of Access Authorizations, Execution of Activities in Compliance with Legislation, Execution of Finance and Accounting Affairs, Ensuring Physical Space Security, Follow-up and Execution of Legal Affairs, Execution of Communication Activities, Planning of Human Resources Processes, Execution / Audit of Business Activities, Execution of Occupational Health / Safety Activities, Execution of Business Continuity Activities, Execution of Goods / Services Purchasing Processes, Execution of Customer Relations Management Processes, Execution of Storage and Archive Activities, Execution of Contract Processes, Follow-up of Requests / Complaints, Informing Authorized Persons, Institutions and Organizations, Execution of Management Activities

CONTACT INFORMATION
  Data information: Address, phone, e-mail info.
  Data subject group: Emergency Contact, Potential Buyer, Employee Candidate, Employee, Supplier Employee/Official, Product/Service Buyer, Parent/Guardian/Representative, Third parties receiving analysis results upon customer request, Shareholder/Partner
  Purpose of data processing: Execution of Emergency Management Processes, Execution of Information Security Processes, Execution of Employee Candidate Application Processes, Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Training Activities, Execution of Activities in Compliance with Legislation, Planning of Human Resources Processes, Execution / Audit of Business Activities, Execution of Occupational Health / Safety Activities, Execution of Customer Relations Management Processes, Execution of Storage and Archive Activities, Execution of Contract Processes, Follow-up of Requests / Complaints, Informing Authorized Persons, Institutions and Organizations, Execution of Management Activities, Execution of Communication Activities

LOCATION INFORMATION
  Data information: Location info
  Data subject group: Employee, Doctor, User
  Purpose of data processing: Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Activities in Compliance with Legislation, Execution of Communication Activities, Planning of Human Resources Processes, Execution of Storage and Archive Activities, Execution of Contract Processes, Informing Authorized Persons, Institutions and Organizations, Execution of Management Activities

EMPLOYEE & PERSONNEL FILE INFO
  Data information: CV, employment entry-exit declarations, signed payrolls, all kinds of leave request/departure forms, employment contracts, overtime consent, maternity leave, workable/unworkable reports, breastfeeding leave petitions, rest and incapacity reports, OHS and personnel training documents, military status document for male employees and all kinds of documents legally required in the personnel file.
  Data subject group: Employee
  Purpose of data processing: Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Fringe Benefits and Interests Processes for Employees, Execution of Audit / Ethics Activities, Execution of Training Activities, Execution of Activities in Compliance with Legislation, Execution of Finance and Accounting Affairs, Execution of Assignment Processes, Follow-up and Execution of Legal Affairs, Planning of Human Resources Processes, Execution of Occupational Health / Safety Activities, Execution of Business Continuity Activities, Execution of Storage and Archive Activities, Execution of Wage Policy, Informing Authorized Persons, Institutions and Organizations, Execution of Management Activities

LEGAL TRANSACTION INFO
  Data information: Correspondence with judicial authorities.
  Data subject group: Doctor, Employee, Supplier official, Product/Service Buyer, Parent/Guardian/Representative
  Purpose of data processing: Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Activities in Compliance with Legislation, Execution of Finance and Accounting Affairs, Follow-up and Execution of Legal Affairs, Execution of Storage and Archive Activities

CUSTOMER TRANSACTION INFO
  Data information: Bank account number, IBAN number, credit card info, billing and invoice info, interest amount and rate to be paid, debt balance, credit balance, promissory note, check info
  Data subject group: Doctor, Product/Service Buyer
  Purpose of data processing: Execution of Activities in Compliance with Legislation, Execution of Finance and Accounting Affairs, Follow-up and Execution of Legal Affairs, Execution of Goods / Services Purchasing Processes, Execution of Contract Processes, Informing Authorized Persons, Institutions and Organizations

PHYSICAL SPACE SECURITY
  Data information: CCTV recordings.
  Data subject group: Doctor, Employee, Employee Candidate, Product/Service Buyer, Visitor
  Purpose of data processing: Execution of Audit / Ethics Activities, Execution of Access Authorizations, Ensuring Physical Space Security, Execution of Storage and Archive Activities, Ensuring Security of Movable Property and Resources, Informing Authorized Persons, Institutions and Organizations

TRANSACTION SECURITY INFO
  Data information: Website password and username info.
  Data subject group: Doctor (Business Partner), User
  Purpose of data processing: Execution of Information Security Processes, Execution of Access Authorizations, Execution / Audit of Business Activities, Execution of Management Activities

FINANCE INFORMATION
  Data information: Bank account number, IBAN number etc.
  Data subject group: Doctor, Employee, Supplier official, Product/Service Buyer
  Purpose of data processing: Execution of Employee Satisfaction and Loyalty Processes, Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Activities in Compliance with Legislation, Execution of Finance and Accounting Affairs, Follow-up and Execution of Legal Affairs, Execution / Audit of Business Activities, Execution of Goods / Services Purchasing Processes, Execution of Storage and Archive Activities, Execution of Contract Processes, Execution of Wage Policy, Execution of Management Activities

PROFESSIONAL EXPERIENCE AND EDUCATION INFO
  Data information: Education status, certificate course/seminar info, foreign language info, training received during working life, diploma info, interview notes, former workplace info.
  Data subject group: Doctor, User, Employee, Employee Candidate
  Purpose of data processing: Execution of Employee Candidate / Intern / Student Selection and Placement Processes, Execution of Employee Candidate Application Processes, Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Training Activities, Execution of Activities in Compliance with Legislation, Execution of Assignment Processes, Execution / Audit of Business Activities, Execution of Storage and Archive Activities, Execution of Contract Processes, Execution of Wage Policy, Execution of Talent / Career Development Activities, Informing Authorized Persons, Institutions and Organizations

VISUAL AND AUDIO RECORDS
  Data information: Visual and audio records; photos etc.
  Data subject group: Doctor, Employee, Employee Candidate, User
  Purpose of data processing: Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Employee Candidate Application Processes, Execution of Activities in Compliance with Legislation, Execution of Storage and Archive Activities, Execution of Contract Processes, Ensuring Security of Data Controller Operations, Informing Authorized Persons, Institutions and Organizations, Execution of Management Activities

HEALTH INFORMATION
  Data information: Including but not limited to data collected through wearable technological products such as BMI, heart rate and rhythm, body temperature, blood pressure, respiratory rate, oxygen and stress level, blood sugar amount, sleep pattern, examination data obtained after doctor control, genetic disease info from parents, biometric and genetic data; all kinds of health data necessary for the execution of the work, legally mandatory health documents, disability status document, health reports, occupational disease records if any, employment entry examination form, blood type info in driver's license/old ID, statement regarding previous major illness or surgery
  Data subject group: Doctor, Employee, Employee Candidate, Product/Service Buyer
  Purpose of data processing: Transmitting user health data, which is the main subject of the company's activity, to the doctor selected by the user, Execution of Emergency Management Processes, Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Employee Candidate Application Processes, Execution of Activities in Compliance with Legislation, Execution / Audit of Business Activities, Execution of Occupational Health / Safety Activities, Execution of Business Continuity Activities, Execution of Storage and Archive Activities, Execution of Contract Processes

CRIMINAL CONVICTION AND SECURITY MEASURES
  Data information: Criminal conviction and security measures info; criminal record etc.
  Data subject group: Employee, Employee Candidate, User
  Purpose of data processing: Execution of Employee Candidate Application Processes, Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Activities in Compliance with Legislation, Planning of Human Resources Processes, Execution / Audit of Business Activities, Execution of Storage and Archive Activities, Execution of Contract Processes, Informing Authorized Persons, Institutions and Organizations

GENETIC DATA
  Data information: (not specified in the table)
  Data subject group: Product/Service Buyer, Doctor
  Purpose of data processing: Transmitting user health data, which is the main subject of the company's activity, to the doctor selected by the user, Execution of Activities in Compliance with Legislation, Execution / Audit of Business Activities, Execution of Business Continuity Activities, Execution of Storage and Archive Activities, Execution of Contract Processes, Informing Authorized Persons, Institutions and Organizations

POTENTIAL EMPLOYEE INFO
  Data information: CV, interview notes, tests during interview, reference info, military status info, other info in INVICTUS JOB APPLICATION FORM etc.
  Data subject group: Employee Candidate
  Purpose of data processing: Execution of Employee Candidate / Intern / Student Selection and Placement Processes, Execution of Employee Candidate Application Processes, Execution of Assignment Processes, Planning of Human Resources Processes, Execution / Audit of Business Activities, Execution of Business Continuity Activities, Execution of Storage and Archive Activities

DOMESTIC TRANSFER GROUPS

Company employees, natural persons or private law legal entities, shareholders, business partners, suppliers, authorized public institutions and organizations.

INTERNATIONAL TRANSFER GROUPS

No data transfer is made abroad.

LEGAL GROUNDS

  • FOR EMPLOYEE – CUSTOMER / BUSINESS PARTNER / SUPPLIER: Data is processed based on the legal grounds of "it is expressly provided for by the laws, it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract, it is mandatory for the data controller to fulfill its legal obligation, and it is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject" pursuant to Article 5 of KVKK.
  • FOR EMPLOYEE CANDIDATE: Data is processed based on the legal grounds of "it is expressly provided for by the laws, it is mandatory for the data controller to fulfill its legal obligation, and it is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject" pursuant to Article 5 of KVKK.

TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN

  • Network security and application security are provided.
  • Closed system network is used for personal data transfers via network.
  • Key management is applied.
  • Security measures within the scope of procurement, development and maintenance of information technology systems are taken.
  • Security of personal data stored in the cloud is provided.
  • Disciplinary regulations containing data security provisions are available for employees.
  • Training and awareness studies on data security are carried out for employees at regular intervals.
  • KVKK Coordination Board has been established.
  • A Data Breach Response Plan has been prepared and put into effect.
  • Corporate policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
  • Data masking measures are applied when necessary.
  • Confidentiality undertakings are made.
  • Authorities of employees who change duties or leave the job in this field are removed.
  • Current anti-virus systems are used.
  • Firewalls are used.
  • Signed contracts contain data security provisions.
  • Extra security measures are taken for personal data transferred via paper and related documents are sent in confidential document format.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are reported quickly.
  • Personal data security is tracked.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • Security of physical environments containing personal data against external risks (fire, flood etc.) is provided.
  • Security of environments containing personal data is provided.
  • Personal data is reduced as much as possible.
  • Personal data is backed up and security of backed up personal data is also provided.
  • Current risks and threats have been determined.
  • Protocols and procedures regarding special categories of personal data security have been determined and are implemented.
  • Intrusion detection and prevention systems are used.
  • Cyber security measures have been taken and their implementation is constantly monitored.
  • Encryption is performed.
  • Awareness of data processor service providers regarding data security is ensured.

* This document is for informational purposes.