With this Information Notice, it is aimed to inform you that your personal data you have provided to bogazicict3.net (the “Website”) may be processed by the Website in the manner stated in this information notice and limited to the purposes specified herein, within the scope of the Personal Data Protection Law No. 6698 (“Law”) and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform (“Communiqué”); and that your personal data may be transferred to the persons stated below, both domestically and abroad.

Information as the Data Controller As Boğaziçi University Center for Targeted Therapy Technologies (Boğaziçi CT³), whose detailed corporate information is published below, and acting as the Data Controller pursuant to the Law No. 6698, your personal data may, within the framework explained on this page; be recorded, stored, updated, disclosed/transferred to third parties where permitted by legislation, classified, and processed in the ways set out under the Law.

How your personal data may be processed Pursuant to the Law No. 6698, the personal data you share with Boğaziçi CT³ may be obtained fully or partially, automatically or non-automatically provided that it forms part of any data recording system, and may be processed by us by being recorded, stored, modified, reorganized; in short, by being subject to any operation performed on the data. Any operation performed on personal data within the scope of the Law is deemed as “processing of personal data”.

Purposes and legal grounds for processing your personal data The personal data you share will be processed in accordance with the Law No. 6698 and relevant secondary legislation; in order to duly perform the requirements of the services we provide to our clients and in line with the requirements of the contract and technology, and to improve our products and services; to record identity, address and other necessary information to identify the transaction holder within the scope of Law No. 6563 on the Regulation of Electronic Commerce, Law No. 6502 on the Protection of Consumers, the Regulation on Service Providers and Intermediary Service Providers in Electronic Commerce published in the Official Gazette dated 26.08.2015 and numbered 29457, the Distance Contracts Regulation published in the Official Gazette dated 27.11.2014 and numbered 29188, and other relevant legislation; to prepare all records and documents that will constitute the basis of transactions in payment systems that are mandatory in the field of banking and electronic payments, and in electronic contracts or paper-based processes; to comply with information retention, reporting and notification obligations stipulated by legislation and other authorities; and to be able to provide information to public prosecutors’ offices, courts and relevant public officials upon request and as required by legislation in matters related to public security and legal disputes.

Method of collecting your personal data The data provided by our clients who conduct transactions on bogazicict3.net are processed by Boğaziçi CT³ in accordance with our clients’ consents and the provisions of the legislation. Users’ preferences on pages accessed by using their username and password, IP records of transactions performed, cookie data collected by the browser and data including browsing duration and details, and location data; are collected and processed verbally, in writing or electronically through our sales and marketing department employees, our agents, our dealers, paper forms, business cards, channels such as digital marketing and call centers; furthermore, data obtained indirectly through different channels—data obtained from websites, campaign and similar purpose (micro) websites and social media, e-newsletter reading or click actions, data provided by publicly available databases, and publicly shared profiles and data from social media platforms (Facebook, Twitter, Google, Instagram, Snapchat etc.)—may also be processed and collected.

Storage and protection of personal data Your personal data will be kept confidentially in the databases and systems at Boğaziçi CT³ pursuant to Article 12 of the Law; and will not be shared with third parties under any circumstances except for legal obligations and the provisions stated in this document.

Boğaziçi CT³ is obliged, pursuant to Article 12 of the Law, to take software measures such as hashing, encryption, logging, access management, and physical security measures, in order to prevent unlawful processing of personal data, to prevent unauthorized access, and to ensure secure storage. In the event that it is learned that personal data have been obtained by others through unlawful means, the situation will be immediately reported to the Personal Data Protection Board in compliance with the legal regulation and in writing.

Keeping personal data accurate and up to date Pursuant to Article 4 of the Law, Boğaziçi CT³ has an obligation to keep your personal data accurate and up to date. Within this scope, in order for Boğaziçi CT³ to fulfill its obligations arising from the applicable legislation, our clients are required to share accurate and up-to-date data or update them via the website/mobile application.

Rights of the personal data owner under the Law No. 6698 Article 11 of the Law No. 6698 entered into force on 07 October 2016 and, pursuant to the said article, the rights of the Personal Data Owner from this date onwards are as follows:

By applying to Boğaziçi CT³ (data controller), the Personal Data Owner has the right to; learn whether personal data are processed, request information if personal data have been processed, learn the purpose of processing and whether they are used in accordance with that purpose, know the third parties to whom personal data are transferred domestically or abroad, request correction if personal data are processed incompletely or inaccurately, request deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law, request notification of the correction, deletion or destruction operations to third parties to whom personal data have been transferred, object to the occurrence of a result against the person by analyzing the processed data exclusively through automated systems, and request compensation for damages in case personal data are processed unlawfully. The Data Controller Representative to be appointed by Boğaziçi CT³ will be announced in the Data Controllers Registry and on the internet address where this document is published once the legal infrastructure is established.

Personal Data Owners may direct their questions, opinions or requests through any of the communication channels below:

E-mail: [email protected]