1. Purpose and Scope

In accordance with the Personal Data Protection Law No. 6698 ("PDPL"), your personal data may be processed by Ottoo Yazılım A.Ş ("Tutku.ai") as the Data Controller.

The main purpose of this Personal Data Protection Policy ("Policy") is to provide explanations regarding the personal data processing activities conducted by Tutku.ai in a lawful manner and the systems adopted for the protection of personal data, ensuring transparency by informing individuals whose personal data is processed by Tutku.ai.

This Personal Data Protection Policy ("Policy") is applied in all activities related to the processing and protection of personal data managed by Tutku.ai, along with detailed data procedures.

2. Principles to be Followed While Processing Personal Data

Tutku.ai, in all Personal Data Processing activities, acts in accordance with the general principles outlined below, as specified in Article 4 of the Personal Data Protection Law No. 6698 (PDPL):

• Personal data is processed in a lawful, honest, and transparent manner.

• Personal data is collected for specific, explicit, and legitimate purposes.

• Personal data is processed in a way that is relevant, limited, and necessary for the purpose for which it is processed.

• Personal data is accurate and, when necessary, kept up to date, and is deleted or corrected without delay when it is no longer necessary.

• Personal data is retained for the period prescribed by relevant legislation or for as long as necessary for the purpose for which it was processed.

3. Collection, Processing, and Purposes of Processing Personal Data

In accordance with Articles 5 and 6 of the Personal Data Protection Law No. 6698, your personal data may be processed for the following purposes, without exceeding the boundaries set forth:

For the execution of business related to Tutku.ai's specific commercial activities:

• Establishment, performance, and post-contractual services of contracts

• Notification to official institutions

• Fulfillment of legal obligations

• Planning, tracking, and execution of finance and accounting activities

• Data security and information technology services, including physical and electronic network security efforts for Tutku.ai's internet services

For increasing brand awareness:

• Activities aimed at increasing the awareness of the Tutku.ai brand

• Organization of various events

• Management and resolution of service-related requests and complaints

• Activities for receiving, evaluating, and concluding requests and complaints

For corporate relations:

• Management, development, planning, and execution of relationships with users or business partners

• Execution of communication activities

• Activities such as external training for Tutku.ai employees and partners

For ensuring the legal, technical, and commercial security of Tutku.ai and individuals/entities in a business relationship with Tutku.ai:

• Providing information to official institutions for legal obligations and fulfilling audit-related activities and duties

• Ensuring the physical and electronic security of Tutku.ai, its premises, and parties in a relationship with Tutku.ai

• Keeping records of parties involved in a business relationship with Tutku.ai

• Ensuring the accurate and up-to-date maintenance of data

• Planning and execution of occupational health and safety processes

• Fulfillment of obligations related to any visitors entering or exiting Tutku.ai premises in accordance with the law.

4. Methods of Processing Personal Data and Legal Basis

Personal data may be obtained from the data subject or from third parties to whom the data subject has explicitly consented. Personal data may be processed using the following methods: collection, recording, organizing, storing, structuring, modifying, adapting, using, transferring, deleting, destroying, and anonymizing.

Personal data may be processed by one or more of the above methods without the explicit consent of the data subject, provided that one of the legitimate grounds listed in Article 5 of the PDPL exists:

• Clearly prescribed by laws and relevant regulations

• Necessary for the protection of the life or bodily integrity of the data subject or another person, where the data subject is unable to express consent due to physical impossibility or when their consent is not legally recognized

• Necessary for processing personal data directly related to the establishment or performance of a contract

• Necessary for the data controller to fulfill their legal obligation

• Made public by the data subject themselves

• Necessary for the establishment, exercise, or protection of a right

• Necessary for the legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data subject.

5. Cookie Policy

Cookies

During your visit to the Tutku.ai website, cookies, which are small data files, are used to allow computers and operating systems to automatically recognize you. This method utilizes information obtained from previous visits to our site and services provided. When you open the Tutku.ai website, a cookie is placed on your computer, allowing your preferences to be saved and enhancing your online experience. Cookies do not collect any personal information about you, do not transmit any personal information to contact you, and do not transfer any information from your computer. We use cookies to identify the sections of the Tutku.ai website that interest you most and offer you more of these sections during your visit.

Web Beacons

Web beacons are internet tools that help us understand whether a page has been visited. When we send information regarding e-commerce services or the general structure of our site, we may use web beacons to see how many of the emails we send have been opened. Electronic images and advertisement headings, often seen as part of a web page, function as web beacons. Third-party advertising networks advertising on the Tutku.ai website may use cookies and/or web beacons in their advertisements. Tutku.ai has no control over these cookies and/or web beacons used by third parties.

Disabling the Protection System

Tutku.ai accepts no responsibility for any material or immaterial damages arising from the disabling of the protection system due to hacking, malicious software, or reverse engineering.

In the future, Tutku.ai, the creators of any content on this website, its employees, or the authorized individuals and organizations on the website, shall not be held legally or criminally liable for any material or immaterial damages that may arise from failure to read or comply with these terms.

6. Storage and Destruction of Personal Data

Many regulations in the legislation require personal data to be stored for a specific period. Therefore, we store the personal data we process for the duration stipulated by the relevant legislation, or if no such duration is specified, for the period necessary for the purposes of processing the personal data.

In cases where we process personal data for multiple purposes, personal data will be deleted, destroyed, or anonymized automatically or upon request if all processing purposes no longer exist, or if there are no legal barriers to their deletion, and if the data subject requests such action.

Purposes Requiring Data Storage

Tutku.ai stores the personal data it processes within the scope of its activities for the following purposes:

• Conducting information security processes

• Managing employee satisfaction and engagement processes

• Fulfilling contractual and legal obligations for employees

• Managing finance and accounting activities

• Ensuring physical security of premises

• Managing assignment processes

• Handling legal affairs

• Managing procurement/sales and post-sales support processes

• Executing and auditing business activities

• Managing occupational health and safety activities

• Managing contract processes

• Providing information to authorized individuals, institutions, and organizations

Reasons for Destruction

Personal data will be deleted, destroyed, or anonymized in the following cases:

• Changes to or the annulment of the legal provisions that form the basis for its processing

• When the purpose requiring its processing or storage no longer exists

• If the processing of personal data is based solely on explicit consent, and the data subject withdraws their consent

• If a request for deletion or destruction of personal data is made in accordance with the rights granted under Article 11 of the PDPL, and Tutku.ai accepts the request

• If Tutku.ai rejects a request for the deletion or destruction of personal data or provides an insufficient response, or fails to respond within the time period stipulated by the PDPL, and the data subject files a complaint with the Personal Data Protection Board (the Board), and the Board deems the request appropriate

• When the maximum period for storing personal data has passed and there is no justifiable reason to store it longer

In these cases, the data will be deleted, destroyed, or automatically deleted or anonymized by Tutku.ai.

7. Transfer of Personal Data

Your personal data processed for the purposes outlined may be transferred, in accordance with the basic principles set forth in the PDPL and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the PDPL, for the execution of processes, to authorized public institutions and organizations, our business partners, shareholders, relevant private individuals, banks, service providers, companies providing support services to carry out our activities, and institutions offering legal consultancy and financial advisory services to Tutku.ai, as well as independent audit companies, within the framework of legal obligations and restrictions.

Except for cases where the transfer of personal data to administrative and judicial institutions and organizations is required by the PDPL or relevant legislation, Tutku.ai does not transfer personal data belonging to data subjects to other individuals without the explicit consent of the data subject. However, in cases specified in Articles 5 and 6 of the PDPL, personal data will be transferred to the relevant institutions and organizations without the need for explicit consent, due to the existence of a legal basis for processing.

8. Confidentiality

We understand the importance of maintaining the confidentiality of your personal data and, as Tutku.ai, we adhere to this confidentiality. In this context, only authorized personnel from Tutku.ai can access your personal data. Tutku.ai takes all necessary technical and administrative measures to protect the personal data it collects and ensure that unauthorized people do not access it. We also ensure that our clients and potential clients are not harmed. This includes ensuring that software complies with standards, selecting third parties with care, and adhering to data protection policies within the company.

Tutku.ai implements the following measures to ensure data privacy and security:

Administratively:

• Conducts risk audits to identify current risks and threats.

• Periodically conducts awareness training for employees.

• Has established personal data security policies and procedures.

• Embraces the principle of data minimization, striving to reduce personal data as much as possible.

Technically:

• Ensures cybersecurity.

• Monitors personal data security.

• Secures environments containing personal data.

• Stores personal data in secure areas and cloud computing systems.

• Takes the necessary software and hardware measures for the procurement, development, and maintenance of information technology systems, processing personal data in accordance with the conditions stipulated by the law.

9. Your Rights as the Data Subject

As the data subject, you can submit your requests regarding your rights in writing and with a wet signature to the address: Meydan Street No: 1/55, Maslak Mahallesi, Sariyer, Istanbul, Turkey. Depending on the nature of the request, Tutku.ai will respond as quickly as possible, and in any case, within thirty (30) days, free of charge. However, if the process requires an additional cost, a fee determined by the Board will be charged.

Under Article 11 of the PDPL, your rights are as follows:

• Learn whether your personal data is being processed, and if processed, request information about it.

• Learn the purpose of processing your personal data and whether they are being used in accordance with their purpose.

• Learn about the third parties to whom your personal data is transferred, both domestically and abroad.

• Request correction if your personal data is incomplete or inaccurate.

• Request the deletion or destruction of your personal data in accordance with the conditions set forth in Article 7.

• Request the notification of third parties to whom your personal data has been transferred about the correction, deletion, or destruction actions taken in accordance with (d) and (e).

• Object to any result that emerges against you as a result of the processing of your data solely by automated systems.

• Request compensation for any damage you have suffered due to unlawful processing of your personal data.

10. Request for Updating Your Information

The personal data we collect must be accurate and, when necessary, up to date. Therefore, if there is any change in your personal data, you can inform the relevant department of Tutku.ai.

This Policy was prepared on 26.06.2025 date. In case of any changes in the text, the effective date and content of the modified text will be valid.