PABBLER PRIVACY POLICY AND USER CLARIFICATION TEXT

The objective of this Privacy Policy And User Clarification Text (“ Policy”) is to provide information on terms and conditions regarding the processing of personal data that is obtained from the users (“Usersor You”) that is required for services provided and administered by the Pabbler Lojistik Teknoloji ve Turizm Anonim Sirketi (“Company”) over the internet site at “ www.pabbler.com” address and Android and iOS applications (“Site”) and/or received form the Users during the use of the Site (“Services”) . Definitions under Pabbler User Agreement (“Agreement”) published in the Site shall apply to interpretation of any term that is not defined in this Policy.

You can feel safe while using the Site. However, please note that no system is fully secure. Even though we take all steps necessary to protect your data, there is always a risk of non-security. Therefore, we would like to remind you that you should be very careful while disclosing your personal data. Other than to the personal data requested by the Company, processing of data that is provided by You without request of the Company shall not be deemed as personal data processed by the Company in accordance with this Policy. For this reason, we notify You to refrain from disclosing your other personal data that is not requested by the Company, including but not limited with your voice, photos send via e-mail message or any other communication channel.

Which Data is Processed?

This section describes each group of personal data that correspond to the data collected, personal data of Users that is processed within the scope of services offered by the Company and considered as personal data in accordance with Personal Data Protection Law No. 6698 (“ Law”) and data beyond the scope of personal data and data collected using cookies. Unless otherwise specified, the term “personal data” and “special categories of personal data” shall include the following information in accordance with the provisions and conditions under this Policy.

Personal Data:

o Data Collected for Registration Purposes:

For Natural Persons: Name, surname, e-mail address, telephone number, address details, user’s photograph, Republic of Turkey identification number, passport, bank account details,

For Legal Persons: Corporate name, tax registration number, e-mail address, telephone number, address details

o Data Collected for Travel Procedures

▪ Departure and arrival points, date, address details

o Data Collected for Invoice/ Note of Expenses: Name, surname, trade name, Republic of Turkey identification number, tax registration number, bank account details

o Other Data: Data related with all kinds of corresponds exchanged during provision of Services or for Services, browsing and/or user session (IP address, geographical location, unique device identifier, etc.).

o Social Media Accounts: Information such as name, surname, e-mail address, telephone number, profile photo from your social media account will be processed in case you sign up to the Site, using your social media accounts in order to user Services.

Data Processed Using Cookies: For detailed information on your data processed, including IP Address, type of device, operating system and browser details, please refer to “Pabbler Cookies Policy” published in the Site.

Data anonymized in a non-reversible manner in accordance with Article 3 and 7 of the Law shall not be considered as personal data and processing activities in connection with such data shall be carried out without being bound by provisions of this Policy.

User guarantees that data constituting subject matter of this Policy are true and up-to-date and they shall be updated in case of any changes in such data. Company shall not be held liable for any consequence in case User refrains from sharing up-to-date information.

Data Collected Upon Anonymization

Travel information, location details, payment details of Users

What Are the Purposes of Processing Your Data?

Company may process personal data provided by Users and new data the Company derives using such personal data for the purpose of ensuring that Users benefit from the Site in an uninterrupted manner; providing and improving Services offered in the Site; achieving the purposes of using personal data that are regulated under this Policy and Agreement; performing verification of identity in connection with the accuracy of information disclosed by Users during subscription to the site; ensuring data security for Users; providing uninterrupted customer support and technical support; communication general or personalized notifications (or promotions); creating statistical data from User’s data in order to provide and improve Services of Company or business partners; complying with obligations of the Company that arise from the law and regulation; and preventing existing or future legal disputes.

About Cookies

Company may use cookies, a technical communication file, to obtain information on the use of Site by the Company and Users; process data for this purpose and transfer them to third persons to the extent required for analysis services for the purpose of processing for analysis services offered by third persons. The aforementioned technical communication files are small text files sent to the browser of Users by the Site for the purpose of storing in the cache. Technical communication file stores status and preference settings about a specific website and facilitates the internet use. Technical communication file is designed to obtained statistical information on Site such as time-coded number of users, number of visitors, purpose of visitors, number of visits by a specific user, the duration of visit, etc., and to assist placement of dynamic advertisements and contents for customizing the page based on user preferences; and it is used for the aforementioned purposes. Technical communication file is not designed to retrieve any other information from the main memory. Original design of browsers permits technical communication files; however, Users may configure browser settings to prevent the receipt of technical communication file or receive a warning about the receipt of technical communication file if they desire to do so. Please refer to “Pabble Cookies Policy” for details on cookies. Company determines and uses IP address of Users as required, in order to identify system-related problems and solve such problems immediately. IP addresses may also be used to make general definition of Users and collect comprehensive demographic information.

Who Is Authorized to Access Your Data?

Company will be entitled to share personal data provided by Users and new data generated by Company using such personal data, with external service providers and other third persons for the purpose of providing and/or improving Services; improving User experience and achieving one of the purposes specified under the headline “ What are the Purposes of Processing Your Data?”.

During the providing of Services, name, surname and location data of Users will be shared with other Users within the scope of processes performed by Users. In case Users perform such processes, it shall be deemed that they have consented to such sharing.

Company shall also be entitled to process personal data subject to this Policy and share them with third persons without obtaining consent of Users in case of exemptions under Articles 5 and 8 of the Law and/or applicable legislation. Some of these events are provided below:

➢ Clear provisions under the Laws permitting such use;

➢ Compulsory disclosure for protecting life and physical integrity of a person or any other person in case the relevant person is not able to provide consent due to actual incapability or his/her consent is not valid under the applicable law;

➢ Requirement to process personal data in case such processing is directly related with execution or performance of an agreement including the Agreement;

➢ Compulsory data processing for the fulfilment of a legal obligation by Company;

➢ Information made public by Users;

➢ Compulsory data procession necessary for vesting, using or protecting any right;

➢ Compulsory data processing for legitimate interests of Company provided that fundamental

rights and freedoms of Users are not jeopardized.

Company has right to transfer personal data to providers (directly to providers, to affiliates, sub-contractors of providers or services providers with proven track of reliability at international level) located in any part of the world, other than country of residence of Users in order to receive data hosting service subject to the limitation with the performance of the aforementioned objectives.

Right to Access Data and Request Correction

Data Subject may submit an application to the Company in order to;

➢ Get information as to whether personal data are processed or not;

➢ Get information on the extent of processing if data are processes;

➢ Get information on the purpose of processing personal data and as to whether they were used in accordance with the purpose;

➢ Get information on local and foreign third parties who were transferred personal data;

➢ Request correction if personal data were processed inaccurately or incompletely;

➢ Request deletion or destruction of personal data in accordance with the conditions stipulated in the applicable legislation;

➢ Request notification of deletion, correction and destructions made in accordance with the applicable legislation to third persons;

➢ File objection against unfavourable results obtained through analysis using automatic systems only;

➢ Claim compensation of losses and damages that may arise from illegal processing of personal data.

by submitting an application to the data supervisor. Users shall exercise right to apply that arises from the law, in parallel with the aforementioned requests, by using one of the methods specified under paragraph 1, article 13 of the Law and other applicable legislation or other methods stipulated by Personal Data Protection Board. Methods existing under the Law are as follows:

a) Application Form provided in the Site in accordance with Personal Data Protection Law (“Application Form”) will be completed, signed and sent to Kilicali Pasa Mahallesi Defterdar Yokusu Sk. Civa Apt. Apt. No: 46/4 Beyoğlu/Istanbul address (by personal delivery with a document that confirms identity of the applicant.)

b) Application Form will be completed, signed with “secure electronic signature” defined in Electronic Signature Law No. 5070, and form with secure electronic signature will be sent to e-mail address at [*] (Subject of E-mail will be “Information Request Under Personal Data Protection”.)

c) Application Form will be completed; signed and sent to Company’s head office address at Kilicali Pasa Mahallesi, Defterdar Yokusu Sk. Civa Apt. Apt. No: 46/4 Beyoğlu/Istanbul via notary public (“Information Request Pursuant to Personal Data Protection Law” will be written on the notification envelope .)

A special power of attorney should be issued in the name of the person filing an application for and on behalf of data subject in order to allow a person other than applicant himself to file an application.

Duration of Keeping Personal Data

Company shall act in accordance with provisions of the Law No. 6698 and Regulation on Deletion, Destruction or Anonymization of Personal Data (“ Regulation”). Company will store personal data provided by Users for the purpose of achieving objectives related with the nature of Services specified under this Policy and Agreement, for the duration of Services in order to ensure that Users benefit from the Site and Services, and destroy personal data during the first periodical destruction following the date on which destruction obligation arises in accordance with the Regulation. Company will comply with obligations arising from Article 12 of the Regulation towards Users that request destruction of personal data in accordance with Article 13 of the Law.

Measures and Commitments on Data Security

Company undertakes to perform and procure the performance of technical and administrative measures aimed at ensuring appropriate security level for the purposes of:

➢ preventing illegal processing of personal data;

➢ preventing illegal access to personal data;

➢ Undertake to take necessary technical and administrative measures to ensure the appropriate level of security in order to protect personal data

Company is not entitled to disclose personal data obtained about Users to other persons and process beyond the purpose of processing in breach of this Policy and Law No. 6698.

In case a link is provided in the site for access to another application, Company shall not be held responsible in connection with the privacy policies and contents of that application.

Communication Consent

By providing the electronic communication consent described in this Policy, you will provide consent for the collection, storage, processing, use and transfer of your personal data, for the purpose of offering you various advantages and performing all kinds of electronic communications aimed at personalized advertisements, sales, marketing, surveys, booking privilege, etc, and sending other communication messages. Company shall communicate Users via e-mail for the purpose of verification with e-mail address during sign-up; verification of identity when password is forgotten; creating an internet site; customizing the internet site when required; posting advertisements over the internet site; sharing the internet site; making security notifications; sending e-invoices, and by telephone or via SMS for the purpose of verifying telephone number during sign-up, making notifications as a dual-factor verification method; verifying identity when password is forgotten and sending security notifications.

Company shall take all kinds of measures for secure storage of personal data in accordance with Article 12 of the Law and prevention of unauthorized access and illegal processing.

Confidentiality of Users Due to Age Limit

Company shall not deliberately collect and record personal data of individuals below 18 years of age. If you are below 18 years of age, please note that you should not use the Platform and Services and disclose your personal data to Company. Company shall take reasonable steps to delete when it is understood that personal data of an individual below 18 years of age was collected.

Policy Revisions

Company may revise provisions of this Policy any time by publishing revisions on the Site. Policy provisions revised by Company take effect on the date of release. Company shall serve necessary notifications to Users in order to inform about revisions to this Policy.

Settlement of Disputes

This Policy is governed by the Laws of the Republic of Turkey. Any dispute that may arise from this Policy or in connection with this Agreement shall be referred to jurisdiction of Istanbul Centre (Caglayan) court and enforcement offices.