WEBSITE PRIVACY AND SECURITY POLICY

Galeri Kristal Turizm İnşaat Pazarlama ve Ticaret Anonim Şirketi (the “Company”) considers the privacy of the information shared by visitors to its website as a fundamental principle. Therefore, this “Privacy Policy” has been created to inform you about which of your information is processed, by what methods, with which third parties it is lawfully shared with your permission, and how it is protected by the Company.

This Privacy Policy also explains how you can verify the accuracy of your data and how you can request the deletion of such information by contacting the Company via its website. All services provided to individuals through all communication channels by the Company are collectively referred to as "Services."

This policy aims to ensure user privacy and the security of personal data regarding all operations carried out through the websites https://crystalhotels.com.tr and https://nirvanahotels.com.tr. In this context, all payment transactions carried out via the Virtual POS system (and/or other integrated institutions) are conducted in accordance with security standards.

Every user who uses the site is deemed to have accepted the terms of this policy.

Data Controller

Personal data refers to any information that identifies or makes identifiable a natural person, such as name, surname, date of birth, or phone number.

Your personal data is processed by Galeri Kristal Turizm Construction, Marketing and Trade Inc., with its headquarters located at Havaalanı Yolu Üzeri Serik Caddesi No:113 Altınova, Kepez / Antalya, as the data controller under Law No. 6698 on the Protection of Personal Data (KVKK), and in accordance with relevant legal regulations, the decisions/announcements of authorized authorities, and within the framework of this Privacy Policy.

The Company respects your concerns regarding the protection of your privacy and personal data. In this respect, the Company processes your personal data in compliance with all data protection legislation, especially the KVKK, ensures their secure storage, and takes all necessary security measures against unauthorized access.

This Privacy Policy explains the categories of personal data collected by the Company through the communication channels listed below, the purposes and processes of their collection, the recipient groups they may be transferred to, your rights related to the protection of your data, and the other explanations the Company is obliged to provide under the law.

Scope of the Privacy Policy and Collected Data

Information to be used and processed relating to a specific individual is only possible if that person voluntarily enters data or gives explicit consent. Entering data or providing explicit consent indicates that the individual agrees to the conditions stated below. When the website is visited, certain information is stored on the website server.

Such information may include:

- Name

- Surname

- Address

- Email

- Phone

- Identification number

Based on this data, some conclusions may be drawn about the user. However, this personal data can only be used anonymously. If such data is transferred to an external service provider, the necessary procedures are carried out in accordance with applicable legal regulations on data security.

If you voluntarily provide personal information, the Company undertakes to use and process this data within the limitations prescribed by law or as stated in the user’s consent declaration.

Purposes for the use of personal data and cookies are listed below:

- Personalizing user experiences

- Access to websites

- Ensuring communication with users

- Competition

- Advertising and marketing

- Conducting analysis and market research

- Managing and maintaining website records

As part of the provided services, the Company may obtain and transfer information about service recipients within the scope of this Privacy Policy and within legal limits. Such data transfers are conducted according to the terms set by third parties, current agreements, and existing legal regulations. This Privacy Policy does not reflect the privacy practices of third parties, and the Company is not responsible for their policies or practices. The policy does not apply to data collected through applications not controlled by the Company, data collected via links on third-party sites, or campaigns, promotions, or other advertisements on third-party sites sponsored or participated in by the Company. The Company is not responsible for how third parties collect, store, and use personal data through their own websites.

Privacy of Minors Under the Age of Eighteen

Our website contains content intended for individuals under the age of eighteen. Any data collected from individuals under the age of eighteen is only gathered with the consent of their parent or legal guardian.

Use of Cookies

The Company may obtain certain personal data by using a technical communication file (cookie). These cookies are small text files sent to the user’s browser by a website and stored in main memory. Cookies simplify Internet usage by saving preferences and site statuses. They help gather statistical information about the number of users, visit purposes and frequency, and duration, and generate dynamic content and advertisements on customized user pages.

Cookies are not designed to retrieve personal data from main memory or emails. Most browsers are set to accept cookies by default, but users can adjust their settings to reject cookies or to receive alerts when a cookie is sent. The Company is not responsible for any malfunction resulting from such changes.

Cookies used on the website may include:

- Names of sites visited during session

- Keywords used to find the website

- Name of the Internet service provider

- IP address and/or location

- Operating system of the accessing device

Data Required for Online Shopping and Reservation Payments

The Company values your security in transactions made on the website. Therefore, your credit card information is only used during the order process and is not stored in our database.

All payments are processed with 3D Secure support via the Garanti BBVA Virtual POS infrastructure.

• Your card information is not recorded in our system; you are directed directly to the bank system.

• Data transmitted during payment is protected using SSL (Secure Socket Layer) technology.

• The site uses infrastructure compliant with PCI DSS (Payment Card Industry Data Security Standard).

Links to Other Websites

The Company’s website may include links to third-party websites. This Privacy Policy does not apply to those websites, and the Company does not accept any responsibility for them.

Data Updates and Changes

The Company may modify the content of this Privacy Policy at any time to maintain compliance with data protection principles and relevant legislation. Changes are published on the Company’s websites, and you may access the latest version at https://crystalhotels.com.tr and https://nirvanahotels.com.tr. Continued use of the Company’s services after the changes means acceptance of the updated policy. The revised terms take effect on the date of publication on the website.

Categories of Processed Personal Data and Purposes of Processing

Shared personal data is processed in accordance with the KVKK and related regulations to fulfill the requirements of services provided to customers, to develop our products and services, to inform public authorities in cases related to public safety and legal disputes when required by law, and to offer a broad range of opportunities to our members or legally share such opportunities with authorized individuals and institutions. They are also used to analyze advertising preferences.

Data Retention Period

Data shared directly during membership or when purchasing products or services is stored during the membership or transaction period. Data shared for newsletter subscriptions is retained as long as the subscription continues.

Methods of Processing Personal Data

According to Law No. 6698 on the Protection of Personal Data (KVKK), personal data shared with Galeri Kristal Turizm Construction, Marketing and Trade Inc. may be obtained, recorded, stored, altered, reorganized, and processed through automated or non-automated means, whether in whole or in part, as part of a data recording system. All such actions are deemed as 'processing of personal data' under the KVKK.

Information on Third Parties or Institutions to Whom Personal Data May Be Transferred

For the purposes stated above, personal data shared with Galeri Kristal Turizm Construction, Marketing and Trade Inc. may be transferred to main shareholders, shareholders, advertisers, domestic and international subsidiaries, affiliated companies using the Company’s infrastructure, business partners, service providers, and legally authorized public authorities when necessary, particularly in response to binding court orders.

Our regulations regarding cookies used for advertising purposes are part of the 'Cookie Policy of Galeri Kristal Turizm Construction, Marketing and Trade Inc.', which forms a component of this Privacy and Personal Data Protection Policy. For more information, please refer to the Cookie Policy.

Rights of the Data Subject

Data subjects may always exercise their right to access their data. In addition, subject to meeting relevant conditions, the rights provided under Article 11 of the KVKK may be exercised, including:

• The right to rectification,

• The right to erasure,

• The right to restrict processing,

• The right to lodge a complaint with the data protection authority,

• The right to data portability.

Where data is processed based on the Company’s legitimate interests, the data subject has the right to object based on personal circumstances. The Company will cease processing unless it can demonstrate compelling legitimate grounds overriding the interests, rights, and freedoms of the data subject, or where the processing is necessary for legal claims.

Where consent has been given for the processing of personal data, such consent may be withdrawn at any time.

Under the law, all requests, complaints, and suggestions regarding your personal data can be submitted to the Company in writing along with proof of identity to the address below, via email to [email protected], or using a secure electronic signature to the Company’s registered electronic mail address at [email protected]