CONCERNING THE PROTECTION OF PERSONAL DATA CUSTOMER INFORMATION TEXT

As Blutrade Information Technologies Joint Stock Company ("Blutrade" or "Company"), we have prepared this information text to inform you about the processing of your personal data within the scope of our activities, in accordance with the Personal Data Protection Law No. 6698 ("PDPL") and the relevant legislation. Your personal data processed within the scope of your transactions related to the services provided in the context of crypto assets may vary. You can find detailed information about your personal data processed by Blutrade below.

A.Your Personal Data Processed in Processes Related to Crypto Asset Transactions

Which Personal Data of Yours are Processed and What are the Processing Purposes and Legal Reasons for Your Personal Data?

1.Identity Data

·Processed Personal Data: Identification type, identification document's expiration date, first name, last name, date of birth, country of birth, city of birth, gender, marital status, nationality, Turkish ID card information (TCKN, serial number, wallet number, father's name, mother's name, place of birth, province, district, neighborhood, volume number, family row number, row number, household number, page number, registration number, place of issuance, reason for issuance, date of issuance, previous last name), signature

· Legal Reason and Processing Purposes

a.Establishment or Performance of the Contract

· Execution of Service Sales Processes
· Execution of Risk Management Processes
· Ensuring the Security of Data Controller Operations
· Execution of Post-Sales Support Services
· Tracking Requests/Complaints
· Execution of Contract Processes
· Execution of Post-Sales Support Services
· Execution of Audit/Ethical Activities
· Execution of Finance and Accounting Tasks
· Execution of Information Security Processes

b.The Legal Obligation of the Data Controller

· Ensuring Compliance with Legislation in Activities
· Tracking and Execution of Legal Affairs
· Providing Information to Authorized Persons, Institutions, and Organizations
· Prevention of Fraud and Deception

2.Communication Data

·Processed Personal Data: Address information, e-mail address, communication address, phone number

· Legal Reason and Processing Purposes

a.Establishment or Performance of the Contract

· Execution of Service Sales Processes
· Execution of Communication Activities
· Execution of Risk Management Processes
· Execution of Customer Relationship Management Processes
· Ensuring the Security of Data Controller Operations
· Tracking Requests/Complaints
· Execution of Contract Processes
· Execution of Post-Sales Support Services

b.The Legal Obligation of the Data Controller

3.Customer Transaction Data

· Processed Personal Data: Call center records, account opening, transaction and amount information, request information

· Legal Reason and Processing Purposes

a.Establishment or Performance of the Contract

· Execution of Service Sales Processes
· Execution of Risk Management Processes
· Execution of Customer Relationship Management Processes
· Ensuring the Security of Data Controller Operations
· Tracking Requests/Complaints
· Execution of Contract Processes
· Execution of Post-Sales Support Services
· Execution of Finance and Accounting Tasks

b.The Legal Obligation of the Data Controller

4.Transaction Security Data

· Processed Personal Data: IP address information, website/mobile application login/logout information, password and passphrase information, MAC address, device information, GPS

· Legal Reason and Processing Purposes

Establishment or Performance of the Contract

· Execution of Service Sales Processes
· Ensuring the Security of Data Controller Operations
· Execution of Information Security Processes

b.The Legal Obligation of the Data Controller

· Ensuring Compliance with Legislation in Activities
· Tracking and Execution of Legal Affairs
· Yetkili Kişi, Kurum ve Kuruluşlara Bilgi Verilmesi
· Sahteciliğin ve Dolandırıcılığın Önlenmesi

5.Financial Data

· Processed Personal Data: Financial performance information, money transfers to the account, IBAN information, bank account number, cryptocurrency information, account history information

· Legal Reason and Processing Purposes

a.Establishment or Performance of the Contract

· Execution of Service Sales Processes
· Execution of Risk Management Processes
· Ensuring the Security of Data Controller Operations
· Execution of Contract Processes
· Execution of Finance and Accounting Tasks

b.The Legal Obligation of the Data Controller

6.Marketing Data

· Processed Personal Data: Cookie records, information obtained through campaign activities, usage habits)

· Legal Reason and Processing Purposes

a.Explicit Consent

· Conducting Marketing Analysis Studies
· Conducting Personalized Advertising Activities
· Improving, Optimizing, and Personalizing the Experiences Related to Our Services

7.Visual and Audio Recordings

· Processed Personal Data: Photo image, front and back of identification documents, customer selfie, motion video for identification purposes

· Legal Reason and Processing Purposes

a.Establishment or Performance of the Contract & Legitimate Interest of the Data Controller

· Ensuring the Security of Data Controller Operations
· Execution of Contract Processes
· Conducting Audit / Ethical Activities
· Prevention of Fraud and Deception
· Identification and Verification of Identity

b.What are the methods of collecting your personal data?

The personal data related to the cryptocurrencies mentioned above are collected through the entry form and user agreement on our website and application, integrated programs within the application, email, cookies and information systems, our call center, your identity image, video recordings, and oral and written documents you declare.

C.Do we transfer your personal data to a third party?

Your personal data related to the cryptocurrency transactions mentioned above may be transferred to authorized persons, institutions, and organizations based on the legal obligation of the data controller to fulfill legal obligations for the purposes of providing information, carrying out activities in compliance with legislation, preventing fraud and deception, and following up legal affairs. Your personal data related to cryptocurrency transactions may also be transferred to cloud service providers abroad based on your explicit consent for the purpose of carrying out information security processes and ensuring company-wide information and business management.

D.What are your rights regarding your personal data?

Regarding your personal data, you have the right to:

· Learn whether your personal data has been processed or not,
· Request information if your personal data has been processed,
· Learn the purpose of processing your personal data and whether they are being used for their intended purpose,
· Know the third parties to whom your personal data have been transferred domestically or abroad,
· Request the correction of your incomplete or inaccurate data,
· Request the deletion or destruction of your personal data in accordance with the conditions stipulated in the KVKK legislation,
· Ask for the notification of the third parties to whom your personal data has been transferred, in case of correction, deletion, or destruction of your data,
· Object to the emergence of a result against yourself as a result of the exclusively automatic analysis of processed data,
· Demand compensation if you have suffered damages due to the illegal processing of your personal data.

E.How can you use your rights?

You can reach us for your applications and requests regarding your personal data:

· By sending a signed letter and a photocopy of your ID to our official address via cargo,
· Via the Support button on our mobile application,
· By contacting our support@ortakapp.com or destek@ortakapp.com email address where we receive all kinds of questions, complaints, and requests,
· By sending a petition signed with a mobile signature or secure electronic signature to our KEP address,
· By using the Support section on our official website www.ortakapp.com,
· By filling out the "Related Person Application Form" on our official website.

According to the Communiqué on the Procedure and Principles of Application to the Data Controller, the application of the Relevant Person (Applicant) must contain the name, surname, explanation, signature if on paper, T.R. identity number, application date (passport number if the applicant is a foreigner), settlement or workplace address for notification purposes, if any, the electronic mail address for notification purposes, if any, the telephone number, and information about the subject of the request.

The Relevant Person should clearly state the requested issue in a clear and understandable manner in the application that includes explanations about the requested right. Information and documents related to the application must be attached to the application. The subject of the request must be related to the applicant's person, and if acting on behalf of someone else, the applicant must be specifically authorized in this regard, and this authorization must be documented (special power of attorney). In addition, the application must contain the applicant's identity and address information, and identity verification documents must be attached to the application. Requests made by unauthorized third parties on behalf of others will not be considered.

F.How long does it take to process your requests regarding the processing of your personal data?

Your requests regarding your personal data will be evaluated and responded within a maximum of 30 days from the date we receive them. If your request is evaluated negatively, the reasons for rejection will be sent to the address you provided in your application via electronic mail, postal service, or one of the notification methods such as SMS to your registered mobile phone via our mobile application.