PROTECTION AND PROCESSING OF PERSONAL DATA

PRIVACY AND PERSONAL DATA PROTECTION POLICY

Protection of personal data MUSE TEKSTİL VE TİCARET LİMİTED ŞİRKETİ (“MISSMUSE”) is an important issue. As the data controller, MISSMUSE adopts the principles stipulated by the KVK Law in order to comply with the Law on the Protection of Personal Data No. 6698 (“KVK Law”). fulfill its obligations to ensure safety. The Privacy and Personal Data Protection Policy regulated in this context is made available to natural persons whose personal data are processed (“Relevant Person”).

1. Scope and Purpose of Privacy and Personal Data Protection Policy

This Privacy and Personal Data Protection Policy;

The methods and legal reasons for collecting personal data, Which groups of people's personal data are processed (Data Subject Person Group Categorization), Which category of personal data is processed for these groups of persons (Data Categories) and sample data types, In which business processes and for what purposes this personal data is processed. Technical and administrative measures taken to ensure the security of personal data, To whom and for what purpose personal data can be transferred, Personal data retention periods, Profiling and Segmentation What are the rights of the Relevant Persons on their personal data and how they can use these rights, It explains how they can change their positive or negative preferences in receiving commercial messages, Personal data sharing with official authorities, Cookie Usage and Management.

2. Personal Data Collection Methods and Legal Reasons

MISSMUSE personal data can be collected in aural, electronic or written form through the Websites, mobile applications of the Websites, social media accounts, cookies, call center, notifications from administrative and judicial authorities and other communication channels, in accordance with the personal data processing conditions specified in the KVK Law and in accordance with this Privacy Policy. / It collects in line with the legal reasons specified in the Personal Data Protection Policy.

3. Data Subject Person Group Categorization

MISSMUSE categorizes the data subject groups, whose personal data are processed in the personal data processing processes and activities related to these processes, as follows. In addition, in accordance with the personal data processing conditions specified in the 5th and 6th articles of the KVK Law, and in line with the legal reasons specified in this Privacy/Personal Data Protection Policy, the personal data of other individual groups (consultant, educator, blogger) can be processed.

3.1 Data Categories and Example Data Types

3.1.1 Member Customer

Credential: Name, surname, date of birth, gender, T.R. identification number

Location Information: City, county (www.missmuse.com delivery address of the purchase made via

Communication information: mobile phone, e-mail address, address, zip code, landline phone

Financial Information: Tax office, billing information

Customer/Member Information: Membership information, membership ID number

Customer/Member Transaction Information: Purchased product/s, shopping amount, shopping date, call center call records, commercial communication permission, used campaigns/competitions, coupons used, information about the order

Risk Management Information: IP address

Transaction Security Information: Password, password information

Marketing Information: Reviews showing cookie records, targeting information, habits and likes

Audio Data: Call center call recordings

Legal Action and Compliance Information: Start and end time of the service provided, type of service used, amount of data transferred, commercial electronic message permission given by the Relevant Person in electronic environment, membership agreement approved, corporate membership agreement, other legal texts and agreements that enable to benefit from the services offered by MISSMUSE

Marketing Information: Marketing sms, e-mail messages or calls made by the call center based on the commercial electronic message permission given by the person concerned

Request/Complaint Management/Reputation Management Information: Records of the complaints and/or requests submitted by the person concerned via the website, mobile application, social media accounts or call center regarding the product or service purchased, and the actions taken during the evaluation or management of these requests

3.1.2. Guest Customer (users who shop on the site without being a member)

Credential: Name, surname, date of birth, gender, T.R. identification number

Location Information: City, county (delivery address for purchases made through missmuse.com)

Communication information: mobile phone, e-mail address, address, zip code, landline phone

Financial Information: Tax office, billing information

Guest Customer Transaction Information: Purchased product/products, shopping amount, shopping date, call center call records, commercial communication permission, used campaigns, order information

Risk Management Information: IP address

Transaction Security Information: Password, password information

Marketing Information: Reviews showing cookie records, targeting information, habits and likes

Audio Data: Call center call recordings

Legal Action and Compliance Information: The start and end time of the service provided, the type of service used, the amount of data transferred, the commercial electronic message permission given by the Related Person in electronic environment, other legal texts and contracts that enable to benefit from the services offered by MISSMUSE

Marketing Information: Marketing sms, e-mail messages or calls made by the call center based on the commercial electronic message permission given by the person concerned

Request/Complaint Management/Reputation Management Information: Records of the complaints and/or requests submitted by the person concerned via the website, mobile application, social media accounts or call center regarding the product or service purchased, and the actions taken during the evaluation or management of these requests

3.1.3. Online Visitor

Transaction Security Information: Password, mobile phone, password information

Legal Transaction Information/Risk Management Information: IP address

Legal Action and Compliance Information: The start and end time of the service provided, the type of service utilized, the amount of data transferred.

3.1.4. Person on whose Name the Purchased Product will be Delivered

Credential: Name, surname, date of birth, gender, T.R. identification number

Location Information: City, county (delivery address for purchases made through missmuse.com)

Communication information: mobile phone, e-mail address, address, zip code, landline phone

Financial Information: Tax office, billing information

3.1.5. Vendor/Supplier/Candidate Vendor/Vendor or Supplier Employee or Official

Credential: TR Identity Number, Name Surname

Communication information: e-mail address, telephone, KEP address, address, mobile phone

Financial Information: Account No, Tax Office, Tax Identification Number, tax plate, IBAN

Legal Action and Compliance Information: Signature circular, activity certificate,

Special Qualified Personal Data/Legal Transaction Information: Signature

Visual Information: Photograph

4. In Which Business Processes and For What Purposes Personal Data Are Used

4.1. Member Customer Personal Data

Execution of membership transactions, “missmuse.com” e-commerce platforms (“platform”) operated by MISSMUSE; For the existing Member Customers with commercial electronic message approval, for the purpose of improving the services offered over the website, developing new services and providing information about it, and for the execution of the Membership Agreement established with the Member Customer; Analyzing the preferences, tastes and needs of the Member Customer and providing special promotion, opportunity and benefit to the Member Customer, remarketing, targeting, profiling and analysis in line with the express consent of the Member Customer, Promotion and marketing of products and services, Resolving Member Customer problems and complaints, Improving Member Customer experience on both the platform and mobile application, Monitoring of accounting and purchasing transactions, Legal processes and compliance with legislation, Answering information requests from administrative and judicial authorities, Information and Ensuring transaction security and preventing malicious use, Making necessary arrangements to ensure that the processed data is up-to-date and correct

4.2. Guest Customer (users who shop on the site without being a member) Personal Data

To be able to shop from the Platforms as a "guest", To improve the services offered on the Platforms, to develop new services and to provide information about it, For Guest Customers who have commercial electronic message approval; Analyzing the preferences, tastes and needs of the Guest Customer and providing special promotion, opportunity and benefit to the Guest Customer, Remarketing, targeting, profiling and analysis in line with the explicit consent of the Guest Customer, Promotion and marketing of services, Resolution of Guest Customer problems and complaints, Improvement of Guest Customer experience on both the platform and mobile application, Follow-up of accounting and purchasing transactions, Compliance with legal processes and legislation, Answering information requests from administrative and judicial authorities, Information and transaction security and preventing malicious use, Making necessary arrangements to ensure that the processed data is up-to-date and accurate, Fulfilling legal obligations

4.3. Online Visitor Personal Data

Processing of online visitor data within the scope of Law No. 5651, Legal processes and compliance with legislation, Answering information requests from administrative and judicial authorities, Ensuring information and transaction security and preventing malicious use, Fulfilling legal obligations

4.4. Personal Data of the Person to whom the Purchased Product will be Delivered

Execution of product delivery processes, Follow-up of accounting and purchasing transactions, Legal processes and compliance with legislation, Answering information requests from administrative and judicial authorities, Ensuring information and transaction security and preventing malicious use, Making necessary arrangements to ensure that the processed data is up-to-date and correct, Fulfillment of legal obligations

4.5. Seller/Supplier/Candidate Vendor/Vendor or Supplier Employee or Official Personal Data

Execution of contract processes, Follow-up of accounting and purchasing transactions, Legal processes and compliance with legislation, Answering information requests from administrative and judicial authorities, Ensuring information and transaction security and preventing malicious use, Making necessary arrangements to ensure that the processed data is up-to-date and correct, Legal fulfillment of obligations

5. Technical and Administrative Measures Taken to Ensure the Security of Personal Data

MISSMUSE undertakes to take all necessary technical and administrative measures and to show due diligence to ensure the confidentiality, integrity and security of your personal data.

MISSMUSE takes the necessary measures to prevent unauthorized access, misuse, unlawful processing, disclosure, alteration or destruction of personal data. MISSMUSE uses generally accepted security technology standards such as firewalls and Secure Sockets Layer (SSL) encryption when processing personal data. In addition, when sending your personal data to MISSMUSE through the website, mobile application and mobile site, this data is transferred using SSL.

Regarding the prevention of unlawful access to the personal data that MISSMUSE processes, the prevention of illegal processing of this data and the protection of personal data: All areas on the website or mobile application from which personal data are taken are protected by SSL. creates and implements access authorization and control matrices for its employees, In order to ensure that personal data is not accessed unlawfully; Makes periodic penetration tests, tests the system's resistance to unauthorized access, Uses Pseudonymization (pseudonymous data) method for all secondary data processing other than the primary processing purpose. Pseudonymous uses encryption methods in the systems where this data is located in order to make it impossible to identify the person concerned, and applies a stricter access authorization and control policy to this data. Personal data processed through cookies belonging to third parties from which service is received, are deleted from the systems of third parties if the membership is terminated.

Despite MISSMUSE taking the necessary information security measures, in the event that personal data is damaged or in the hands of unauthorized third parties as a result of attacks on the platforms operated by MISSMUSE or the MISSMUSE system, MISSMUSE immediately notifies you and the Personal Data Protection Board and takes the necessary measures.

6. To Whom Personal Data Can Be Transferred And For What Purpose

MISSMUSE transfers personal data to third parties only for the purposes specified in this Privacy and Personal Data Protection Policy and in accordance with Articles 8 and 9 of the KVK Law. Member Customer/Guest Customer data processed in this context and the person to whom the purchased product will be delivered are shared with the seller and the cargo company, and these data can also be accessed by the call center when necessary. The information of the person on whose behalf an invoice will be issued is shared with the cargo company for the purpose of sending the invoice to the relevant person.

Mobile phone number and/or e-mail address of the Member Customer/Guest Customer; Based on the commercial electronic message approval, it is shared with the commercial electronic message tool service provider in order to promote, advertise, offer benefits and opportunities in line with shopping preferences, tastes and habits.

Website or mobile application usage preferences and browsing history are shared with our domestic/abroad business partners from whom cookie service is obtained, for the purpose of segmentation and communication with the Member Customer/Guest Customer in line with their tastes and preferences. Personal data transfers within this scope are carried out through the secure environment and channels provided by the relevant third party. Depending on the content and scope of the service received from third parties; In all cases where there is no need to transfer the personal data of the Member Customer/Guest Customer, the transfer is made using Pseudonymous data (pseudonymous data).

Member Customer/Guest Customer data are shared with companies that will conduct market research in order to increase customer satisfaction and loyalty.

In addition to the technical measures to ensure their security, the personal data subject to domestic and international transfers we mentioned above; Considering that the other party of the legal relationship is a data controller or a data processor, it is also legally protected by the provisions in line with the KVK Law included in our contracts.

While transferring personal information to countries other than Turkey during the sharing of information as stated above, it is ensured that the data is transferred in accordance with this policy and as permitted by the applicable law regarding data protection.

7. Personal Data Retention Periods

MISSMUSE preserves the personal data it processes in accordance with the KVK Law for the periods stipulated in the relevant legislation or required by the purpose of processing. In our Personal Data Retention and Disposal Policy, these periods are approximately as follows:

Call Center audio recordings	3 years	Law No. 6563 and related secondary legislation
Membership and order records	10 years	Law No. 6098
All records related to accounting and financial transactions	10 years	Law No. 6102, Law No. 213
Cookies	Up to 540 days
Commercial electronic message confirmation records	1 year from the date of withdrawal of consent	Law No. 6563 and related secondary legislation
Traffic information about online visitors	2 years	Law No. 5651
Information and/or CVs received due to job application	1 year
Personal data of Member Customer/Guest Customers	10 years after the legal relationship ends; 6563 3 years in accordance with the law and related secondary legislation	Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502
Personal data regarding suppliers	10 years after the legal relationship ends	Law No. 6102, Law No. 6098 and Law No. 213
Personal data received for the purpose of usability testing research	2 weeks

 

You can review our Cookie Policy for the retention periods of personal data we obtain through cookies.

8. Profiling and Segmentation

Using the personal data processed by MISSMUSE Member Customer/Guest Customer;

Regarding the Member Customer/Guest Customer who has given consent to receive commercial electronic messages, it carries out profiling and segmentation in order to prepare more suitable content for the Member Customer/Guest Customer's tastes and preferences, and to make advertisements, promotions and discounts. In terms of Member Customer/Guest Customer who have not given commercial electronic message approval, profiling and segmentation is carried out;

Studies such as product improvement (determining the most sold or unsold product categories), modeling by analyzing shopping preferences, organizing campaigns for customer groups with the potential to buy a certain product and uploading it to the system, and taking actions to increase sales potential are carried out.

Within the scope of profiling and segmentation studies, the personal data of the Member Customer/Guest Customer, especially name and surname, mobile phone, e-mail or address information, are not used directly, instead, transactions are made with the Member Customer/Guest Customer IDs assigned to them. The personal data of the Customer/Member is protected by the use of the Member Customer/Guest Customer ID or in other words pseudonymous data. Member Customer/Guest Customer IDs are accessible only to relevant persons or departments within MISSMUSE. These IDs assigned to the Member Customer/Guest Customer are kept encrypted by MISSMUSE in the system, and access to this section is only given to limited persons.

8. What are the Rights of the Related Persons on their Personal Data and How They Can Use These Rights

The rights of the Relevant Person on the personal data processed by MISSMUSE in accordance with article 11 of the KVK Law are listed below:

• Learning whether personal data is processed or not,
• If personal data has been processed, requesting information about it,
• Learning the purpose of processing personal data and whether they are used in accordance with the purpose,
• Knowing the third parties to whom personal data is transferred at home or abroad,
• Requesting correction of personal data in case of incomplete or incorrect processing,
• Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVK Law,
• Requesting notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data has been transferred,
• Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
• To request the compensation of the damage in case of loss due to unlawful processing of personal data.

In order to exercise your rights over your personal data; www.missmuse.com You can access your account from the "My Account" section of the website, mobile application and mobile site with the extension extension and make the necessary changes, updates and/or deletions. In addition, you can make your application and exercise your rights through the methods specified in the "Application Form" issued in accordance with Article 13 of the KVK Law on the website or mobile application of electronic commerce platforms operated by MISSMUSE.

9. How Relevant Persons Can Change Their Positive or Negative Preferences for Receiving Electronic Commercial Messages

You can change or update your positive or negative preferences for receiving commercial electronic messages, which you have given while subscribing to the website or mobile application of the electronic commerce platforms operated by MISSMUSE, by accessing the "My Account" section at any time.

Termination of membership does not mean withdrawing your consent to receive commercial electronic messages. For this reason, be sure to complete all the procedures to revoke your consent.

In terms of cookie management, you can follow the steps specified in our Cookie Policy.

10. Personal Data Sharing with Official Authorities

MISSMUSE, your personal data regarding your visit or subscription to electronic commerce platforms and mobile applications operated by MISSMUSE, and your traffic information such as your navigation information; In order for MISSMUSE to fulfill its obligation under the law (in cases where MISSMUSE has a legal or administrative obligation to notify or provide information, including but not limited to the fight against crime, the threat of state and public safety, etc.), the public authorities who are legally authorized to request such information will be able to share with institutions and organizations.

11. Cookie Usage and Management

You can review our Cookie Policy for detailed information about the cookies used by MISSMUSE, types of cookies, their purposes, storage periods and cookie management.

12. Terms of Deletion, Destruction and Anonymization of Personal Data

MISSMUSE stores the personal data it processes through its website, mobile application or mobile site for the periods stipulated by the relevant laws and/or for the periods required by the purpose of processing, pursuant to articles 7, 17 of the KVK Law and article 138 of the Turkish Penal Code. In the event that these periods expire, it will delete, destroy or anonymize Personal Data in accordance with the provisions of the Regulation on the Deletion, Destruction or Anonymization of Personal Data.

Deletion of personal data by MISSMUSE means the process of making personal data inaccessible and unusable for the relevant users in any way. MISSMUSE creates and implements a user-level access authorization and control matrix for this. It takes the necessary measures to perform the deletion in the database.

Destruction of personal data by MISSMUSE means the process of making personal data inaccessible, unrecoverable and reusable by anyone.

Anonymization of personal data by MISSMUSE means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

MISSMUSE explains in detail the methods of deletion, destruction and anonymization and the technical and administrative measures it has taken within the scope of the Personal Data Storage and Disposal Policy prepared in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data. In this Policy, the period of time for the periodic destruction stipulated by the Regulation is determined as 6 months.

13. Changes to the Privacy/Personal Data Protection Policy

MISSMUSE can always make changes to this Privacy/Personal Data Protection Policy. These changes will become effective immediately upon the publication of the amended new Privacy/Personal Data Protection Policy. You, our members, will be informed about the changes in this Privacy/Personal Data Protection Policy.