KVKK Privacy Notice

This KVKK Privacy Notice ("Notice") is prepared in accordance with Article 10 of Turkish Law No. 6698 on the Protection of Personal Data ("KVKK") and the related Communiqué on the Procedures and Principles for Fulfilling the Obligation of Disclosure, to inform data subjects about how their personal data is processed by ENA Innovation Sağlık ve Yazılım Teknolojileri San. Tic. A.Ş.

Data Controllers Registry (VERBİS): ENA Innovation is registered with the Veri Sorumluları Sicili (VERBİS — Data Controllers Registry) maintained by the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu). Registration information is accessible through the VERBİS portal at verbis.kvkk.gov.tr.

---

1. Data Controller Identity#

The data controller responsible for your personal data is:

---

2. Purposes of Personal Data Processing#

ENA Innovation processes your personal data for the following purposes, in accordance with KVKK Article 5 and 6:

1. Account management and identity verification — Creating and managing your EnaGate and EnaSpace accounts, verifying your identity, and managing login sessions.

2. Performance of the service contract — Providing access to the EnaSpace ecosystem products and features you have subscribed to, including EnaFeedback, EnaSmartway, EnaQuality, and EnaTto.

3. Billing and invoicing — Issuing electronic invoices, collecting subscription fees, and maintaining financial records as required by Turkish tax legislation (VUK, KDV).

4. Legal compliance and regulatory obligations — Complying with Turkish tax law, commercial law, and other applicable legislation, including record-keeping obligations.

5. Log management under Law No. 5651 — Maintaining system access logs and internet traffic logs as required by Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications. These logs are retained for the legally mandated period.

6. Security and fraud prevention — Detecting and preventing unauthorized access, identity fraud, and malicious activity that may affect platform integrity or other users.

7. Customer support — Responding to support requests, resolving technical issues, and communicating necessary service updates.

8. Product improvement — Using anonymized or aggregated usage data to improve service quality and performance.

9. Marketing and promotional communications (with consent) — Sending commercial communications about new features, promotions, or ecosystem products, where you have given explicit consent. You may withdraw this consent at any time by clicking the unsubscribe link in any marketing email or by contacting [email protected] with subject line "Marketing Opt-Out".

10. Platform notification delivery and tenant integrations — EnaSpace products may deliver operational SMS and email notifications (alerts, confirmations, transactional messages) to end users and stakeholders as part of their core functionality. When platform delivery applies, outbound SMS for Turkish (+90) numbers is delivered via NetGSM (licensed Turkish mobile messaging gateway) and non-Turkish numbers via Bird (global SMS platform); transactional email is delivered via Resend. These providers act as sub-processors and process recipient contact data solely for message delivery. Certain products (including EnaFeedback) also allow Tenants to configure bring-your-own SMS gateways (Twilio, Infobip, NetGSM, Bird, or custom webhook) and outbound webhooks to Tenant-specified endpoints (e.g., Slack, Microsoft Teams, n8n). Integration credentials are stored encrypted at rest; event and SMS data is transmitted on the Tenant's instructions. Tenant-designated receiving systems and BYO SMS providers are not ENA Innovation sub-processors. All such processing on behalf of end-user notification and integration activity is carried out under the Tenant's instructions (the Tenant is the Data Controller) and is governed by the applicable Data Processing Agreement.

---

3. Legal Basis for Processing#

The processing of your personal data is carried out in accordance with the following legal bases under KVKK Article 5:

---

4. Categories of Personal Data Processed#

Identity Data: Name, surname, email address, phone number, username.

Contact Data: Email address, phone number, billing address.

Financial Data: Invoice information, payment confirmation details (payment card data is processed exclusively by our licensed payment processors — PayTR for domestic transactions, Paddle for international transactions — and is not stored by ENA Innovation).

Technical/Transactional Data: IP address, browser information, device type, operating system, session and authentication tokens, system access logs.

Usage Data: Feature usage patterns, access timestamps, product interaction data (processed in anonymized or aggregated form for analytics). Platform analytics are collected via a self-hosted, privacy-first analytics platform which does not use tracking cookies and does not collect personally identifiable information; data collected through this platform does not constitute personal data under KVKK.

Special Category Data: ENA Innovation does not intentionally collect any special category personal data (sensitive data) as defined by KVKK Article 6 through the standard platform registration and use process. However, Tenant customers using products such as EnaQuality in the healthcare sector may upload data that qualifies as special category data. Tenants are fully responsible for ensuring such data is processed only with explicit consent of data subjects or under another applicable legal basis under KVKK Article 6, and that the appropriate technical and organizational safeguards required by KVKK Article 6(4) are in place.

---

5. Domestic Data Transfers#

Personal data may be shared with the following domestic parties:

• PayTR Ödeme Hizmetleri A.Ş.: For processing subscription payments from Turkish customers.
• Authorized accountants and tax advisors retained by ENA Innovation for legal compliance purposes.
• Competent public authorities (courts, regulatory authorities, law enforcement) when legally required.

---

6. International Data Transfers#

ENA Innovation primarily stores personal data within the Republic of Türkiye on Huawei Cloud's TR-West-1 (Istanbul) infrastructure. However, limited categories of data may be transferred outside Türkiye in the following circumstances.

Legal Framework — KVKK Amendment (Law No. 7499, effective April 1, 2024). International data transfers are governed by the amended KVKK Article 9 framework, which establishes the following hierarchy of transfer mechanisms:

1. Adequacy decision issued by the KVKK Board (Kurul) for the recipient country — no adequate countries have been formally designated as of the effective date of this Notice.
2. Appropriate safeguards including: (a) standard contractual clauses (standart sözleşme maddeleri) approved by the KVKK Board; (b) binding corporate rules; or (c) written undertakings (taahhüt) approved by the KVKK Board.
3. Explicit consent of the data subject, where permitted as a residual mechanism under KVKK Article 9(2).

Paddle (Ireland/United Kingdom): For international subscription billing (non-TRY payments), billing and transaction data is shared with Paddle.com Inc. Paddle operates under EU GDPR and Standard Contractual Clauses. For KVKK compliance, the transfer relies on written contractual undertakings and, where required as a supplementary measure, explicit consent obtained during the subscription checkout process.

AI and cloud service components: Certain platform features may utilize AI or cloud infrastructure operated outside Türkiye. In such cases: personal data is minimized to the extent technically possible; transfers are conducted through the applicable KVKK Article 9 mechanism described above; and data subjects are informed through Policy updates of any material changes.

Users will be informed of any new international transfers that materially affect their data through a Policy update at least 30 days before the transfer commences.

---

7. Retention Periods#

Following the applicable retention period, personal data is permanently deleted, anonymized, or destroyed in accordance with KVKK's Personal Data Storage and Disposal Regulation.

---

8. Security Measures (KVKK Article 12)#

ENA Innovation implements and maintains the technical and administrative measures required under KVKK Article 12 to prevent unlawful processing of personal data, unlawful access to personal data, and to ensure the preservation of personal data. These measures include encryption in transit (TLS 1.3) and at rest (AES-256), multi-tenant logical data isolation, role-based access control, 24/7 monitoring, and periodic access reviews. Detailed information is available in our Security Infrastructure notice.

---

9. Rights of Data Subjects Under KVKK Article 11#

As a data subject under KVKK, you have the following rights:

1. Right to learn whether your personal data is being processed.
2. Right to request information about the processing, if it is being processed.
3. Right to know the purpose of processing and whether it is used in accordance with that purpose.
4. Right to know third parties to whom data is transferred domestically or abroad.
5. Right to request correction of incomplete or inaccurate data and notification of the correction to third parties.
6. Right to request deletion or destruction when the grounds for processing have ceased to exist, and notification of this to third parties.
7. Right to object to automated decision-making that has adverse consequences for you, including profiling.
8. Right to claim compensation for damages resulting from unlawful processing.

---

10. How to Submit a Request#

To exercise your rights under KVKK Article 11, you may submit a written application using one of the following methods:

By email: [email protected] — Subject line must include "KVKK Başvurusu" (KVKK Application). You must attach a copy of your identity document (passport or ID card) to verify your identity.

By post: ENA Innovation Sağlık ve Yazılım Teknolojileri San. Tic. A.Ş., Battalgazi Mah. Eskişehir Yolu Bulv., A.N.S. Kampüsü, Zafer Teknopark, Merkez/Afyonkarahisar, Türkiye — envelope must be marked "KVKK Başvurusu".

Application Requirements. Your application must include: your name and surname, contact information, the specific right you wish to exercise, and a description of your request. Applications submitted in Turkish will be prioritized.

Response Time. We will respond to your application within 30 (thirty) days from receipt. Responses will be provided free of charge; however, if the application requires excessive processing, a fee as determined by the KVKK Board may apply.

If your application is rejected or you are dissatisfied with our response, you have the right to file a complaint with the Kişisel Verileri Koruma Kurumu (KVKK Board) at www.kvkk.gov.tr.

---

11. Contact#

ENA Innovation Sağlık ve Yazılım Teknolojileri San. Tic. A.Ş. Battalgazi Mah. Eskişehir Yolu Bulv., A.N.S. Kampüsü, Zafer Teknopark, Merkez/Afyonkarahisar, Türkiye

• Email: [email protected]
• Phone: +90 850 308 45 91
• MERSİS: 0334130943400001