The confidentiality of personal data is of utmost importance to FINNOVA, and personal data will be protected with the highest care by FINNOVA. This Policy explains how personal data will be processed and protected. FINNOVA commits to exercising the highest diligence to ensure the security of personal data. FINNOVA notifies in advance that personal data will not be collected if unnecessary or will cease to be collected when not required for the purp
Data Controller
According to Article 3 of the Law, real or legal persons who determine the purposes and means of processing personal data and manage the place where the data is systematically kept (data recording system) are referred to as data controllers. FINNOVA Kripto Varlık Alım Satım Platformu A.Ş. is the data controller regarding the data of our valued users.
Data Controller: FINNOVA Kripto Varlık Alım Satım Platformu Anonim Şirketi
Address: Barbaros Mah. Begonya Sk. Alive Tower No:7/15 Ataşehir/İstanbul
Tax Office: Kozyatağı
Tax Number: 3881587414
Purpose
FINNOVA Kripto Varlık Alım Satım Platformu A.Ş. operates a platform providing crypto asset trading services. The protection of personal data is of great sensitivity and importance for FINNOVA and is a priority for the company. This Personal Data Protection Policy sets forth the principles and standards adopted to ensure compliance with legislation in the processing and protection of personal data, regulated and protected primarily under the Constitution of the Republic of Turkey, Law No. 6698 on the Protection of Personal Data, and other relevant legislation.
This policy aims to establish FINNOVA's own standards in protecting personal data and to ensure compliance with these standards, as well as fulfilling legal obligations and best protecting the interests of users whose personal data has been collected.
Scope
The provisions of this policy cover all information systems, physical and environmental areas, related systems and regulations involved in the processing of personal data collected by FINNOVA within the scope of its activities and legal obligations. It also includes all personnel within FINNOVA’s departments as well as employees of firms providing support and consultancy services. Any action violating this policy is subject to sanctions pursuant to KVKK and relevant legislation.
Definitions
FINNOVA or Company: Refers to FINNOVA Kripto Varlık Alım Satım Platformu Anonim Şirketi, headquartered at the specified address.
Personal Data: Any information relating to an identified or identifiable natural person.
KVKK or Law: Refers to Law No. 6698 on the Protection of Personal Data.
Data Subject: The person whose personal data is being processed.
Data Controller: The real or legal person who determines the purposes and means of processing personal data, responsible for establishing and managing the data recording system.
Data Processor: Real or legal persons who process personal data on behalf of the data controller based on authorization.
Data Recording System: A system where data received from the data subject is organized and processed according to various criteria.
Explicit Consent: The declaration of consent given freely by the data subject with sufficient information about the matter, unambiguously and limited only to the related processing.
Special Category Personal Data: Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and appearance, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, biometric and genetic data.
Processing of Personal Data: Any operation performed on personal data such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use, whether by automated means or not.
Anonymization of Personal Data: Making personal data impossible to associate with any person.
Clarification Text: The text used for fulfilling the obligation to inform.
Platform: Refers to the domain www.FINNOVA.net, including all subdomains, web pages, internet applications, APIs managed by FINNOVA, as well as the mobile applications provided on Android and iOS operating systems.
Policy: Refers to the FINNOVA Personal Data Protection Policy.
Fundamental Principles in Processing Personal Data
FINNOVA bases its processing of personal data on the following fundamental principles pursuant to Article 4 of the Personal Data Protection Law:
|
PRINCIPLE |
EXPLANATION |
|
Compliance with laws and principles of fairness |
FINNOVA acts in accordance with the principles set forth by laws and other legal regulations in the processing of personal data. |
|
Accuracy and updating when necessary |
Considering the interests and fundamental rights and freedoms of the parties, FINNOVA ensures that personal data is accurate and updated when necessary. |
|
Processing for specific, explicit, and legitimate purposes |
FINNOVA commits to making the personal data processing activity understandable by the data subject, explaining on which legal basis it is performed, and clarifying the purpose of the processing in sufficient detail. |
|
Relevance, limitation, and proportionality with the purpose of processing |
FINNOVA knows and acts accordingly to process personal data only to the extent necessary for the realization of the purposes and avoids processing data unrelated or unnecessary to the purpose. |
|
Retention for the period prescribed by applicable legislation or necessary for the purpose of processing |
FINNOVA retains personal data for a period compatible with the purpose for which they were processed. |
Processing of Special Categories of Personal Data
Article 6 of the Personal Data Protection Law lists special categories of personal data. These include data related to race, religious belief, sect or other beliefs, ethnic origin, philosophical belief, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures. Special categories of personal data may be processed by FINNOVA based on the explicit consent of the data subject, or if such consent is not obtained, in cases prescribed by law, provided that adequate security measures are taken.
Transfer of Personal Data
FINNOVA exercises utmost care in the transfer of personal data domestically and abroad in accordance with the applicable legislation. FINNOVA may transfer personal data to third parties within Turkey. FINNOVA will take all necessary security measures as prescribed by law and other regulations, including outsourcing, for processing and storing personal data in Turkey. Unless otherwise stipulated by relevant legislation, FINNOVA may transfer personal data abroad with the explicit consent of the data subject.
To provide higher quality service to users and to conduct operations more effectively, personal data such as full name, date of birth, residence address, and contact details may be transferred to domestic and international third parties with whom FINNOVA has business relations, including project and program partners, consultancy service providers, support service providers, auditing and support organizations, social media service providers, infrastructure providers, and call center service providers, to the extent necessary for the work.
Transfer of Personal Data (Continued)
The transfer of personal data is conducted in accordance with Articles 8 and 9 of Law No. 6698. The company carries out transfers to business partners, employees, subcontractors and suppliers, public institutions, and legally authorized private persons and authorities, provided that all legally prescribed security measures are taken. With the user's consent to receive electronic commercial communications, the user's phone number and email address may be shared with third-party commercial electronic service providers for offering benefits and opportunities.
FINNOVA may share data with overseas business partners if necessary. Personal data may be transferred abroad to third parties such as cloud service providers, hosting companies, IT, and server service providers under security measures and in compliance with the law. Data transferred abroad will be done so with the explicit consent of the users. Personal data transferred domestically or internationally will be subject to strict controls and transferred in compliance with the Personal Data Protection Law.
Conditions for Processing and Sharing Data
Personal data can only be processed or shared in a lawful and fair manner. One of the following conditions must be met for personal data processing or sharing. These processes are periodically audited by FINNOVA.
|
CONDITION |
EXPLANATION |
|
Explicit Consent of the Data Subject |
The data subject must freely give clear, unambiguous consent regarding the processing and sharing of their personal data, limited to that specific process, with adequate information. |
|
Explicit Legal Provision |
When explicitly provided by law, personal data can be processed or shared without consent from the data subject. |
|
Impossibility of Consent |
When the data subject cannot express consent due to factual impossibility, or in cases where the protection of life or physical integrity of the data subject or others is at risk, personal data may be processed or shared without consent. |
|
Legal Obligation |
FINNOVA may process or share personal data without consent when required to fulfill legal obligations to public institutions and authorities. |
|
Establishment, Use or Protection of a Right |
If processing or sharing is necessary for the establishment, exercise or protection of a right, personal data may be processed or shared. |
|
Direct Relation to a Contract |
When FINNOVA and the data subject are parties to a contract, personal data may be processed or shared if directly related to the establishment or performance of the contract. |
|
Legitimate Interests |
Personal data may be processed or shared if necessary for legitimate interests of the parties, provided that fundamental rights and freedoms are not harmed. |
|
Public Disclosure by Data Subject |
If the personal data has been made public by the data subject, it may be processed or shared accordingly. |
Data Security
In case of any breach of personal data security, including cyberattacks, intrusion attempts, or data theft, FINNOVA shall notify the Personal Data Protection Board and the relevant individuals as soon as possible and no later than 72 hours after becoming aware of the incident.
FINNOVA implements authorization controls to access archives or server rooms where personal data is stored and takes measures to prevent unauthorized entry. The physical security of areas where personal data is stored is carefully maintained.
FINNOVA will update security measures in line with changes in legislation. The company is sensitive about training and experience of personnel who are in close contact with personal data. Periodic audits will be conducted, and necessary precautions will be taken if potential risks are identified. FINNOVA personnel are aware that personal data will not be disclosed to others or used beyond the intended processing purpose. FINNOVA strives to minimize the collection of personal data and takes all legal and administrative measures necessary for data security.
Necessary measures are taken to ensure the security of personal data stored on devices or in cloud environments. In addition to firewalls and gateways in information systems, system-level measures prevent security vulnerabilities such as data copying. Control mechanisms are established against software and hardware failures that may cause data loss.
FINNOVA has implemented physical and software security measures and established control mechanisms to ensure data security.
FINNOVA avoids taking any risks that may cause security threats. Visitors noticing any security vulnerabilities are kindly requested to send an email explaining the details of the security issue along with their full name to destek@finnova.com.tr.
Risk Assessment
FINNOVA identifies and evaluates risks associated with the processing of personal data. The risks related to personal data processing are managed within the scope of this Policy to avoid non-compliance. If an activity is likely to pose a high risk to the fundamental rights and freedoms of the data subject, FINNOVA conducts a data protection impact assessment. Based on the results of this assessment, the data subject is contacted and informed about the potential risks.
Data Protection Principles
FINNOVA protects personal data in accordance with the following principles:
Obtaining Explicit Consent and Disclosure Obligation
The explicit consent declaration is a text based on informing the data subject about the processing, transfer, and storage of personal data and is approved by free will. Explicit consent is obtained in a written or systemically verifiable manner from the user. The data subject may withdraw the explicit consent at any time. Explicit consent texts and other forms obtained are stored by the relevant department.
In accordance with Article 10 of the Personal Data Protection Law, the disclosure text includes the purposes of data processing, recipients and purposes of transfer, methods and legal basis of data collection, users’ rights, and the retention period of personal data.
Anonymization, Deletion, and Destruction of Personal Data
If the reasons requiring the processing of personal data under the law cease to exist, such personal data shall be deleted, destroyed, or anonymized ex officio or upon the request of the data subject. FINNOVA reserves the right not to comply with requests of the data subject when retention of data is required by law.
FINNOVA performs the anonymization, deletion, and destruction processes in the most appropriate manner according to the data and activity, in line with the guidelines published by the Personal Data Protection Board.
FINNOVA will identify personal data that are unnecessary or whose retention is unlawful among the personal data it stores. If cloud services are used, it will check whether data is stored by the service provider and ensure anonymization, deletion, or destruction where necessary. Access channels to personal data will be identified and unauthorized channels will be blocked.
Personal data kept in paper format must be shredded whenever possible. If shredding is not feasible, the data will be irreversibly obscured by crossing out, painting, or erasing with permanent ink so that it cannot be read by technological means. Physical data must be destroyed; if destruction is impossible, the media must be dismantled or destroyed. Personal data and documents on central servers must be deleted with the operating system’s delete command or access by relevant users must be blocked. Rows containing personal data in databases must be deleted.
Merely deleting personal data records is not sufficient when destruction is required. Personal data subject to destruction must be shredded into small pieces that cannot be understood according to the medium, demagnetized, physically destroyed, or overwritten to render them unrecoverable. All copies of encryption keys must be destroyed.
Personal data to be anonymized must have all direct and indirect identifiers removed or modified so that the data can no longer be linked to the data subject. Anonymization methods such as variable/record removal, regional masking, data swapping, noise addition, generalization, top and bottom coding, sampling, microaggregation will be applied accordingly. Statistical methods such as K-Anonymity, L-Diversity, and T-Closeness are also used as safeguards
Commercial Communications
When registering to FINNOVA’s Platform or afterwards, the User can change their positive or negative preference to receive commercial communications such as promotional, advertising, or notification messages by sending an email to support@finnova.com.tr or contacting our Customer Support Team. Due to workload and updates, the preference communicated by the User to FINNOVA may be processed within one week. During this one-week period, communications may continue to be sent to the User or may be stopped despite the request. Termination of the User’s membership does not mean the cessation of commercial electronic communication. Also, the User must revoke the consent previously given for receiving commercial communications.
User Rights under the Personal Data Protection Law
As a data subject under Article 11 of the Personal Data Protection Law, your rights are as follows:
To apply regarding your personal data under the law, you must submit your applications in accordance with Article 13 of KVKK and Article 5 of the Communiqué on Application Procedures to the Data Controller published in the Official Gazette No. 30356 dated 10.03.2018.
FINNOVA will conclude applications made in accordance with relevant legislation within 30 days at the latest, in line with Article 13 of the Personal Data Protection Law. Your request will be either accepted or rejected, and the reasoned response will be communicated in writing or electronically to the applicant. If the requested transaction requires additional fees, the tariff set by the Personal Data Protection Board will apply.
If you wish to apply under the legislation, you may choose one of the following methods:
Acceptance and Enforcement
This policy is published on the Company's website (https://finnova.com.tr/) and comes into effect as of the date of publication. The user accepts this policy upon registration. This Policy has been prepared in accordance with relevant legislation, and FINNOVA reserves the right to update and modify this Policy in line with changes in the legislation.
Your identity images and selfie photos are shared with the "Sumsub" platform for verification purposes.