Privacy Notice on The Processing of Personal Data

Doktar Teknoloji Anonim Şirketi (“Doktar”, “we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Notice explains how we collect, use, disclose, retain, and protect your personal data when you use the Application, including both its mobile (iOS/Android) and web-based platforms.

This Privacy Notice is provided separately from any explicit consent you may give for specific data processing activities (e.g., marketing communications). Consent is not required to agree to this notice.

1. Who We Are

1. Data Controller:
   Doktar Teknoloji Anonim Şirketi
   Reşitpaşa Mahallesi Katar Caddesi İTÜ Arı Teknokent 3 Binası No: 4 İç Kapı No: B301 Sarıyer/İstanbul (post: 34467)
   MERSIS number:0309-0343-8730-0011
2. Contact Details:
• Email: support@doktar.com
• Phone: +90 (850) 433 6477
• Address: Reşitpaşa Mahallesi Katar Caddesi İTÜ Arı Teknokent 3 Binası No: 4 İç Kapı No: B301 Sarıyer/İstanbul (post: 34467)
3. Scope:
   This Privacy Notice applies to personal data collected through the Application, including both mobile and web-based platforms. For more details about how your data is handled in the context of our broader services (e.g., website visits, offline interactions), please refer to any additional privacy statements we may provide.

2. What Personal Data We Collect

Depending on how you use the mobile or web-based Application, we may collect the following categories of personal data:

1. Identity Data: Name, surname, user ID, or other identifiers.
2. Contact Data: Email address, phone number, mailing address.
3. Account Credentials: Login credentials (phone number or other System Access Tools).
4. Field & Location Data: GPS coordinates, field information, or other geographic details to provide satellite imagery and agronomic recommendations.
5. Device & Usage Data:
• Device type, operating system, unique device identifiers, IP address.
• Log information about your sessions, features used in the Application, crash reports, and activity logs.
6. Payment & Transaction Data (if you subscribe to paid services): Payment card details (tokenized by the app store or payment processor), transaction history, invoicing information.
7. Marketing & Communication Preferences: Records of your opt-ins or opt-outs for receiving marketing or commercial communications.

Sensitive Personal Data: We generally do not request or require sensitive data (e.g., health information, race, religion). If you choose to provide it, you do so under your own responsibility. We will handle it under this Privacy Notice as applicable.

3. How We Collect Your Personal Data

We collect personal data about you from various sources and through different methods, depending on how you interact with the Application (both mobile and web-based platforms). These methods include:

1. Directly from You (User-Provided Information):

· When you register for an account via the mobile or web platform.

· When you submit information by filling out forms within the Application (e.g., field details, crop types, contact details).

· When you contact us for support, provide feedback, or communicate with Doktar via email, chat, or phone.

· When you participate in surveys, promotions, or marketing campaigns we organize (if you opt in).

2. Automatically Collected Through Technology:

· When you access or use the Application, we automatically collect certain technical data and usage information, including:

o Device information (device type, operating system, device identifiers).

o IP address and location data (based on IP or device settings).

o Log and event data (e.g., login timestamps, feature usage logs).

o Clickstream data and interaction records within the mobile and web-based Application.

· We collect this data using cookies, SDKs , pixels, log files, and similar tracking technologies integrated into both the mobile and web versions of the Application.

3. From Third Parties and External Sources:

· When you log in using third-party services (if applicable), such as app stores (Apple App Store, Google Play) or social login providers (when enabled).

• From payment processors (for example, information confirming successful payment or transaction details).
• From business partners or service providers , who may provide us with additional information to supplement our records or provide integrated services within the Application.

4. Purposes and Legal Bases for Processing

We process your personal data under one or more of the following legal bases (as defined by GDPR Article 6 and Turkish Law No. 6698 (“KVKK”) where relevant):

1. Performance of a Contract (GDPR Art. 6(1)(b))
• To provide the services described in the Terms (e.g., satellite imagery, weather data, irrigation scheduling).
• To administer your account, authenticate your login, and communicate essential information about the Application.
2. Legitimate Interests (GDPR Art. 6(1)(f))
• To analyze usage trends, improve our Application functionality, or develop new services (while considering your data protection rights).
• To protect our rights and interests (e.g., fraud prevention, security measures, defense in litigation).
3. Consent (GDPR Art. 6(1)(a))
• Where required by law (e.g., sending direct marketing messages or using non-essential cookies).
• You can withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
4. Legal Obligations (GDPR Art. 6(1)(c))
• To comply with legal requirements (e.g., tax and accounting rules, or responding to lawful requests by government authorities).

Below is a breakdown of the personal data categories we process, their purposes, and the corresponding legal bases under GDPR and PDPR.

5. How We Use Your Personal Data

1. Providing the Service:
• Displaying and analyzing satellite imagery of your fields.
• Offering agronomic advice (irrigation programs, fertilization recommendations, etc.).
• Facilitating subscription services and in-app purchases.
2. Account Management & Support:
• Verifying your identity when you log in.
• Sending operational communications (e.g., confirmations, subscription or account status alerts).
3. Analytics & Improvements:
• Understanding user behavior to optimize features, fix issues, and improve performance.
• Conducting internal research or aggregated analytics (e.g., usage statistics).
4. Marketing & Communications (if you opt in):
• Sending promotional messages about new features, updates, or relevant agricultural topics.
• Allowing you to manage your communication preferences (opt out any time).
5. Compliance & Protection:
• Complying with legal obligations.
• Enforcing or defending against legal claims, preventing fraud, and securing our systems.

6. Disclosures Of Your Personal Data

We only share personal data with third parties in the following circumstances:

1. Service Providers: We may share data with trusted vendors (e.g., hosting providers, analytics platforms, payment processors) who process data on our behalf and under our instructions.
2. Affiliates / Group Companies: For internal administrative purposes or to provide integrated services, subject to the same security and privacy obligations.
3. Legal Obligations: We may disclose data if required by law or if necessary to respond to lawful requests by public authorities (e.g., courts, regulatory agencies).
4. Business Transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the relevant third party.
5. With Your Consent: We may share data for other purposes if you expressly consent.

We do not sell or rent your personal data to third parties. For information about cross-border transfers, please see Section 7.

7. International Data Transfers

Doktar processes and stores your personal data on Microsoft Azure servers located within the European Union. We do not transfer your personal data outside the European Economic Area (EEA) or Turkey.

If we need to transfer your personal data outside of the EEA or Turkey in the future, such transfers will be conducted in compliance with applicable data protection laws, including GDPR and KVKK. Appropriate safeguards, such as Standard Contractual Clauses (SCCs), will be implemented where necessary.

8. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including the provision of our services, compliance with legal, accounting, and reporting requirements, and protection of our legitimate interests.

The exact duration for which we retain personal data depends on several factors, including:

• The nature of the personal data;
• The purpose for which it is collected and processed;
• Our legal and regulatory obligations (e.g., tax laws requiring the retention of certain transaction records);
• Whether retention is necessary to protect our legal rights (e.g., in case of disputes or litigation);
• User requests for account deletion or withdrawal of consent (where applicable).

Once the retention period ends, or where you request deletion and there is no overriding legal basis for continued retention, we securely delete or anonymize your personal data.

For more detailed information about our data retention criteria or to request deletion of your personal data, you can contact us at: support@doktar.com.

9. Your Rights (GDPR & KVKK)

Depending on the applicable law (GDPR, KVKK), you may have the following rights:

1. Right of Access:You have the right to request confirmation of whether we process your personal data and access to that data.

2. Right to Rectification:You have the right to request the correction of inaccurate or incomplete personal data.

3. Right to Erasure: You may request the deletion of your personal data under certain conditions (e.g., when it is no longer necessary for the purpose it was collected).

4. Right to Restrict Processing:ou can request that we restrict processing of your personal data where you contest its accuracy, object to processing, or believe processing is unlawful.

5. Right to Data Portability:You can request your personal data in a structured, commonly used, and machine-readable format, and to have it transferred to another controller.

6. Right to Object:You have the right to object to our processing of your personal data where processing is based on legitimate interests or for direct marketing purposes.

7. Account Deletion Request:You can request the deletion of your account.

8. Rights Related to Automated Decision-Making:You can request not to be subject to decisions based solely on automated processing.

9.1. How to Exercise Your Rights

You can submit a request to exercise your rights by contacting us via one of the following methods:

• Email: support@doktar.com
• Online Data Request Form: https://r.doktar.io/privacy
• Postal Address: Reşitpaşa Mahallesi Katar Caddesi İTÜ Arı Teknokent 3 Binası No: 4 İç Kapı No: B301 Sarıyer/İstanbul (post: 34467)

For KVKK requests, you can submit your application in accordance with Article 13 of the Law and the Communiqué on the Procedures and Principles of Application to the Data Controller.

We will respond to your request as soon as possible and within one month at the latest (or within 30 days for KVKK applications), in accordance with applicable data protection laws.

If we reject your request, we will inform you of the reasons in writing or electronically.

9.2. Complaints

If you believe that we have not adequately addressed your request or if you are concerned about how we process your personal data, you have the right to lodge a complaint with:

• The Turkish Personal Data Protection Authority (KVKK Authority): https://www.kvkk.gov.tr
• The Data Protection Authority in your country of residence (if you are located in the European Economic Area).
  Contact details of European supervisory authorities can be found here: https://edpb.europa.eu/about-edpb/board/members_en

10. Security Measures

We take the protection of your personal data seriously and implement appropriate technical and organizational measures to ensure its security, confidentiality, integrity, and availability, in accordance with Article 32 of the GDPR and Article 12 of the KVKK.

Our security measures include, but are not limited to:

Technical Measures:

• Encryption: We use industry-standard encryption protocols (TLS/SSL) to protect personal data in transit. Data at rest is encrypted using AES-256 encryption on our cloud servers.
• Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis, controlled through role-based access control (RBAC) and multi-factor authentication (MFA).
• Network Security: Our infrastructure is protected by firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).
• Backups and Disaster Recovery: We perform regular data backups and have disaster recovery and business continuity plans in place.
• Monitoring and Logging: Continuous monitoring and logging of system activities help us detect and respond to potential security threats in real time.

Organizational Measures:

• Data Protection Policies: We maintain comprehensive data protection and information security policies that outline how personal data is processed and protected.
• Employee Training: All employees and contractors receive regular training on data protection, privacy, and information security best practices.
• Confidentiality Agreements: All personnel with access to personal data are bound by confidentiality obligations.
• Vendor Risk Management: We conduct due diligence and impose contractual obligations on our third-party service providers to ensure they implement adequate security measures.
• Data Protection Impact Assessments (DPIAs): We carry out DPIAs where processing presents a high risk to the rights and freedoms of individuals, in line with GDPR and KVKK requirements.
• Regular Audits and Assessments: We conduct regular internal audits and engage third-party security assessments to ensure compliance with data protection laws and internal policies.

Although we implement and maintain reasonable security measures to protect your personal data, no system is completely secure. If you believe your personal data has been compromised, please contact us immediately at support@doktar.com.

11. Third-Party Links & Features

The Application may contain links to third-party websites or integrations with third-party services. We are not responsible for the privacy practices of such third parties. We encourage you to review their privacy policies before providing any personal data.

12. Updates To This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our data practices or legal obligations. We will notify you of material changes by posting the revised notice in the Application or via other appropriate channels. The Effective Date at the top indicates when the notice was last updated.

13. Contact Us

If you have any questions, concerns, or wish to exercise your rights regarding your personal data, please contact us at:

• Doktar Teknoloji Anonim Şirketi
• Email: support@doktar.com
• Phone: +90 (850) 433 6477
• Address: Reşitpaşa Mahallesi Katar Caddesi İTÜ Arı Teknokent 3 Binası No: 4 İç Kapı No: B301 Sarıyer/İstanbul (post: 34467)

We will do our best to address your inquiry promptly.