Data Protection Statement for AloTech

Data Controllers

The controllers as per the EU General Data Protection Regulation (“GDPR”) are:

AloTech (Turkey)

Head Quarter:
NidaKule Plaza, Kozyatağı Mahallesi, Değirmen Sokak, No:18 Kat:13 D:22, 34720 Kadıköy/İstanbul, Turkey
Website: https://alotech.com.tr/
E-Mail: kvkk@alo-tech.com
General Manager: Mr. Cenk Soyak

Technopark Office – Branch Office:
YTÜ Davutpaşa Kampüsü Teknoloji Geliştirme Bölgesi, Ar-Ge 1 Binası, B Blok Zemin Kat No: 2, Esenler, 34220 İstanbul, Türkiye
Website: https://alotech.com.tr/
E-Mail: kvkk@alo-tech.com

United States of America

Subsidiary Office:
651 N Broad Street, Suite 206, Middletown, 19709, New Castle
Website: https://alotech.com.tr/
E-Mail: kvkk@alo-tech.com
General Manager: Mr. Cenk Soyak

Branch Office:
1 East Erie St. Suite 525 PMB 4651, Chicago, IL, 60611
Website: https://alotech.com.tr/
E-Mail: kvkk@alo-tech.com

Representative of AloTech

Mr. Bektaş Doğan
Bucharest Sector 4, Strada PANSELELOR, No. 6, O CAMERĂ, Block 142, Staircase 2, Floor 4, Apt. 76, Bucharest, Romania
Website: https://alotech.com.tr/
E-Mail: kvkk@alo-tech.com
Trade Register: J40/15090/2021

Data Protection Officer of AloTech

Path Düsseldorf GmbH
Certified DPO: Kemal Hakan Hasserbetci
Lise-Meitner Strasse No: 6, 40878 Ratingen, Germany
E-Mail: h.hasserbetci@pathdusseldorf.de & hakan@pathdusseldorf.com
General Manager: Kemal Hakan Hasserbetci
HRB 74806 Düsseldorf
Steuer Nr.: 147/5857/1411
USt-IdNr.: DE300087677

What is GDPR (General Data Protection Regulation)

The General Data Protection Regulation (GDPR) was approved by the European Commission (EC) on 27 April 2016 and becomes law on 25 May 2018. It replaces the previous European Commission legislation which dealt with data protection, which was the Data Protection Directive of 1995, and one of the major differences between the GDPR and the previous law is that the GDPR is a Regulation rather than a Directive. This means that it automatically becomes law in each of the countries that make up the European Union without each of these countries needing to create their own, individual laws (in contrast with the previous Directive where, in each of the member states, a separate Data Protection Act had to be passed by the relevant state legislative body to enact it).

The GDPR document itself is eighty-eight pages long and consists of two main parts:

• Recitals: 173 numbered paragraphs that lay out the principles and intentions of the Regulation; if you like, the background. (The Recitals are important because they provide additional details and insight into the purpose and functions of the Articles.)
• Articles: The 99 sections that set out the detail of the Regulation – this is the part that must be complied with.

GDPR concerns the personal data of EU citizens wherever that data is held. This means that if your organization is not based in the European Union but has customers (or suppliers or other parties) within it whose data you hold, the GDPR applies to you. Leading on from this, it means that if your organization doesn’t look after that data in the way the GDPR requires, your organization may be subject to the penalties that the Regulation allows. If you do experience a breach of personal data, you have no choice but to tell the relevant supervisory authority about it. Keeping a serious data breach to yourself is no longer an option. But the mainstay of what the GDPR is about is forcing organizations to take the protection of the personal data of EU citizens seriously.

Aim and Scope of our Policy

We hereby thank and appreciate you for visiting our website and your interest in our services we offer all around the world including EU, US, Middle East & APAC. The websites and our unique offerings are designed and done available by the companies in AloTech as mentioned above.

We are 100% committed to protecting your personal data. In this Privacy Policy, we clearly underline how we collect your personal data, that means for which purposes we do, what we do with your personal data and naturally what rights you as data subjects have based on what legal grounds, steps we according to GDPR have to take and to protect your personal data and choices you are provided with respect to the use of your personal data. We take your privacy into our consideration since your privacy is so important not only to our management but also all the company colleagues, and the third parties who are acting as our processors and sub-processors.

As a matter of fact, we use your personal information only to manage your customer account/profile, to provide the services you order, to keep you informed about our services, in case you have consented. The protection, confidentiality, and integrity of your personal information is very much important to each member of our organization.

Our Data Protection Notice clarifies our unique approach to any Personal Data which may be collected from you by us and the purpose of processing your Personal Data as a Data Controller of our clients and 3rd party partners and as a Data Processor of clients’ customers. As Data Processor, we process End Customer Data of our clients on behalf of our clients who are named as Data Controllers in GDPR. The personal data transferred from sender to receiver in general might be named as all electronic data, messages sent by clients and received by AloTech. Some of your personal Data either is processed by us and or by our processors and sub-processors.

In our platform called AloTech designed and offered to our clients, some available embedded services also include processing of personal data on behalf of our clients who are Data Controller of their end customers, related with applications and tools where AloTech platform offers. As we are not acting as Data Controller of the hosted data, and we are only the one named Data Processor according to GDPR and our clients called Data Controller define the purposes of the processing.

We make a commitment to ensuring that personal data of our website visitors processed in line with GDPR, and domestic laws and all visitors conduct themselves in line with this, and other related policies. Where third parties process data on behalf of us, we will ensure that the third party takes such measures in order to maintain our commitment to protecting data. In line with GDPR, we understand that it will be accountable for the processing, management and regulation, and storage and retention of all personal data held in the form of manual records and on computers.

Personal Data: Information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data.

Special Categories of Personal Data: Data which relates to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).

Data Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Children: This website is not designed or intended for use by children under the age of 16. We do not knowingly collect any Personal Data from anyone under the age of 16 without the prior, verifiable consent of a parent or guardian. Such parent or guardian may have the right, upon request, to view the information provided by the child and require that it be deleted. Moreover, all minors should seek their parent’s or guardian’s permission prior to using or disclosing any Personal Data on this website or online resource.

Personal Data

Personal Data: Any kind of information can be personal data provided that it relates to an identified or identifiable person. Personal data covers information pertaining to the private life of a person, which also includes professional activities, as well as information about his or her public life. Under EU law, information contains data about a person if:

• An individual is identified or identifiable by this information; or
• An individual, although not identified, can be singled out by this information in a way which makes it possible to find out who the data subject is by conducting further research.

Data Subject

Data Subject: Under EU law, natural persons are the only beneficiaries of data protection rules (Article 1) and only living beings are protected under European data protection law (Recital 27. See also Article 29 Working Party (2007), Opinion 4/2007 on the concept of personal data, WP 136, 20 June 2007, p. 22.) The General Data Protection Regulation (GDPR) defines personal data as any information relating to an identified or identifiable natural person.

Both types of information are protected in the same manner under European data protection law. Direct or indirect identifiability of individuals requires continuous assessment, “taking into consideration the available technology at the time of the processing and technology developments”. (General Data Protection Regulation, Recital 26.)

The GDPR stipulates that a natural person is identifiable when he or she “can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person” (General Data Protection Regulation, Art. 4 (1)).

Data Subject Rights

Data Subject Rights in General: Every data subject has the right to information about processing of his or her personal data by a data controller, with limited exceptions. Data subjects shall have the right to:

• Access their own data and obtain certain information about the processing.
• Have their data rectified by the controller processing their data if the data are inaccurate.
• Have the controller erase their data, as appropriate, if the controller is processing their data illegally.
• Temporarily restrict processing.
• Have their data ported to another controller under certain conditions.
• Object to processing on grounds relating to their particular situation or the use of their data for direct marketing purposes.
• Not be subject to decisions based solely on automated processing, including profiling, that have legal effects or that significantly affect them.
• Obtain human intervention on the part of the controller, express their point of view, and contest a decision based on automated processing.

If you have given us your consent, you can revoke it at any time with effect for the future.

You can contact your local supervisory authority at any time with a complaint. Your local supervisory authority depends on your state of residence, your work, or the alleged infringement. A list of supervisory authorities (for the non-public sector) and their addresses can be found at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

Data Protection Principles

All personal data obtained and held by us will:

• Be processed fairly, lawfully, and in a transparent manner.
• Be collected for specific, explicit, and legitimate purposes.
• Be adequate, relevant, and limited to what is necessary for the purposes of processing.
• Be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay.
• Not be kept for longer than is necessary for its given purpose.
• Be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage by using appropriate technical or organisational measures.
• Comply with the relevant GDPR procedures for international transferring of personal data.

In addition, personal data will be processed in recognition of an individuals’ data protection rights, as follows:

• The right to be informed.
• The right of access.
• The right for any inaccuracies to be corrected (rectification).
• The right to have information deleted (erasure).
• The right to restrict the processing of the data.
• The right to portability.
• The right to object to the inclusion of any information.
• The right to regulate any automated decision-making and profiling of personal data.

Data Processing

We process personal data of our users only insofar as this is necessary to provide a functioning website and our content and services. The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies to cases in which prior consent cannot be obtained for reasons of fact and the processing of the data is permitted by law.

We use the personal information as collected during your visit to our websites to make using them as convenient as possible for you and to protect our IT systems against attacks and other unlawful activities.

In case you share additional information with us – for example, by filling out a registration form, contact form – we will use that information for the designated purposes. We use personal data to the extent that we are legally obliged to do so.

Your personal data will not be passed to third parties for purposes other than those mentioned. We will only pass on your personal data to third parties if:

• You have given your express consent.
• The processing is necessary to process a contract with you.
• The processing is necessary to fulfil a legal obligation.
• The processing is necessary to protect legitimate interests and there is no reason to believe that you have an overriding interest worthy of protection in not disclosing your data.

Legal Basis:

• Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 para. 1 lit. a GDPR as legal basis.
• In the processing of personal data necessary for the performance of a contract of which the data subject is a party, Art. 6 para. 1 lit. b GDPR as legal basis. This also applies to processing operations required to carry out pre-contractual actions.
• Insofar as processing of personal data is required to fulfil a legal obligation that is subject to our company, Art. 6 para. 1 lit. c GDPR as legal basis.
• If processing is necessary to safeguard the legitimate interests of our company or a third party, and if the interests, fundamental rights and freedoms of the data subject do not prevail over the first interest, Art. 6 para. 1 lit. f GDPR as legal basis for processing.

The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage is deleted. It may also be stored if provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. Blocking or deletion of the data also takes place when a storage period prescribed by the standards mentioned expires unless there is a need for further storage of the data for conclusion of a contract or fulfilment of the contract.

Processing of Data Outside the EU/EEA: Your data will in part also be processed in countries outside the European Union (“EU”) or the European Economic Area (“EEA”), which may have a lower data protection level than European countries. In such cases, we will ensure that a sufficient level of protection is provided for your data, e.g. by concluding specific agreements with our contractual partners (copy available on request), or we will ask for your explicit consent to such processing.

Use of Data for Marketing: We never sell or transfer your Personal Data to any non-affiliated entity for their own direct marketing use unless we provide clear notice to you and obtain your explicit consent. If you would like more information about this practice and your choices to opt out of having this information, see our Cookies Policy.

Records

We keep records of its processing activities including the purpose for the processing and retention periods in our HR Data Record. These records will be kept up to date so that they reflect current processing activities.

Access to Data

Our visitors have a right to be informed whether we process personal data relating to them and to access the data that we hold about them. Requests for access to this data will be dealt very carefully and based on the GDPR.

Our visitors can inform us immediately if they believe that the data is inaccurate, either as a result of a subject access request or otherwise. We will take immediate steps to rectify the information.

Data Security

We adopt procedures designed to maintain the security of data when it is stored and transported.

• All files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them.
• All files or written information of a confidential nature are not left where they can be read by unauthorised people.
• We check regularly on the accuracy of data being entered into computers.
• We always use the passwords provided to access the computer system and not abuse them by passing them on to people who should not have them.
• We use computer screen blanking to ensure that personal data is not left on screen when not in use.

Personal data relating to our visitors should not be kept or transported on laptops, USB sticks, or similar devices.

We store your IP address and the name of your Internet service provider for seven days. This is for security reasons; in particular, to prevent and detect attacks on our websites or attempts at fraud.

Deleting Your Personal Data

IP address of our visitors, which we store for security purposes, will be deleted after seven days. We delete your personal information as soon as the purpose that it was collected for and processed has been fulfilled.

International Data Transfers

We do not transfer any personal data which has been collected in EU to any recipients outside of the EU through AloTech Platform.

Personal Data Breach Notification

Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of the Company becoming aware of it and may be reported in more than one instalment.

Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.

If the breach is sufficient to warrant notification to the public, we will do so without undue delay.

Provision of the Website and Creation of Log Files

When you access our website, information of a general nature is automatically collected by means of a cookie. This information (in the form of server log files) includes the type of web browser, the operating system used, the domain name of your internet service provider, and similar information. This is exclusively information which does not allow any conclusions to be drawn about your person.

This information is technically necessary in order to correctly deliver the content you have requested from websites and is mandatory when using the internet. They are processed in particular for the following purposes:

• Ensuring a trouble-free connection of the website.
• Ensuring smooth use of our website.
• Evaluating system security and stability.
• For other administrative purposes.

Whenever you visit our websites, we keep some information about the browser and operating system you are using; the date and time of your visit; the usage of features on the website; how often you visit individual websites; the names of the files you access; the amount of data transferred; the Web page from which you accessed our website; whether by clicking links on our websites or entering a domain directly into the input field of the same tab (or window) of the browser in which you have our websites open.

According to GDPR, IP addresses are considered personally identifiable information (PII) and we are using Google Fonts embedded on our site. Our website stores the fonts on AloTech’s assigned server on cloud and loads it locally as Google is not involved in the loading process and the IP address is not transmitted to Google, basically meaning our website can host the fonts locally without violating GDPR.

Legal Basis: The processing of your personal data is based on our legitimate interest from the aforementioned purposes for data collection. We do not use your data to draw conclusions about you personally. The recipients of the data are only the Data Controller and, if applicable, the contract processor.

The temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. To do this, the user’s IP address must be kept for the duration of the session.

Storage in log files is done to ensure the functionality of the website. In addition, the data is used to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

For these purposes, our legitimate interest in the processing of data pursuant to Art. 6 para. 1 lit. f GDPR.

The data will be deleted when it is no longer necessary for the purpose of its collection. In the case of collecting the data for providing the website, this is the case when the respective session is completed.

In the case of storing the data in log files, this is the case after no more than seven days. An additional storage is possible. In this case, the IP addresses of the users are deleted or alienated, so that an assignment of the calling client is no longer possible.

The collection of data for the provision of the website and the storage of the data in log files is essential for the operation of the website. There is consequently no contradiction on the part of the user.

How to Use Cookies

Like many other websites, we use cookies on our site. These are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not harm your device, do not contain viruses, Trojans, or other malicious software. Cookies automatically provide us with certain data, such as your IP address, browser, operating system, and internet connection.

Using the information contained in cookies enables us to make it easier for you to navigate our web pages and to display them correctly.

The data processed by cookies are for the purposes mentioned in order to safeguard our legitimate interests as well as third parties according to Art. 6 para. 1 sentence 1 lit. f GDPR required.

Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or always a hint appears before a new cookie is created. However, disabling cookies completely may mean that you cannot use all features of our website.

We will never pass the data collected by us to third parties or make any connection with personal data without your permission.

If you wish, you can use our website without cookies. Internet browsers are usually set up to accept cookies. In general, you can deactivate the use of cookies at any time via the settings of your browser. Please use your internet browser’s help functions to find out how you can change these settings. Please note that some features of our website may not work if you have disabled the use of cookies. Please click our Cookies Policy for details.

What Personal Information Do We Collect?

We require certain personal information in order to provide you with this service. You enter some of this data in our websites and/or directly by email, fax, or by post. If you become our partner or customer, then we will create an account in our files.

We receive some of your personal information indirectly from your devices by recording how you interact with our services (such as through cookies) and we also obtain your data as you share using the following omni channels:

• Fax
• Email
• Telephone
• Social network
• AloTech website

As a matter of fact, we process the following details you shared with us under your permission:

• First and last name
• Salutation (Mr, Mrs, no salutation, title)
• E-mail address
• Telephone number
• Reason for contact
• IP address

Our website has a contact form available, which can be used as electronic contact. If you enter your data, the data entered in the input mask will be transmitted to us and saved.

At the time of sending the message, the following data is also stored:

• Time to fill out the form
• User Agent of the sender
• Date and time

For the processing of the data in the context of the sending process, your consent is obtained and referred to this privacy statement.

Alternatively, contact via the provided e-mail address is possible. In this case, the user’s personal data transmitted by e-mail will be stored.

In this context, there is no disclosure of the data to third parties. The data is used exclusively for processing the conversation.

Legal Basis:

• The legal basis for the processing of the data is in the presence of the consent of the user Art. 6 para. 1 lit. a GDPR.
• The legal basis for the processing of the data transmitted in the course of sending an e-mail is Article 6 (1) lit. f GDPR. If the e-mail contact aims to conclude a contract, then additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.

The processing of the personal data from the input mask serves us only to process the contact. In the case of contact via e-mail, this also includes the required legitimate interest in the processing of the data.

The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data from the input form of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the relevant facts have been finally clarified.

The additional personal data collected during the sending process will be deleted at the latest after a period of seven days.

Opposition and Removal Possibility

The user has the possibility at any time to revoke his consent to the processing of the personal data. If the user contacts us by e-mail, he may object to the storage of his personal data at any time. In such a case, the conversation cannot continue.

All personal data stored in the course of contacting will be deleted in this case.

Changes to Our Privacy Policy

We reserve the right to adapt this privacy policy to ensure that it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g., when introducing new services. The new privacy policy will then apply for your next visit.

Questions and Complaints

If you have any questions or concerns about the way we use your personal information, please contact our Data Protection Officer: Mr. K. Hakan Hasserbetci, kvkk@alo-tech.com.

Effective Date

September 30, 2025