PRIVACY AND SECURITY

Disclosure Text

Explicit Consent Text Disclosure Text TÖDEB Arbitration Committee Privacy Policy Contract for One Time Transaction Commercial Electronic Message Notification Text Security Information Terms and Conditions Cookie Policy Mobile App Privacy Policy Framework Agreement

A ÖDEME VE ELEKTRONİK PARA HİZMETLERİ A.Ş.

Privacy Notice Regarding the Processing of Your Personal Data

This Privacy Notice has been prepared regarding the processing of personal data within the scope of electronic money issuance, payment services, money transfer, mobile payment, POS services, bill payment intermediation, agency activities and other related products and services provided by A Ödeme ve Elektronik Para Hizmetleri Anonim Şirketi A.Ş. (“Morpara” or the “Company”).

Our Company processes your personal data in its capacity as data controller in accordance with Article 10 of the Personal Data Protection Law No. 6698 (“KVKK”) and the provisions of the Communiqué on the Principles and Procedures to be Followed in Fulfilment of the Obligation to Inform, and this Notice aims to inform the relevant data subjects.

Morpara adopts compliance with the general principles set forth under Article 4 of the KVKK in the processing of personal data while carrying out its activities. In this context, your personal data are processed;

• In compliance with the law and the principles of good faith,

• Accurately and, where necessary, kept up to date,

• For specific, explicit and legitimate purposes,

• In a manner that is relevant, limited and proportionate to the purposes for which they are processed and

• Retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

Morpara takes the necessary technical and administrative measures to ensure the security of personal data during the provision of payment and electronic money services and carries out its data processing activities in compliance with the applicable legislation.

1. Data Controller and Contact Information

Trade Name : A Ödeme ve Elektronik Para Hizmetleri Anonim Şirketi

Address : Esentepe Mah. Büyükdere Cad. Astoria Blok No: 127 İç Kapı No: 63 Şişli / İstanbul

MERSİS No : 0001215647700001

Trade RegistryNo : 304884-5

Communication channels regarding your applications within the scope of the KVKK are additionally specified in the section titled “Your Rights and Application Methods” of this Notice.

2. Timing and Method of Disclosure

2.1. This Privacy Notice is effective together with additional disclosures that may be made when necessary pursuant to the legislation in the following circumstances, (i) during customer onboarding and identity verification processes including the establishment of framework agreements, (ii) during the use of products and services provided by the Company, (iii) during request, complaint and call center processes and (iv) where otherwise required by applicable legislation. The disclosure is provided in an accessible manner through digital channels such as the website and mobile application if available, contract and application screens, representative points, POS and merchant referrals, call center or IVR systems and other similar physical or electronic environments.

2.2. In cases where your personal data are not obtained directly from you, for example through sources such as KPS or APS systems, KKB or the Banks Association of Republic of Türkiye Risk Center, disclosure shall be provided in accordance with Article 6 of the Communiqué on Disclosure within a reasonable time, at the time of the first communication or at the time of the first transfer depending on the nature of the specific case. Such disclosure may be made through notification including in-app notification if a mobile application exists, e-mail or SMS, an information page accessible via the website or similar methods.

3. Processed Personal Data of Yours

3.1. Personal data that may be processed by our Company may include the following categories and sample data types depending on the nature of our activities and the services we provide. The examples below do not mean that all of the listed data are processed for every user. The personal data subject to processing may vary depending on the service provided, the usage scenario and the legal basis.

Data Category		Description
Biometric Data	:	Facial image, liveness test data and similar data.
Document Data	:	Contracts, court and administrative authority documents and similar records.
Financial Data	:	Bank or payment account information including IBAN and account numbers, card information generally subject to masking or tokenization, balance and financial transaction information, payment and transfer amounts, transportation card loading or transaction information if applicable.
Physical Security Data	:	Headquarters entry and exit system records, visitor records, camera recordings and similar data.
Visual and Audio Records	:	Call center voice recordings, image recordings in case of video calls, photographs or selfie records for identity verification purposes if applicable.
Legal Transaction Data	:	Correspondence with judicial or administrative authorities and information contained in files, records relating to dispute and investigation processes.
Contact Data	:	Telephone number, e-mail address, postal address and similar information.
Transaction Security Data	:	IP address, device identity, session information, login and logout logs, application and service usage records, security verification data. Raw passwords are not stored. Where necessary cryptographic or hashed verification data may be retained.
Identity Data	:	Name and surname, Turkish identity number, passport number, identity card information and photograph contained therein, criminal record, population registry information, residence information, driving license information and CV information.
Corporate Data	:	Company title, tax number, tax certificate, signature circulars, information regarding company executives and employees.
User Transaction Data	:	Transaction owner information, transaction number, creation date, processing date, payment date, transaction amount and similar data.
User Data	:	User name and surname, user or account identifiers, user group role or authorization information, password verification data stored in cryptographic or hashed form without retaining raw passwords.
Location Data	:	Location information depending on application settings and device permissions only to the extent required by the relevant service.
Professional Experience Data	:	Occupation, title, employment information and education status depending on the products and services.
Customer Transaction Data	:	Account or mobile wallet transactions, money transfer or payment instructions, transaction history, transaction verification records, call center records and notes, request and complaint information, contractual transaction records.
Special Categories of Personal Data – Health Information	:	Statements regarding disability status and related health information provided within this scope only where necessary for the relevant process.
Marketing Data	:	Campaign participation and usage information, shopping history, cookie records, survey responses, declarations regarding preferences and interests, marketing communication consent records.
Risk Management Data	:	Fraud and abuse indicators, warning and evaluation records within the scope of AML and CFT controls, risk monitoring and tracking information, evaluation information obtained from institutions such as the Risk Center or KKB to the extent permitted by legislation, verification and inquiry results from systems such as the Central Bank of the Republic of Türkiye, the Revenue Administration and KPS or APS.
Request and Complaint Management Data	:	Requests and complaints submitted by users, comments added during transactions and related records and reports.
Representative Data	:	Name, surname, address and similar information of authorized representatives.
Compliance Process Query Data	:	Information and query results relating to processes carried out within the scope of national and international compliance criteria.

4. Methods of Obtaining Your Personal Data

4.1. Your personal data may be obtained directly from you through the Company’s digital channels such as the website or mobile application if available, customer onboarding screens and application forms, contract and information processes, call center or IVR, e-mail, representative or business partner channels and similar communication channels.

4.2. Personal data may also be obtained through automated or partially automated methods from public systems or authorized institutions for the purposes of identity verification and regulatory compliance processes such as KPS or APS verification systems, institutions that may be queried within the limits permitted by legislation such as KKB and the Banks Association of Republic of Türkiye Risk Center, the Revenue Administration, judicial or administrative authorities, as well as suppliers and business partners providing support services or outsourced services on behalf of the Company, representatives, dealers or sales channels and merchants.

4.3. In transactions carried out through merchants and POS devices, data relating to the relevant payment transaction may be transmitted to our Company through the merchant or technical providers in accordance with the transaction flow in order to complete the transaction and ensure security. In such scenarios our Company may support transaction based disclosures through directions on digital channels including in-app directions if a mobile application exists and through disclosure texts on the website. Merchants are also expected to fulfil their own disclosure obligations within the scope of their role as independent data controllers.

5. Purposes and Legal Bases for Processing Your Personal Data

5.1. Our Company may process your personal data for the purposes listed below based on the processing conditions specified under Articles 5 and 6 of the KVKK. The same data category may be processed for more than one purpose and legal basis. In all cases processing shall be relevant, limited and proportionate to the purpose.

Personal Data Category	Purposes of Processing	Legal Bases
Biometric Data	Carrying out identity verification processes within the scope of remote identity verification, liveness testing and fraud prevention	Expressly provided for by laws pursuant to Article 5/2(a) of the KVKK. Processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract, pursuant to Article 5/2(c) of the KVKK. Processing is necessary for the data controller to fulfil its legal obligations pursuant to Article 5/2(ç) of the KVKK.
Identity, Contact, Financial, Risk Management, Customer Transaction, Transaction Security, Professional Experience, Visual and Audio Records	Receipt and assessment of your application request for the products and services offered by the Company	Expressly provided for by laws pursuant to Article 5/2(a) of the KVKK. Processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract, pursuant to Article 5/2(c) of the KVKK. Processing is necessary for the data controller to fulfil its legal obligations pursuant to Article 5/2(ç) of the KVKK. Processing is necessary for the establishment, exercise or protection of a right pursuant to Article 5/2(e) of the KVKK.
Identity, Contact, Risk Management, Customer Transaction, Visual and Audio Records, Financial, Transaction Security, Professional Experience	Provision of all products and services offered by the Company and performance of the related transactions	Expressly provided for by laws pursuant to Article 5/2(a) of the KVKK. Processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract, pursuant to Article 5/2(c) of the KVKK. Processing is necessary for the data controller to fulfil its legal obligations pursuant to Article 5/2(ç) of the KVKK. Processing is necessary for the establishment, exercise or protection of a right pursuant to Article 5/2(e) of the KVKK.
Identity, Contact	Carrying out communication and information processes regarding the products and services offered by the Company	Expressly provided for by laws pursuant to Article 5/2(a) of the KVKK. Processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract, pursuant to Article 5/2(c) of the KVKK. Processing is necessary for the data controller to fulfil its legal obligations pursuant to Article 5/2(ç) of the KVKK.
Identity, Financial, Visual and Audio Records, Contact, Legal Transaction, Customer Transaction, Risk Management, Transaction Security, Professional Experience	Carrying out compliance processes including checking national and international lists, identification and fulfilment of know your customer obligations in accordance with the legislation on prevention of laundering proceeds of crime and financing of terrorism and secondary legislation	Expressly provided for by laws pursuant to Article 5/2(a) of the KVKK. Processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract, pursuant to Article 5/2(c) of the KVKK. Processing is necessary for the data controller to fulfil its legal obligations pursuant to Article 5/2(ç) of the KVKK.
Identity, Financial, Contact, Legal Transaction, Risk Management, Customer Transaction, Professional Experience, Transaction Security	Fulfilment of information provision, reporting and other obligations under Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, the related secondary legislation, the legislation on prevention of laundering proceeds of crime and other applicable legislation	Expressly provided for by laws pursuant to Article 5/2(a) of the KVKK. Processing is necessary for the data controller to fulfil its legal obligations pursuant to Article 5/2(ç) of the KVKK.
Identity, Contact, Marketing	Planning and managing access authorizations of our business partners, representatives, service providers and or suppliers to information, and managing relations with business partners and or suppliers	Processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract, pursuant to Article 5/2(c) of the KVKK. Processing is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the relevant person, pursuant to Article 5/2(f) of the KVKK.
Health	Designing and carrying out the application process for mobile wallet and other products and services in the event that disability status is declared	Expressly provided for by laws pursuant to Article 5/2(a) of the KVKK. Processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract, pursuant to Article 5/2(c) of the KVKK.
Identity, Financial, Marketing, Customer Transaction, Contact, Professional Experience, Transaction Security	Carrying out marketing activities, including promotion, advertising, planning and execution of campaigns, presenting offers on digital media, analysis and reporting, customer satisfaction activities, survey activities, personalization based on interests and sending commercial electronic messages	Explicit consent pursuant to Article 5(1) of the KVKK.

6. Information Regarding Automated Analysis, Scoring and Decision Support Processes

6.1. Our Company may carry out analysis and evaluations on certain data through automated systems for the purposes of fraud prevention, transaction security, compliance and risk management. Such analyses may result in outcomes such as requesting additional verification steps for security reasons, temporarily holding or reviewing transactions deemed risky, or triggering control processes within the scope of suspicious transaction assessments. Pursuant to Article 11 of the KVKK you have the right to object and submit your request if you believe that a result against you has arisen solely through analysis carried out by automated systems.

7. To Whom and For What Purposes Your Personal Data May Be Transferred

Your personal data may be transferred to the recipient groups listed below in accordance with Articles 8 and 9 of the KVKK provided that such transfer is relevant, limited and proportionate to the processing purposes.

i. Parties to the Transaction and Institutions Necessary for the Provision of the Service

For the execution of mobile wallet, payment and transfer transactions, the necessary data may be shared with the bank or electronic money or payment institutions to which the transfer is made, institutions issuing bills, transportation card service providers, merchants and institutions with which you establish a payment or collection relationship solely to the extent required for the completion of the transaction.

ii. Business Partners Representatives Suppliers and Service Providers

Data may be transferred to suppliers and service providers providing support services such as information technology infrastructure, cloud hosting, cyber security, call center, customer support, auditing, accounting, logistics or courier services if applicable, messaging services and fraud prevention services to the extent necessary for the performance and security of the service. These parties act under the instructions of our Company and within the scope of data security obligations.

iii. Legal Processes and Consultancy

Personal data may be transferred to lawyers, law firms, notaries, auditors, independent audit rating or valuation institutions and consultants for the purposes of conducting legal processes, establishing exercising or protecting rights and fulfilling legal obligations.

iv. Authorized Public Institutions and Judicial or Administrative Authorities

Data may be shared with institutions such as the Central Bank of the Republic of Türkiye, MASAK, the Banking Regulation and Supervision Agency, the Personal Data Protection Authority and Board, the Revenue Administration, the Information and Communication Technologies Authority, TÖDEB, Spor Toto, the National Lottery Administration, the Banks Association of Republic of Türkiye, law enforcement authorities, public prosecutors, courts, enforcement offices and other authorized public institutions and judicial or administrative authorities in order to fulfil legal obligations or comply with official requests.

v. Risk and Fraud Prevention Institutions and System Integrations

Within the scope of risk management identity verification and compliance processes, data may be shared with public systems such as KPS or APS, KKB, the Banks Association of Republic of Türkiye Risk Center, the Interbank Card Center and other verification or risk infrastructures permitted by the legislation.

vi. Corporate Group or Financial Group Transfers

Your personal data may be shared with companies and persons within the same group of companies for the purposes of fulfilling compliance program obligations arising from legislation and conducting group based support services within the framework of Article 8 of the KVKK and by taking necessary security measures. Such transfers are limited to customer due diligence, compliance program practices, audit activities and operational processes permitted by legislation.

8. Transfer Abroad

8.1. Morpara carries out the transfer of personal data abroad in accordance with Article 9 of the KVKK, the relevant secondary legislation and the decisions of the Personal Data Protection Board.

Within this scope, your personal data may be transferred abroad in the following cases;

To countries for which an adequacy decision has been issued by the Personal Data Protection Board,
Provided that appropriate safeguards stipulated under the KVKK are ensured, for example within the scope of standard contractual clauses or other safeguard mechanisms determined by the Board,
Within the scope of exceptional data transfer cases regulated under the KVKK and the relevant legislation.

Morpara ensures that all cross border data transfer processes are conducted in compliance with data security requirements, purpose limitation and proportionality principles and applicable legislation.

8.2. Due to the nature of payment services, in certain transactions one of the transaction parties or the relevant service provider may be located abroad. In such cases, in order to ensure the secure and uninterrupted execution of the payment transaction, limited personal data strictly necessary for the transaction may be shared with the relevant payment institution, bank, card scheme, financial infrastructure provider or service provider located abroad in line with the payment instruction or transaction request given by the customer.

Within this scope;

Your personal data continue to be stored in Türkiye,
Only the data strictly necessary for the execution of the payment transaction are transferred abroad,
The transfer process is carried out in compliance with the principles of proportionality, data minimization and purpose limitation under the KVKK.

• For example;

a. In international money transfers to a recipient located abroad, the recipient information, transaction amount and payment description necessary for the completion of the transaction may be transmitted to the relevant financial institutions,

b. In international card based payment transactions, certain transaction data may be shared with international card schemes or payment infrastructure providers within the scope of authorization and settlement processes.

Such data transfers are carried out in compliance with Article 9 of the KVKK regarding cross border data transfers and by implementing the necessary technical and administrative security measures.

9. Retention Periods

9.1. Our Company retains your personal data for the periods stipulated by the relevant legislation and in any case limited to the period required for the purposes of processing. Legislation related to the payment and electronic money sector, MASAK obligations, financial transaction record keeping requirements, audit requirements and limitation periods are taken into account in determining retention periods. Data whose retention period has expired are deleted destroyed or anonymized in accordance with the KVKK and the relevant legislation.

10. Your Rights and Application Methods

10.1. Pursuant to Article 11 of the KVKK you have the right to learn whether your personal data are processed, request information if they have been processed, learn the purpose of processing and whether they are used in accordance with that purpose, learn the third parties to whom your data are transferred, request correction of incomplete or inaccurate data, request deletion or destruction, object to results arising against you through automated analysis and request compensation for damages.

10.2. You may submit your requests regarding these rights through the following methods:

Written application	:	You may submit your request to our headquarters provided that your identity is verified or send it through a notary public.

Via registered electronic mail	:	You may send your request to the address aodeme@hs03.kep.tr using a secure electronic signature or mobile signature.

Via e-mail	:	You may send your request from the e-mail address registered in our system including a secure electronic signature or mobile signature to kvkk@morpara.com

10.3. Our Company shall conclude your requests within a maximum of 30 days in accordance with the KVKK and the relevant legislation. If a fee is stipulated by the Board an amount may be charged in accordance with the relevant tariff.

11. Updates

11.1. This Privacy Notice may be revised in line with changes in legislation and updates in our activities. Updates may be announced to you through appropriate methods and the current version of the notice can be accessed through our website and the Company’s digital channels.