PERSONAL DATA PROTECTION AND PROCESSING POLICY
OTOVADE PLUS OTOMOTİV HİZMETLERİ VE TİCARET ANONİM ŞİRKETİ
Last Updated: [../../2026]
1. Introduction
Protection of personal data is one of the key priorities of OTOVADE PLUS OTOMOTİV HİZMETLERİ VE TİCARET ANONİM ŞİRKETİ, operating under the OtoVade+ brand.
The Company undertakes to process and protect personal data obtained within the scope of its automotive services, vehicle sales, installment-based vehicle ownership solutions, customer relations, digital applications, marketing activities, supplier and business partner relations in accordance with the Turkish Personal Data Protection Law No. 6698 and applicable legislation.
This Policy explains the basic principles regarding personal data processing, processing purposes, data categories, transfer of personal data, retention and destruction, data security, and the rights of data subjects.
2. Scope
This Policy applies to personal data processed by the Company, excluding employee personal data which may be regulated under separate internal policies.
The data subject categories covered by this Policy include:
- Customers,
- Potential customers,
- Individuals applying for vehicle purchase or installment plans,
- Website visitors,
- Persons filling out contact forms,
- Persons contacting the Company via phone, WhatsApp, email, or social media,
- Guarantors or collateral providers,
- Persons making payments,
- Suppliers,
- Business partners,
- Dealers, galleries, service providers, and their representatives,
- Job applicants,
- Physical visitors,
- Public institution representatives,
- Related third parties.
3. Personal Data Processing Principles
OtoVade+ processes personal data in accordance with the following principles:
- Lawfulness and fairness,
- Accuracy and being up to date where necessary,
- Processing for specific, explicit, and legitimate purposes,
- Being relevant, limited, and proportionate to the processing purpose,
- Retention only for the period required by law or by the purpose of processing.
4. Legal Grounds for Processing
Personal data may be processed based on one or more of the following legal grounds:
- Explicitly provided by law,
- Necessary for the establishment or performance of a contract,
- Necessary for compliance with the Company’s legal obligations,
- Necessary for the establishment, exercise, or protection of a right,
- Legitimate interests of the Company, provided that fundamental rights and freedoms are not harmed,
- The data has been made public by the data subject,
- Necessity to protect life or physical integrity,
- Explicit consent where required.
5. Special Categories of Personal Data
Special categories of personal data include information such as race, ethnic origin, political opinion, religion, health data, sexual life, union membership, criminal conviction data, biometric and genetic data.
OtoVade+ avoids processing special categories of personal data unless necessary. Where such processing is legally or contractually required, the Company processes such data in accordance with applicable law and by taking necessary administrative and technical measures.
6. Methods of Data Collection
The Company may collect personal data through:
- Website,
- Contact and application forms,
- Phone calls,
- WhatsApp Business communications,
- Email correspondence,
- Social media accounts,
- Digital advertising campaign forms,
- Physical forms,
- Vehicle sales and installment agreements,
- Payment and collection documents,
- Invoices and accounting records,
- Business partners and suppliers,
- Dealers, galleries, service providers, insurance and inspection companies,
- Authorized public institutions,
- Security camera records,
- Cookies and similar digital technologies.
7. Purposes of Processing
Personal data may be processed for the following purposes:
- Conducting vehicle sales processes,
- Receiving and evaluating installment-based vehicle ownership applications,
- Verifying customer identity and contact information,
- Managing contract processes,
- Carrying out vehicle delivery and documentation processes,
- Managing payment, collection, and accounting transactions,
- Conducting risk assessment and customer eligibility analysis,
- Following up delayed payments and collection processes,
- Providing after-sales support services,
- Managing customer relations,
- Handling requests, suggestions, and complaints,
- Conducting advertising, campaign, and marketing activities,
- Managing commercial electronic communication permissions,
- Measuring website and digital channel performance,
- Improving user experience,
- Managing supplier, partner, dealer, and service provider relations,
- Following legal processes and protecting Company rights,
- Complying with legal obligations,
- Providing information to authorized institutions,
- Ensuring information security and physical location security,
- Carrying out archive and retention activities.
8. Categories of Personal Data Processed
The Company may process the following categories of personal data:
- Identity information,
- Contact information,
- Customer information,
- Customer transaction information,
- Financial information,
- Vehicle information,
- Risk management information,
- Transaction security information,
- Marketing information,
- Request and complaint information,
- Legal transaction information,
- Visual and audio records,
- Physical location security information,
- Job applicant information,
- Special categories of personal data where necessary.
9. Profiling and Segmentation
OtoVade+ may conduct profiling and segmentation activities for individuals who have given permission for commercial electronic communications.
These activities may be carried out to:
- Offer campaigns suitable for the vehicle segment the user is interested in,
- Prepare content suitable for down payment and installment preferences,
- Provide more relevant advertising and promotional content,
- Communicate new services, campaigns, and advantages,
- Better analyze customer needs,
- Improve service quality and product variety.
For individuals who have not given commercial electronic communication permission, marketing communications will not be sent. However, limited analyses may be carried out for operational, service improvement, customer satisfaction, and risk management purposes in accordance with the law.
10. Transfer of Personal Data
OtoVade+ may transfer personal data to third parties domestically or, where permitted by applicable legislation, abroad, for lawful processing purposes and by taking necessary security measures.
Personal data may be shared with:
- Suppliers,
- Business partners,
- Authorized dealers,
- Vehicle galleries,
- Service providers,
- Insurance companies,
- Vehicle inspection companies,
- Consultants,
- Lawyers and legal advisors,
- Financial advisors and auditors,
- Banks and payment institutions,
- Software, CRM, cloud, and hosting providers,
- Advertising and marketing service providers,
- Digital analytics and advertising platforms,
- Authorized public institutions,
- Legally authorized private institutions.
11. International Transfer of Personal Data
If certain digital infrastructure, advertising, analytics, CRM, email, cloud, or server services used by OtoVade+ are located outside Türkiye, personal data may be transferred abroad.
Such transfers are carried out in accordance with the provisions of the Turkish Personal Data Protection Law and the regulations issued by the Turkish Personal Data Protection Authority regarding international data transfers.
12. Retention and Destruction of Personal Data
Personal data is retained for the period required under applicable legislation or for the period necessary for the purpose of processing.
When the reasons requiring processing cease to exist, personal data is deleted, destroyed, or anonymized by the Company ex officio or upon the request of the data subject, in accordance with applicable law.
13. Personal Data Security
OtoVade+ takes necessary administrative and technical measures to prevent unlawful processing, unauthorized access, disclosure, transfer, loss, or damage of personal data.
Administrative measures include employee awareness, confidentiality obligations, access limitations, supplier agreements, and internal procedures.
Technical measures include secure systems, access controls, log records, firewalls, backup, encryption, and server security controls.
14. Data Breach Notification
In case personal data is obtained by unauthorized persons or a data security breach occurs, OtoVade+ evaluates the incident in accordance with applicable law and notifies the Turkish Personal Data Protection Board and relevant data subjects where necessary.
15. Rights of Data Subjects
Under Article 11 of the Turkish Personal Data Protection Law, data subjects have the right to:
- Learn whether their personal data is processed,
- Request information if their data has been processed,
- Learn the purpose of processing and whether the data is used in accordance with that purpose,
- Know the third parties to whom personal data is transferred domestically or abroad,
- Request correction of incomplete or inaccurate data,
- Request deletion or destruction of personal data,
- Request notification of correction or deletion to third parties to whom data has been transferred,
- Object to results against them arising from analysis exclusively through automated systems,
- Claim compensation for damages arising from unlawful processing.
16. Application Method
Data subjects may submit their requests regarding their rights through the following channels:
Company Name:
OTOVADE PLUS OTOMOTİV HİZMETLERİ VE TİCARET ANONİM ŞİRKETİ
Brand:
OtoVade+
Website:
[www.otovade.com]
Email:
[info@otovade.com]
KEP Address:
[To be added]
Address:
[Official company address to be added]
Applications will be evaluated and concluded as soon as possible and no later than 30 days, depending on the nature of the request.