Privacy policy

1. Introduction

1.1 Purpose

The Personal Data Retention and Destruction Policy (“Policy”) has been prepared by Catchpad Sports Education and Entertainment Technologies Inc. (“Catchpad”) to define the processes, procedures, and principles regarding the retention and destruction activities.

Catchpad aims to process the personal data of its employees, job applicants, suppliers, and other third parties in accordance with the Constitution of the Republic of Turkey, international agreements, the Personal Data Protection Law No. 6698 ("KVKK"), and other relevant legislation, ensuring that the rights of the relevant individuals are effectively exercised.

The processes related to the retention and destruction of personal data are carried out in accordance with the Personal Data Retention and Destruction Policy ("Policy") prepared by Catchpad in this context.

1.2 Abbreviations and Definitions

Recipient Group: Real or legal persons to whom personal data is transferred by the data controller.
Explicit Consent: Consent that is informed and freely given regarding a specific issue.
Anonymization: The process of making personal data unidentifiable and untraceable to a specific or identifiable person, even when combined with other data.
Employee: Real persons employed by Catchpad under a service contract.
Job Applicant: Real persons who have applied for employment with Catchpad.
Electronic Environment: Environments where personal data can be created, read, modified, and written through electronic devices.
Non-Electronic Environment: All written, printed, visual, or other environments outside of electronic environments.
Supplier: Real persons or simple companies providing goods and/or services to Catchpad under a specific contract.
Data Subject: The natural person whose personal data is processed.
Destruction: The process of deleting, erasing, or anonymizing personal data.
KVKK: Personal Data Protection Law No. 6698.
Recording Environment: Any environment where personal data is processed by automatic or non-automatic means, as part of a data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory: The inventory created by data controllers detailing personal data processing activities based on their business processes, including purposes, legal basis, categories, recipient groups, and retention periods.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, modifying, organizing, disclosing, transferring, or using.
Board: The Personal Data Protection Board.
Special Categories of Personal Data: Information about a person's race, ethnicity, political opinions, philosophical beliefs, religion, sect, health, sexual life, criminal convictions, and biometric or genetic data.
Periodic Destruction: Deletion, destruction, or anonymization of personal data that occurs at regular intervals when the conditions for processing no longer exist.
Policy: Personal Data Retention and Destruction Policy.
Data Processor: A real or legal person authorized by the data controller to process personal data on its behalf.
Data Registration System: The system where personal data is structured and processed based on certain criteria.
Data Controller: The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data registration system.
VERBIS: Data Controllers’ Registry Information System.
Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data published on October 28, 2017, in the Official Gazette.

1.3 Scope of the Policy and Data Subjects

This Policy applies to individuals whose personal data is processed by Catchpad, including employees, board members, job applicants, suppliers, visitors, and third parties. It will be applied only to these individuals and does not apply to legal entities or the data of legal entities.

Catchpad informs the aforementioned data subjects regarding the law by publishing this Policy on its website. For Catchpad employees, the "Personal Data Processing Policy" will apply. If data does not fall under the definition of "Personal Data" or is not processed by the methods specified above, this Policy will not apply.

The data subjects covered by this Policy are as follows:

Catchpad Employees: Real persons employed by Catchpad under a service contract.
Catchpad Board Members: Real persons appointed as board members or legal representatives of the company.
Job Applicants: Real persons who have applied for employment or submitted their resumes and related information for Catchpad's review.
Suppliers: Real persons supplying goods or services to Catchpad.
Third Party: Other real persons who do not fall under any personal data subject category in the Personal Data Protection and Processing Policy prepared for Catchpad employees.

2. Responsibilities and Task Distribution

Catchpad and all units and employees with access to personal data are responsible for ensuring that technical and administrative measures are implemented as required by the Policy and relevant legislation, increasing awareness through training, monitoring, and continually auditing to prevent unlawful processing of personal data.

The following positions are responsible for the retention and destruction processes:

Position	Unit	Duty
HR Manager	Human Resources	Ensure the personal data of employees and applicants are stored and processed according to the Policy.
Finance Manager	Finance	Ensure the financial data of employees and applicants are stored and processed according to the Policy.
IT Department	Information Tech	Ensure the personal data in Catchpad's IT environment is stored and processed according to the Policy.

3. Recording Environments

Personal data is securely stored in compliance with the law in the following environments:

Electronic Environments	Non-Electronic Environments
Servers (domain, backup, email, database, web, file sharing)	Paper
Software (office software, portal software)	Manual data recording systems (Data Information Forms)
Information security devices (firewalls, attack detection and prevention, log files, antivirus, etc.)	Printed paper filing systems
Personal computers (desktops, laptops)
Mobile devices (Notebooks)
Removable storage (USB, Memory Cards, etc.)

4. Retention and Destruction Explanations

Catchpad stores personal data of employees, job applicants, and suppliers in compliance with KVKK and secondary legislation and destroys it after the retention period expires. The details of retention and destruction are outlined below.

4.1 Retention Explanations

Catchpad stores the personal data of employees, job applicants, and suppliers for the periods required by the purpose of processing and as prescribed by relevant laws.

4.1.1 Legal Reasons for Retention

Catchpad retains personal data for the periods specified in the relevant laws, including:

Personal Data Protection Law No. 6698
Turkish Code of Obligations No. 6098
Public Procurement Law No. 4734
Labor Law No. 4857
Health and Safety at Work Law No. 6331
Turkish Commercial Code No. 6102
Income Tax Law No. 193, etc.

4.1.2 Reasons for Retention Related to Processing Activities

Catchpad stores personal data for various purposes, such as employee management, communication, and legal obligations.

4.2 Destruction Explanations

Personal data must be destroyed when:

The reason for processing no longer exists.
The purpose for processing or storing personal data is no longer valid.
Explicit consent is withdrawn.
The retention period expires.

5. Technical and Administrative Measures

Catchpad takes the following technical and administrative measures to ensure the secure storage, lawful processing, and destruction of personal data.

5.1 Technical Measures

Catchpad has taken the following technical measures:

Access control and user authorization through access and authorization matrices.
Security policies via enterprise active directories.
User account management, network security, application security, encryption, attack detection, and prevention systems.
Logging records required by the 5651 Law.
Backup systems.
Environmental security measures for IT systems.

5.2 Administrative Measures

Catchpad has implemented the following administrative measures:

Employee training on the prevention of unlawful processing, unauthorized access, and data preservation.
Confidentiality agreements for employees.
Disciplinary procedures for non-compliance with security policies.
Regular internal and random audits.

6. Personal Data Destruction Techniques

When the reasons for destruction occur, personal data is destroyed by Catchpad through the following techniques:

6.1 Data Deletion

Data will be deleted using the following methods:

On Servers: Access rights are revoked and the data is deleted.
In Electronic Environments: Data is rendered inaccessible and unrecoverable by other users.
In Physical Environments: Data is made inaccessible and unrecoverable by employees, and it may be marked, erased, or painted over to make it unreadable.

6.2 Data Destruction

Paper-based personal data will be destroyed using shredders or burning methods.

6.3 Data Anonymization

Catchpad does not anonymize personal data.

7. Retention and Destruction Periods

Catchpad defines the retention periods for personal data processing in its Personal Data Processing Inventory.

8. Periodic Destruction Period

Catchpad's periodic destruction period is set to 6 months. Therefore, periodic destruction will occur every March and October.

9. Publication and Storage of the Policy

The Policy will be published in both physical and electronic formats.

10. Policy Update Period

The Policy will be reviewed and updated as necessary.

11. Enforcement and Revocation

The Policy is considered effective once published and will be revoked by canceling previous copies after at least five years.