BARFAS AUTOMATION TECHNOLOGIES LTD.
General Clarification Text on Processing of Personal Data

This clarification text has been prepared by Barfas Otomasyon Teknolojileri Limited Şirketi ("Company") as the data controller in accordance with Article 10 of the Law No. 6698 on the Protection of Personal Data (KVKK) and other relevant legislation provisions.

• In physical environments (forms, contracts, security cameras, etc.),
• Electronic media (our website, e-mail, mobile applications, customer portals, social media, etc.)

through automatic or non-automatic means, verbally, in writing or digitally.

Your personal data is processed within the scope of your explicit consent or the legal reasons specified in Articles 5 and 6 of the KVKK. In this context:

• It is directly related to the conclusion or performance of the contract,
• Fulfillment of our legal obligations,
• Protection of our legitimate interests,
• Explicitly stipulated in the law,
• Explicit consent

In such cases, your personal data are processed.

Your personal data obtained is processed within the following scope in order to carry out the Company's activities:

• Execution of customer and supplier relations,
• Providing sales, maintenance, technical service, installation and support services,
• Execution of finance, accounting, human resources and administrative processes,
• Occupational health and safety procedures,
• Execution of contract and proposal processes,
• Conducting quality control, audit, reporting and data security activities,
• Fulfillment of obligations arising from relevant legislation.

Your personal data collected;

• With business partners, suppliers, banks, cargo companies, law, accounting and consulting firms operating in Turkey,
• Legally authorized public institutions and organizations

Pursuant to Article 8 of the LPPD, it may be shared in a limited, measured and purpose-related manner.

If foreign servers or cloud-based systems are used, this data may be considered to have been transferred abroad.

Your personal data are retained for the period required by the purposes for which they are processed and for the mandatory retention periods stipulated in the relevant legislation. At the end of these periods, your data will be deleted, destroyed or anonymized.

Pursuant to Article 11 of the LPPD, you may exercise the following rights by applying to our Company:

• a) Learn whether your personal data is being processed,
• b) If processed, to request information about it,
• c) Learning the purpose of processing and whether it is used in accordance with its purpose,
• ç) To know the third parties to whom the data is transferred domestically or abroad,
• d) Request correction if incomplete or incorrectly processed,
• e) To request the deletion or destruction of data within the scope of Article 7 of the KVKK,
• f) Request notification to third parties to whom these transactions are transferred,
• g) Do not object if you are disadvantaged as a result of analysis by automated systems,
• ğ) Request compensation for damages if you have suffered damage due to an unlawful transaction.

"You can send your requests regarding your personal data (within the scope of Article 11 of the KVKK) in writing to our company headquarters by registered mail with return receipt requested; You can send it by registered electronic mail (KEP), secure electronic signature / mobile signature or e-mail. Your applications will be finalized free of charge within 30 days at the latest, depending on the nature of the request. In case of rejection or incomplete response, a reasoned response is given."

• Encrypted data transmission with HTTPS/TLS.
• Regular security patches at the server level and the principle of least-privilege.
• Restricting database access with authorization separation and strong password/policy.

• Role-based access (RBAC) and audit trails.
• Rate-limit and IP-based protections for suspicious interference.

• Input validation, parametric queries (against SQL injection), CSRF/XSS measures.
• Up-to-date dependency management and regular code review.

• Regular backup and restore tests.
• Incident response procedures and notification processes.