KVKK Disclosure Text

1. IDENTITY OF THE DATA CONTROLLER

In accordance with the Law No. 6698 on the Protection of Personal Data ("Law"), your personal data may be processed by AB ORTADOĞU DIŞ TİCARET VE EĞİTİM HİZMETLERİ LTD. ŞTİ. ("Company" or "TestEd") as the data controller within the scope explained below.

2. CATEGORIZATION OF PROCESSED PERSONAL DATA

2.1. Data Collected from Corporate Customer Authorities

Identity Data:

• Name, surname

• T.C. identification number (for invoice)

• Title

Contact Data:

• Email address

• Phone number (mobile/business)

• Address information

• KEP address

Customer Transaction Data:

• Platform usage logs

• Purchase history

• Contract information

• Support request records

Financial Data:

• Bank account information

• Invoice information

• Tax number/taxpayer information

• Payment history

2.2. Data Collected from Platform Users (Employees)

Identity Data:

• Name, surname

• Date of birth (optional)

• Gender (optional)

Professional Data:

• Employer company

• Department

• Position/title

• Employee ID (assigned by company)

• Seniority information

Education and Competency Data:

• Test results

• Competency analyses

• Personality inventory results

• Development areas

• Education history (optional)

2.3. Data Collected from Demo/QR Code Users

• Name, surname (optional)

• Email address

• Demo test results

• QR code information

• Test completion time

3. PURPOSES OF PROCESSING PERSONAL DATA

Your personal data collected by our company is processed for the following purposes:

3.1. Service Delivery Purposes

• Implementation and management of online assessment tests

• Conducting personality inventory and competency analyses

• Reporting and analyzing test results

• Providing development recommendations

• Preparing corporate reports

• Supporting talent management processes

3.2. Fulfillment of Legal Obligations

• Maintaining log records within the scope of Law No. 5651

• Maintaining invoice and accounting records within the scope of tax legislation

• Fulfilling requests of authorized public institutions

• Compliance with legal retention periods

3.3. Communication and Customer Services

• Responding to user support requests

• Informing about platform updates

• Sending training and webinar invitations

• Conducting customer satisfaction surveys

4. METHOD AND LEGAL BASIS OF COLLECTING PERSONAL DATA

Your personal data is collected electronically. This data is processed based on the following legal grounds:

5. PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED AND TRANSFER PURPOSES

Your collected personal data may be transferred to the following parties within the framework of personal data processing conditions and purposes specified in Articles 8 and 9 of the Law:

5.1. Domestic Transfers

• Corporate Customers: Employee test results and analyses are shared only with relevant company authorities

• Business Partners: Technical infrastructure providers necessary for service delivery

• Suppliers: Email sending services, SMS services

• Public Institutions: Authorized public institutions as required by relevant legislation

• Law Offices: For conducting legal processes

5.2. International Transfers

• Cloud Service Providers: AWS (Ireland), Google Cloud (Europe)

• Analytics Tools: Google Analytics (USA)

6. RETENTION PERIOD OF PERSONAL DATA

Your personal data is retained for the periods required by the processing purposes. The following criteria are considered when determining retention periods:

7. RIGHTS OF THE PERSONAL DATA SUBJECT

Pursuant to Article 11 of KVKK, as personal data subjects, you have the following rights:

• Learning whether your personal data is being processed

• Requesting information about it if your personal data has been processed

• Learning the purpose of processing your personal data and whether they are used in accordance with their purpose

• Knowing the third parties to whom your personal data has been transferred domestically or abroad

• Requesting correction of your personal data if it is incomplete or incorrectly processed and requesting notification of this operation to third parties to whom your personal data has been transferred

• Requesting deletion or destruction of your personal data if the reasons requiring its processing have ceased to exist, even though it has been processed in accordance with KVKK and other relevant legal provisions, and requesting notification of this operation to third parties to whom your personal data has been transferred

• Objecting to the emergence of a result against you through the analysis of your processed data solely by automated systems

• Requesting compensation for damages if you suffer damage due to unlawful processing of your personal data

8. EXERCISING THE RIGHTS OF THE PERSONAL DATA SUBJECT

8.1. Application Method

To exercise the rights stated above:

• Email: You can apply to kvkk@tested.com.tr with information identifying your identity

• Mail: You can send your wet-signed petition to "Feneryolu Mh. Bağdat Cd. Gazimuhtarpaşa Sk. Feneryolu Sitesi No:59/53 Kadıköy/Istanbul"

• KEP: You can apply to abortadoguticaret@hs01.kep.tr with a secure electronic signature

• Online Form: You can fill out the form at tested.com.tr/kvkk-basvuru

8.2. Application Process

• Applications are answered within 30 days at the latest

• Applications are free of charge (A fee may be requested if the process requires an additional cost)

• Identity verification is performed

• The application result is communicated to you in written or electronic form

9. SECURITY OF PERSONAL DATA

Our company takes the following technical and administrative measures to ensure the security of your personal data:

9.1. Technical Measures

• Secure data transmission with SSL certificate

• Firewall and antivirus systems

• Data encryption (AES-256)

• Regular security tests and penetration tests

• Backup and disaster recovery systems

• Log records and monitoring systems

9.2. Administrative Measures

• Signing confidentiality agreements with employees

• Data access authorization matrix

• Regular KVKK training

• Data breach response procedure

• Supplier and business partner audits

10. COOKIE USAGE

Cookies are used on our website. For detailed information about cookie usage, please review our Cookie Policy.

11. IN CASE OF DATA BREACH

In case of a data breach that may affect the security of your personal data:

• The Personal Data Protection Board is notified within 72 hours

• Relevant persons are informed as soon as possible

• Necessary technical and administrative measures are taken to remedy the breach

This disclosure text was last updated on 01.08.2025.