I. Website Privacy Policy

By visiting this website and using the services provided through this site, you agree to the terms set forth in this "Privacy Policy" regarding the use and protection of the information we obtain about you and the services you request. By visiting this website and requesting to benefit from the services provided through this site, you have deemed to accept the terms specified in this "Privacy Policy". The protection of personal data is a fundamental policy of our company. Even before any legal regulations, our company and its subsidiaries have attached great importance to the confidentiality of personal data and have adopted this as a working principle, providing employees with working instructions in line with this principle. We also commit to complying with all the responsibilities imposed by the Law on the Protection of Personal Data. The principles of personal data protection of our company also include our subsidiaries.

II. Scope and Amendment of Personal Data Protection and Processing Policy

This Policy, prepared by VİVA KNİDOS DOĞA SAĞLIK TURİZMİ VE TİCARET ANONİM ŞİRKETİ (hereinafter referred to as the data controller or the company), has been prepared in accordance with the Law on the Protection of Personal Data No. 6698 ("KVKK"). The Law has entered into force with all its provisions as of today. The data obtained with your consent or other legal grounds specified in the Law will be used for the purpose of improving the quality of the services we provide, enhancing the services offered to you, and improving our quality policy. Some of the data we have is de-identified and anonymized, no longer considered personal data. These data may be used for statistical purposes and are not subject to the provisions of the Law or our Policy. Our Company's Personal Data Protection and Processing Policy aims to protect the automatically obtained data of our customers, customer prospects, employees, customers and employees of companies working in partnership with us, and other individuals, and includes provisions regarding the protection of such data. Our Company reserves the right to amend its data processing and retention policy in compliance with the Law and in order to better protect personal data.

III. Basic Principles of Personal Data Processing and Transfer Abroad

a) Compliance with the law and principles of honesty: Our company questions the source of the data collected or received from other companies and attaches importance to obtaining them in a lawful and honest manner. In this context, our company provides necessary warnings and notifications to third parties (including agents and other intermediaries) who sell the services we offer, in order to protect personal data.

b) Accuracy and updating when necessary: Our company attaches importance to ensuring that all data within the organization are accurate, free from incorrect information, and, when there are changes in personal data, they are updated upon notification.

c) Processing for specified, explicit, and legitimate purposes: Our company processes data only for the purposes for which they have been obtained with the consent of individuals during the provision of services. Data is not processed, used, or made available for purposes other than the intended purpose.

d) Being relevant, limited, and proportionate to the purposes for which they are processed: Our company uses data only to the extent necessary for the purposes for which they are processed and as required by the service.

e) Retention for the period prescribed in the relevant legislation or as long as necessary for the purposes for which they are processed: Our company retains data arising from contracts for the periods specified by the Law, the requirements of commercial and tax law. However, when these purposes no longer exist, the data is deleted or anonymized.

It is important to note that these principles apply regardless of whether our company has collected or processed the data with consent or in accordance with the law. Your personal data may be shared with hotels, airlines, transfer service providers located abroad, and the relevant foreign agency in order to complete your reservation and provide the service to you. Your personal data may also be shared with other electronic platforms, both domestically and internationally, in order to enable search, reservation, and accommodation for your stay. Personal data may be shared with official institutions authorized to request information and documents from private legal entities in accordance with their own establishment laws.

In addition, when you enter our company's website and accept the cookie disclosure text that appears, your personal data may be transferred to and shared with platforms and applications located abroad for the purpose of improving customer experience, better serving customers and visitors with the products and services offered by our company, tailoring presentation and recommendations according to the needs, preferences, and usage habits of customers/visitors, and determining our company's strategies.

IV. Rights of the Data Subject

According to Article 20 of the Turkish Constitution, everyone has the right to be informed about their personal data, and in accordance with Article 11 of the Law on the Protection of Personal Data ("KVKK"), the right to request information is among the rights of the data subject. In this context, our company is responsible for providing the necessary information when the data subject requests information, and with this Privacy Notice, our company provides information to the data subject regarding how the right to request information is exercised and how the requests are evaluated. Data subjects have the following rights under the KVKK:

• The right to learn whether their personal data is being processed or not, • If their personal data has been processed, the right to request information regarding such processing, • The right to learn the purpose of the processing of their personal data and whether they are being used in accordance with this purpose, • The right to know the third parties to whom their personal data has been transferred, both domestically and internationally, • The right to request the correction of their personal data if it is incomplete or inaccurate, • The right, within the framework of the conditions specified in Article 7 of the KVKK, to request the deletion/destruction of their personal data and notification of such actions to third parties to whom the personal data has been transferred, • The right to object to any negative consequences arising from the automated processing of their personal data, • The right to request compensation in case of damages arising from the unlawful processing of their personal data.

V. Deletion of Personal Data

When the legally required retention periods expire, legal proceedings are completed, or other requirements cease to exist, our company automatically deletes, destroys, or anonymizes personal data either on its own or upon the request of the data subject.

VI. Accuracy and Data Currency

Data within our company is generally processed based on the statements made by the data subjects themselves. Our company is not required to verify the accuracy of the data declared by customers or individuals contacting our company, nor is it done for legal and operational reasons. The declared data is considered to be accurate. The principle of accuracy and currency of personal data is also embraced by our company. Our company updates the personal data it processes from official documents received or at the request of the data subject. Necessary measures are taken for this purpose.

VII. Privacy and Data Security

Personal data is confidential, and our company adheres to this confidentiality. Only authorized individuals within the company can access personal data. Necessary technical and administrative measures are taken to protect the personal data collected by our company, prevent unauthorized access, and ensure that our customers and prospective customers are not affected. In this regard, software is designed to meet standards, third parties are carefully selected, and data protection policies are followed within the company. Due to Covid-19 and contagious diseases, additional health data may be requested or collected from our employees, and the collected data may be shared with relevant authorities.

VIII. Customer, Prospective Customer, and Business Partner Data

If a contractual relationship is established with our customers and prospective customers, the collected personal data can be used without obtaining their consent. However, this usage is carried out within the scope of the contract purpose. Data is used for the better execution of the contract and the requirements of the service, and it is updated by contacting customers when necessary. On the other hand, the data provided by prospective customers (potential customers) is processed to provide them with easier and higher quality service. If these data do not turn into a contractual relationship upon their request, they will be deleted.

IX. Business and Solution Partner Data, Commercial Communications, and Membership

Our company adheres to legal compliance when sharing data with business and solution partners. Data sharing with business and solution partners is carried out to the extent required by the service and with a commitment to data confidentiality. These parties are obliged to take necessary measures to ensure data security. According to the Regulation on Commercial Communication and Commercial Electronic Messages, electronic commercial messages can only be sent to individuals who have given prior consent. The explicit consent of the recipient is a prerequisite for sending promotional electronic communications. Our company complies with the details of the "consent" as defined by the relevant regulations. In order to send electronic communications, personal data is transferred to service providers and to relevant companies in accordance with the Regulation on Commercial Electronic Messages. If you become a member of our system, the personal data you share with us for the membership process will be processed in our systems. If you choose to sign up for our system using Facebook, Google, or other social media tools, certain information provided by the social media platform, such as your name, surname, profile picture, and email address, may be accessed and transferred to our company's systems. Our company complies with the law regarding the processing of data through automated systems. Information obtained from these data without explicit consent of individuals cannot be used against them. However, our company may make decisions regarding individuals based on data within its own system.

X. Processing of Special Categories of Personal Data

According to the Law, individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction, and security measures-related data, as well as biometric and genetic data, are considered as special categories of personal data. Our company takes additional measures determined by the Board when processing special categories of personal data. Our company may process special categories of personal data with the consent of individuals only for the purposes for which they were collected, in order to provide better services. The accommodation facility where you make a reservation through us may request certain personal data, including special categories of personal data such as health data related to themselves and their close contacts, in accordance with the circulars and legal regulations related to Covid-19. These personal data may be shared with official authorities and healthcare institutions when necessary.

XI. Cookie Policy

Like many websites, our company uses cookies and similar technologies to improve the user experience and enhance service quality. If you do not consent to the use of cookies, we kindly ask you not to continue using the website or to change your cookie preferences as indicated in this Policy. Please note that disabling cookies may result in the loss of certain features and functionality of the website. Cookies are small text files stored on your computer or mobile device when you visit a website. These files may contain your IP address, session information, pages visited, and other data. Cookies allow the website to remember your preferences, keep your session open, or provide you with relevant content. For detailed information about cookies, you can visit www.aboutcookies.org and www.allaboutcookies.org .

XII. Protection of Credit Card and Payment Information

The payment and credit card information obtained from you for the services we provide is transmitted to and stored by a third-party service provider that operates in accordance with the Payment Card Industry Data Security Standards (PCI DSS) security standards until the date of payment collection. The security standards established under PCI DSS were created by a council formed by leading payment card service providers such as American Express, Discover, JCB International, Mastercard, and Visa Inc. The purpose of these standards is to implement secure payment solutions and ensure that merchants, service providers, financial institutions, and organizations secure their payment systems and prevent card data breaches. Our company shares your credit card and other payment information in accordance with these standards with a third-party security service provider that has Level 1 security certification, and the information will be stored until the service fees are collected as mentioned above. After this date, the information will be retained for a certain period to ensure transaction security. By using our services through Odamax.com, you acknowledge that you have expressly consented to the storage of your credit card and payment information in the aforementioned systems within the scope described above. If you choose to store your credit card information and passwords on websites other than our systems, such as Chrome or password managers, you may encounter certain risks. Our company is not responsible for these risks.

DATA PROCESSING INFORMATION NOTICE

VIVA KNIDOS NATURE HEALTH TOURISM AND TRADE JOINT STOCK COMPANY (hereinafter referred to as the "data controller" or "company") presents this information notice ("Notice") to inform customers, business partners, and other third parties with whom it has a relationship about the protection, privacy, and security of personal data.

This Notice has been prepared to fulfill the data controller's obligation as the "Data Controller" under the Personal Data Protection Law No. 6698 ("KVKK"), in accordance with Article 10 of the KVKK, regarding the processing of personal data (such as name, address, phone number, email address, and any other information pertaining to an identified or identifiable natural person) collected and/or obtained within the scope of planning and execution of accommodation, catering, leisure activities, offering services, establishing and/or performing consultancy agreements, and conducting recruitment processes. The company acts as a data controller within the scope of processing personal data. Personal data can be processed and retained in accordance with the KVKK and related legislation.

Data Subject's Requests

You can submit your requests regarding the aforementioned rights to kvkk@kairosvalley.com or to the address provided below in writing. If the processing of such requests incurs a cost, VIVA KNIDOS NATURE HEALTH TOURISM AND TRADE JOINT STOCK COMPANY may request the data subject to pay a fee determined by the Personal Data Protection Board.

Address : HIZIRŞAH MAH. HIZIRŞAH KÜME EVLERİ NO: 252, DATÇA / MUĞLA

Phone : 0252 441 26 26

Email : kvkk@kairosvalley.com