Customer Personal Data Protection Policy

Customer Personal Data Protection Policy (“Policy”) includes information about how Getir Perakende Lojistik A.Ş. (“Getir”) protect customers' personal data (any information that identifies or serves to identify a person), the rules we comply with when processing personal data and our processing processes of personal data.

In the first part of the Policy, we included technical rules such as the principles we comply with when processing personal data and the legal grounds we based on. In the second part, we include explanations about the processing processes of customers’ personal data.

Click here to access the privacy statement about the processing of customer personal data.

For explanations of the terms we use in the Policy, you may review the last part of this document.

For all your questions regarding the processing of your personal data, you may contact us at kisiselveriler@getir.com.

1. RULES OF PERSONAL DATA PROCESSING

2. PROCESSES OF PERSONAL DATA PROCESSING


1. RULES OF PERSONAL DATA PROCESSING

Principles of Personal Data Processing

While processing your personal data, we ensure compliance with the data processing principles stated below.

Legal Grounds for Personal Data Processing

We process your personal data based on the legal grounds specified in Articles 5 and 6 of the Law on the Protection of Personal Data. We explicitly state these legal grounds in the privacy statements we provide them to the data subjects.

The legal grounds we based on when processing our customers' personal data are as follows:

While making this assessment, we perform balance tests by comparing the fundamental rights and freedoms of the person with the legitimate interest that will arise, based on the criteria specified in the Decision of the Board dated 25/03/2019 and numbered 2019/78.

If there is at least one of the legal grounds specified in the Law so that personal data can be processed, we do not ask for explicit consent of the data subject. We only ask explicit consent in the absence of legal grounds stated in the Law.

Factors Considered When Asking for Explicit Consent

Explicit consent is described in the Law as "consent on a particular subject, based on the information and disclosed with free will". When asking the explicit consent of data subject, we consider the following three factors:

  1. Being related to a particular subject → We ask for the explicit consent of the data subject for specific data processing activity/activities and ensure that the consent letters are understandable.
  2. Information-based → We present consent letters and privacy statements together/on the same channel; we support the data subject to understand the results of the data processing activity.
  3. Disclosure with free will → While asking for their consent, we avoid misleading statements that may defect their will.

Personal Data Security

We take the necessary technical and organizational measures to ensure the protection of your personal data. For example, we use detection and prevention softwares to detect and prevent potential cyber-attacks; we determine employees' access to personal data and use data loss prevention software.

Rights of the Data Subjects

Article 11 of the Law on the Protection of Personal Data regulates the rights of the data subjects (natural persons whose personal data are processed). These rights are as follows:

  1. To learn whether Getir processes your personal data,
  2. To request information if your personal data is processed,
  3. To learn the purpose for processing your personal data and whether these are processed in accordance with intended purposes,
  4. To learn whether your personal data has been transferred to third parties; if it is transferred, learning the third parties within the country or outside the country to which it is transferred,
  5. In case your personal data is processed incompletely or inaccurately, to request rectification of these and to request the notification of the transactions made in this respect, if any, to third parties with whom we shared your personal data,
  6. Despite the fact that we have processed your personal data in accordance with the Law and the relevant legislation, to request the deletion or destruction of your personal data in case where the grounds of processing is no longer present and to request the notification of the transactions made in this respect, if any, to third parties which we shared your personal data,
  7. To object to occurrence of any unfavorable consequence for you by means of analysis of the processed personal data exclusively through automated systems,
  8. If you incurred losses due to the unlawful processing of your personal data, to request the compensation of your loss.

You can choose the methods below to exercise your rights and submit your requests to Getir:

  1. You may send your request to kisiselveriler@getir.com by using your e-mail address registered in our systems.
  2. You may send your requests in written to Etiler Mah. Tanburi Ali Efendi Sok. Maya Residences Sit. T Blok No:13/334 Beşiktaş/İstanbul.
  3. You may use the other methods stated in the Communiqué on the Application Procedure and Principles to the Data Controller.

2. PROCESSES OF PERSONAL DATA PROCESSING

In this part of the Policy, we included sample processes to better express how we process your personal data. In addition, we have specified topics such as which personal data Getir processes, and for what purposes this personal data processes.

Process Descriptions Personal Data
Account Registration Performing mobile application membership/registration, verifying the identity and address of the user. Name-surname, phone number, e-mail address, password information.
Order and Payment Receiving the payment, confirming order and delivering your products as selected via the mobile application to your address. Name-surname, address, order and payment information.
Mobile Application Notifications Sending mobile application notifications about products you have purchased/interested in (you can change your notification preferences at any time in the "Communication Options" section of the application). Personal data about your name, surname, preference, likes, interests and usage habits.
Request/Complaint Management In case you send us your requests/comments/complaints about our products or delivery, following and concluding the request/complaint process. Name-surname, request/complaint information.
Marketing Communication Informing you about the most suitable products and opportunities for you in accordance with your communication preferences, examining your preferences, likes, interests, and usage habits. Personal data about your name, surname, preference, likes, interests and usage habits.

Processed Personal Data

As part of the service we offer to our customers, we process your personal data listed below:

Identity &Contact Finance Customer Transaction Location Transaction Security
Name-surname, customer ID, advertisement ID, gender, age, phone number, e-mail and address Information regarding payments and payment methods Shopping history, order information, number of orders, application usage information, invoice information, request/complaint information Your location information processed with permission granted at mobile application opening or via device settings Device operating system and version, device type, device ID, hardware model, IP address, user transaction records, password information

In addition to this information, we process your personal data regarding your preferences, likes, interests and usage habits and your information obtained as a result of the analysis of your data mentioned above (for example, the most ordered products in the Getir mobile application).

Collecting Methods of Personal Data

We collect mobile application users' personal data via the Getir mobile application by automatic and partially automatic methods.

If you contact us through the following channels, we collect your personal data through these channels:

Purposes of Personal Data Processing

As Getir, we process your personal data within the country or outside the country for the following purposes:

Transfer of Personal Data

We share your personal data with the following parties within the country or outside the country, for the following purposes:

Getir Distributors, Couriers and GetirFood Restaurants Conducting communication between distributors, couriers, restaurants and customers, conducting customer order transactions, informing the couriers about the address to which the order will be delivered.
Business Partners & Suppliers Getting support from suppliers related to the products and services offered by Getir to its customers, conducting financial and accounting processes, managing business partner and supplier relations.
Authorized Persons, Institutions or Organizations Providing information to authorized persons, institutions, or organizations, fulfilling our legal obligations, conducting legal processes and conducting our activities in accordance with the legislation.

Use of Identification Technologies

We use identification technologies that enable us to record user transactions and match the device information with the transactions performed in the application in order to ensure that users perform their mobile application experiences in the best way. For information about the use of identification technologies, you may review the Information Regarding Identification Technologies.

Terms

Descriptions of the terms we use in the Policy are as follows:



Last Update: 18/08/2020