Privacy and Personal Data Protection

Covalent Labs İlaç ve Kozmetik Anonim Şirketi attaches utmost importance to the protection of individuals' fundamental rights and freedoms, including the right to respect for private and family life as enshrined in constitutional and human rights instruments. Within this framework, the Company takes care that personal data are processed and protected lawfully and acts on this basis in all planning and operations.

The Company does not regard the protection and lawful processing of personal data merely as regulatory compliance; rather, it places human dignity at the core of its approach. Acting with this awareness, the Company implements all necessary administrative and technical measures to securely store personal data and to prevent unlawful processing.

In this context, the conditions for the processing and transfer of personal data produced or shared during the use of the website www.covalentlabs.com.tr are set out below in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation, "GDPR") and applicable EU law.

1. Definitions

Website: The website located at www.covalentlabs.com.tr.

Applicable Law / Regulation: Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and relevant EU secondary legislation, together with applicable national implementing laws.

Personal Data: Any information relating to an identified or identifiable natural person.

Online Visitor / Data Subject: All persons who access the Website. Included within the Visitor group under the Company's policies.

Supervisory Authority: The competent data protection authority (Data Protection Authority / Supervisory Authority) in the applicable EU Member State.

Company: Covalent Labs İlaç ve Kozmetik Anonim Şirketi

Hosting Provider: Natural or legal persons who provide or operate systems that host services and content on the Internet.

2. Personal Data Processed

Depending on the Online Visitor's access to and activities on the Website, the following categories of personal data may be processed:

For Online Visitors who visit the Website:

• Technical and security information (e.g., IP address, site traffic information, access timestamps).

For Online Visitors who complete forms on the Website:

• Identity information (name, surname)
• Contact information (email address, telephone number)

In addition to the items listed above, other data that may be necessary for the operation, development and security of the Website may be processed in compliance with the GDPR. In such cases, detailed information will be provided at the relevant data processing points.

3. Method and Legal Basis of Personal Data Collection

4. Purposes of Personal Data Processing

Processing of personal data for the purpose of sending commercial electronic communications (direct marketing) is subject to the Online Visitor's explicit consent where required by applicable law.

The Website does not employ third-party cookies for tracking or advertising. Only cookies strictly necessary for the operation and security of the Website may be used. Online Visitors may disable cookies via their browser settings or request notification before cookies are set. Disabling cookies may impair certain functions of the Website.

Information on how to manage (and disable) cookies in commonly used browsers:

• Chrome: https://support.google.com/accounts/answer/61416
• Internet Explorer: https://support.microsoft.com/tr-tr/help/17442/windows-internet-explorer-delete-manage-cookies
• Mozilla Firefox: https://support.mozilla.org/tr/products/firefox/protect-your-privacy/cookies
• Safari: https://support.apple.com/tr-tr/guide/safari/manage-cookies-and-website-data-sfri11471/mac

5. Recipients and Purpose of Transfers of Personal Data

6. Rights of the Data Subject under the GDPR

Covalent Labs İlaç ve Kozmetik Anonim Şirketi informs data subjects of their rights and the procedures for exercising them, and implements the necessary internal, administrative and technical arrangements to facilitate their exercise.

Under Articles 15–22 of the GDPR and related provisions, data subjects have the following rights:

• The right to obtain confirmation as to whether or not personal data concerning them are being processed (right of access; Article 15).
• The right to obtain information if their personal data have been processed (Article 15).
• The right to obtain the purpose of processing and to know whether personal data are being used in accordance with those purposes (Article 15).
• The right to know the recipients or categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries (Article 15).
• The right to request rectification of inaccurate personal data and to have incomplete personal data completed (Article 16).
• The right to request erasure ('the right to be forgotten') where applicable under Article 17.
• The right to request restriction of processing in accordance with Article 18.
• The right to data portability (Article 20), where applicable.
• The right to object to processing of personal data on grounds relating to their particular situation where processing is based on legitimate interests (Article 21).

Requests and applications relating to the exercise of these rights may be submitted by completing the Data Subject Request Form and by delivering it in writing to the address " undefined " in person, or by sending it via a notary, or by electronic means using a registered e-mail (KEP) address "undefined" or by using a secure electronic signature or mobile signature where applicable.

If the data subject's request is submitted using an electronic mail address which has previously been notified to the Company and is registered in the Company's records, the request may also be sent to info@covalentlabs.com.tr.

Applications must include the following mandatory information:

• Name and surname and signature (if the application is in writing),
• For Turkish citizens: T.C. identity number; for foreigners: nationality, passport number or identity document number where applicable,
• Address for notification or business address,
• If available, the electronic mail address, telephone and fax numbers to be used for notification,
• The subject matter of the request.

Relevant information and documents substantiating the application should be attached to the request.

The Company will respond to requests without undue delay and in any event within one month of receipt in accordance with GDPR Article 12(3). Where necessary and taking into account the complexity and number of requests, the Company may extend this period by a further two months, informing the data subject of such extension within one month of receipt of the request together with the reason(s) for the delay. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either charge a reasonable fee taking into account administrative costs or refuse to act on the request as permitted by GDPR Article 12(5).

7. Data Security

The Company is obliged to take all appropriate administrative and technical measures to prevent unlawful processing of personal data and unlawful access to personal data, to ensure the preservation of personal data and to achieve an appropriate level of security.

Where the Website contains links or redirects to other websites or applications, the Company does not control and is not responsible for the data protection practices or privacy statements of those sites or applications, and does not accept liability for their content.

By using the Website, the Online Visitor acknowledges that they have read and understood the terms of this Privacy and Personal Data Protection Notice and that they have been informed about the processing of their personal data as described herein.