Personal Data Protection And Processing Policy
1. GENERAL INFORMATION ABOUT THE POLICY
Maxibnb Tourism Inc. ("Maxihomes") ("Company") acts as a "Data Controller" under Law No. 6594. Within the scope of Law No. 6698, Personal Data Protection Law ("Law"), the personal data of all natural persons related to our Company, including but not limited to our customers, visitors, website users, and company shareholders, is our priority. The personal data of employees of institutions with which we cooperate, shareholders and authorized personnel, as well as our employees and job candidates are processed in accordance with the Law and secondary regulations, enabling the persons concerned to effectively exercise their rights as personal data holders. In conducting our activities, our Company carries out operations related to the processing, storage, and transfer of personal data of all personal data holders related to our Company in accordance with this Personal Data Protection and Processing Policy ("Policy"). The fundamental principle of this Policy and our Company regarding the processing of such personal data is the protection of such personal data and of the fundamental rights and freedoms of the natural persons whose personal data is collected, and the adoption of all necessary administrative and technical measures/actions for this purpose.
Purpose of the Policy
The primary purpose of this Policy is to determine the methods to be followed regarding the processing, storage, transfer, deletion, or anonymization of personal data transferred to us by personal data holders during our business, social responsibility, and similar activities. As a "data controller" under the Law, our Company operates within the framework of the principles provided for in the Law. In this context, we aim to ensure transparency by providing necessary information to personal data holders, especially our customers, potential customers, job candidates, company shareholders, company authorized personnel, and visitors. This includes information about personal data processed by institutions with which we cooperate and third parties processed by Maxibnb Tourism Inc. companies.
Scope of the Policy
This Policy covers our employees, job candidates, shareholders/partners, visitors, business partners, customers, potential customers, suppliers, affiliates, website users/visitors, and other personal data holders associated with our Company during the conduct of our activities; in other words, all personal data holders identified with our Company during the execution of our operations. This Policy does not apply to any data relating to legal entities.
In the event of a conflict between the currently applicable legislation regarding personal data processing and protection and this Policy, the provisions of the applicable relevant legislation will be applied.
Policy Effective Date
This Policy was approved by the Company and entered into force on January 1, 2026. The previous version of this Policy published on our website is hereby repealed as of the date this Policy enters into force. Should any changes be required to this Policy, the relevant provisions will be revised accordingly. The details of such changes to this Policy are provided in Section 11 of this Policy.
2. CLASSIFICATION OF PERSONAL DATA
2.1. Personal Data
The term 'personal data' includes any information relating to a natural person whose identity is determined or can be determined. In this Policy, the term personal data will also include special category personal data as per applicable legislation.
Sensitive Personal Data
Special category personal data includes: race or ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, physical appearance and clothing, membership in associations, foundations or unions, health-related data, sexual life or sexual orientation, criminal convictions, security measures-related data, and biometric and genetic data of natural persons.
3. DATA SUBJECT GROUPS AND DATA CATEGORIES
3.1. Personal Data Classification
The personal data in the categories below is processed by the Company in accordance with Article 10 of the Law, with information provided to data subjects. In this section, information is provided regarding which personal data under these categories are processed for data subject groups defined in this Policy, and what types of personal data are processed within the scope of these categories. Such personal data, being part of a data recording system, is processed either partially or completely through automated or non-automated systems and includes data that is clearly understood to belong to a natural person whose identity is determined or can be determined.
3.2. Personal Data Categories
- Identity Information: Name and surname information.
- Contact Information: Telephone number, email address, and other contact information.
- Geolocation Data: City information.
4. PROCESSING OF PERSONAL DATA
4.1. General Principles for Processing Personal Data
Personal data is processed by the Company in accordance with the procedures and principles provided for in the Law and this Policy. While processing such personal data, the Company acts in accordance with the following principles:
- Compliance with applicable laws and the principle of integrity
- Ensuring that personal data is accurate and kept current as necessary
- Processing personal data for specific, clear, and legitimate purposes
- Processing personal data in a manner connected, limited, and proportionate to the processing purpose
- Storing personal data for the period provided for in applicable legislation or required for the purposes of processing
4.2. Conditions for Processing Personal Data
The Company does not process personal data without the explicit consent of the personal data holder. However, personal data may be processed without the explicit consent of the personal data holder in the following cases:
- The processing of personal data is expressly provided for in the relevant law
- The processing of such personal data is necessary to protect the life or physical integrity of the data holder or another person, and in such cases, the data holder cannot express explicit consent due to actual impossibility or the consent is not legally valid
- Processing is directly related to the conclusion or performance of a contract, and such personal data processing is necessary for the data controller to fulfill its legal obligations
- The data holder has made information public themselves (i.e., previously disclosed to the public), and the legal interest in protecting such personal data has been eliminated, allowing processing without explicit consent
- Such personal data processing is necessary for the establishment, use, or protection of any claim or right, provided it does not cause material harm
- Processing is necessary for the legitimate interests of the data controller, subject to the rights and freedoms of the data subject
4.3. Conditions for Processing Special Category Personal Data
The Company does not process Special Category Personal Data without the explicit consent of the relevant person. The Company will take necessary steps to implement sufficient measures determined by the Personal Data Protection Board for processing such Special Category Personal Data.
4.4. Purposes of Processing Personal Data
Personal Data collected by the Company is processed for the following purposes within the scope of the personal data processing conditions set forth in Articles 5 and 6 of the Law. In cases where the processing of personal data for the purposes listed below does not meet any of the conditions provided for in the Law, the Company obtains the explicit consent of the personal data holder for such processing.
- Performance of information and/or data security procedures
- Creating, updating, and developing services to be provided to our customers by identifying the interests and needs of our customers
- Ensuring compliance with legal obligations required or mandated by legal regulations
- Providing campaigns and promotions
- Conducting advertising and marketing activities
5. TRANSFER OF PERSONAL DATA
5.1. Conditions for Transferring Personal Data
As a Company, we act in accordance with the conditions provided for in the Law and the decisions and regulations adopted by the Board of Management, and we take necessary actions. The Company does not transfer personal data and special category personal data to any natural or legal person without the explicit consent of the Personal Data Holder, except in exceptional circumstances provided for in applicable legislation. However, personal data may be transferred in the following cases:
- In the circumstances described in Section 2 of Section 4 of this Policy or
- For sensitive personal data, in the circumstances described in Section 2 of Section 4 of this Policy
The means used by the Company for the transfer of such personal data consist of corporate intranet, electronic mail, printed copies, MS Excel spreadsheets, VPN, secure file transfer, and similar methods.
International Transfer Conditions for Personal Data
As a general rule, personal data cannot be transferred abroad without the explicit consent of the Data Holder.
5.2. Purposes of Transferring Personal Data and Third Parties to Whom Personal Data is Transferred
Personal data may be transferred to the following parties for the purposes stated in Section 4 of this Policy:
- Our suppliers
- Business partners and business connections
- Affiliates and group companies
- Maxibnb Tourism Inc.
- Government institutions and organizations legally authorized
- Legally authorized private persons/organizations
- Our shareholders
- Our domestic and foreign server service providers
- Audit firms, subject to the implementation of all necessary technical and administrative measures in accordance with the principles and rules described in this Policy
6. METHOD AND LEGAL BASIS FOR COLLECTION OF PERSONAL DATA
6.1. Method and Legal Basis for Collection of Personal Data
Personal Data is collected by the Company through various means such as our website, emails, application forms, request forms, secure electronic transactions, printed forms, registration forms, and physical channels, through technical and procedural methods, or verbally and in writing. Personal Data is collected as part of providing our business services to our customers, as part of a data recording system, either partially or completely through automated or non-automated systems, or in the digital environment. The execution of our commercial activities in this scope is based on applicable legislation, contracts, receivables, commercial practices, and principles of integrity, on legitimate reasons that can be applied based on these, and on the fulfillment of legal obligations in this scope. Through the establishment of a business relationship with our customers, the Company fulfills the requirements of that business relationship, establishes, uses, protects, and exercises the mutual rights of the parties in this scope, and maintains such business relationships. The Company maintains the fundamental rights and freedoms of personal data holders and acts in the legitimate interests of the Company. In this context, the characteristic methods of collecting Personal Data, the purposes of collecting personal data, and the activities conducted in this scope are as follows:
Security Camera Monitoring at Building and Facility Entrances and Inside
Within the scope of security camera monitoring activities, the Company aims to improve the excellence of the provided services, ensure the reliability of these services, ensure the security of the Company, its customers, and other persons, and protect customer interests. Personal data related to such customer services is processed.
Monitoring of Visitor Entry and Exit Operations at Building and Facility Entrances and Inside
The Company processes personal data for the purpose of ensuring security and the purposes defined in this Policy for monitoring visitor entry and exit operations at Company buildings and facilities. The names, surnames, and vehicle license plates of persons visiting the Company building as guests are taken, and personal data holders are properly informed through materials placed in various parts of Company buildings or otherwise accessible.
Website Visitors
The Company uses technical methods (such as cookies) to record the online activities of visitors to its websites, so that visitors can navigate the websites in line with the purpose of their visit, view specific content, and so that the Company can conduct online advertising activities. Our website's "Cookie Policy" is presented to our site visitors, and comprehensive information is provided to these visitors in accordance with our obligation to provide necessary information.
Company Mobile Applications
To facilitate the provision of services offered by our Company to our customers, we develop mobile applications that our customers use on their mobile devices. Within the scope of our obligation to provide necessary information to our customers using our mobile applications, comprehensive information is provided immediately before customers enter any personal information, and explicit consent is obtained from customers.
7. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
Deletion, Destruction, or Anonymization of Personal Data
When the conditions for processing Personal Data cease to exist, the Company undertakes to delete, destroy, or anonymize Personal Data at its own initiative or upon request of the personal data holder, subject to the provisions of other laws and regulations. When Personal Data is deleted, such data is destroyed in a manner that prevents its reuse or recovery. Data destruction operations are carried out during periodic destruction periods determined by the Company, with the destruction operation documented by an official report.
Period for Storage and Destruction of Personal Data
The Company stores Personal Data for the period provided for in applicable legislation. If the retention period for personal data is not regulated in this legislation, Personal Data is processed for the period required by Company procedures and business practices in relation to the operations performed during processing of such personal data, and after that, such personal data may be deleted, destroyed, or anonymized. When the purpose of processing personal data ceases and the retention periods provided for in applicable legislation and/or determined by the Company have also expired, such personal data can only be retained for the purpose of serving as evidence in possible legal disputes or claiming or defending rights relating to such personal data. In such cases, the Company determines the retention periods for personal data based on previous examples received in requests, regardless of the statutory provisions, taking into account the statute of limitations periods, among other circumstances. In this case, retained personal data cannot be accessed for another purpose and can only be accessed if it is necessary to use them in the resolution of legal disputes. Upon expiration of the retention period defined in this paragraph, such personal data is deleted, destroyed, or anonymized.
8. MEASURES TAKEN FOR PERSONAL DATA SECURITY
To prevent Personal Data processed by the Company from being unlawfully processed or unlawfully accessed, sufficient security levels are maintained, and necessary technical and administrative measures and required controls are implemented or will be implemented to ensure the protection of Personal Data processed by the Company.
8.1. Technical Measures Taken for Personal Data Security
These measures are limited to measures aimed at ensuring the security and protection of personal data and include:
- Network security and application security are provided, closed computer network systems are used for personal data transfers over networks
- Necessary security measures are taken regarding the purchase, development, and maintenance of information processing systems
- Required internal technical organization is provided
- Data masking is applied as a measure when deemed necessary for the processing and storage of personal data in accordance with applicable legislation
- Technical infrastructure is established to ensure the security of databases intended for personal data storage
- Established technical infrastructure procedures are subject to follow-up and controls
- Reporting procedures are determined for technical measures taken and control processes
- Technical measures are periodically updated and revised
- Related risks are reviewed and necessary technological solutions are developed
- Up-to-date anti-virus protection systems, firewalls, and similar software or hardware security products are used, and security systems compliant with technological developments are established
- Applications collecting personal data undergo periodic security scans and identified security vulnerabilities are eliminated
- Backup programs are used in accordance with applicable legislation to ensure secure storage of personal data
- Access to data storage areas and/or data is strictly limited to authorized personnel and the purpose for which data is stored. Log records are kept for access to data storage areas where personal data is stored, and unauthorized access or access attempts are immediately reported to authorized personnel
- Logs are periodically reviewed
- Expert technical personnel are employed
- User account management and authorization control systems exist and are monitored
- Logs are kept in a manner that prevents any user intervention
- When special category personal data needs to be transferred by email, such special category personal data is always transferred using encryption and KEP address (registered email address) or corporate email account
- Secure encryption and/or cryptographic keys are used for sensitive personal data and managed by different departments
- Cyber attack detection and prevention systems exist
- Penetration testing is conducted
- Cyber security measures are taken and their implementation is subject to continuous review
- Encryption is provided
8.2. Administrative Measures Taken for Personal Data Security
These measures, limited to measures for the protection of personal data, include:
- Corporate policies and procedures regarding access to personal data, data security, data use, storage, and destruction have been established, including policies regarding the use of tools and equipment for the use of databases and applications containing personal data processing and disclosure
- Employees are properly informed and trained on the protection and processing of personal data in accordance with applicable laws
- Regular data security training and awareness activities are organized for employees
- Measures to be taken in case personal data is unlawfully processed by our company employees are determined in contracts with our employees and/or in published corporate policies
- Contracts and procedures concluded with our employees contain provisions imposing obligations to prevent the unlawful processing, disclosure, and unlawful use of personal data, and awareness and control activities are conducted in this scope
- Company employees are subject to data security discipline penalties
- Our employees are informed that they have obligations not to disclose personal data in their possession to others in violation of the Law and not to process it outside the purposes of processing, and that such obligations continue to be valid even after they leave their positions, and that such employees have committed in writing not to disclose or process such personal data
- Corporate policies regarding access, data security, use, storage, and destruction of personal data are established and implemented
- Contracts properly concluded between the Company and the parties to which personal data is transferred contain provisions requiring the parties receiving personal data to take necessary security measures for the protection of personal data and to ensure compliance with such measures in their institutions
- The scope of access to personal data by Company employees is determined based on such employees' roles and responsibilities, access authorization to personal data is limited accordingly, authorities are periodically reviewed, authorization matrices are created, and the authorities of employees who leave or change positions are revoked
- Current developments in data security, confidentiality of private life, and personal data protection are monitored, and necessary legal and technical consultation services are obtained for taking necessary actions
- The compliance of data processors and other data controllers with whom cooperation is conducted with the Law and secondary legislation is investigated, necessary instructions are provided, and awareness is created regarding compliance
- Issues related to personal data security are reported without delay in a proper manner
- Personal data security is monitored
- Personal data volume is reduced as much as possible
- Personal data is subject to backup, and the security of personal data subject to backup is also ensured
- Internal periodic and/or random audits are conducted or commissioned
- Existing risks and threats are identified
- Protocols and procedures regarding the security of special category personal data have been determined and implemented
- Necessary security measures are taken at entry and exit points to environments/spaces containing personal data
- Environments containing personal data are protected against external risks (e.g., fire, flood)
- Service providers processing personal data are made aware of data security
- Technical personnel are hired accordingly
- A system has been established and implemented to ensure timely notification to relevant personal data holders and the Personal Data Protection Board in the event that such personal data is unlawfully accessed by unauthorized persons
Physical Measures Taken for Personal Data Security
- Occupation-based physical access controls are implemented in places where personal data is stored
- Documents and archiving/storage equipment containing personal data are kept in locked cabinets
- Card access systems are used in work areas
- Work areas are monitored by closed-circuit television (CCTV) systems without interference with employee privacy
- Documents containing personal data and storage devices are securely destroyed in accordance with the rules and principles provided for in the Personal Data Protection Law and this Policy, and are subject to backup to prevent data loss
Procedure to be Followed in Case of Unauthorized Disclosure of Personal Data
In accordance with Article 12 of the Law, the Company notifies the relevant data holder and the Board within the shortest time possible and no later than 72 hours from the time it discovers that Personal Data processed has been unlawfully accessed by third parties.
8.3. Supervision of Measures Taken for Personal Data Protection
In accordance with Article 12 of the Personal Data Protection Law, the Company conducts or commissions internal audits every 6 months when it deems necessary. Audit results are reported to the relevant department within the Company's internal procedures, and necessary actions are taken to improve the measures taken.
Employee Awareness and Supervision Regarding Personal Data Protection and Processing
The Company ensures that necessary training is provided to existing employees and employees newly hired in any business unit to create awareness about preventing the unlawful processing and unlawful access of personal data and ensuring the protection of such personal data. Awareness training is provided to the Company's existing employees every 4 months.
9. RIGHTS OF PERSONAL DATA HOLDERS
9.1. Explanation to be Provided to Personal Data Holder
In accordance with Article 10 of the Law, during the collection of Personal Data, the Company provides explanation/information to the personal data holder regarding the identity of the Company representative if any, the purposes of processing Personal Data, who it is processed for and for what purposes, the Personal Data being processed, the method and legal basis for collection of personal data, and the rights of the Personal Data Holder.
9.2. Rights of Personal Data Holder
In accordance with Article 11 of the Law, the Company informs personal data holders as follows regarding their rights:
- The right to learn whether such personal data is being processed
- The right to request information if such personal data has been processed
- The right to learn the purpose of processing personal data and whether it is used in accordance with its purpose
- The right to have information about domestic or foreign third parties to whom personal data is transferred
- The right to request the correction of personal data if the processed personal data contains incomplete or incorrect information
- The right to request the deletion or destruction of personal data within the framework of the conditions provided for in Article 7 of the Law
- The right to request notification of third parties to whom personal data is transferred regarding operations carried out in accordance with items (d) and (e) of Article 11 of the Law
- The right to object where a result is produced against the personal data holder as a result of the processed data being analyzed exclusively through automated systems
- The right to seek compensation for damages and/or injury when the personal data holder is harmed and/or suffers injury due to the unlawful processing of their personal data
9.3. Exercise of Rights by Personal Data Holder
Personal data holders can submit requests for the exercise of the rights defined in this Policy by completing the "Request Form" on our website at maxi.homes, in accordance with the conditions described below and through the methods explained on our website. The details are contained in the "Request Form."
Right of Personal Data Holder to File a Petition with the Personal Data Protection Board
If the personal data holder's request is rejected by the Company, the personal data holder does not find the answer provided sufficient, or the Company does not respond within the time limit, the personal data holder may file a formal complaint with the Board within thirty (30) days from receipt of the response and in any case within sixty (60) days from the date of the request.
Right of Data Controller to Reject Personal Data Holder's Request
The Company has the right to reject requests submitted by personal data holders when certain conditions specified in this Policy are met. The situations in which the Company, in its capacity as Data Controller, may exercise the right to reject personal data holder requests are as follows:
- Regarding personal data subject to requests made by the relevant personal data holder
- If the personal data is processed for research, planning, statistics, and similar purposes after being anonymized through official statistics
- If personal data is processed in a manner that does not harm or violate freedom of expression within the scope of national defense, national security, crime against the public, or for purposes such as art, history, literature, or science, security, public order, economic security, privacy, or related personality rights
- If such personal data is processed within the scope of preventive, protective, and intelligence activities conducted by authorized public institutions and organizations determined and authorized by law for purposes of ensuring national defense, national security, public security, public order, or economic security
- If such personal data is processed by judicial or execution authorities in relation to investigation, prosecution, litigation, or enforcement
- If processing personal data is necessary for the prevention of crime or criminal investigation
- Processing of personal data previously made public by the personal data holder
- Processing of personal data is necessary for the performance of supervision or regulatory duties by authorized public institutions and organizations determined and authorized by law and public professional organizations, or for discipline or prosecution
- If personal data processing is necessary to protect the State's economic and financial interests in budget, tax, and financial matters
- If the personal data holder's request is of a nature that could impede the rights and freedoms of others
- In requests requiring disproportionate effort
- In situations where the requested information is public information, the Company, in its capacity as Data Controller, may exercise the right to reject the request
10. PERSONNEL RESPONSIBLE FOR COMPLIANCE WITH THIS POLICY
By decision of the Company's top management, a Personal Data Committee has been established within the Company for the management of this Policy and other policies arising from and related to this Policy. The Personal Data Committee is authorized and responsible for the implementation of all necessary procedures for the storage and processing of personal data belonging to Personal Data Holders in accordance with law, this Policy, and other policies arising from and related to this Policy. The main responsibilities of the Personal Data Committee are:
- Establishment and implementation of fundamental policies related to Personal Data Protection and Processing, and submission to top management for approval
- Determination of performance and procedures related to the implementation and control of policies related to Personal Data Protection and Processing, provision of internal assignment and coordination in this context, and submission to top management for approval
- Identification of necessary actions to ensure compliance with the Personal Data Protection Law and related legislation, and submission to top management for approval, as well as ensuring supervision and coordination of the implementation of such actions
- Increasing awareness within the Company and among other institutions with which we cooperate regarding Personal Data Protection and Processing
- Identification of possible risks related to the processing of personal data by the Company and ensuring that all necessary actions are taken, and submission of improvement suggestions to top management for approval
- Determination of training activities regarding the protection of personal data and the implementation of policies, and ensuring their implementation
- Final and definitive resolution of requests submitted by personal data holders
- Coordination of information and training activities aimed at ensuring that personal data holders are properly informed about operations and legal rights regarding personal data processing
- Modification of fundamental policies related to Personal Data Protection and Processing, and submission to top management for approval regarding the implementation of such policies
- Following developments and regulations related to Personal Data Protection, making recommendations to top management regarding actions to be taken within the Company in accordance with these developments and regulations
- Coordination of relations between the Committee and the Personal Data Protection Board
- Performance of other functions to be assigned by the Company's top management regarding the protection of personal data
11. REVISIONS AND AMENDMENTS
The Company reserves the right to make amendments to this Policy and other policies arising from and related to this Policy in accordance with any changes in the Law and secondary legislation, Board decisions, and/or developments in the sector. This includes any matter regarding legislation and its implementation. Any changes to this Policy are immediately incorporated into the text, and comments regarding such changes are provided in this section.
This Personal Data Protection and Processing Policy was approved by the Company on January 20, 2026, and entered into force by being published on the website.