Privacy and Personal Data Protection
COVALENT LABS İLAÇ VE KOZMETİK ANONİM ŞİRKETİ
PRIVACY AND PERSONAL DATA PROTECTION NOTICE FOR WEBSITE VISITORS
VERSION: 1.0
Effective Date: 18 / 12 / 2025
Covalent Labs İlaç ve Kozmetik Anonim Şirketi attaches utmost importance to the protection of individuals' fundamental rights and freedoms, including the right to respect for private and family life as enshrined in constitutional and human rights instruments. Within this framework, the Company takes care that personal data are processed and protected lawfully and acts on this basis in all planning and operations.
The Company does not regard the protection and lawful processing of personal data merely as regulatory compliance; rather, it places human dignity at the core of its approach. Acting with this awareness, the Company implements all necessary administrative and technical measures to securely store personal data and to prevent unlawful processing.
In this context, the conditions for the processing and transfer of personal data produced or shared during the use of the website www.covalentlabs.com.tr are set out below in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation, "GDPR") and applicable EU law.
1. Definitions
Website: The website located at www.covalentlabs.com.tr.
Applicable Law / Regulation: Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and relevant EU secondary legislation, together with applicable national implementing laws.
Personal Data: Any information relating to an identified or identifiable natural person.
Online Visitor / Data Subject: All persons who access the Website. Included within the Visitor group under the Company's policies.
Supervisory Authority: The competent data protection authority (Data Protection Authority / Supervisory Authority) in the applicable EU Member State.
Company: Covalent Labs İlaç ve Kozmetik Anonim Şirketi
Hosting Provider: Natural or legal persons who provide or operate systems that host services and content on the Internet.
2. Personal Data Processed
Depending on the Online Visitor's access to and activities on the Website, the following categories of personal data may be processed:
For Online Visitors who visit the Website:
- Technical and security information (e.g., IP address, site traffic information, access timestamps).
For Online Visitors who complete forms on the Website:
- Identity information (name, surname)
- Contact information (email address, telephone number)
In addition to the items listed above, other data that may be necessary for the operation, development and security of the Website may be processed in compliance with the GDPR. In such cases, detailed information will be provided at the relevant data processing points.
3. Method and Legal Basis of Personal Data Collection
Personal data are collected automatically or semi-automatically through the use of the Website and by completing the contact/communication form, and are retained only for the period necessary for the purposes of processing.
Personal data are processed based on the Online Visitor's consent where required (GDPR Article 6(1)(a) and Article 7). In addition, personal data may be processed without obtaining explicit consent where processing is based on other lawful bases set out in GDPR Article 6(1), including:
- necessity for compliance with a legal obligation to which the data controller is subject (Article 6(1)(c));
- necessity for the performance of a contract to which the data subject is party (Article 6(1)(b));
- necessity to protect the vital interests of the data subject or another natural person (Article 6(1)(d));
- necessity for the performance of a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e));
- necessity for the purposes of the legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject (Article 6(1)(f)).
4. Purposes of Personal Data Processing
Personal data are processed, within the scope permitted by the GDPR and as necessary for the activities carried out on the Website, for the following purposes:
- Site traffic and information security processing: "site traffic information" is processed to carry out information security processes and to ensure the security and functioning of the Website.
- Compliance with data retention or logging obligations imposed by EU or national law, including obligations arising from the ePrivacy Directive (Directive 2002/58/EC) and applicable national legislation, for which hosting providers may be subject to record-keeping or retention duties.
Processing of personal data for the purpose of sending commercial electronic communications (direct marketing) is subject to the Online Visitor's explicit consent where required by applicable law.
The Website does not employ third-party cookies for tracking or advertising. Only cookies strictly necessary for the operation and security of the Website may be used. Online Visitors may disable cookies via their browser settings or request notification before cookies are set. Disabling cookies may impair certain functions of the Website.
Information on how to manage (and disable) cookies in commonly used browsers:
Chrome: https://support.google.com/accounts/answer/61416
Internet Explorer: https://support.microsoft.com/tr-tr/help/17442/windows-internet-explorer-delete-manage-cookies
Mozilla Firefox: https://support.mozilla.org/tr/products/firefox/protect-your-privacy/cookies
Safari: https://support.apple.com/tr-tr/guide/safari/manage-cookies-and-website-data-sfri11471/mac
5. Recipients and Purpose of Transfers of Personal Data
Where one of the lawful bases under GDPR Article 6(1) exists, personal data may be transferred, for the purposes set out in Article 4 above and subject to appropriate safeguards, to the Company's corporate group entities inside and outside the European Economic Area (EEA) and to competent public authorities as required by applicable law.
International transfers outside the EEA will be carried out only where appropriate safeguards are in place (e.g., an adequacy decision by the European Commission, standard contractual clauses adopted by the Commission, binding corporate rules, or other lawful transfer mechanisms under Chapter V of the GDPR) or where another lawful derogation applies. Such transfers will be subject to technical and organisational safeguards to protect personal data.
6. Rights of the Data Subject under the GDPR
Covalent Labs İlaç ve Kozmetik Anonim Şirketi informs data subjects of their rights and the procedures for exercising them, and implements the necessary internal, administrative and technical arrangements to facilitate their exercise.
Under Articles 15–22 of the GDPR and related provisions, data subjects have the following rights:
▪ The right to obtain confirmation as to whether or not personal data concerning them are being processed (right of access; Article 15).
▪ The right to obtain information if their personal data have been processed (Article 15).
▪ The right to obtain the purpose of processing and to know whether personal data are being used in accordance with those purposes (Article 15).
▪ The right to know the recipients or categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries (Article 15).
▪ The right to request rectification of inaccurate personal data and to have incomplete personal data completed (Article 16).
▪ The right to request erasure ('the right to be forgotten') where applicable under Article 17.
▪ The right to request restriction of processing in accordance with Article 18.
▪ The right to data portability (Article 20), where applicable.
▪ The right to object to processing of personal data on grounds relating to their particular situation where processing is based on legitimate interests (Article 21).
▪ The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them, and rights related to such processing (Article 22).
▪ The right to withdraw consent at any time where processing is based on consent (Article 7(3)).
▪ The right to lodge a complaint with a supervisory authority (Article 77) and to seek judicial remedies.
Requests and applications relating to the exercise of these rights may be submitted by completing the Data Subject Request Form and by delivering it in writing to the address " undefined " in person, or by sending it via a notary, or by electronic means using a registered e-mail (KEP) address "undefined" or by using a secure electronic signature or mobile signature where applicable.
If the data subject's request is submitted using an electronic mail address which has previously been notified to the Company and is registered in the Company's records, the request may also be sent to info@covalentlabs.com.tr.
Applications must include the following mandatory information:
▪ Name and surname and signature (if the application is in writing),
▪ For Turkish citizens: T.C. identity number; for foreigners: nationality, passport number or identity document number where applicable,
▪ Address for notification or business address,
▪ If available, the electronic mail address, telephone and fax numbers to be used for notification,
▪ The subject matter of the request.
Relevant information and documents substantiating the application should be attached to the request.
The Company will respond to requests without undue delay and in any event within one month of receipt in accordance with GDPR Article 12(3). Where necessary and taking into account the complexity and number of requests, the Company may extend this period by a further two months, informing the data subject of such extension within one month of receipt of the request together with the reason(s) for the delay. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either charge a reasonable fee taking into account administrative costs or refuse to act on the request as permitted by GDPR Article 12(5).
The Company may accept or refuse the request, providing the grounds for any refusal in writing or electronically. If a request is accepted, the Company shall take the necessary actions without undue delay and inform the Data Subject. If any fee was charged and the request is refused due to the Company's error, any fee charged will be refunded to the data subject.
In the event of refusal, insufficient response, or failure to respond within the statutory period, the data subject has the right to lodge a complaint with the competent Supervisory Authority and to pursue other legal remedies within the timelines provided by applicable law.
7. Data Security
The Company is obliged to take all appropriate administrative and technical measures to prevent unlawful processing of personal data and unlawful access to personal data, to ensure the preservation of personal data and to achieve an appropriate level of security.
Where the Website contains links or redirects to other websites or applications, the Company does not control and is not responsible for the data protection practices or privacy statements of those sites or applications, and does not accept liability for their content.
By using the Website, the Online Visitor acknowledges that they have read and understood the terms of this Privacy and Personal Data Protection Notice and that they have been informed about the processing of their personal data as described herein.