Data Retention and Disposal Policy

This Data Retention and Disposal Policy has been prepared by Core Sağlık Hizmetleri Ve Kozmetik Ürünleri İmalat San. A.Ş. (“Company”) in accordance with the Turkish Personal Data Protection Law No. 6698 (“KVKK”), the Regulation on Deletion, Destruction or Anonymization of Personal Data, and other relevant secondary legislation.

The purpose of this Policy is to set out the principles, procedures, and methods regarding the retention, deletion, destruction, and anonymization of personal data processed by the Company through its e-commerce platforms, digital channels, and business processes.

Scope

This Policy applies to all personal data processed by the Company, whether obtained through the website, mobile interfaces, customer service channels, marketing activities, contractual relationships, or other lawful means. It covers personal data belonging to customers, visitors, members, suppliers, business partners, and other third parties.

Principles Regarding Retention of Personal Data

Personal data are retained by the Company only for the minimum period necessary to fulfill the purpose for which they are processed and to comply with applicable legal obligations. Retention periods are determined in accordance with the principles set forth under KVKK, including lawfulness, data minimization, purpose limitation, and proportionality.

The Company retains personal data for periods required by tax legislation, commercial law, consumer protection regulations, electronic commerce legislation, and other applicable laws. Where no specific legal retention period is stipulated, personal data are retained for as long as required by the legitimate interests of the Company, provided that such interests do not override the fundamental rights and freedoms of data subjects.

Retention Periods by Data Category

Identity and contact information are retained for the duration of the contractual relationship and for the legally required periods thereafter. Order, transaction, invoicing, and payment-related records are retained in accordance with tax and commercial legislation. Customer communication records are retained for a reasonable period to manage disputes, complaints, and customer service processes. Marketing and communication consent records are retained until the data subject withdraws consent or until the relevant processing purpose ceases.

Technical data such as log records and IP address information are retained for periods necessary to ensure information security, system integrity, and fraud prevention, in accordance with applicable legislation.

Circumstances Requiring Deletion, Destruction, or Anonymization

Personal data are deleted, destroyed, or anonymized by the Company in cases where the purpose of processing ceases to exist, the relevant legal retention period expires, the data subject withdraws consent where consent constitutes the legal basis for processing, or processing becomes unlawful for any reason.

Deletion, destruction, or anonymization processes are carried out even if personal data have been processed lawfully in the past, provided that retention is no longer justified under KVKK.

Methods of Deletion and Destruction

Deletion refers to rendering personal data inaccessible and unusable for relevant users. Destruction refers to the physical or logical destruction of personal data in a manner that makes it impossible to recover. Anonymization refers to processing personal data in such a way that it can no longer be associated with an identified or identifiable natural person.

The Company applies appropriate technical and administrative methods for deletion and destruction, including secure deletion from digital systems, overwriting, de-identification, physical destruction of printed materials, and restriction of access rights.

Periodic Review and Disposal Process

The Company conducts periodic reviews to identify personal data whose retention periods have expired. Such reviews are carried out at regular intervals in accordance with internal procedures. Personal data identified during these reviews are deleted, destroyed, or anonymized without delay.

All disposal processes are documented to ensure accountability and compliance with KVKK.

Data Security During Disposal

During deletion, destruction, and anonymization processes, the Company takes all necessary technical and administrative measures to ensure data security and prevent unauthorized access, disclosure, or misuse. Disposal processes are performed by authorized personnel only.

Responsibilities

Company employees and authorized personnel involved in personal data processing and disposal activities are responsible for complying with this Policy. Violations may result in disciplinary action and legal consequences.

Updates to the Policy

The Company reserves the right to amend this Policy in line with legislative changes, regulatory guidance, and operational requirements. Updated versions of the Policy shall become effective upon publication on the Company’s website.