HONORED TO MEET YOU

WELCOME TO ACOREN
ABOUT US PEOPLE JOBS & CAREERS EVENTS & WEBINARS
VALUE ADDED ENGINEERING

SERVICES
CONSULTANCY CONSTRUCTION & DESIGN EMPLOYEE TRAINING SOFTWARE DEVELOPMENT TESTING & INSPECTION
PEOPLE COME FIRST

APPROACH
CLIENT EXPERIENCE INTEGRATED DESIGN & CONSTRUCTION LIFE OF THE BUILDING
CONTACT

HONORED TO MEET YOU

WELCOME TO ACOREN
ABOUT US PEOPLE JOBS & CAREERS EVENTS & WEBINARS
VALUE ADDED ENGINEERING

SERVICES
CONSULTANCY CONSTRUCTION & DESIGN EMPLOYEE TRAINING SOFTWARE DEVELOPMENT TESTING & INSPECTION
PEOPLE COME FIRST

APPROACH
CLIENT EXPERIENCE INTEGRATED DESIGN & CONSTRUCTION LIFE OF THE BUILDING
CONTACT

|
Contact

Legal document

PRIVACY NOTICE
( version: 2026-01-08-v2 )

Version: 2026-01-08-v2
Effective Date: 8 January 2026

PRIVACY NOTICE

1. Purpose and Scope

This document has been prepared in order to explain matters regarding the processing of personal data within the scope of the acoren.com network (“Network”) operated by ACOREN MÜHENDİSLİK LİMİTED ŞİRKETİ (“ACOREN”) and the digital services provided through this Network.

This Notice covers;

- Those who access the Acoren.com network for general access,
- Contracted service recipients (Engineering services and related digital services)
- Employees or business partners (to the extent related to Network access and use)

2. Data Controller

Name: ACOREN MÜHENDİSLİK LİMİTED ŞİRKETİ
Location: A. Nafiz Gurman Mah. Sırpsındığı Sk. No:3/2, 34173 Güngören / İstanbul – Türkiye
KEP: acoren@hs01.kep.tr
Network: www.acoren.com
E-mail: info@acoren.com

3. Processed Personal Data

Depending on the nature of the services provided, personal data may be processed in a limited manner. These data are as follows:

- Name Surname
- E-mail address
- Phone number
- Company name
- Username / Login Information
- IP address
- User Information (account and service records, language preferences, cookie/consent preferences and similar operational user information)

4. Purposes of Processing Personal Data

Personal data are processed for the following purposes:

- Service provision and operation of the Network
- Fulfillment of contract terms
- Maintaining access/download records for documents provided via the customer portal and evidencing delivery
- Ensuring technical security, preventing unauthorized access, detecting and resolving errors
- Fulfillment of legal obligations
- Usage counting/measurement and development of the Network

These processes are carried out so that service recipients can use the professional/technical software and applications offered through the Network securely and so that the necessary information exchange can be ensured.

5. Legal Basis

Personal data are processed on the basis of the data collection methods and processing conditions specified below, within the scope of the Personal Data Protection Law No. 6698 (KVKK) and relevant law/legislation.

Data collection method:

Data may be collected; (i) by being declared by the user through forms/portal areas on the Network, (ii) automatically in a technical manner during the use of the service (e.g., IP, session/device information, log records, cookie preferences), and (iii) via e-mail, phone and similar communication channels during/in the course of the contract process/implementation.

Data processing conditions (legal basis):

- Within the scope of being directly related to and necessary for the establishment or performance of a contract: creating an account, identity verification, customer portal, and provision of contracted services.
- Within the scope of the data controller fulfilling its legal obligation: fulfilling obligations arising from the law and responding to official requests.
- Within the scope of the necessity of data processing for the establishment, exercise or protection of a right: management of disputes, request/complaint processes, and keeping records that may serve as evidence.
- Within the scope of the data controller’s legal interest (legitimate interest): ensuring information security, preventing unauthorized access, error detection and maintaining network security (provided that it does not harm the fundamental rights and freedoms of the relevant person).
- Within the scope of explicit consent: non-essential cookies (e.g., analytics/measurement and marketing/advertising performance measurement cookies) and other cases requiring explicit consent.

As a rule, ACOREN aims not to process special categories of personal data; in cases where processing is required, the necessary conditions are ensured in accordance with the relevant provisions of the KVKK.

6. Transfer of Personal Data

Personal data may be shared only to the extent required by the service and limited to the following groups of service providers:

- Hosting (hosting/cloud) service providers (e.g., DigitalOcean, etc.)
- E-mail service providers (e.g., GoDaddy, etc.)
- Analytics/measurement and advertising performance measurement service providers (e.g., Google Analytics, Google Ads/DoubleClick, etc.)

ACOREN does not “sell” personal data; it aims not to transfer personal data for third parties to use for their own purposes (including independent marketing activities). However, analytics/measurement and (referred to as “marketing cookies” in the interface) advertising performance measurement tools enabled with user consent may process certain technical identifiers through cookies and similar methods and may produce counted (statistical) reports.

Within the scope of advertising performance measurement and analytics/measurement, no processing is carried out with the aim of directly identifying the user. Personal data are not processed for direct marketing communication purposes (e.g., marketing via ads/e-newsletters/SMS/phone calls). Analytics/measurement and advertising performance measurement processes carried out via non-essential cookies are conducted only if user consent is obtained.

If the infrastructure/processing activities of service providers are located outside Türkiye, the transfer of personal data abroad may be in question. In this case, the transfer is carried out in accordance with the conditions regarding cross-border transfers under the KVKK and, to the extent applicable, by providing appropriate safeguard instruments. Upon request, appropriate information is provided regarding the scope and basis of the transfer.

7. Behavioral (Log) Records and Technical Security

ACOREN takes the necessary technical and managerial measures in order to operate securely the engineering services it carries out and the software it provides through the acoren.com network. Within the scope of its activities, limited technical behavioral (log) records may be kept in order to ensure the security of the Network, debug errors and prevent unauthorized access.

Log records that may be kept may include, by way of example and limited to the purpose:
- IP information, time and date information, session/request identifier
- User agent (browser/device information) and technical data such as language preferences
- Accessed network endpoint, transaction type, response code, error logs
- Records of file/document download actions in the customer portal (downloaded file identifier/name, download date-time (UTC), user account)
- Login/logout, authorization attempts, and records related to security incidents
Within the customer portal, the “last downloaded” information for a given file may be displayed to the user for informational purposes.

Behavioral (Log) records are processed for the purposes of; (i) detecting and preventing information security incidents, (ii) monitoring system performance and resolving errors, and (iii) preserving records that may serve as evidence in audit and dispute situations. Behavioral records (Logs) are not used outside these purposes, and data minimization is applied to the extent possible.

Access to behavioral (log) records is restricted by an authorization matrix; records are protected with appropriate security measures (access control, authorization, encryption when necessary, audit trails, network and system security measures).

Retention period: Behavioral (Log) records are retained for as long as necessary for the relevant purpose and by taking into account relevant dispute/audit processes and limitation periods; as a rule, they are retained for a maximum of 2 (two) years. Longer retention is applied only in the event of a concrete security incident, an ongoing investigation, or a dispute, and limited to this. At the end of the period, behavioral records (Logs) are deleted, destroyed or anonymized.

8. Cookies

Cookie types that may be used on the acoren.com network are limited to the following:

- Essential cookies: session, security and language preferences
- Analytics cookies: usage counting/measurement (e.g., Google Analytics)
- Marketing cookies for advertising performance measurement: measurement of advertising performance and attribution notifications/reports (e.g., Google Ads, DoubleClick)

Essential cookies may be used without being subject to user consent, as they are necessary for the operation and security of the Network.

Analytics cookies and marketing cookies for advertising performance measurement are used only with user consent; these cookies are not activated unless user consent is given. Cookie consents can be changed and withdrawn by users at any time; withdrawal is provided in a way that is as easy as giving consent. Users may also manage cookie preferences through browser settings.

In this Notice, the term “Marketing cookies” refers to the category name in the cookie consent interface; cookies within this category are not used by ACOREN for direct marketing communication (SMS/e-mail/phone) purposes and are activated only with user consent, solely for advertising performance measurement/attribution notifications (reports).

Given consents are recorded and stored in a verifiable manner when necessary.

9. Retention Periods

Personal data are retained for as long as necessary for the provision of services, ensuring security, fulfilling legal obligations and resolving disputes; when the purpose ceases to exist, they are deleted, destroyed or anonymized.

10. User Rights (KVKK)

Data subjects have the following rights within the scope of Article 11 of the KVKK:

- To learn whether personal data are processed,
- To request information if personal data have been processed,
- To learn the purpose of processing personal data and whether they are used in accordance with the purpose,
- To know the third parties to whom personal data are transferred domestically or abroad,
- To request correction of personal data if they have been processed incompletely or inaccurately,
- To request deletion, destruction or anonymization of personal data within the framework of the conditions stipulated in the KVKK,
- To request notification of third parties to whom personal data have been transferred regarding correction and deletion/destruction/anonymization,
- To oppose (object to) a result that is to the detriment of the person arising from the analysis of processed data, in particular by self-operating (automatic) systems,
- To request compensation for damages in case of suffering damage due to unlawful processing of personal data.

Requests regarding these rights may be submitted via “info@acoren.com” or via the KEP address “acoren@hs01.kep.tr”. In applications, identity verification/additional information may be requested when necessary. Applications are concluded as soon as possible and no later than 30 days, depending on the nature of the request.

In cases where the application is rejected, the response is found insufficient, or no response is given in due time; the data subject may apply to the Personal Data Protection Board (KVKK) within 30 days after the day on which they learn of the data controller’s response and in any case within 60 days after the day of application.

11. Applicable Law and Competent Court

This Privacy Notice is subject to the law of the Republic of Türkiye.

In case of disputes, Istanbul Courts and Enforcement Offices are competent.

12. Contact

For any questions and official notifications;

E-mail: info@acoren.com
KEP: acoren@hs01.kep.tr

13. Entry into Force

This Privacy Notice enters into force on the effective date stated on the acoren.com network.
ACOREN may update this document and, in case of an update, the “Version” and “Effective Date” information are updated.

14. Compliance

ACOREN aims to act in accordance with the laws of the Republic of Türkiye within the scope of the processing of personal data and the provision of digital services. In this framework, primarily the following regulations and general principles are taken into consideration;

- Personal Data Protection Law No. 6698 (KVKK) and related secondary legislation,
- Turkish Code of Obligations and other relevant legislation,
- Applicable provisions within the scope of e-commerce, distance services and consumer legislation (if any),
- General compliance principles regarding information security and digital services.

ACOREN may update its processes regarding the protection of personal data within the scope of this Privacy Notice in line with changes in laws and developments in practice.

HONORED TO MEET YOU

WELCOME TO ACOREN

VALUE ADDED ENGINEERING

SERVICES

PEOPLE COME FIRST

APPROACH