Data Storage
YOUSIZER.COM PERSONAL DATA STORAGE AND DESTRUCTION POLICY 04.01.2026
1. PURPOSE AND SCOPE OF THE POLICY
This Personal Data Storage and Destruction Policy ("Policy") has been prepared by Yoursizer.com (www.yoursizer.com) ("Company" or "Data Controller"), operating at [address], in accordance with the provisions of the Law No. 6698 on the Protection of Personal Data (KVKK) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation") and other relevant legislation. The main purpose of the policy is to ensure that our Company, in its capacity as Data Controller, fully complies with the general principles specified in Article 4 of the KVKK (lawfulness and fairness, accuracy and, where necessary, up-to-date information, processing for specific, explicit and legitimate purposes, being relevant, limited and proportionate to the purpose, and retention for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed) in the processing of personal data.
This Policy transparently explains the purposes for which the personal data of all users of the Yoursizer.com platform (website, mobile application, and integrated widgets) will be stored, the duration of storage, the legal and technical grounds for processing, and the methods by which the data will be securely destroyed when the processing purpose ceases to exist. This policy is binding on all departments, employees, and external service providers (data processors) within our company and ensures the application of full transparency and accountability principles in data governance. By adopting national and international best practices in the field of personal data protection, the Policy prioritizes the protection of the fundamental rights and freedoms of data subjects.
2. DEFINITIONS AND ABBREVIATIONS
In the implementation of this Policy, the definitions contained in Article 3 of the Law No. 6698 on the Protection of Personal Data (KVKK), Article 4 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data, and other relevant legislation have been taken as the basis. Some basic terms and abbreviations used within the scope of the Policy are explained below:
- •Anonymization: This refers to rendering personal data in such a way that it cannot be linked to an identified or identifiable natural person, even when combined with other data (KVKK Article 3/b). In the specific case of Yoursizer.com, this encompasses the irreversible severance of the identity link, particularly for data used for algorithm improvement and aggregate research purposes.
- •Biometric Data (Body Measurements): Under Article 6 of the Law on the Protection of Personal Data, this refers to physical measurements such as height, leg length, waist circumference, shoulder width, chest, and hips that uniquely identify a person's body shape, and are considered special categories of personal data.
- •3D Avatar: This refers to a digital three-dimensional model representing a person's physical characteristics, generated from their body measurements through our algorithms. This avatar is a unique representation created by processing biometric data.
- •Secure Deletion: This is the process of rendering personal data completely inaccessible and unusable for the relevant users (Regulation Article 8). It is achieved through methods such as deleting data and overwriting it with other data using software.
- •Data Subject: Refers to the natural person whose personal data is being processed (KVKK Article 3/ç). In the specific case of Yoursizer.com, it refers to the platform users.
- •Destruction: This refers to the deletion, destruction, or anonymization of personal data (Regulation Article 4/c).
- •Recording Medium: Refers to any medium containing personal data processed wholly or partly automatically, or processed non-automatically as part of a data recording system (Regulation Article 4/d).
- •Personal Data: Refers to any information relating to an identified or identifiable natural person (KVKK Article 3/d).
- •Processing of Personal Data: This refers to any operation performed on personal data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system (KVKK Article 3/e).
- •Cryptographic Destruction: This involves rendering encrypted data unreadable and unusable by irreversibly destroying its encryption keys. This method is particularly used for encrypted backups.
- •KVKK refers to the Law on the Protection of Personal Data, numbered 6698 and dated 24/3/2016.
- •Periodic Destruction: This refers to the deletion, destruction, or anonymization of personal data that will be carried out automatically at recurring intervals as specified in the personal data retention and destruction policy, when all the conditions for processing personal data stipulated in the law cease to exist (Regulation Article 4/ğ).
- •Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system (KVKK Article 3/ı). In this Policy, it refers to Yoursizer.com.
- •Regulation: Refers to the Regulation on the Deletion, Destruction or Anonymization of Personal Data.
- •Destruction: This is the process of rendering personal data inaccessible, irretrievable, and unusable by anyone in any way (Regulation Article 9). It also includes the irreversible destruction of physical media.
3. RESPONSIBILITIES AND DIVISION OF DUTIES
To ensure the efficient execution, monitoring, and sustainability of personal data storage and destruction processes within Yoursizer.com, a specific distribution of responsibilities and duties has been established in accordance with the organizational chart. This distribution has been created by strictly adhering to the principles of "need-to-know" and "least privilege".
3.1. Senior Management (Management Team):
- •It assumes corporate ownership of KVKK (Personal Data Protection Law) compliance, approves personal data protection policies, and allocates the necessary resources for the implementation of these policies.
- •It makes final decisions in supplier and subcontractor selection, and approves strategic decisions regarding the acceptance or mitigation of data protection risks.
- •It initiates crisis management in critical events such as data breaches and approves formal notification processes.
- •It reviews periodic audit reports and approves necessary improvement actions.
3.2. Technical Management / CTO (Chief Technical Officer):
- •They are responsible for the technical design of the data architecture, retention periods, and destruction processes.
- •They oversee the implementation of the access control model (RBAC), encryption key management, logging mechanisms, backup policies, and other technical security controls.
- •They manage access to the production environment and oversee the approval processes for critical changes.
- •They enable the technical integration of specialized security measures for biometric data, such as a separate data area and pseudonymization strategies.
3.3. Software Team (Backend/Platform):
- •It ensures compliance with data minimization principles in systems that improve data collection and processing processes.
- •It implements retention period rules, secure deletion, and anonymization functions at the software level.
- •They are responsible for the technical implementation of user requests (deletion, access, correction).
- •It ensures that data sharing limits are maintained and data security standards are implemented in APIs and integrations.
- •It enables the implementation of a "four-eyes" (double-check) mechanism in critical destruction processes; that is, the initiation and approval of a destruction process are carried out by two people with different levels of authority.
3.4. Software Team (Frontend/Widget/Mobile):
- •It is responsible for ensuring that cookies and explicit consent mechanisms are presented correctly in the user interface.
- •It enables the triggering of relevant scripts and SDKs based on user approval.
- •It correctly distinguishes between optional and required fields in data entry forms.
- •It provides client-side security (e.g., XSS, CSRF protection).
3.5. DevOps/Systems Administrator (Within the Software Team):
- •They are responsible for cloud infrastructure management, network security, continuous integration/continuous deployment (CI/CD) processes, and environment separation (development, testing, production).
- •They are responsible for backup rotation, secure management of encryption keys, setup of monitoring and alert systems, and tracking of security updates.
- •They ensure the integrity and accessibility of data recording systems and logs.
3.6. GDPR Compliance Officer (Appointed Person within Management):
- •It monitors whether information texts and explicit consent statements are up to date and compliant with legislation.
- •It keeps the personal data processing inventory up-to-date and monitors the implementation of the storage and destruction policies.
- •It checks the compliance of data protection clauses in supplier contracts.
- •It coordinates internal audit processes, prepares reports, and monitors regulatory changes.
3.7. Authorization Matrix and Control Mechanisms: Our company manages access and processing authorizations for personal data with a detailed authorization matrix. This matrix specifies in writing the data categories each role can access (e.g., biometric data, logs, communication data) and the actions they can perform (read, write, delete, export). Multi-factor authentication (MFA) and strong authentication methods are mandatory for access to production environments. All access and administrative actions are logged in detail and these logs are monitored regularly. Access to backups is also strictly restricted, and backup and destruction processes are recorded. Periodic access reviews (e.g., every 6 months) are conducted, and the authorizations of departing personnel are immediately terminated. This structure ensures that the processes of storing, protecting, and destroying personal data within Yoursizer.com are carried out in a transparent, traceable, and auditable manner.
4. RECORDING MEDIA AND SECURITY MEASURES
Personal data processed by Yoursizer.com is stored in various recording media, either wholly or partially automated or non-automated as part of a data recording system. These media vary depending on the nature of the data and the purposes of processing, but the highest level of security measures are taken for each medium.
4.1. Recording Media: Your personal data is primarily stored on the following recording media:
- •Digital Environments:
- •Cloud Infrastructure: Hosted in highly secure data centers by internationally recognized cloud service providers such as Amazon Web Services (AWS) and Google Cloud Platform (GCP). This infrastructure is used for data storage, processing, and backup processes.
- •Databases: Relational and NoSQL databases (e.g., PostgreSQL, MongoDB) are the primary environments for storing structured data such as user account information, body measurements, 3D avatar parameters, and transaction data.
- •Servers: Application servers and log servers store technical data and access logs related to the system's operation.
- •Backup Environments: Cloud-based backup services and/or separate storage units are environments where regularly performed backups are stored to prevent data loss.
- •Email Systems: User communications, support requests, and notifications can be stored on email servers.
- •File Storage Systems: Files uploaded by the user or generated by the system (e.g., documents attached to support requests) are stored in secure file storage services.
- •Physical Environments:
- •In rare cases, physical documents such as printed forms, contracts, or invoices may also be archived due to legal requirements or operational needs. Such documents are kept in locked cabinets and areas protected from unauthorized access.
4.2. Security Measures: In accordance with Article 12 of the Personal Data Protection Law (KVKK), all necessary technical and administrative measures are taken to ensure the secure storage of personal data and to prevent unlawful processing and access. Additional and stricter measures are applied, particularly for sensitive personal data such as biometric data.
4.2.1. Technical Measures:
- •Encryption:
- •Encryption During Transmission (TLS/SSL): Personal data is protected by encryption using the Transport Layer Security (TLS) protocol in all communication between the platform and user devices (web, mobile application, widget). This prevents unauthorized access to data.
- •Encryption at Rest: Personal data stored in databases and file storage systems is encrypted using strong encryption algorithms. Encryption keys are securely managed through a separate and restricted key management system (KMS). This ensures that the data remains unreadable even in the event of unauthorized access.
- •Access Control and Authorization:
- •Role-Based Access Control (RBAC): Access to personal data is restricted according to the principle of role-based authorization (least privilege) in line with employees' job descriptions and authorization matrix. Each employee is only granted access to the data necessary to perform their job.
- •Multi-Factor Authentication (MFA): Multi-factor authentication (MFA) methods are mandatory for accessing sensitive systems and data. This significantly reduces the risk of unauthorized access.
- •Access Logs: Access to personal data is logged in detail, including information on who accessed which data and when. These logs are regularly monitored and analyzed for anomaly detection. The integrity and accessibility of the logs are ensured.
- •Network Security:
- •Firewalls and Web Application Firewalls (WAFs): Network traffic is monitored through firewalls and WAFs, and unauthorized access is prevented. WAFs provide protection, especially against attacks targeting web applications.
- •Network Segmentation: Databases, application servers, and other critical systems are separated from each other through network segmentation, preventing the spread of a potential security breach.
- •Vulnerability Management and Penetration Testing: Systems undergo regular vulnerability scans and penetration tests. Identified vulnerabilities are prioritized and addressed. Security updates and patches are applied regularly.
- •Additional Measures for Biometric Data:
- •Separate Data Area: Biometric data, such as body measurements and 3D avatar parameters, are stored in highly secure data areas with more restricted access, logically separated from other personal data.
- •Pseudonymization: Biometric data is separated from directly identifying information and associated with a token or user ID. This makes direct identification more difficult when analyzing datasets.
- •Access Policy: Access to biometric data is restricted with a much narrower authorization matrix. The number of personnel authorized to access this data is kept to a minimum, and such access is subject to additional control mechanisms.
4.2.2. Administrative Measures:
- •Staff Training and Awareness: All employees receive regular training on personal data protection, data security, and this Policy. Employee awareness levels are continuously increased.
- •Confidentiality Agreements: Confidentiality agreements are signed with all employees and business partners who have access to personal data.
- •Internal Policies and Procedures: Detailed internal policies and procedures are established and kept up-to-date on issues such as data minimization, data storage, data destruction, access control, and data breach response plans.
- •Supplier/Subcontractor Management: In contracts with third-party data processors from whom we receive services, data security, confidentiality, and breach notification obligations in accordance with the provisions of the KVKK (Personal Data Protection Law) are clearly stated, and compliance with these obligations is periodically audited. For international transfers, appropriate safeguards such as standard contract clauses or undertakings are provided in accordance with Article 9 of the KVKK.
- •Audit and Incident Response Plan: Data processing processes and security measures are audited regularly. An incident response plan is in place to ensure a rapid and effective response in the event of a data breach.
4.3. Backup Policy:
- •Backup Frequency and Type: To ensure business continuity and prevent data loss, personal data is regularly backed up. The backup frequency is determined according to the criticality level of the data (e.g., daily, weekly).
- •Backup Security: Backups are stored in encrypted form on physically or logically separate media from live systems, and access to them is strictly restricted. Access to backup media is limited to authorized personnel only and is protected by multi-factor authentication.
- •Backup Retention Periods: Backup retention periods are determined according to the "minimum requirement" principle and managed in a way that does not exceed the maximum retention periods in the live system. For example, backups for biometric data sets are kept in short cycles (e.g., daily/weekly rotation between 30-90 days), while backups for usage/log data are kept similarly between 30-180 days depending on operational needs. These periods are reviewed periodically according to the infrastructure used and risk assessment.
- •Backup Destruction: Expired backups are securely deleted using automated rotation mechanisms. Encrypted backups also undergo cryptographic destruction (secure destruction of keys). Secure physical destruction procedures are applied to backups stored in physical media. These processes are verified through periodic checks and documented.
5. STORAGE TIME MATRIX ACCORDING TO DATA CATEGORIES
Yoursizer.com, when determining the maximum period for which personal data is necessary for the purpose for which it is processed, adheres to the principle of "retention for the period stipulated in the relevant legislation or necessary for the purpose for which it is processed" in accordance with Article 4/2-d of the KVKK (Personal Data Protection Law). The following factors are considered in determining retention periods: the purpose of processing, relevant legal obligations (e.g., tax legislation, commercial bookkeeping obligations), statute of limitations periods for the establishment/use/protection of rights and the need for proof, the continuation/withdrawal of consent in consent-based transactions, and data minimization principles. Below is a matrix of retention periods according to basic data categories:
| Data Category | Purpose of Processing | Legal Reason | Maximum Storage Time |
|---|---|---|---|
| Identity and Contact Information (Name, Surname, Email, Age, Gender, Phone) | Account management, communication, personalization, service delivery. | Establishment/performance of a contract (KVKK Article 5/2-c); Legitimate interest (KVKK Article 5/2-f); Legal obligation (KVKK Article 5/2-ç). | As long as the account remains active, + 10 years (statute of limitations for potential disputes and burden of proof). |
| Biometric Data (Measurements such as height, leg length, waist circumference, shoulder width) | 3D avatar generation, personalized body suggestion (core function), algorithm improvement, anonymous/group research. | Explicit consent (KVKK Article 6/3-a). | As long as the user continues to use the service and their consent remains valid, + 10 years (for algorithm development and statistical analysis purposes, anonymized/pseudonymized). |
| 3D Body Avatar (Digital avatar derived from body measurements) | Personalized body recommendation, core function, anonymous/aggregate research, and algorithm optimization. | Explicit consent (KVKK Article 6/3-a). | As long as the user continues to use the service and their consent remains valid, + 10 years (for algorithm development and statistical analysis purposes, anonymized/pseudonymized). |
| Payment Information (Last 4 digits of the card, billing address) | Payment and billing processes, fulfillment of legal obligations. | Establishment/performance of the contract (KVKK Article 5/2-c); Legal obligation (KVKK Article 5/2-ç). | 10 years (as required by the Tax Procedure Law and related legislation). |
| Contact / Support Requests (Support request content, contact form data) | Support processes, monitoring service quality. | Establishment/performance of the contract (KVKK Article 5/2-c); Legitimate interest (KVKK Article 5/2-f). | Three years from the date the request is finalized (for possible appeals and service quality audits). |
| Device and Connection Information (IP address, browser type, operating system, language preferences, access timestamps) | Security, performance, user experience, and behavioral analysis. | Legitimate interest (KVKK Article 5/2-f); Legal obligation (KVKK Article 5/2-ç). | 2 years (for information security, fraud prevention and system integrity purposes). |
| Usage Data and Cookie Records (Pages visited, time spent, items clicked, in-service preferences) | Preference remembering, session management, performance analytics, personalized content, and advertising campaign effectiveness measurement. | Explicit consent (KVKK Article 5/1); Establishment/performance of a contract (KVKK Article 5/2-c); Legitimate interest (KVKK Article 5/2-f). | Session expiration date depending on cookie type - 2 years (detailed in the Cookie Policy). |
| Marketing Permissions and Preference Records | Sending commercial electronic messages, marketing activities. | Explicit consent (KVKK Article 5/1). | While the permission remains in effect; communication will cease upon withdrawal of permission, and permission/rejection records are required for 3 years to serve as proof. |
These periods are reviewed at regular intervals. When the period expires or the processing purpose ceases, personal data is destroyed by secure deletion, destruction, or anonymization methods in accordance with the provisions of the Regulation. The 10-year retention period, particularly for biometric data and derived outputs, serves the purposes of statistical analysis and algorithm development to improve the accuracy of the service; during this period, the data is kept in an anonymized or pseudonymized form.
6. METHODS OF DESTROYING AND ANONYMIZING PERSONAL DATA
Yoursizer.com, in accordance with Article 7 of the KVKK (Personal Data Protection Law) and Article 7 of the Regulation, fulfills its obligation to delete, destroy, or anonymize personal data ex officio or upon the request of the data subject when the reasons requiring the processing of personal data cease to exist. In these processes, the most appropriate method is chosen, taking into account the nature of the data, the recording medium, and the risk of re-identification.
6.1. Deletion and Destruction Methods:
- •Permanent Deletion (Secure Deletion): This is the process of rendering personal data completely inaccessible and unusable for the relevant users (Regulation Article 8). This method is preferred, especially for data that directly identifies an individual or poses an unnecessary risk when associated with that individual, such as identity and contact information, payment/billing related records, and support correspondence. It is achieved either by overwriting the data with random data via software or by irreversibly deleting database records.
- •Cryptographic Destruction (Key Destruction): This involves irreversibly destroying the encryption keys of encrypted data, rendering the data unreadable and unusable. This method is particularly applicable to data stored on encrypted backup media. By destroying the keys, access to the encrypted data becomes impossible.
- •Physical Destruction: This refers to the irreversible destruction of physical media containing personal data (hard disks, CDs, DVDs, USB drives, etc.) (Regulation Article 9). This is achieved through methods such as demagnetizing magnetic media, physically breaking or shattering optical media, and shredding paper media using shredding machines.
6.2. Anonymization Methods: Anonymization is the process of rendering personal data in such a way that it cannot be linked to an identified or identifiable natural person, even when matched with other data (KVKK Article 3/b, Regulation Article 10). Yoursizer.com applies anonymization methods, particularly in data structures where the identity can be completely and irreversibly separated and the link to the individual can be severed, and which are necessary only for generating aggregate/statistical output, such as aggregate statistics derived from biometric measurements, model performance metrics, and research datasets. It is essential that the anonymization process is irreversible.
The main techniques used during anonymization are as follows:
- •Aggregation: This involves combining data from multiple individuals to generate statistical summaries (averages, totals, percentages) instead of individual records. This makes it impossible to identify an individual based solely on their data. For example, data such as "average height of users with a waist circumference between 70-75 cm" might be presented.
- •Data Masking/Rounding: This involves concealing certain parts of personal data or rounding its values to reduce its sensitivity. For example, using age ranges instead of full age (e.g., 25-30 years), or rounded values instead of full measurements (e.g., 70-75 cm instead of 72.3 cm).
- •Generalization/Bucketization: This involves converting individual values into wider ranges. For example, instead of expressing "height 175 cm," it might be expressed as "height range 170-180 cm."
- •Adding Noise: This involves adding small, random deviations to data that won't affect statistical analysis but will make it more difficult to identify a unique individual. This is particularly used when anonymizing sensitive data.
- •K-Anonymity and L-Diversity: These techniques reduce the risk of identifying a unique individual by ensuring that at least k individuals in an anonymized dataset share the same combination of features. L-diversity, on the other hand, protects against inference attacks by ensuring that sensitive feature values have at least l different values in each k-anonymous set.
These techniques make it difficult to link data back to a single individual, reduce the risk of "unique combinations," and ensure that reporting/research outputs remain at the aggregate level only. Anonymization decisions and methods are reviewed periodically, taking into account the data type and the risk of re-identification. The irreversibility of anonymization processes is verified through technical reporting and independent audits. Especially for data used in model training, even if it is not technically possible to remove the deleted user's data from the model, datasets are anonymized in a way that makes the individual unidentifiable (using techniques such as aggregation, spacing, masking, and noise injection).
7. PERIODIC DESTRUCTION AND INSPECTION PROCESSES
Yoursizer.com conducts regular periodic data destruction and audit processes to ensure compliance with legislation and effectiveness in the storage and destruction of personal data. These processes reinforce the principles of transparency and accountability at every stage of the data lifecycle.
7.1. Periodic Destruction Processes: In accordance with Article 11/2 of the Regulation, periodic destruction processes are carried out by the data controller at the time intervals determined in the personal data retention and destruction policy. At Yoursizer.com, data is destroyed in the first periodic destruction process following the date on which the obligation to delete, destroy, or anonymize personal data arises. This periodic destruction period cannot exceed six months in any case. This process is carried out through a combination of automated systems and manual controls.
7.2. Audit and Reporting Processes: To ensure the continuity of retention and destruction processes, a governance structure has been established that progresses through a written Retention and Destruction Policy, a personal data processing inventory, access and transaction records (logs), and periodic internal audit mechanisms.
- •Audit Frequency: Audits are conducted at least every 6 months. More frequent audits may be required in cases such as risk/product changes, new integrations, or regulatory updates.
- •Responsibilities: The main roles responsible for the audit processes are the GDPR Compliance Officer, the Information Security (ISO/IT Security) Team, and the Product/Operations Teams. These teams collaborate to carry out the audit activities.
- •Reporting Content: Audit results are presented to senior management in detailed reports including the following headings:
- •Records and datasets whose retention period has expired.
- •The deletion, destruction, or anonymization processes that have been carried out.
- •Backup rotation and destruction evidence (operation logs, approval records).
- •Supplier/subcontractor data protection compliance and destruction processes.
- •Actions identified, security vulnerabilities, and remediation plans.
- •In accordance with Article 7/3 of the KVKK (Law on the Protection of Personal Data), all processes related to the deletion, destruction, or anonymization of personal data are recorded, and these records are kept for at least three years, excluding other legal obligations.
7.3. Policy Update Mechanisms: This policy is a dynamic document and is reviewed and updated in the following situations:
- •Legislative changes (amendments to the Personal Data Protection Law, Regulations, or other relevant legal provisions).
- •New technological developments or changes in infrastructure providers.
- •The processing of new data categories begins (e.g., the expansion of biometric data coverage).
- •Adding new product or service functionalities.
- •Decisions or guidelines of the Personal Data Protection Board.
- •Findings and recommendations identified as a result of internal or external audits.
Policy updates are made with the participation of the relevant teams (GDPR Compliance Officer, Technical Management, Software Team) and come into effect after approval by senior management.
8. POLICY IMPLEMENTATION AND UPDATES
This Policy was approved by the Yoursizer.com Board of Directors and entered into force on January 4, 2026. The Policy sets out the fundamental principles, procedures, and guidelines to be applied in the storage and destruction of personal data across all units of our Company and external service providers.
The policy is available on our company's website (www.yoursizer.com). The document is published on the company's internal information management systems and other related platforms (mobile application, widget) and made accessible to relevant individuals. The document will be kept both digitally (internal information management systems) and physically (printed copies where necessary).
Revision Tracking Chart:
| Revision Date | Revision Number | Explanation of the Change | Approving Unit/Person |
|---|---|---|---|
| 04.01.2026 | V.1.0 | Initial Entry into Force | Board of Directors |
| [Missing Information: Revision Date] | [Missing Information: Revision Number] | [Missing Information: Explanation of the Change] | [Missing Information: Approving Unit/Person] |
Yoursizer.com reserves the right to update this Policy in accordance with possible changes in applicable legislation and decisions taken by the Personal Data Protection Board. Updates will enter into force on the date of publication of this Policy.
Yoursizer.com