Varlık – Privacy Policy and KVKK Disclosure

1. Identity of the Data Controller

Under Article 3 of the KVKK, the data controller is the person who determines the purposes and means of processing personal data and who is responsible for establishing and managing the data filing system. For the Varlık application, the data controller is the individual developer whose identity and contact details are set out below:

• Data Controller: Halilhan İnan (individual developer / natural person)
• Product/Application: Varlık (iOS – App Store)
• Contact (e-mail): halilhaninan@gmail.com
• Country: Türkiye

You may direct any questions, requests and applications regarding the processing of your personal data, this notice, the exercise of your rights, or our privacy practices to the e-mail address above. Details of the application procedure are explained in Section 9 of this notice.

Varlık is a project run by an individual developer; there is no separate legal entity (company). Should this change (for example, if the project continues under a corporate structure), this notice will be updated and the data controller information renewed.

2. Personal Data Processed

By the nature of the service, Varlık endeavours to process your personal data in the minimum amount possible (data minimisation principle). The categories and examples of personal data processed are as follows:

• Identity and Contact Data: The e-mail address you provide when creating an account; optionally, the name/display name you enter and, if you use the social profile feature, your username and profile image.
• Transaction Security Data: Session token/authentication information, encrypted/hashed password, device information (device model, operating system version, app version, language/region setting, device identifiers), IP address and login/logout records.
• Financial Data (Portfolio Data Entered by You): Asset items you enter entirely manually, together with details such as their type, quantity, and purchase/cost information (for example, BIST/U.S. equities, crypto asset quantities, cash amounts, gold, real-estate values), as well as the total net worth, allocation and historical performance data calculated from them by the App. This data is not automatically pulled from your bank/brokerage accounts; Varlık does not connect directly to any financial institution to access your real account activity. We emphasise that this financial portfolio data is NOT special-category personal data within the meaning of Article 6 of the KVKK; nevertheless, given its sensitivity, it is protected with additional safeguards, including access controls and encryption at rest where applicable (see Section 11).
• AI Coach Data: If you use the AI Coach feature, the questions you submit and any portfolio context you choose to share are processed in order to generate a response and are transferred to Anthropic, our US-based artificial intelligence provider (see Section 5).
• Usage and Log Data: Your in-app interactions, screens viewed, click/usage statistics, performance and crash records, technical diagnostic data, and date/time stamps.
• Social Interaction Data (only if you use the optional social features): Users you follow/who follow you, posts you share, likes and comments, information you choose to display on your public profile, and your visibility preferences on the leaderboard.
• Consent/Evidence Data: The version of the documents you accepted, the scope of the explicit consents you gave/withdrew, and the date-and-time stamp thereof, together with your user identifier.
• Support/Communication Data: The content of messages you send us via e-mail or support channels and your contact details.

Varlık does not intend to process special-category personal data within the meaning of Article 6 of the KVKK, such as religion, race, health or biometric data, and advises that such data not be entered into the App.

3. Purposes of Processing Personal Data

Your personal data is processed for the following purposes, on the basis of the relevant legal grounds, and in a manner that is connected, limited and proportionate to those purposes:

• Creating your membership account, verifying your identity and managing your session.
• Providing the core functions of the App: calculating net worth based on the portfolio data you enter, and producing charts, projections, dividend and retirement calculations.
• Transmitting the necessary symbols to third-party price providers so that current/delayed market prices can be displayed.
• Generating general informational responses to your questions in the AI Coach feature.
• Providing and managing the optional social features (public profile, follow, leaderboard, posts/likes/comments).
• Ensuring the security of the App and preventing unauthorised access, fraud and misuse.
• Improving the stability and performance of the App through error/crash analysis and enhancing the user experience.
• Responding to your requests, questions and complaints and carrying out support services.
• Fulfilling obligations arising from applicable law, keeping consent records for evidentiary purposes, and meeting lawful requests of competent authorities.
• Where you have given explicit consent, carrying out communication activities regarding product developments and notifications.

Varlık does not use your personal data for purposes such as profiling or credit assessment; your data is never sold under any circumstances.

4. Legal Grounds for Processing Personal Data (KVKK Arts. 5 and 6)

Your personal data is processed on the basis of the following legal grounds set out in Article 5 of the KVKK:

• Being directly related to the conclusion or performance of a contract (KVKK Art. 5/2-c): Creating your membership account, e-mail identity verification, session management, and providing calculation/display services based on the portfolio data you enter, are processed within the scope of performing the Terms of Service between you and us. The use of foreign infrastructure that is necessary for the performance of the service, such as displaying market prices, also falls within this scope and relies on the appropriate safeguards set out below.
• Processing being necessary for the legitimate interests of the data controller (KVKK Art. 5/2-f): Activities such as ensuring the security of the App, preventing misuse and fraud, improving the service through error/crash analysis, and keeping basic usage statistics rely on our legitimate interests, provided they do not harm your fundamental rights and freedoms.
• Being expressly provided for by law and necessary for the data controller to fulfil a legal obligation (KVKK Arts. 5/2-a and 5/2-ç): Records that must be kept under applicable law and meeting the requests of competent authorities.
• Processing being necessary for the establishment, exercise or protection of a right (KVKK Art. 5/2-e): Retaining, for a reasonable/limitation period, records and consent records that may be used as evidence in potential disputes.
• Existence of explicit consent (KVKK Art. 5/1): Optional processing activities that do not fall under any of the grounds above rely on your explicit consent. These principally include: (i) the use of optional social/public-profile and leaderboard features, (ii) non-essential analytics processing, (iii) marketing/communication activities, and (iv) the use of non-essential cookies/similar technologies. For regular cross-border transfers, the primary legal basis is the appropriate safeguards (standard contractual clauses) explained in Section 5 below; any separate explicit consent obtained in this regard is supplementary only. You may withdraw your explicit consent at any time, as easily as you gave it; withdrawal takes effect prospectively only and does not affect the lawfulness of processing carried out before withdrawal.

Although Varlık does not intend to process special-category personal data, should such data exceptionally be involved, the conditions set out in Article 6 of the KVKK (as a rule, explicit consent) are complied with.

5. Transfer of Personal Data (Domestic and Cross-Border – KVKK Arts. 8 and 9)

Your personal data is transferred only to the extent necessary to achieve the purposes set out in this notice and on the basis of the relevant legal grounds. Your data is never sold to third parties under any circumstances.

Domestic Transfer (KVKK Art. 8): Within the limits of applicable law, transfers may be made to competent public authorities and institutions as required by our legal obligations, to our advisers (e.g., legal/financial advisers) upon your request, and to Türkiye-based suppliers we work with to operate the service.

Cross-Border Transfer (KVKK Art. 9): Varlık's infrastructure and certain core functions operate through third-party service providers whose servers are located abroad (in particular in the United States). For this reason, some of your personal data is transferred abroad. The principal categories of foreign recipients and the data transferred are as follows:

• Twelve Data (USA) – Market price provider: The equity/asset symbols in your portfolio are transmitted for the purpose of price queries. Data that directly identifies the user is not transferred; however, technical request data (such as IP) may reach the provider.
• CoinGecko (USA/international) – Crypto price provider: Used for crypto asset symbols/price queries.
• Anthropic (USA) – AI Coach provider: When you use the AI Coach feature, your questions and any portfolio context you choose to share are transferred solely to generate a response. This data is not used for advertising or profiling.
• Apple App Store infrastructure (USA) – Technical data within the scope of app distribution, purchase/subscription (if any), and notification infrastructure.
• Cloud hosting and app-distribution providers – Within the scope of the technical operation and hosting of the App.

The recipient list below will be updated once these providers are actually integrated; no data is transferred in respect of services that are not currently active:

• Sentry (USA) – Error/crash monitoring (once active, application error records and limited technical diagnostic data are processed).
• Google / Firebase (USA) – Analytics/notifications (once active, technical data and device identifiers are processed).

Legal basis for cross-border transfer: Under Article 9 of the KVKK, as amended by Law No. 7499 which entered into force on 1 June 2024, REGULAR transfers to countries for which there is no adequacy decision are based on appropriate safeguards rather than explicit consent. The transfers to the providers listed above, whose servers are located in the United States, are regular in nature and are carried out under Article 9 of the KVKK on the basis of appropriate safeguards provided by standard contractual clauses executed with such providers and notified to the Turkish Data Protection Authority. For these transfers, any separate explicit consent you provide is supplementary only; withdrawing such explicit consent does not affect your core recording/calculation features that rely on the performance of the contract and on the appropriate safeguards.

We remind you that foreign recipients may process your data within the framework of their own privacy policies and that these providers are subject to the legal regulations of their own countries.

6. Method of Collecting Personal Data

Your personal data is collected by the following methods, through automated and partly automated means:

• Directly from you: By creating an account, completing your profile information and manually entering your portfolio assets (e-mail, name/display name, asset items, etc.).
• Automatically while you use the App: Through session token, device information, IP address, usage/log records, and cookies/similar technologies.
• Through third-party services: Data generated within the scope of the technical operation of authentication, error monitoring, price provision and AI Coach services.
• Through communication channels: Information you provide if you send us an e-mail or support request.

This data is collected via the mobile app interface, server (backend) systems and integrated third-party services, on the basis of the legal grounds set out in Section 4 of this notice.

7. Retention Periods for Personal Data

Your personal data is retained in line with the principles in Article 4 of the KVKK, for as long as necessary for the purpose for which it is processed, subject to the minimum retention periods provided for under applicable law. Our general principles are as follows:

• Account and profile data (e-mail, name, authentication information): Retained for as long as your membership is active. If you delete your account, it is deleted or anonymised within a reasonable technical processing period (as a rule, no later than 30 days).
• Portfolio/financial data you enter: Retained for as long as your account is active; deleted or anonymised when the account is deleted.
• Session token and authentication records: For the duration of their validity; invalidated when the session ends or you log out.
• Consent/explicit-consent records: Owing to our burden of proof, retained for the limitation period applicable to potential disputes even after the relevant processing activity has ended.
• Log and security records: Retained for a reasonable period for security and legitimate-interest purposes (generally up to 12 months), then deleted or anonymised.
• Error/crash records: Retained for as long as needed for diagnosis and improvement (generally up to 12 months).
• AI Coach query records: Retained for the minimum period necessary to provide the service and prevent misuse.
• Support/communication correspondence: Retained for a reasonable period for the resolution of the request and for potential disputes.
• Where there is a legal obligation or where a right must be established/protected, data may be retained until the end of the relevant limitation/retention periods.

Personal data whose retention period has expired or whose purpose of processing has ceased is deleted, destroyed or anonymised by us, either on our own initiative or upon your request.

8. Rights of the Data Subject (KVKK Art. 11)

Under Article 11 of the KVKK, by applying to the data controller you have the following rights with respect to yourself:

• To learn whether your personal data is being processed,
• To request information if your personal data has been processed,
• To learn the purpose of processing and whether it is used in accordance with that purpose,
• To know the third parties to whom personal data is transferred domestically or abroad,
• To request correction of personal data if it has been processed incompletely or inaccurately,
• To request deletion or destruction of personal data within the framework of the conditions set out in Article 7 of the KVKK,
• To request that the above correction, deletion or destruction operations be notified to the third parties to whom personal data has been transferred,
• To object to a result arising against you through analysis of processed data solely by automated systems,
• To claim compensation for damage if you suffer harm due to unlawful processing of personal data.

In addition, in processing activities based on explicit consent, you have the right to withdraw your explicit consent at any time, from the Consent Preferences screen, as easily as you gave it.

9. Application Method (Communiqué on the Procedures and Principles of Application to the Data Controller)

You may submit your requests regarding your rights under Article 11 of the KVKK, in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller, together with information verifying your identity, by the following method:

• E-mail: halilhaninan@gmail.com (sending from the e-mail address registered in the App facilitates identity verification.)

Your application must contain at least the following information: your full name; your signature if the application is in writing; your registered e-mail address (or your contact details); and the subject and explanation of your request. Stating your request clearly and comprehensibly helps speed up the process.

Your applications are concluded free of charge as soon as possible and in any event within thirty (30) days, depending on the nature of the request. However, if the process additionally entails a cost, a fee in the tariff determined by the Turkish Data Protection Authority may be charged. We will either accept your request or reject it by explaining the reasons.

If your application is rejected, if you find our response insufficient, or if you do not receive a timely response, you have the right to file a complaint with the Turkish Data Protection Authority within thirty (30) days from the date you learn of the response and in any event within sixty (60) days from the date of application.

10. Cookies and Similar Technologies

As a mobile application, Varlık primarily uses local storage on the device, session/authentication tokens, and similar technologies through software development kits (SDKs). The technologies used, according to their function, are as follows:

• Mandatory/functional technologies: Those necessary for the App to operate, such as keeping your session open, security, and remembering your language/preference settings. These do not require explicit consent; they rely on legitimate interest and performance of the contract.
• Performance/analytics technologies: Used to understand how the App is used, diagnose errors and improve the experience. Non-essential analytics technologies rely on your explicit consent.

You can manage permission/analytics preferences from your device settings or from the in-app Consent Preferences screen and refuse technologies that require explicit consent. Blocking some functional technologies may affect the proper operation of the App.

Web cookies: Our web pages (archhan.com) use only strictly necessary cookies; non-essential cookies operate only with your consent via the cookie banner.

11. Measures Regarding Data Security

In order to prevent the unlawful processing of, and unauthorised access to, your personal data and to ensure its safekeeping, technical and administrative measures aimed at providing an appropriate level of security are taken in accordance with Article 12 of the KVKK. The principal measures are as follows:

• Communication security: All data traffic between the App and the server is transmitted encrypted via HTTPS/TLS.
• Secure storage on the device: Session tokens and sensitive credentials are stored using the operating system's secure storage mechanisms, such as the iOS Keychain.
• Password security: Passwords are not stored in plain text; they are protected using industry-standard hashing methods.
• Specific measure for financial portfolio data: The portfolio data you enter is additionally protected through access controls and encryption at rest where applicable.
• Data masking/minimisation: Sensitive information in logs and error records is masked as far as possible; only the minimum necessary data is transmitted to third parties.
• Access control: Access to data is limited to authorised persons only and on a need-to-know basis.
• Updates and monitoring: Systems are kept up to date; anomalies are monitored using error/security monitoring tools.

We remind you that, despite all measures taken, the transmission of data over the internet cannot be guaranteed to be 100% secure. If it is determined that your personal data has been unlawfully obtained by others, the necessary notifications will be made to you and to the Turkish Data Protection Authority in accordance with applicable law.

12. Children's Personal Data

Varlık is not a service directed at children and is not designed for use by persons under the age of 18. To use the App, you must be of legal age (18 years or older) or act with the approval of your legal representative.

We do not knowingly collect personal data of persons under the age of 18. If we determine, or receive a notification, that a child's personal data has been processed contrary to consent or by mistake, the relevant data is deleted as soon as possible. If you believe that data belonging to a child of whom you are the parent/legal representative is being processed, you can contact us via the communication channel in Section 9.

13. Changes to the Privacy Policy and KVKK Disclosure

This Privacy Policy and KVKK Disclosure may be updated from time to time in line with changes in legislation, new features added to the App, or updates from our service providers. The current text is always made accessible within the App and/or on our relevant digital channels.

In the event of a significant change, we will endeavour to inform you by appropriate methods, such as an in-app notification or an e-mail sent to your registered address, and to provide a summary of the changes. If a new processing activity requiring explicit consent is involved, your explicit consent will be separately requested for it.

Your continued use of the App means that you have read the updated text; however, this does not substitute for your consent in respect of processing that requires explicit consent.

Version: 1 — Effective date: 03.06.2026