INFLYZE (SFENKIA LTD) DATA BREACH NOTIFICATION POLICY

Effective Date: 14/08/2025
Last Updated: 14/08/2025
Version: 1.0

1. PURPOSE

This policy regulates the process of detecting, assessing, and reporting personal data security breaches to relevant authorities on the Inflyze website (inflyze.com) and mobile application ("Platform") operated by Sfenkia Ltd ("Company").

The policy has been prepared to ensure full compliance with the provisions of Turkish KVKK Law No. 6698, EU GDPR, and UK GDPR.

2. DEFINITIONS

Personal Data Breach: Breach of security of personal data through unauthorized access, disclosure, alteration, or destruction.
Data Subject: An identifiable natural person whose identity is determined or determinable.
Data Breach Notification: Official notification made to relevant institutions and data subjects after the detection of a breach.

3. SCOPE

This policy covers all personal data breaches involving:

Platform users (influencers, brands, individual users),
Business partners,
Job applicants,
Platform employees.

4. DATA BREACH DETECTION

A data breach is considered detected in the following situations:

Unauthorized third parties gaining access to user data
Accidental sharing of personal data
Unauthorized access to servers or databases
Data exposure due to device loss or theft
Malware or ransomware attacks

5. INTERNAL PROCESSES

When a data breach is detected:

The Data Protection Officer (DPO) is immediately notified.
The type, scope, affected data categories, and number of individuals are determined.
Technical measures are implemented to prevent the breach from continuing.
Risks caused by the breach are assessed.

6. NOTIFICATION OBLIGATIONS

6.1. Under GDPR & UK GDPR

The breach must be reported to the UK Information Commissioner's Office (ICO) or relevant EU Data Protection Authority within 72 hours of detection.
The notification includes the following information:
- When and how the breach occurred
- Categories of affected data and number of individuals
- Measures taken
- Recommended steps to protect data subjects' rights

6.2. Under KVKK

The breach must be reported to the Turkish Personal Data Protection Authority (KVKK) within 72 hours of detection.
Additionally, affected data subjects must be informed transparently as soon as possible.

7. DATA SUBJECT NOTIFICATION

The following information is communicated to data subjects affected by the breach:

What the breach was and when it occurred
Categories of affected data
What the risks are
Measures taken
Recommendations to enhance their own data security

Notifications are made via email, SMS, or Platform in-app notifications.

8. RECORDING AND REPORTING

Every data breach is recorded using the Breach Incident Record Form.
Details of the incident, measures taken, and notification processes are archived.
Breach incidents are analyzed at least once a year to update security policies.

9. CONFIDENTIALITY

All information related to data breaches is shared only with authorized personnel.
Statements to the press or third parties are made only by the Company's authorized spokesperson.

10. SANCTIONS

Relevant disciplinary and legal proceedings are initiated against employees, contractors, or third parties who cause data breaches.

11. UPDATES

This policy may be updated in accordance with legal regulations and technical developments. The most current version is published on the inflyze.com website and mobile application.

INFLYZE (SFENKIA LTD) DATA BREACH NOTIFICATION POLICY

Effective Date: 14/08/2025
Last Updated: 14/08/2025
Version: 1.0

1. PURPOSE

The policy has been prepared to ensure full compliance with the provisions of Turkish KVKK Law No. 6698, EU GDPR, and UK GDPR.

2. DEFINITIONS

Personal Data Breach: Breach of security of personal data through unauthorized access, disclosure, alteration, or destruction.
Data Subject: An identifiable natural person whose identity is determined or determinable.
Data Breach Notification: Official notification made to relevant institutions and data subjects after the detection of a breach.

3. SCOPE

This policy covers all personal data breaches involving:

Platform users (influencers, brands, individual users),
Business partners,
Job applicants,
Platform employees.

4. DATA BREACH DETECTION

A data breach is considered detected in the following situations:

Unauthorized third parties gaining access to user data
Accidental sharing of personal data
Unauthorized access to servers or databases
Data exposure due to device loss or theft
Malware or ransomware attacks

5. INTERNAL PROCESSES

When a data breach is detected:

The Data Protection Officer (DPO) is immediately notified.
The type, scope, affected data categories, and number of individuals are determined.
Technical measures are implemented to prevent the breach from continuing.
Risks caused by the breach are assessed.

6. NOTIFICATION OBLIGATIONS

6.1. Under GDPR & UK GDPR

The breach must be reported to the UK Information Commissioner's Office (ICO) or relevant EU Data Protection Authority within 72 hours of detection.
The notification includes the following information:
- When and how the breach occurred
- Categories of affected data and number of individuals
- Measures taken
- Recommended steps to protect data subjects' rights

6.2. Under KVKK

The breach must be reported to the Turkish Personal Data Protection Authority (KVKK) within 72 hours of detection.
Additionally, affected data subjects must be informed transparently as soon as possible.

7. DATA SUBJECT NOTIFICATION

The following information is communicated to data subjects affected by the breach:

What the breach was and when it occurred
Categories of affected data
What the risks are
Measures taken
Recommendations to enhance their own data security

Notifications are made via email, SMS, or Platform in-app notifications.

8. RECORDING AND REPORTING

Every data breach is recorded using the Breach Incident Record Form.
Details of the incident, measures taken, and notification processes are archived.
Breach incidents are analyzed at least once a year to update security policies.

9. CONFIDENTIALITY

All information related to data breaches is shared only with authorized personnel.
Statements to the press or third parties are made only by the Company's authorized spokesperson.

10. SANCTIONS

Relevant disciplinary and legal proceedings are initiated against employees, contractors, or third parties who cause data breaches.

11. UPDATES

This policy may be updated in accordance with legal regulations and technical developments. The most current version is published on the inflyze.com website and mobile application.

INFLYZE (SFENKIA LTD) DATA BREACH NOTIFICATION POLICY

1. PURPOSE

2. DEFINITIONS

3. SCOPE

4. DATA BREACH DETECTION

5. INTERNAL PROCESSES

6. NOTIFICATION OBLIGATIONS

6.1. Under GDPR & UK GDPR

6.2. Under KVKK

7. DATA SUBJECT NOTIFICATION

8. RECORDING AND REPORTING

9. CONFIDENTIALITY

10. SANCTIONS

11. UPDATES

Product

Company

Legal

INFLYZE (SFENKIA LTD) DATA BREACH NOTIFICATION POLICY

1. PURPOSE

2. DEFINITIONS

3. SCOPE

4. DATA BREACH DETECTION

5. INTERNAL PROCESSES

6. NOTIFICATION OBLIGATIONS

6.1. Under GDPR & UK GDPR

6.2. Under KVKK

7. DATA SUBJECT NOTIFICATION

8. RECORDING AND REPORTING

9. CONFIDENTIALITY

10. SANCTIONS

11. UPDATES