KVKK Data Subject Rights

Caymaz TechHealth Yazilim Tic. Ltd. Sti. ("Caymaz TechHealth") is the data controller under KVKK for all personal data processed through caymaztech.com and our mobile/web applications (Calvion, Vivify AI, Qibla Finder, Prescription Book, HairArchitect AI, FaceArchitect AI, Caliber dB, and future products).

Company Details: Full name: Caymaz TechHealth Yazilim Tic. Ltd. Sti. MERSIS No: 0203091510500001 Tax Office: Başakşehir | Tax ID: 2030915105 Address: Istanbul, Turkey

KVKK Representative: As a Turkish-registered legal entity, we are not required to appoint a separate domestic KVKK representative.

How to submit a request: Use the contact form at caymaztech.com/#contact and select "Privacy / KVKK / GDPR request". State your full name, contact details, the app involved, and the nature of your request. We verify identity before acting and respond within the KVKK-mandated 30-day period.

Under KVKK, we process the following categories of personal data:

• Identity and contact data (name, email, organisation, phone if provided) — collected electronically via website contact form, app registration, or business communications. • Account and authentication data (user IDs, session tokens via Firebase Auth or Supabase Auth) — collected automatically during app sign-up/sign-in. • Subscription and purchase metadata (entitlements, product IDs, subscription status via Adapty, Apple App Store, Google Play) — collected automatically via platform billing. • Technical data (IP address, device type, OS, app version, language, approximate location from IP, crash/diagnostic logs) — collected automatically during app and website use. • Usage and analytics data (feature usage, session events where Firebase Analytics is enabled) — collected automatically during app use. • User-generated content (images, text, audio for AI or simulation features) — provided directly by you when activating a feature. • Contact form and support messages — provided directly by you. • Consent records (timestamps, choices, policy version; in-app Consent Audit exports) — recorded automatically at the time of consent action.

Special Category Data: Photos or health-related information uploaded to health-adjacent apps (HairArchitect AI, FaceArchitect AI, Vivify AI, Calvion) may constitute special category personal data under KVKK Article 6. Such data is processed only to provide the requested feature and on the basis of your explicit consent.

Your personal data is processed for the following purposes:

• Operating, managing, and securing our website and mobile applications • Providing AI, simulation, and core product features you request • User authentication, push notifications (FCM), and subscription management (Adapty, app stores) • Responding to inquiries, KVKK requests, and Consent Audit requests • Detecting and preventing abuse, fraud, and security incidents • Complying with legal obligations and enforcing our Terms of Service • Sending essential transactional notifications

We do not sell your personal data and do not use it for third-party advertising or profiling beyond what is described in this disclosure and our Privacy Policy.

Processing of personal data is based on the following KVKK legal grounds:

KVKK Art. 5/2-a — Expressly provided by law: Legal retention and reporting obligations (e.g., tax, accounting).

KVKK Art. 5/2-c — Necessary for the performance of a contract: Account creation, subscription management, delivery of app features you have requested.

KVKK Art. 5/2-f — Legitimate interest: Website and app security, fraud prevention, technical troubleshooting, aggregate analytics.

KVKK Art. 5/1 — Explicit consent: Non-essential cookies; cross-border AI processing requiring cross-border transfer; marketing communications (if opted in).

KVKK Art. 6/2 — Explicit consent for special category data: Health-adjacent photos or information uploaded to simulation/analysis apps.

You may withdraw any consent you have given at any time without affecting the lawfulness of prior processing.

Personal data may be shared within Turkey with the following categories of recipients, to the extent required by the applicable legal ground and purpose:

• Legal advisers and attorneys (legal compliance and dispute resolution) • Financial advisers and independent auditors (tax and accounting obligations) • Competent public authorities and courts (where required by law)

Such transfers are governed by KVKK Article 8 and made only to the extent necessary for the stated purpose.

Your personal data may be transferred outside Turkey by the following service providers. As the KVKK Board has not yet designated any country as having an adequate level of protection, cross-border transfers rely on your explicit consent and/or binding data transfer undertakings.

| Provider | Country | Purpose | Safeguard | |----------|---------|---------|----------| | Firebase / Google (Auth, FCM, Crashlytics, Analytics) | USA | Auth, push, crash/analytics | Explicit consent + Google Cloud DPA | | Cloudflare (R2, Turnstile, CDN) | USA / Global | Storage, bot protection, CDN | Explicit consent + Cloudflare DPA | | Hetzner | Germany (EEA) | Server infrastructure | Explicit consent + Hetzner DPA | | Apple App Store / Google Play | USA | App distribution, IAP | Platform terms | | Adapty | USA | Subscription management | Explicit consent + Adapty DPA | | Supabase | USA | Auth, database (per app) | Explicit consent + Supabase DPA | | Resend | USA | Contact form email delivery | Explicit consent + Resend DPA | | fal.ai | USA | AI inference processing | In-app explicit consent | | Eachlabs.ai | USA | AI video/media processing | In-app explicit consent |

For AI features, you must accept the in-app explicit consent before first use. Declining means the AI feature will be unavailable; other non-AI features are not affected.

Personal data is retained only as long as necessary for the stated purpose or as required by law.

• Account and authentication data: While your account is active; deleted or anonymized within 30–90 days after you delete your account in-app (subject to backup cycles). • AI and simulation inputs: Up to 7 (seven) days after output generation, then deleted or anonymized. • Contact form and KVKK request records: Typically up to 24 months after resolution (may be longer if legally required). • Security logs: Short rolling windows appropriate to technical need. • Financial and tax records: As required by the Tax Procedure Law and applicable legislation (generally 5–10 years). • Cookie and consent records: 12 months from the date of consent (consent_v1 localStorage entry).

At the end of the retention period, data is securely deleted, destroyed, or anonymized as soon as technically feasible.

Under KVKK Article 11, you have the right to:

• Learn whether your personal data is being processed • Request information about processing activities • Learn the purpose of processing and whether data is used in accordance with that purpose • Know the third parties to whom data is transferred domestically or abroad • Request correction of incomplete or inaccurate data • Request deletion or destruction of data under KVKK Article 7 conditions • Request that corrections and deletions be notified to third parties to whom data was transferred • Object to processing based solely on automated analysis that produces a result against you • Claim compensation for damages caused by unlawful processing

How to submit a request: Use the contact form at caymaztech.com/#contact and select "Privacy / KVKK / GDPR request". Include your full name, contact information, the app involved, and a description of your request. After identity verification, we will respond within 30 (thirty) days as required by KVKK Article 13.

If your request is rejected or you do not receive a timely response, you may file a complaint with: Personal Data Protection Authority (KVKK Kurumu) Nasuh Akar Mah. Ziyabey Cad. No:19, 06520 Balgat/Ankara, Turkey Phone: +90 312 216 50 50 Website: kvkk.gov.tr

VERBİS (Veri Sorumluları Sicil Bilgi Sistemi) is the Data Controllers Registry maintained by the KVKK Board.

Our Status: Data controllers with fewer than 50 employees AND an annual financial balance below 25 million TRY may qualify for the general VERBİS registration exemption under KVKK Board Decision 2018/87 and subsequent clarifications.

Caymaz TechHealth operates as a startup below these thresholds; however, given our health-adjacent application portfolio involving special category data, we actively monitor KVKK Board guidance on this matter. We will register promptly if and when the Board determines that our activities require registration.

You may check the current VERBİS registry and file complaints about data processing at kvkk.gov.tr.