COOKIE CLARIFICATION TEXT

The Personal Data Protection Law (Law No. 6698), which is currently in force in the Republic of Türkiye, is largely aligned with the European Union’s General Data Protection Regulation (GDPR) and is based on the same fundamental principles. Both regulatory frameworks require that personal data be processed lawfully, fairly, and transparently for specific, explicit, and legitimate purposes; that such data be accurate and kept up to date where necessary; that processing be relevant, limited, and proportionate to the intended purposes; and that personal data be retained only for the period necessary for those purposes.

The Personal Data Protection Law governs the personal data processing activities of data controllers operating within Türkiye and incorporates many elements similar to those found in the GDPR, including data security obligations, data subject rights, the obligation to inform, requirements for explicit consent, and lawful bases for processing.

The documents presented on this website have been prepared in accordance with the provisions of the Personal Data Protection Law. They are structured in parallel with the GDPR and reflect the legal obligations applicable to data processing activities carried out within Türkiye. Accordingly, given the structural similarities between the two laws, these documents are considered to be consistent with data processing practices concerning individuals located within the European Economic Area (EEA).

Thanks to the structural alignment between the Personal Data Protection Law and the GDPR, our data processing principles comply not only with domestic legislation but also with international data protection standards.

As NOVA ARSA GELİŞTİRME İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ (“Nova Arsa” or the “Company”), we use cookies, pixels, website plugins/tools, GIFs, and similar technologies (“Cookies”) on https://www.novaarsa.com (the “Website”), on other digital platforms owned by Nova Arsa, and on all other online or offline channels made available to you, our users/visitors (“Data Subjects”). All these channels shall hereinafter be collectively referred to as the “Platform.” These technologies are used during your use or visit of the Platform to improve your experience.

The use of these technologies is carried out in accordance with the applicable legislation, particularly the Personal Data Protection Law (Law No. 6698) (the “Law”). As a Company, we prioritize transparency and confidentiality. Furthermore, in our capacity as data controller, we implement appropriate technical, legal, and administrative security measures to protect your personal data against unlawful use, unauthorized access, damage, loss, or disclosure. These measures include secure databases, antivirus software, backup systems, encryption, data masking, Cloudflare plugins on the website, servers, and specialized security solutions such as Fortilogger, SOPLOG, Sonlogger, Omaspot, and firewalls (security software).

The purpose of this Cookie Clarification Text is to inform you, as the data controller, about the cookies used during your use of the Platform and the processing of your personal data. Nova Arsa may obtain information about the users who visit our Website and their use of the Website by using technical communication files (cookies). These technical communication files are small text files that are sent to the user’s browser to be stored in the main memory. Cookies store preferences and make the use of the Internet easier. Through these technologies, data such as IP addresses of users and visitors, behaviors on the Website, demographic data, marketing information, and the electronic devices used for accessing the Platform may be processed.

In this text, we aim to explain which types of cookies we use on our Website and application, for what purposes, and how you can manage and control these cookies.

Method and Legal Basis for Collecting Personal Data

Your personal data is collected electronically through cookies during your visit to our Website, either in whole or in part by automated means, or through non-automated means provided that they form part of a data recording system. This collection is based on the legal grounds of the Company’s legitimate interests, such as advertising, marketing, and ensuring security. The collected personal data is processed in accordance with Articles 5 and 6 of the Law for the purposes specified in this Cookie Clarification Text.

Marketing and advertising activities, including targeting and profiling conducted through forms available on the Website or via Meta platforms (Instagram, Facebook, WhatsApp), are carried out only with your explicit consent.

To Whom and For What Purposes Personal Data May Be Transferred

As Nova Arsa, personal data collected within the scope of this Cookie Clarification Text may be transferred, in line with the purposes described below and in compliance with applicable legislation, to:

• Shareholders of the Company and companies in which the Company holds shares, and shareholders of those companies,
• Business partners,
• The Marketing Department,
• Technology service providers offering support for systems used in connection with the Website, such as hosting services and CRM (Customer Relationship Management) providers,
• Third-party vendors providing services for commercial advertising and marketing activities, such as Message Management System (İleti Yönetim Sistemi: İYS) providers,
• Legally authorized public institutions and private persons, as set out under Articles 8 and 9 of the Law.

Data may be transferred in whole or in part by automated means, or through non-automated means provided that they form part of a data recording system, and with the appropriate technical and administrative security measures in place.

What Types of Cookies Are Used and for What Purposes?

Website cookies specific to you may be processed by Nova Arsa for the purposes of:

• Customizing the products and services offered to you based on your preferences, usage habits, and needs;
• Ensuring the stable and secure operation of the Website;
• Conducting direct and indirect marketing activities.

In accordance with Articles 5 and 8 of the Law and/or in cases where exceptions are provided under applicable legislation, the Company may process and transfer your personal data without obtaining your explicit consent. These cases include, but are not limited to:

• If explicitly stipulated by laws;
• Where it is necessary for the protection of the life or physical integrity of the data subject or another person who is unable to give consent due to actual impossibility or whose consent is not legally valid;
• If it is necessary to process personal data of the parties to a contract, provided that it is directly related to the conclusion or performance of that contract;
• If processing is necessary for compliance with a legal obligation to which the Company is subject;
• If the data has been made public by the data subject;
• If processing is necessary for the establishment, exercise, or protection of a right;
• If processing is necessary for the legitimate interests pursued by the Company, provided that such processing does not violate the fundamental rights and freedoms of the data subject.

Nova Arsa uses various types of cookies on its Platforms for purposes such as:

• Analyzing and improving Platform performance:
  For instance, integrating the Website with different servers, determining the number of visitors, adjusting performance settings, or facilitating users’ ability to find what they are looking for.
• Ensuring the security of the Website:
  Technologies such as CloudFlare are used to distribute website content through secure servers globally, reducing page load times and protecting the Website against common cyber-attacks.
• Enhancing Platform functionality and ease of use:
  For example, enabling sharing on third-party social media platforms, remembering usernames or search queries for future visits.
• Personalization, targeting, advertising, and remarketing:
  Displaying ads relevant to your interests based on the pages and products you have viewed.
• Performing essential Website functions and presenting products and services tailored to your needs and preferences:
  These cookies may be collected via automated means through cookies or through forms and surveys you voluntarily fill out on the Website and may be processed in line with your explicit consent or based on the Company’s legitimate interests.

Types of Cookies Used on the Website

Below you can find different types of cookies used on our Website and application. Both first-party cookies (placed by the Website you visit) and third-party cookies (placed by servers other than the Website you visit) are utilized.

Types of Cookies by Usage Purpose

Mandatory Cookies:
These cookies are necessary for the proper functioning of the Website. They are used to ensure the system operates smoothly, for users to create accounts and log in, to inform the user of the requested service, to prevent fraudulent transactions, and to ensure the Website functions properly. Without these cookies, the Website will not operate correctly. Therefore, mandatory cookies are used for the performance of the service, pursuant to Article 5 of the Law.

• Session ID (session cookie): Stores the user’s login information (if logged in elsewhere), enabling continued access between pages without repeated login. Without this cookie, the user may need to log in again when navigating pages.
• XSRF-TOKEN (CSRF protection cookie): Stores a token generated by the server to prevent cross-site request forgery (CSRF). Frameworks like Angular automatically use a cookie by this name to ensure that forms and sensitive transactions are submitted from valid sources.
• __cf_bm: Used to distinguish between humans and bots. It helps websites generate accurate reports. This cookie has a lifespan of 24 hours.
• _cfuvid: Part of services provided by CloudFlare – includes load balancing, content delivery, and DNS linking. This cookie remains active for the session and is deleted afterward.
• CookieConsent: Stores the user’s cookie consent status for the current domain; maximum retention period is one year.

Preference (Functionality) Cookies:
These cookies are used to simplify visits and improve user experience on the Website. They remember your previous preferences and provide a customized experience upon your next visit. While not mandatory for the Website’s core functions, they provide preference-based enhancements and are only used with your consent.

• language: Stores the user’s preferred language setting. For example, if English is selected, this cookie ensures the site opens in English on future visits.
• theme: Remembers the user’s visual preferences (e.g., dark or light theme), ensuring a consistent look in future visits.

Analytical and Statistical Cookies:
Analytical cookies help us determine which pages are most visited, what content is viewed most frequently, and how visitors interact with the Website. These cookies collect data such as user traffic to help us provide services in line with that traffic. They may be provided by first-party or third-party services and typically gather data anonymously. Since these cookies may collect online identifiers (such as IP addresses or unique IDs), they require user consent under the Law.

• _ga (Google Analytics): The main cookie used by Google Analytics, it assigns a unique ID to each visitor to track how the site is used. It retains data for 2 years and generates anonymized data related to the individual user.
• ga#: Used by Google Analytics to gather data about how many times a user visits the Website and the dates of their first and last visits.
• _gid (Google Analytics): Used to distinguish between new and returning visitors for analysis purposes. It has a lifespan of 24 hours and collects short-term data.
• Route: Records statistical data about user behavior on the Website. It is used internally by the website operator for analytical purposes. This cookie has a lifespan of 2 days.

Marketing Cookies:
Marketing cookies are used to track visitors across websites to deliver relevant and personalized advertisements based on their interests. These cookies may involve third-party advertising and tracking services and are integrated with Nova Arsa’s advertising and analytics tools. Below are some commonly used marketing cookies and their purposes:

• _gcl_au: Used by Google AdSense to evaluate the efficiency of advertising on websites using its services. Maximum storage duration: 3 months.
• NID: Stores a unique identifier to recognize returning users’ devices. This ID is used for targeted advertising. Maximum storage duration: 6 months.
• GTM (Google Tag Manager): Allows for the addition and management of tracking and marketing tags on the Website. These tags help track performance, analyze behavior, and manage advertising campaigns.
• _wpfuuid: Generated by the WPForms plugin when a user visits a page containing a form. It assigns a Universal Unique Identifier (UUID) for backend form processing. It does not contain any personal data.
• YouTube Cookies
  • #-# / iU5q-!O9@$ / LAST_RESULT_ENTRY_KEY / remote_sid / YSC / VISITOR_INFO1_LIVE / VISITOR_PRIVACY_METADATA / yt-remote-* (various cookies):**
    These cookies are used to track user interaction with embedded YouTube content, manage user settings, estimate bandwidth, and ensure functionality. They are session-based or stored for a set duration, such as 90 or 180 days, and include persistent HTML local storage.
  • IDE (Google Ads DoubleClick): Assigns a unique ID to users for tracking advertising efficiency across websites. Used to deliver personalized ads and measure their performance. Originates from .doubleclick.net.
  • test_cookie: Checks whether the user’s browser supports cookies. Originates from .doubleclick.net.
  • _fbp (Meta/Facebook Pixel): Set via Meta Pixel to associate a browser with a user’s Meta account (e.g., Facebook/Instagram), enabling remarketing during later ad campaigns.
  • UserMatchHistory (LinkedIn): Tracks site usage to improve ad targeting. Lifetime: up to 30 days. See: www.linkedin.com/legal/l/cookie-table

How Can I Control the Use of Cookies?

Your preferences regarding the use of cookies and similar technologies are essential to us. However, please note that certain cookies are necessary for the operation of the Platform and must be used. We would also like to remind you that if you disable some cookies, certain functions of the Platform may not work partially or fully.

You can manage your preferences regarding the cookies used on the Platform as follows:

• Visitors can customize their preferences related to cookies by changing their browser settings. If the browser being used offers this capability, preferences can be adjusted through browser settings. Depending on the capabilities of the browser, data subjects may prevent the use of cookies, choose to receive a warning before cookies are used, or disable or delete only some cookies.
• Technical communication files help us obtain statistical data such as how many people visit the site, the purpose and frequency of these visits, and how long visitors stay on the site, as well as support dynamically generating content and advertisements tailored for users. These files are not designed to retrieve data from your main memory or e-mail account or to access any other personal information.
• Most browsers are initially set to accept cookies automatically. However, users can change these settings to disable cookies or to receive a notification when cookies are sent.
• These settings vary depending on the browser being used. For general guidance on managing cookie settings, you can visit https://www.aboutcookies.org/.
• Preferences for cookies may need to be set separately for each device from which the Platform is accessed.

Direct Links to Manage Cookies:

• Disable cookies managed by Google Analytics
• Manage personalized ad experience provided by Google
• Manage cookie preferences used in advertising activities of many companies via Your Online Choices
• On mobile devices, cookie management can be done via device-specific settings menus.

Browser-Specific Settings:

• Adobe Analytics
• AOL
• Google Chrome
• Internet Explorer
• Mozilla Firefox
• Opera
• Safari

What Are Your Rights as a Data Subject?

In general, cookies do not directly process your personal data. However, if you give consent, your data may be processed indirectly (such as through your IP address). Based on the forms you fill out on our Website and the consents you provide, and in accordance with Article 11 of the Personal Data Protection Law (“Law”), data subjects are entitled to the following rights:

• To learn whether personal data is being processed;
• To request information if personal data has been processed;
• To learn the purpose of processing personal data and whether it is used in accordance with that purpose;
• To know the third parties to whom personal data is transferred, domestically or abroad;
• To request the correction of personal data if it is incomplete or incorrect, and to request that such correction is communicated to third parties to whom the data was transferred;
• To request the deletion or destruction of personal data if the reasons for processing no longer exist, despite it being processed in accordance with the Law and other relevant legislation, and to request that such deletion or destruction is communicated to third parties to whom the data was transferred;
• To object to the occurrence of a result against oneself by analyzing processed data exclusively through automated systems;
• To request compensation in the event of damage caused due to the unlawful processing of personal data.

You may exercise your rights listed above by completing the “Data Subject Application Form” available on our Website at https://www.novaarsa.com. You may send a signed hard copy of the form to the address of NOVA ARSA GELİŞTİRME İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ (Tax ID: 6321251367) located at “Altunizade Mah. Mahir İz Cad. No:31, 34662 Üsküdar/İSTANBUL” via notary or similar methods; or send it signed with a “secure electronic signature” as defined in the Electronic Signature Law No. 5070 to our registered e-mail (KEP) address: novaarsagelistirme@hs01.kep.tr  You may also submit your request by other methods determined by the Personal Data Protection Authority.

Your application will be finalized free of charge within 30 (thirty) days at the latest, depending on the nature of your request. However, if the requested process incurs an additional cost, you may be charged a fee in accordance with the tariff determined by the Personal Data Protection Board.

By making a request that prevents the processing of certain personal data, the data subject acknowledges that they may not be able to fully benefit from the functionality of the Website and agrees that any responsibility arising in this context shall rest with them.