Privacy Policy

Updated Date: 5 May 2023

1. Objective

The objective of Herogram (also referred to as "the Company") is to manage personal data of its users in accordance with standard privacy principles and pertinent data protection regulations, including the Personal Data Protection Law No. 6698 (PDP Law) and other applicable legislation. If you have already shared or plan to share your personal information with our Company, or if we have acquired it through external sources, we may process it as the "Data Controller".

Our Company aims to process your personal data with due care and in compliance with this objective, we will undertake appropriate actions to ensure the accuracy and timeliness of the personal information shared or reported to us. These measures may include recording, storing, preserving, reorganizing, and sharing the data with authorized institutions as required by law. Additionally, we may transfer, classify, and disclose the data to third parties within or outside the country, in accordance with relevant legislation and your explicit consent if necessary. It is important to note that the personal information may also be subject to other processing methods and procedures as outlined by the legislation.

This Privacy Policy has been adopted by Herogram to ensure the continuation and enhancement of our operations in accordance with the principles established in the PDP Law. The Policy outlines the types of data we collect, how we intend to use, store, protect, and share this information, the procedure for withdrawing your consent for data processing, and how to make corrections or revisions.

Please note that capitalized terms used in this Policy have the same meaning as specified in the Terms and Conditions, unless defined separately in this Policy.

2. Collection of Personal Data and Method

In accordance with the purposes outlined in this Privacy Policy, Herogram reserves the right to process your personal data.

As part of our services, Herogram collects and uses certain personal data of its users. This includes order information when making an in-app purchase, as well as the Identifier for Advertisers (IDFA), Identifier for Vendors/Developers (IDVF), and Internet Protocol Address (IP Address) associated with the mobile device used to access our services.

Data Categories and Data Types

Data security measures for processing personal information	The following information may be collected by Herogram in connection with your use of our services: internet traffic data (network movements, IP address, visit data, time and date information), device name, in-app purchase history, Token ID (if notifications are allowed through your device), Identifier for Advertisers (IDFA) designated on your mobile device (if you have given permission), and Identifier for Vendors/Developers (IDVF) designated on your mobile device.
Customer data associated with transactions	Order Information
Marketing Data	IDFA, IDVF

We may collect the aforementioned data directly from you, through electronic or physical mediums, your mobile device, third-party applications, or third-party sources that you can access our application through (such as Apple App Store and Google Play App Store). The purpose of this data collection includes compliance with legal obligations, improving our services, administering your use of our services, and enabling you to easily navigate and enjoy our services.

We may also collect log data generated while you use our services or applications (through our products or third-party products). This log data may include your device's Internet Protocol (IP) address, device name, operating system version, the configuration of the app when utilizing our service/application, the time/date of your use of the service/application, and other relevant statistics.

Personal Data Processing PrinciplesHerogram processes personal data as a data controller in accordance with this Privacy Policy and based on the following basic principles: (i) compliance with the law and good faith, (ii) accuracy and, when necessary, up-to-date information, (iii) processing for specific, explicit, and legitimate purposes, (iv) limiting data processing to the intended purpose and minimizing data; and (v) storing data for the period required by relevant legislation or for the purpose for which it was processed.

Purposes and Legal Basis for Processing Personal Data

We will process your personal data in compliance with applicable laws and regulations, as well as articles 5 and 6 of the PDP Law. Such processing will be carried out through automated or non-automated means, provided that it is expressly permitted by laws, necessary for the performance of a contract, or for the legitimate interests of Herogram, with your fundamental rights and freedoms being protected.

a. Reasons of Personal Data Processing

Following the above-mentioned general conditions, we process your personal data for the following purposes:

Process Security	Conducting business operations in compliance with legal requirements. Fulfilling commitments related to our products or services. Carrying out communication activities to keep customers informed and up-to-date. Conducting audits of our business activities to ensure quality and efficiency. Providing after-sales support services for goods or services purchased from us. Carrying out the sales processes of our goods or services Carrying out storage and archiving processes Conducting contract procedures Implementing measures to ensure information security Performing auditing and ethical procedures Carrying out business operations and conducting audits Ensuring business continuity through relevant activities Providing information to authorized entities, institutions, and organizations.
Customer Transaction	Compliance with legal obligations Fulfillment of commitments related to our company, products and services Communication with our customers and partners Audit and monitoring of business operations Provision of after-sales support services for our products and services Sale of our products and services Storage and archiving of data Execution of contractual agreements Implementation of information security measures Conducting ethical and audit activities Ensuring business continuity Sharing information with authorized parties, institutions and organizations.
Marketing Data	Performing marketing analysis studies and carrying out advertising, campaign, and promotion processes.

Furthermore, the reasons for processing personal data are subject to change according to our responsibilities under relevant laws and corporate policies. These include but are not limited to:

Creating user accounts for service recipients/application users.
Personalizing our services to understand users and their preferences in order to improve their experience.
Notifying users of new products, services, applications, advertisements, and promotions.
Conducting digital subscription and in-app purchase processes for service recipients.
Managing auto-renewable subscriptions for access to content, services, or premium features.
Ensuring information security.
Conducting activities in accordance with applicable legislation.
Fulfilling the demands of competent authorities.
Carrying out financial and accounting transactions.
Conducting communication activities.
Conducting contract processes.
Carrying out strategic planning activities.
Responding to requests and complaints.

b. Legal Reasons

Customer Transaction	We may process your personal data if it is necessary for the establishment of a contractual relationship with you or directly related to our performance obligation arising from the contract.
Process Security	Fulfillment of our legal obligations Processing necessary for the establishment, performance, or termination of a contract with you Processing directly related to our obligations arising from a contract with you
Marketing Data	Your explicit consent (acquired via Apple and/or Google)

Third Party Websites and Applications

Ask Brain2 App (Ask Brain2) may contain links to third-party websites and applications whose content is not controlled by Herogram. These linked websites may have different terms and conditions than Herogram, and as such, Herogram cannot be held responsible for the use or disclosure of information that these websites may process. Additionally, Herogram will not be responsible for any links from other sites provided to Ask Brain2, which is owned by Herogram.

We collect information in a fair and lawful manner with your knowledge and consent, and we will inform you of the reason for collecting your data and how it will be used. Please note that you have the right to refuse our request for this information. However, this may impact our ability to provide you with some of the services you desire.

Cookies

Cookies are small text files that are placed on your computer or mobile device's browser or hard drive when you visit a webpage or application. They enhance the browsing experience by allowing websites to function more smoothly and display tailored web pages that meet your specific needs and preferences. Cookies do not collect any personal information or files from your device; they only record information about your online website visit history.

We use cookies to operate and improve the functionality and efficiency of our services, as well as to provide personalized content, such as advertisements that match your interests on our sites or those of third parties. If you wish to delete cookies that are already on your computer or prevent Internet Explorer from recording or locating cookies, you can do so.

Most internet browsers are set to accept cookies by default. However, cookie management varies from browser to browser. You can find more information on how to manage cookies by referring to the help menu of your browser or program.

Push Notifications

Herogram's mobile applications may occasionally send you push messages about updates or service alerts. You can modify or opt-out of these notifications at any time through your device's settings. We will retain your data for as long as required by applicable laws or until the processing is no longer necessary. In certain circumstances, we may continue to store your personal data even after its intended purpose has expired, but only if required by other laws or with your explicit consent. If you give consent for us to store your personal data for additional time, we will promptly delete, destroy, or anonymize it when that time expires or when the processing purpose is no longer relevant.

Technical and Administrative Measures

Herogram will keep the personal data it handles in accordance with applicable laws for as long as it is necessary to fulfill the processing requirements. Herogram is committed to taking all necessary administrative and technical measures and exercising appropriate care to ensure the security, privacy, and confidentiality of personal data. To prevent unauthorized access, disclosure, alteration, or destruction of data, Herogram takes necessary precautions. As a result, the following technical and administrative safeguards are implemented by Herogram for the personal data it processes:

Herogram installs anti-virus applications on all computers and servers within its information technology infrastructure, which are periodically updated.

The servers hosted in Herogram's data center and disaster recovery centers are safeguarded by periodically updated software-loaded firewalls. The relevant next-generation firewalls manage the internet connections of all staff and provide protection against viruses and other similar threats during this process.

Herogram allows suppliers to access its servers or systems through SSL-VPN, which is defined on Firewalls. A unique SSL-VPN identification has been created for each supplier, allowing them to access only the systems they are authorized to use.

User access: Herogram limits the access of its employees to its systems based on their job descriptions. If there is any change in their authority or duties, the system authorizations are updated accordingly.

Information security threat and event management: Herogram transfers the events occurring on its servers and firewalls to the "Information Security Threat and Event Management" system. The responsible staff is alerted through this system in case of any security threat and can respond immediately.

Encryption: Herogram stores sensitive data with cryptographic methods and transfers it through encrypted environments as required. The cryptographic keys are stored in secure and diverse environments.

Herogram securely logs all transaction records related to sensitive data.

Two-factor authentication: Access to sensitive data through remote means requires at least two-factor authentication.

Penetration testing: Herogram periodically conducts penetration tests on its servers. The security gaps identified are promptly addressed, and verification tests are performed to ensure the identified gaps are closed. Additionally, the Information Security Threat and Event Management System automatically performs penetration tests, with results recorded.

Information Security Management System (ISMS): The director of information technology and the director of financial operations audit the topics contained in the control forum during monthly ISMS meetings.

Moreover, regular training is provided to Herogram employees to enhance awareness of various information security violations and to reduce the impact of the human factor in information violation incidents.

Physical data security: Sensitive data stored on paper is secured in lockers and accessed only by authorized personnel. Adequate security measures are taken to protect against situations such as electric leakage, fire, deluge, and theft, based on the nature of the environment where sensitive data is stored.

Backup: Herogram periodically backs up the data it stores, using backup facilities provided by cloud infrastructure providers or developing its own backup solutions when necessary, provided that they comply with relevant legislation and this Policy.

Non-disclosure agreement: Employees involved in processing sensitive personal data are required to sign non-disclosure agreements.

When transferring sensitive personal data, Herogram uses encrypted corporate email or Registered E-mail.

Herogram promptly informs users and the relevant data protection authority, if needed, and takes appropriate measures if personal data is compromised due to an attack on Ask Brain2 or the Herogram system, despite Herogram having implemented necessary information security measures. This also includes instances where personal data is accessed by unauthorized third parties.

4. Transmission of Personal Data to Third Parties

compliance with articles 8 and 9 of the PDP Law, which define the procedures and principles to be observed during personal data transfer, suppliers are permitted to transfer personal and special categories of data to third parties both domestically and internationally. This is due to the use of servers and cloud computing systems located outside of the country.

Personal data may be transferred abroad for the following reasons:

Conducting storage and archiving operations
Conducting business operations
Providing after-sales support services for goods and services
Managing customer relationship management processes.

Herogram reserves the right to transfer your personal data to our Company's service providers, as well as third-party entities such as Facebook SDK, Adjust, and Firebase Analytics, which are integrated into our service. This may be done for the following purposes:

To share identity, communication, and transaction security information with authorized public institutions and organizations, in order to execute activities that comply with legislation, monitor and execute legal affairs, and inform authorized persons, institutions, and organizations.
To share customer transaction information for the management of after-sales support services, business activities, and customer relationship management processes.

5. Data Subject Rights

In accordance with Article 11 of the PDP Law, you, as the data subject, have certain rights regarding your personal data. You may exercise these rights by contacting Herogram and requesting the following:

Information on whether or not your personal data has been processed
Information on the purpose of the processing and whether your data is being used for that purpose
Information on the third parties, domestic or foreign, to whom your personal data has been transferred
Notification to third parties if your personal data has been processed incompletely or inaccurately
Deletion, destruction, or anonymization of your personal data if the reasons for processing have disappeared, and notification to third parties to whom your personal data has been transferred
Objection to any result that is detrimental to you that arises solely from the analysis of your personal data through automated systems
Compensation for any damages you may have incurred due to the unlawful processing of your personal data.

In situations where the General Data Protection Regulation (GDPR) is applicable, data subjects possess certain rights. These rights include:

Right of access: The right to know whether personal data is being processed and, if so, the right to access the personal data and information about how the personal data is being processed by Herogram.
Right to correction: The right to request that inaccurate information be corrected or incomplete information be completed by Herogram.
Right to deletion: The right to request the deletion of personal data according to the conditions specified in the GDPR.
Right to restrict processing: The right to request that the processing of personal data be restricted according to the conditions specified in the GDPR.
Right to object to processing: The right to object to the processing of personal data according to the conditions specified in the GDPR.
Right to data portability: The right to request that the data collected by Herogram be directly transferred to another organization, or under certain conditions.
Objection to the occurrence of a result against oneself by analyzing the processed data exclusively through automatic systems, including profiling.

In order to make a request related to your personal data, you must be authorized and provide proper documentation if you are acting on behalf of someone else. The application must also include your identity and address information and supporting documents. To file a request, you can use the "Data Subject Application Form" provided by our company at [email protected]. We will finalize your request within a maximum of 30 (thirty) days, depending on its nature, free of charge, in accordance with Article 13 of the PDP Law. If your request is rejected, we will provide the reason(s) for the rejection in writing or electronically, along with its justification.

If you believe that our company or anyone we have transferred your data to is violating your rights, you have the right to file a complaint to the data protection authority in your country or other competent supervisory authorities.

Our company may revise this Privacy Policy as necessary. If you continue to access Ask Brain2 and use or access it without taking advantage of the services offered by Herogram after the notification period, you will be deemed to have accepted the changes made in this Privacy Policy.

Customer Title:	Herogram FZ LLC
Address:	Dubai, United Arab Emirates
E-mail:	[email protected].
Tel:	xx