POLICY ON THE PROTECTION OF PERSONAL DATA
This Policy has been prepared by Rune Technologies Information Services Joint Stock Company (“Rune” or the “Company”) within the scope of the data controller’s obligation to inform, in order to ensure compliance with the Law on the Protection of Personal Data No. 6698, published in the Official Gazette dated 07 April 2016 and numbered 29677 (“KVKK”), and other relevant legislation.
Within this Policy, the procedures and principles adopted and implemented by our Company are set out with respect to the categories of personal data processed by our Company, the principles governing the processing of personal data, the purposes and legal bases for processing, the transfer of personal data within Türkiye and abroad, the retention and destruction of personal data, and the rights of data subjects and the procedures for exercising such rights.
Rune Technologies Information Services Joint Stock Company (“Rune” or the “Company”) undertakes to act in full compliance with the KVKK and other applicable legislation, and to process, use, destroy, transfer, and otherwise handle personal data in accordance with the procedures and processes defined in this Policy and in line with the principles set forth under the Law.
DEFINITIONS
Explicit Consent: | Consent that is related to a specific subject, based on information, and expressed with free will. |
Anonymization: | The process by which personal data is rendered impossible to associate with an identified or identifiable natural person, even when matched with other data. |
Personal Data: | Any information relating to an identified or identifiable natural person. |
Processing of Personal Data: | Any operation performed upon personal data, whether wholly or partly by automated means or otherwise as part of a data recording system, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of the use of such data. |
Data Subject (Owner of Personal Data): | A natural person whose personal data is processed. |
Special Categories of Personal Data (Sensitive Personal Data): | Personal data relating to an individual’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance or attire, membership in associations, foundations or trade unions, Health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
PERSONAL DATA PROCESSED
The personal data listed below are examples of the data processed by our Company and do not represent an exhaustive list. Depending on the nature of the activity and the context of processing, new data processing activities may arise. In such cases, separate privacy notices will be prepared, and the relevant individuals will be informed accordingly.
2.1 Regarding Website Visitors and Potential Business Partners
Identity Information: Name, surname (if shared through the contact form)
Contact Information: E-mail address, phone number (if shared through the contact form)
Technical Data: IP address, device type, browser information, operating system, date and time of visit, page view details, log records
Cookie Data: Cookies used to measure website performance, user preferences, and interactions with embedded third-party content
2.2 Regarding Communication Requests
Identity Information: Name, surname (if shared through the form)
Contact Information: E-mail address, phone number
Message Content: Requests, suggestions, cooperation offers, or complaints submitted via the contact form or e-mail
Time Information: Date and time of submission
2.3 Regarding Suppliers, Business Partners, and Service Providers
Identity Information: Name, surname, Turkish ID number or tax number (for natural-person business partners)
Contact Information: Phone number, e-mail address, business address
Financial Information: Bank account details, invoice information
Contractual Information: Communication and transaction records arising from the contract
2.4 Within the Scope of Game and Web Application Usage
User Interaction Data: In-game behavior data, session duration, clickstream and navigation logs
Device and Application Data: Browser type, screen resolution, connection speed, cookie identifiers
Location Data: Approximate geographic location (city-level) derived from the user’s IP address
In addition to the above, our Company may process personal data depending on the nature of the work performed and the specific processing activity.
3. METHODS OF COLLECTING PERSONAL DATA
Your personal data are collected through various methods in compliance with the Law on the Protection of Personal Data No. 6698 (KVKK). Personal data may be obtained through the following means: completing communication or support forms available on our website (https://runegames.studio/), system logs and transaction records automatically generated during your interactions with the website, cookies and similar technologies (as explained in our Cookie Policy), the automatic recording of browser or device information, communications made via e-mail, online support channels, or social media, technical integrations carried out with service providers or business partners, such as payment infrastructures, advertising networks, or analytics tools. All personal data collected are stored and processed solely for the purposes of data processing, and only for specific, legitimate, and lawful purposes in accordance with applicable legislation.
4. THE PURPOSE AND LEGAL BASIS FOR THE PROCESSING OF YOUR DATA
Your personal data may be processed by our Company in accordance with the Law on the Protection of Personal Data (KVKK) and other applicable legislation, for the purposes set out below under each relevant data category. While the specific purposes are categorized based on different groups of individuals, personal data may also be processed for general purposes beyond those listed below, where applicable.
4.1 REGARDING WEBSITE VISITORS AND POTENTIAL BUSINESS PARTNERS
Your personal data are processed by our Company for the purposes and on the legal bases set out below:
| PURPOSE OF THE PROCESSING | LEGAL BASIS |
· Evaluating and responding applications, · Responding to inquiries, suggestions, or requests submitted through the contact form or via e-mail | KVKK Art. 5/2(c): Processing is necessary for the establishment or performance of a contract directly related to the data subject. |
· Fulfilling legal obligations (e.g., providing information to authorized public institutions, accounting and IT security requirements) | KVKK Art. 5/2(ç): Processing is necessary for compliance with the data controller’s legal obligations. |
· Ensuring the operation and performance of the Website, monitoring system errors, and maintaining security · Improving user experience on the Website, conducting technical analyses, and creating statistical reports (through cookies and log records) · Performing statistical analyses and advertising measurement activities through cookies | KVKK Art. 5/2(f): Processing is necessary for the legitimate interests of the data controller, provided that such processing does not violate the fundamental rights and freedoms of the data subject. |
· Conducting marketing activities, providing users with customized campaigns and content suggestions (where explicit consent is obtained) | KVKK Art. 5/1: Processing is based on the explicit consent of the data subject. |
FOR THE PURPOSES OF COMMUNICATION REQUESTS OR SUPPORT APPLICATIONS
Personal data collected through the Website, game platform, or other communication channels within the scope of contact/support requests are processed by our Company for the purposes and on the legal bases set out below:
THE PURPOPSE OF PROCESSING | LEGAL BASIS | |
| KVKK Art. 5/2(c): Processing is necessary for the establishment or performance of a contract directly related to the data subject. | |
· Recording and retaining requests and complaint processes, and keeping such data as evidence in case of audits or disputes | KVKK Art. 5/2(ç): Processing is necessary for compliance with the data controller’s legal obligations. | |
· Measuring service quality and conducting customer satisfaction analyses · Verifying the identity and contact information of visitors or potential business partners related to their requests, ensuring follow-up, response, and information feedback. | KVKK Art. 5/2(f): Processing is necessary for the legitimate interests of the data controller, provided that such processing does not violate the fundamental rights and freedoms of the data subject. |
FOR THE PURPOSES OF SUPPLIERS, BUSINESS PARTNERS, AND SERVICE PROVIDERS
The personal data of natural person suppliers, business partners, and service providers who maintain commercial, technical, or operational relations with our Company are processed for the purposes specified below and in accordance with the applicable legal grounds.
THE PURPOSE OF PROCESSING | LEGAL BASIS | |
· Establishing, executing, and maintaining contractual relationships with suppliers, business partners, or service providers, and ensuring necessary communication | KVKK Art. 5/2(c): Processing is necessary for the establishment or performance of a contract directly related to the data subject. | |
| KVKK Art. 5/2(ç): Processing is necessary for compliance with the data controller’s legal obligations. | |
· Conducting communication and collaboration processes, managing up-to-date contact information · Archiving correspondence, meeting notes, and call records made between the parties in connection with the business relationship | KVKK Art. 5/2(f): Processing is necessary for the legitimate interests of the data controller, provided that such processing does not violate the fundamental rights and freedoms of the data subject. | |
·
| KVKK Art. 5/2(e): Processing is necessary for the establishment, exercise, or protection of a right. |
- FOR THE PURPOSES OF USING THE GAME AND WEB APPLICATION
Personal data collected automatically within the technical infrastructure of the game platform and website is processed for the purposes specified below and in accordance with the relevant legal grounds.
THE PURPOSE OF THE PROCESSING | LEGAL BASIS | |
· Recording user sessions and in-game behavior and interactions (e.g., clicks, session duration, progress)
| KVKK Art. 5/2(c): Processing is necessary for the establishment or performance of a contract directly related to the data subject. | |
| KVKK Art. 5/2(f): Processing is necessary for the legitimate interests of the data controller, provided that such processing does not violate the fundamental rights and freedoms of the data subject. | |
· As detailed in the Cookie Policy, providing analytics, advertising, or personalized content through cookies and similar technologies based on the user’s explicit consent | KVKK Art. 5/1: Processing is based on the explicit consent of the data subject. |
5. TRANSFER OF PERSONAL DATA
Our Company may transfer personal data to third parties located in Türkiye or, when necessary, abroad — either for processing or storage purposes — in compliance with the conditions set out in the Law No. 6698 on the Protection of Personal Data (KVKK) and other applicable legislation, while taking the security measures prescribed therein.
To ensure efficient operation of our business activities and to benefit from technological capabilities, we may transfer your personal data abroad through cloud-computing technologies, provided that all required technical and administrative measures are implemented. Other than such cases, we do not transfer your personal data outside Türkiye.
Pursuant to Article 9 of the KVKK, personal data may be transferred abroad without the explicit consent of the data subject only if one of the conditions specified under Articles 5/2 or 6/3 of the KVKK is met and if:
a) the foreign country to which the data will be transferred ensures an adequate level of protection, or
b) in the absence of adequate protection, both the data controllers in Türkiye and in the relevant foreign country undertake in writing to provide adequate protection and obtain authorization from the Personal Data Protection Authority (“Authority”).
For regular transfers, under Article 9/4(c) of the KVKK, the existence of a standard contract published by the Authority — which specifies data categories, purposes of transfer, recipients and recipient groups, technical and administrative measures, and additional safeguards for special-category personal data — is required.
For occasional transfers, under Article 9/6, transfers may be carried out where: the data subject gives explicit consent after being informed of potential risks; the transfer is necessary for the performance of a contract between the data subject and the data controller or for pre-contractual measures at the data subject’s request; the transfer is necessary for the conclusion or performance of a contract made in the interest of the data subject between the data controller and another natural or legal person; or the transfer is necessary for the establishment, exercise, or protection of a right.
Accordingly, in cases where explicit consent is not required, our Company ensures that the country to which the data will be transferred provides an adequate level of protection. The adequacy decision shall be determined by the Personal Data Protection Board. If such adequacy is not established, both the data controller in Türkiye and the foreign data controller must undertake to provide adequate protection in writing and obtain the Board’s authorization.
In this context, our Company may share personal data with;
Business partners and service providers (both in Türkiye and abroad) for purposes such as receiving IT or consultancy services, product and service support, or where domestic business partners’ servers are located abroad,
Authorized public institutions, organizations, and judicial authorities, to fulfill our legal obligations to provide information or documents, and to exercise our legal rights such as filing or responding to claims;
Overseas servers through local service providers whose infrastructure is located outside Türkiye, based on the standard contractual clauses approved by the Authority;
Suppliers or business partners (whether in a contractual partnership or providing independent services) to ensure the proper performance of our services;
Training and compliance partners, as well as legal and professional advisors such as lawyers, certified public accountants, and occupational-safety specialists, for the fulfillment of our statutory obligations;
Foreign clients with whom we have commercial relations, to establish communication and execute contracts, including the transfer of our employees’ data as necessary for contractual performance;
Suppliers or contracted healthcare providers, as well as other product or service vendors, when required for the proper performance of our services.
6. DELETION OF PERSONAL DATA
Personal data processed by our Company within the scope of its activities are retained only for the period necessary to achieve the purposes for which they were collected and for the duration required by the relevant legislation.
When personal data lose their purpose of processing, reach the end of their retention period, or, where applicable, are requested to be erased by the data subject, such data are destroyed using one of the methods of deletion, destruction, or anonymization specified in Article 7 of the KVKK, as appropriate to the nature of the data and processing activity.
Deletion of personal data refers to making the data inaccessible and unrecoverable for relevant users under any circumstances. Destruction of personal data refers to rendering the data inaccessible, irretrievable, and unusable by anyone in any manner. Anonymization of personal data refers to rendering the data impossible to associate with an identified or identifiable natural person, even if matched with other datasets.
7. RIGHTS OF THE DATA SUBJECT
Pursuant to Article 11 of the Law, you may exercise the following rights by applying to the Company through the methods specified in the “Contact” section of this Policy:
To learn whether your personal data are being processed,
To request information if your personal data have been processed,
To learn the purpose of the processing of your personal data and whether they are used in accordance with their purpose,
To learn the third parties to whom your personal data are transferred domestically or abroad,
To request the rectification of your personal data if they are incomplete or inaccurate,
To request the deletion or destruction of your personal data within the framework of the conditions set forth in the KVKK legislation,
To request that third parties to whom your personal data have been transferred be notified of such rectification, deletion, or destruction,
To object to any result arising to your detriment through the exclusive analysis of processed data by automated systems,
To request compensation if you suffer damage due to the unlawful processing of your personal data.
8. CONTACT
You may submit your applications regarding the rights listed above in accordance with the procedures specified in the Communiqué on the Principles and Procedures of Application to the Data Controller.
Your applications may be submitted by:
Delivering them in person to the address GÜLBAHÇE MAH. GÜLBAHÇE CAD. NO: 1/48 İÇ KAPI NO: 14 URLA / İZMİR (please note that identification will be required)
Sending them via notary public to the address GÜLBAHÇE MAH. GÜLBAHÇE CAD. NO: 1/48 İÇ KAPI NO: 14 URLA / İZMİR,
Sending them by registered electronic mail (KEP) to the address petrolig@hs02.kep.tr using your secure electronic signature in accordance with the Electronic Signature Law No. 5070,
Sending them in writing from the e-mail address previously notified to the Company and registered in our systems to the address petrolig@hs02.kep.tr
Your requests submitted through these channels will be duly processed and responded to by our Company.
Additionally, after the Personal Data Protection Board announces new methods for submission, our Company will also publish information regarding how applications will be received through such methods.