GDPR Privacy Notice

As the data controller pursuant to Article 3/1-(ı) of the GDPR: • Title: AGENTA GROUP YAZILIM TURİZM TİCARET LİMİTED ŞİRKETİ • Address: Yavansu Mahallesi Hüseyin Can Bulvarı Hasan Berat Sitesi 5.Blok No:45/5 İç Kapı No:2 Kuşadası/Aydın • MERSIS No: 0216140401600001 • Tax Office/No: Kuşadası VD - 2161404016 • Email: destek@camperello.com • Phone: 0545 829 60 60 • Web: camperello.com VERBIS Registration Status: The registration process of our Company in the Data Controllers Registry (VERBIS) is ongoing, and this document will be updated once the registration is completed.

Our Company may process the following categories of personal data depending on the nature of the service: • Identity Data: name-surname, Turkish ID number (in case of invoicing/legal obligation), date of birth, gender • Contact Data: email, phone, address, country, city • Customer Transaction Data: order and listing payment information, shopping history, request and complaint records • Financial Data: invoice information, IBAN (for host/vendor payment), type of payment instrument (card information is stored with PCI-DSS compliant payment provider, not retained by Camperello) • Location Data: coordinates of the campsite marked on the map, approximate location with user consent • Visual and Audio Data: profile photo, advertisement photos, product photos, customer support audio/video recordings (if any) • Legal Transaction Data: contract, lawsuit and enforcement file information, correspondence • Transaction Security Data: IP address, device/browser information, log records, session cookies • Marketing Data: newsletter subscription, cookie-based preference information, campaign participation information

Your personal data is processed for the following purposes in accordance with the general principles set forth in Article 4 and the conditions stipulated in Articles 5-6 of the GDPR: • Creation and management of your membership account • Receiving and fulfilling equipment orders and caravan listing publications • Collection of payments and execution of entitlement payments • Management of invoice, contract, distance selling, and pre-information processes • Provision of customer support services, evaluation of requests and complaints • Account security, prevention of fraud and abuse • Fulfillment of legal obligations (tax, bookkeeping, e-commerce, GDPR) • Responding to requests from authorized institutions and courts • If you provide explicit consent, marketing, campaign, personalized content, and advertisement presentation • Development of services, analytical and statistical studies

Your personal data is processed for the following legal reasons under Article 5 of the GDPR: • GDPR Article 5/2-(a): Explicitly stipulated by laws (e.g., obligations under Law No. 213, Law No. 6502, Law No. 6563) • GDPR Article 5/2-(c): Necessity for the establishment and performance of a contract (membership, sales contract, listing publication contract) • GDPR Article 5/2-(ç): Necessity for the data controller to fulfill a legal obligation • GDPR Article 5/2-(e): Necessity for the establishment, exercise, or protection of a right • GDPR Article 5/2-(f): Necessity for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject (security, fraud prevention, service improvement) • GDPR Article 5/1: Explicit consent (especially in cases of marketing, cookie-based tracking, and transfers abroad conducted with explicit consent)

Your personal data may be shared with the following parties, limited to the purposes mentioned above and provided that necessary security measures are taken, in accordance with Articles 8 and 9 of the GDPR: Domestic Transfers: • Payment providers: PayTR • Cargo and logistics companies: Aras Kargo and other cargo companies selected by the Seller • Hosts and Sellers (mandatory Buyer/Seller information for the fulfillment of sales/listings) • Financial advisors, auditing, law firms (if required) • Authorized public institutions and organizations (when requested, within legal limits) • Email sending providers, SMS providers

Camperello collaborates with certain cloud infrastructure and service providers while delivering its services. The servers of the providers listed below may be located abroad: • Clerk (authentication/session management) – USA • Cloudflare (CDN, DDoS protection, R2 object storage) – USA/EU • Neon (PostgreSQL database hosting) – EU (Frankfurt region) • OpenAI (if AI-supported features are utilized) – USA • Sentry (error tracking) – USA • Analytics and email providers (if in use) Transfers abroad, as per Article 9 of the GDPR (amended by Law No. 7499), are conducted based on the existence of an adequacy decision, the signing of a declaration/standard contract, or in exceptional cases, based on the explicit consent of the data subject. Data is protected with security standards at least at the level of GDPR.

Your personal data is collected electronically through the membership form on the Platform, order and listing publication processes, customer support channels, cookies, mobile applications, email, phone, open sources, payment providers, and social media platforms; and physically through documents such as contracts and invoices.

Your personal data will be deleted, destroyed, or anonymized in accordance with the relevant legislation (especially Law No. 213 – 5 years, Law No. 6102 – 10 years, Law No. 6563 and secondary legislation – 3 years, limitation periods for consumer transactions under Law No. 6502 – generally 10 years) and the Company's retention and destruction policy after the purpose for which they were processed has ceased or the maximum legal retention period has expired.

You have the following rights under Article 11 of the GDPR: • To learn whether your personal data is being processed • To request information regarding your personal data if it has been processed • To learn the purpose of processing your personal data and whether they are used in accordance with that purpose • To know the third parties to whom your personal data has been transferred, whether domestically or abroad • To request the correction of your personal data if it is incomplete or inaccurately processed and to request that the operation performed in this context be notified to third parties to whom your data has been transferred • To request the deletion or destruction of your personal data if the reasons necessitating its processing have ceased, even though it has been processed in accordance with the provisions of the GDPR and relevant legislation, and to request that the operation performed in this context be notified to third parties to whom your data has been transferred • To object to the emergence of a result against you by means of exclusively automated systems analyzing your processed data • To request compensation for damages incurred due to the unlawful processing of your personal data

To exercise your rights as a data subject, you may submit your request to our Company using the following methods in accordance with the Communiqué on the Procedures and Principles for Application to the Data Controller: • In writing: By sending a signed petition to Yavansu Mahallesi Hüseyin Can Bulvarı Hasan Berat Sitesi 5.Blok No:45/5 İç Kapı No:2 Kuşadası/Aydın (along with documents verifying your identity) • Via KEP: [During registration] • From your registered email address in our system, securely signed or mobile signed to destek@camperello.com Your application must include your name-surname, Turkish ID number, address for notification, email/phone, and the subject of your request. Our Company will respond to your request free of charge within a maximum of 30 (thirty) days in accordance with Article 13/2 of the GDPR, depending on the nature of your request. If the process incurs an additional cost, a fee may be charged as determined by the data protection authority. If you are not satisfied with the outcome of your application, you may file a complaint with the data protection authority in accordance with Article 14 of the GDPR.

Our Company takes administrative and technical measures to prevent the unlawful processing of your personal data and unlawful access to data, in accordance with Article 12 of the GDPR: access authorization matrices, password policies, multi-factor authentication, encryption (TLS/HTTPS, application-level for sensitive data), log monitoring, penetration testing, employee confidentiality agreements, GDPR awareness training, and data breach response plans.