Privacy Policy and Data Protection Notice

As used in this privacy notice: • Personal Data: Any information relating to an identified or identifiable natural person. • KVKK (Personal Data Protection Law): Law No. 6698 on the Protection of Personal Data, published in the Official Gazette on April 7, 2016. • Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. • Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. • Data Subject: The natural person whose personal data is processed. • Platform: The PrecastX web application, mobile application, and all related services. • Device: PrecastX temperature sensors (PX-Sens) and gateway devices (PX-Base).

The data controller for the PrecastX platform: Company Name: SumerLabs Yazılım Teknoloji İnşaat Sanayi ve Ticaret Limited Şirketi Address: Tunhan Mh. 237.Sk Süteks Sit. No:1E/4 Etimesgut/ANKARA, Turkey Tax Office / Tax ID: Etimesgut Tax Office / 7830855807 Authorized Person: Ahmet SÜMER Phone: +90 553 436 96 80 Email: sumer682003@yahoo.com As the Data Controller under KVKK, personal data shared by our users, potential customers, employee candidates, suppliers, and business partners may be processed, transferred to third parties domestically and internationally, stored, used for profiling, and classified in compliance with KVKK, in connection with and proportionate to our operational and service purposes.

Your personal data is collected in physical and electronic environments in accordance with the fundamental principles set forth in the Personal Data Protection Law No. 6698, in compliance with the law and the principle of good faith, connected to, limited to, and proportionate with the processing purposes; accurate and up-to-date; for specific, explicit, and legitimate purposes and for the period required by the relevant legislation or necessary for the purpose for which they are processed. As the data controller, your personal data is processed for the following purposes: • Providing, maintaining, and improving the PrecastX platform and IoT services • Collecting, processing, analyzing, and reporting sensor data • Providing device management, firmware updates, and technical support services • Performing user account management and authentication operations • Providing team and project management functions • Processing payment and billing transactions • Sending technical notifications, updates, and support messages • Analyzing platform usage patterns and improving service quality • Fulfilling legal obligations and meeting reporting requirements under applicable legislation • Conducting statistical studies and market research

Personal data collected under this Privacy Policy includes the following categories: • Identity and Contact Information: Name, surname, username, email address, phone number, company information, profile photo. • Authentication Data: Google account ID, Apple account ID, password hash, phone verification status. • Payment Information: Payment data processed through the iyzico payment infrastructure during purchases (credit card information is not directly stored by us). • IoT Sensor Data: Thermocouple temperature readings, ambient temperature and humidity data, battery level, battery temperature, charging status, fuel gauge data. • Device Identification Data: Device ID, MAC address, IMEI number, MSISDN, firmware version, device model and technical specifications. • Device Telemetry Data: Signal quality (RSSI), uptime, reboot reasons, memory usage, flash storage usage, transmission statistics. • Location Data: Geographic location data (geocoding) related to reading sessions. • Media Content: Photos and video files attached to reading sessions. • Usage Data: Application interactions, session durations, page views, activities on the platform. • Technical Data: IP address, browser information (user agent), session tokens, log data. • Project and Production Data: Project information, product data (beams, columns, etc.), formwork information, concrete class, mix design, slump value, probe placements. Your personal data is collected electronically through the mobile application, web platform, IoT devices (via BLE, MQTT protocols), email, phone, cookies, and analytics tools. The legal basis for data collection includes: performance of a contract, legitimate interest, legal obligation, and explicit consent.

PrecastX utilizes IoT sensor technologies for real-time monitoring of concrete curing processes. In this context: • Sensor devices (PX-Sens) measure temperature data through thermocouple probes embedded in concrete once per second and transmit it to the gateway device (PX-Base) via encrypted wireless protocol. • The gateway device transfers the collected sensor data to the PrecastX cloud infrastructure via MQTT protocol over NB-IoT/LTE or WiFi connection. • In the cloud infrastructure, sensor data is processed, analyzed, anomaly detection is performed, and notifications are triggered. • Users can access data in real-time through the mobile application and web dashboard via WebSocket connection. • Offline data synchronization: When internet connection is unavailable, data is stored on the device and synchronized via the mobile application through BLE when connectivity is restored. • Device commands: Reading session start/stop, configuration, and firmware update commands can be sent to devices through the cloud platform. Sensor data is processed within the scope of service delivery and contract performance, and is protected under KVKK when associated with personally identifiable information.

Your personal data shared with us may be transferred to third parties, institutions, and organizations domestically and internationally, as well as to judicial and administrative authorities upon request, within the scope of the purposes listed above, in compliance with KVKK and applicable legislation, provided that necessary technical and administrative measures are taken. Third-party service providers to whom your personal data may be transferred: • Cloudflare: Hosting, CDN, security, and file storage (R2) services • PostHog: Platform usage analytics and event tracking • iyzico: Payment processing infrastructure • Resend: Email delivery services (notifications, invitations, verification emails) • Twilio: SMS delivery services (OTP verification, notifications) • Expo: Mobile push notification services • Google and Apple: Authentication services (OAuth) Your personal information is never sold, traded, or rented to third parties for marketing purposes. Your personal data and technical information will be shared with relevant institutions and organizations only when duly requested by authorized, administrative, and official authorities in accordance with applicable legislation for the purpose of fulfilling our security and legal obligations.

Your personal data is retained for the periods determined by legislation. Where no specific period is determined by legislation, data is retained for the duration required for the continuation of our services and in accordance with commercial customs, and thereafter only for the purpose of serving as evidence in potential legal disputes for the necessary periods. After the expiration of the specified periods, personal data is deleted, destroyed, or anonymized. If you close your account or submit a deletion request, your data will be deleted or anonymized within a reasonable period, except for data that must be retained due to legal obligations. Sensor data is retained during the period in which the relevant reading session is active and after the session ends for reporting and analysis purposes.

Third-party service providers are used for hosting, database, error tracking, analytics, and communication services. Some of these providers may use servers located outside of Turkey. In such cases, necessary administrative and technical measures are taken in accordance with Article 9 of KVKK, and data transfer is carried out either to countries with adequate protection or to countries without adequate protection provided that the data controller commits to adequate protection in writing and the Personal Data Protection Board grants permission.

We implement comprehensive technical and administrative measures to ensure the security of your personal data: • All data transmissions are protected with TLS/SSL encryption. • IoT sensor communication is secured with AES-128 encryption and HMAC-SHA256 integrity verification. • User session tokens and sensitive data are stored in encrypted storage. • Access privileges are restricted according to the principle of least privilege. • Regular backup and disaster recovery procedures are implemented. • Rate limiting and bot protection (Cloudflare Turnstile) are in place. • Password data is stored using one-way hash functions and is never recorded in plain text. However, no transmission over the internet can be guaranteed to be completely secure; we recommend exercising caution when sharing sensitive content.

Under the Personal Data Protection Law No. 6698 and other applicable legislation, as a user/data subject whose personal data is processed, you have the following rights: • To learn whether your personal data has been processed. • To request information about processing if your personal data has been processed. • To learn the purpose of processing your personal data and whether they are used in accordance with their purpose. • To know the third parties to whom your personal data has been transferred domestically or abroad. • To request correction of your personal data if it has been processed incompletely or inaccurately, and to request that the correction be notified to third parties to whom your personal data has been transferred. • To request deletion, destruction, or anonymization of your personal data when the reasons requiring processing no longer exist, despite having been processed in accordance with KVKK and other applicable laws, and to request that this action be notified to third parties to whom your personal data has been transferred. • To object to any result that arises against you through the analysis of your processed data exclusively by automated systems. • To claim compensation for damages incurred due to unlawful processing of your personal data.

Under KVKK Art. 11, you have the right to request the transfer of your personal data to yourself or to another data controller you designate. You can request that sensor data, project information, product records, and other content uploaded to our platform be delivered to you in a machine-readable, commonly used, and structured format (JSON, CSV, etc.) by sending an email to sumer682003@yahoo.com. Data portability requests will be concluded within a reasonable period (no later than 30 days) after identity verification. Data will be provided in the requested format to the extent technically feasible.

You can request the deletion of your account and data or the cessation of processing by sending an email to sumer682003@yahoo.com or by using the "Delete My Account" function in the mobile application. In case of a deletion request, all your personal data will be deleted or anonymized within a reasonable period, except for data that must be retained due to legal obligations (commercial book retention periods, tax legislation, etc.). Requests are processed after identity verification.

Our web platform uses essential session and security cookies. In addition: • Analytics Cookies: Platform usage statistics are collected through the PostHog analytics tool. This data is processed for the purpose of improving service quality, in anonymized form where possible. • Security Cookies: Security verification cookies are used within the Cloudflare Turnstile bot protection system. • Session Cookies: Essential cookies are used for user authentication and session management. You can manage or delete cookies through your browser settings. However, disabling essential cookies may affect your ability to use certain functions of the platform.

This Privacy Policy may be updated. We reserve the right to make changes in order to provide up-to-date information regarding data protection practices and legal regulations. Changes will take effect upon publication on the platform. In case of a material change, users will be notified through appropriate channels (email, in-app notification). Continuing to use the platform after any changes constitutes acceptance of the new Privacy Policy. If you do not accept the changes, you must stop using the platform and request the deletion of your account.