1. DATA PRIVACY COMMITMENT

1.1 This Personal Data Protection Policy (“Policy”) determines the principles to be followed within the Company regarding the protection and processing of Personal Data pursuant to the Law on Protection of Personal Data No. 6698, by PRIME CARE TURİZM VE SAĞLIK İŞLETMELERİ A.Ş. (“Company”).

1.2 The Company undertakes to comply with this Policy and the procedures regarding the Personal Data within its structure.

2. PURPOSE OF THE POLICY

The main purpose of this Policy is to determine the principles regarding the methods and processes for the processing and protection of Personal Data by the Company.

3. SCOPE OF THE POLICY

3.1 This Policy covers all activities regarding Personal Data processed by the Company. 3.2 This Policy does not apply to data that does not qualify as Personal Data. 3.3 This Policy may be amended from time to time with the approval of the Management.

4. DEFINITIONS

• Explicit Consent: Consent based on information and expressed with free will.

• Anonymization: Rendering Personal Data impossible to link with an identifiable person.

• Personal Data: Any information relating to an identified or identifiable natural person.

• KVKK: The Law on Protection of Personal Data No. 6698.

• Special Categories of Personal Data: Data relating to health, sexual life, biometrics, genetics, etc.

• Data Subject: The natural person whose personal data is processed (e.g., patients, visitors).

• Data Controller: The entity (Prime Care Clinic) determining the purposes and means of processing personal data.

5. PRINCIPLES OF PROCESSING PERSONAL DATA

5.1 Processing in conformity with the law and good faith. 5.2 Ensuring accuracy and currency of data. 5.3 Processing for specific, explicit, and legitimate purposes. 5.4 Being connected, limited, and proportionate to the purpose. 5.5 Retention for the period required for the purpose.

6. PROCESSING OF PERSONAL DATA

6.1 Explicit Consent: Personal Data is processed if the Data Subjects give Explicit Consent after being informed. 6.2 Processing Without Consent: In cases foreseen by KVKK (e.g., clearly stipulated in laws, medical necessity, contract performance, legal obligations), data may be processed without explicit consent.

7. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

7.1 Sensitive data (Special Categories) are processed only with Explicit Consent or if required by law. 7.2 Health and sexual life data may be processed without consent by persons under the obligation of secrecy (e.g., Doctors) for medical diagnosis, treatment, and care services. 7.3 Necessary security measures determined by the Board are taken while processing this data.

8. DATA RETENTION PERIOD

Personal Data is kept for the legal retention periods and for the time necessary for the purpose of processing. Expired data is deleted, destroyed, or anonymized.

9. DELETION, DESTRUCTION, AND ANONYMIZATION

When the purpose for processing Personal Data disappears, the relevant data is deleted, destroyed, or anonymized. The Management is responsible for these processes.

10. TRANSFER OF PERSONAL DATA

10.1 Personal Data may be transferred to third parties in Turkey or abroad in accordance with the legislation, provided that necessary security measures are taken. 10.2 Transfers are made to support medical services, legal obligations, or operational requirements (e.g., IT support), always respecting confidentiality.

11. COMPANY’S OBLIGATION TO INFORM

The Company informs Data Subjects about the identity of the Data Controller, the purpose of processing, data transfer recipients, collection methods, and their rights before processing Personal Data.

12. RIGHTS OF DATA SUBJECTS

We respect your privacy and your control over your personal information. Under the Law (KVKK), you have the right to learn whether your data is processed, request correction, deletion, or information about transfers.

How to Contact Us: We do not require complex legal forms, notary approvals, or formal “application forms” for you to exercise your rights. If you have any questions about your data or wish to make a request, simply contact us directly.

Data Controller: PRIME CARE TURİZM VE SAĞLIK İŞLETMELERİ A.Ş. E-mail: info@primecareturkey.com Address: Yenibosna Merkez Mahallesi, 1. Asena Sk. No:15CA Pullman Hotel yanı, 34295 Bahçelievler/İstanbul

You can send your requests via email. We will address your request as soon as possible and within 30 days at the latest.

13. DATA MANAGEMENT AND SECURITY

13.1 The Company takes all technical and administrative measures to ensure the security of Personal Data. 13.2 Employees are trained on data protection. Access to data is limited to authorized personnel only. 13.3 Security systems (firewalls, backups, antivirus) are used to protect digital data. 13.4 Physical files are kept in secure environments.

14. DATA BREACH RESPONSE

In the event of a data breach (e.g., data obtained by unauthorized persons), the Company will notify the Personal Data Protection Board and the affected individuals in accordance with the law (within 72 hours).

15. TRAINING

The Company provides necessary training to its employees regarding the protection of Personal Data and patient privacy.

16. AUDIT

The Company regularly checks its internal processes to ensure compliance with this Policy and the Law.

17. RESPONSIBILITIES

All employees and the Management are responsible for the implementation of this Policy.

18. CHANGES TO THE POLICY

This Policy may be updated by the Company Management. The updated version will be available to employees and visitors.

19. EFFECTIVE DATE

This version of the Policy was approved by the Company Management on November 30, 2025 and entered into force.