Privacy, Personal Data & Contact

Only the information needed to reserve, operate and follow up on the trip is collected.

• Booking contact: Full name, email, phone or WhatsApp number and country of residence.
• Ticketing and legal needs: Passport number, nationality and date of birth when domestic flights require them.
• Payments: Card data is handled by the authorized bank in a PCI-DSS environment. Only a confirmation token and last 4 digits are visible; full card number and CVV are not stored.
• Operations: Hotel category, dietary needs, accessibility notes, tour messages and feedback.
• Website analytics: Anonymous performance cookies, not personally identifying cookies.

Personal data is not sold. It is used for reservations, flight tickets, hotels, drivers, confirmations, reminders and optional newsletters that can be unsubscribed from.

Yes. Data handling follows Turkish privacy law and, for eligible travelers, equivalent European privacy rights.

• KVKK, Turkey Law No. 6698: The primary framework for a Turkey-based company and data controller obligations.
• GDPR: Applied to EU and UK resident travelers, including portability and objection rights where relevant.
• Swiss FADP: Swiss resident requests are handled with protections aligned to GDPR-level rights.
• California privacy requests: Do-not-sell requests are honored, although personal data is not sold.

You do not need to cite a law when making a request. A clear instruction such as “delete my data” or “send my data” is enough; the strongest applicable protection is applied.

Personal data is shared only with providers who need it to deliver the booking, and only for that purpose.

• Airlines: Passenger name, passport number and date of birth for ticket issuance.
• Hotels: Name, stay dates, room notes and dietary information when needed.
• Local operators and drivers: Name, phone, pickup location and group size.
• Payment processor: The authorized bank processes the card transaction; full card data does not pass through local servers.
• Authorities: Information is shared only when required by law or court order.

Data is not shared with data brokers, third-party advertisers, marketing companies or affiliate sales partners. EU/UK data processed in Turkey is protected through Standard Contractual Clauses and equivalent safeguards.

Retention depends on the type of data and legal obligations.

• Booking records and payment history: Kept for 7 years for Turkish tax and audit requirements.
• Tokenized card references: May be retained by the bank for up to 7 years under PCI-DSS and banking rules.
• Passport copies: Deleted after the tour. Only the passport number may remain in the booking record for tax-audit purposes.
• Tour feedback and complaints: Kept for 2 years after resolution.
• Marketing email list: Kept until unsubscribe; removal is normally completed within 24 hours.
• Anonymous analytics cookies: Maximum 13 months.

Early deletion is possible for data that is not legally required. A privacy-minimize request is usually completed within 10 business days.

You may exercise privacy rights free of charge under KVKK, GDPR or the most protective applicable framework.

• Access: Receive a copy of the data held about you.
• Correction: Fix inaccurate contact, passport or booking details.
• Deletion: Remove data unless retention is legally required for booking or tax records.
• Restriction and objection: Pause or object to certain processing activities.
• Portability: EU/UK residents may request data in JSON or CSV format.
• Consent withdrawal: Withdraw previously given consent for future use.
• Complaints: You may contact KVKK or your local EU data authority.

Requests are handled within 1 month. Complex cases may be extended by up to 2 additional months with a written explanation.

If a personal-data breach creates risk for travelers, the incident is handled under KVKK and GDPR notification rules.

• Detection: Monitoring, access logs and staff reporting are used to identify suspicious activity.
• Containment: Affected systems are isolated and the breach route is blocked as quickly as possible.
• Assessment: Within about 24 hours, the affected data types and individuals are reviewed.
• Regulator notice: KVKK and, where relevant, EU authorities are notified within 72 hours after awareness if legally required.
• User notice: If risk is high, affected travelers are contacted directly with details and recommended steps.
• Remediation: Actions may include password resets, bank coordination or identity-monitoring support where appropriate.

Security measures include SSL, encrypted databases, role-based access, audits, no CVV or full card-number storage and separated production/development environments.

Privacy requests can be sent through the contact form on https://cappadociahotairballoon.com/, by email at [email protected], or by WhatsApp at +90 505 932 7978, +90 533 554 8555, +90 536 709 5098 and +90 532 450 8227. Responses are provided in the traveler’s preferred language whenever possible.

• Email: Use [email protected] and include “Privacy request” in the subject.
• Phone / WhatsApp: Use the WhatsApp numbers +90 505 932 7978, +90 533 554 8555, +90 536 709 5098 and +90 532 450 8227 every day from 09:00 to 18:00 (Istanbul, GMT+3) for urgent privacy concerns.
• Postal address: Use Kocamustafapasa Mah., Kocamustafapasa Cad. No: 107, Fatih / Istanbul / TURKIYE.
• Privacy handling: Data-protection requests are handled by the responsible management and operations team.

Simple requests such as unsubscribe or typo correction are often handled within 24 hours. Access and deletion requests are normally processed within 10 business days, while complex multi-booking cases may take up to the legal 30-day maximum.