Privacy Policy

Last updated: May 2026

This Privacy Policy explains how the personal data of visitors and customers ("User") who visit turlio.com (the "Site") and use our services is collected, processed, and protected.

Turlio undertakes to act in compliance with Turkish Law No. 6698 on the Protection of Personal Data ("KVKK"), the EU General Data Protection Regulation ("GDPR" — Regulation (EU) 2016/679), and the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021 — "UAE PDPL").

1. Data Controller

Data Controller: Turlio — an online travel booking platform operated by a sole proprietor based in Türkiye.

Contact: info@turlio.com

Detailed legal entity information (trade name, registration number, registered address) will be published on this page following formal company registration.

2. Personal Data Collected

The following personal data is collected during the booking process:

  • First name and surname
  • Email address
  • Phone number
  • Accommodation details (hotel name, area)
  • Booking details (date, number of guests, product preferences)
  • IP address and device information (for security purposes)
  • Cookie data (session ID, cart contents)

Your payment information (credit/debit card number, CVV, expiry date) is never stored on or transmitted through Turlio servers. Payment transactions are processed entirely by PCI DSS Level 1 certified Stripe infrastructure and are encrypted directly from your browser to Stripe servers.

3. Purpose of Processing

Collected personal data is processed only for the following purposes:

  • Creating, confirming, and sending e-vouchers for your bookings
  • Organizing tour, transfer and ticket services with licensed suppliers
  • Communicating with you regarding customer support requests
  • Fulfilling legal obligations (invoice issuance, tax reporting)
  • Providing evidence in the resolution of potential disputes
  • Ensuring site security and preventing fraud

Your personal information is never sold, rented, or shared for marketing purposes with third parties under any circumstances.

4. Legal Basis for Processing

Under KVKK and GDPR, our data processing activities rely on the following legal grounds:

  • Performance of contract (KVKK Art. 5/2-c, GDPR Art. 6(1)(b)): Processing your booking
  • Compliance with legal obligation (KVKK Art. 5/2-ç, GDPR Art. 6(1)(c)): Invoice retention, tax reporting
  • Legitimate interest (KVKK Art. 5/2-f, GDPR Art. 6(1)(f)): Service quality improvement, fraud prevention
  • Explicit consent (KVKK Art. 5/1, GDPR Art. 6(1)(a)): Marketing communications (optional, only with your permission)

5. Sharing with Third Parties

Your personal data is shared only with service providers strictly necessary for fulfilling your booking. The shared data is the minimum required to deliver the service (e.g., name, booking date, hotel information).

  • Tour and transfer operators (licensed suppliers across Dubai and the UAE): Name, date, guest count, hotel information for service delivery
  • Stripe (payment infrastructure, US-based, PCI DSS Level 1): Payment processing
  • SendGrid (email delivery, US-based): Booking confirmations, vouchers
  • Google Analytics (analytics, anonymized): Site usage statistics
  • Vercel (hosting, US-based): Site server infrastructure
  • Supabase (database, EU-based): Booking records

6. Cross-Border Data Transfers

Some of our service providers (Stripe, SendGrid, Vercel) are located outside Türkiye. Therefore, your personal data may be transferred to the United States and EU Member States with appropriate safeguards in place, under GDPR Standard Contractual Clauses (SCCs).

Pursuant to KVKK Art. 9 and GDPR Chapter V, the following measures are taken to ensure adequate protection of transferred data:

  • Data Processing Agreements (DPAs) are signed with all service providers
  • Data is transmitted over encrypted channels (TLS 1.3+)
  • Our service providers maintain certified data protection standards (ISO 27001, SOC 2)

7. Data Retention Period

Your personal data is retained for as long as necessary to fulfill the purpose of processing:

  • Booking and invoice data: 5 years (as required by Turkish Tax Procedure Law Art. 253)
  • Customer support correspondence: 2 years (as required by Turkish Consumer Protection Law)
  • Marketing consent data: Until consent is withdrawn or after 3 years of inactivity
  • Site analytics data: 26 months (Google Analytics standard)
  • Cookies: From end of session up to 24 months depending on cookie category

Upon expiration of the retention period, data is automatically deleted or permanently anonymized.

8. Data Security

The following technical and administrative measures are in place to ensure your data security:

  • All site traffic is protected with 256-bit SSL/TLS encryption
  • HSTS (HTTP Strict Transport Security) is active
  • Payment transactions are processed through PCI DSS Level 1 certified Stripe
  • Database access is restricted with Row Level Security (RLS)
  • Administrator access is protected with two-factor authentication (2FA)
  • Regular security audits and backup procedures are implemented

9. Your Rights

Under KVKK Art. 11 and GDPR Chapter III, you have the following rights:

  • Right to know whether your personal data is being processed
  • Right to request information if it has been processed
  • Right to learn the purpose of processing and whether it is used in accordance with such purpose
  • Right to know third parties to whom your data has been transferred domestically or abroad
  • Right to request correction of incomplete or inaccurate data
  • Right to request deletion or erasure of your data within the framework of KVKK and relevant legislation (right to be forgotten)
  • Right to request notification of correction, deletion and erasure procedures to third parties to whom data has been transferred
  • Right to object to a decision arising against you as a result of analysis of processed data through automated systems
  • Right to claim compensation in case of damage resulting from unlawful processing
  • Right to data portability (GDPR Art. 20): Receive a copy of your data in a structured format
  • Right to object to processing (GDPR Art. 21): Object to processing based on legitimate interest

To exercise these rights, you may apply via info@turlio.com. Your requests will be answered free of charge within 30 days at the latest (KVKK Art. 13, GDPR Art. 12).

10. Cookies and Tracking Technologies

Our site uses the following cookie categories to improve user experience:

  • Essential cookies (no consent required): Session ID, cart contents, cookie preference record. Required for site functionality.
  • Analytics cookies (consent required): Anonymous site usage analysis with Google Analytics
  • Marketing cookies (consent required): Ad effectiveness measurement with Meta Pixel

You may change your cookie preferences at any time via the cookie notice at the bottom of the page or through your browser settings.

11. Data of Persons Under 18

Our services are intended for individuals aged 18 and over. We do not knowingly collect personal data from children under 18. Should we become aware that a child's data has been submitted without parental/guardian consent, such data will be deleted as soon as possible.

As a parent/guardian, if you notice data you believe belongs to your child, please notify us at info@turlio.com.

During the booking process, only name and age (for pricing purposes) are collected for child passengers; the parent/guardian is the contracting party.

12. Data Breach Notification

Pursuant to KVKK Art. 12/5 and GDPR Art. 33-34, in the event that your personal data is accessed by unauthorized persons:

  • The Turkish Personal Data Protection Authority (KVKK) is notified within 72 hours
  • Affected users are notified via email as soon as possible
  • Potential risks and recommended precautions are transparently disclosed

13. Changes

This Privacy Policy may be updated from time to time. Significant changes will be announced on our site and the last updated date will be indicated. We recommend periodic review of this page.

14. Contact

For questions, requests, and complaints regarding our privacy policy:

Competent Data Protection Authorities:

  • Türkiye: Personal Data Protection Authority (KVKK) — kvkk.gov.tr
  • EU: Local Data Protection Authority (DPA)
  • UAE: UAE Data Office