
Operator and data controller

Legal entity
Check for Trips GmbH
Registered office
Hintergasse 6, 65428 Rüsselsheim, Germany
Commercial register
Darmstadt HRB 96248
VAT number
DE310315188
Managing director
Erdogan Tur
Support email
info@istanbulwelcomecard.com
Phone (Germany office)
+49 6142 301 9620
Phone (Türkiye, WhatsApp)
+90 544 870 31 34
Payment and data processors
Stripe (payment) · PayPal (payment) · Ratepay (BNPL) · Google Analytics 4 · Meta Pixel

Check for Trips GmbH acts as the data controller within the meaning of Art. 4(7) GDPR. All sales of IWC products, including those made through this micro-site, are fulfilled by the operator named above. Refunds are processed within 5–10 working days via the original payment method.

Legal · Privacy Policy · Version 3.0

What we keep, what we don't, and what you can do about it.

Plain English. Specific clauses. No legal fog. If the technical answer is "we pass your email to Stripe to charge your card," we write that — not "we may share data with third-party processors for purposes necessary to the provision of services." This policy applies to Hagia Sophia bookings and is identical across our five Istanbul attraction sites.

Effective
1 Jan 2026
Last reviewed
15 Mar 2026
Version
3.0
Legal review
Approved
Contents
  1. Who we are
  2. What data we collect
  3. Why we collect it
  4. How we collect it
  5. Booking & payment data
  6. Support & correspondence
  7. Analytics & cookies
  8. Third-party vendors
  9. Data sharing
  10. How long we keep it
  11. International transfers
  12. Security measures
  13. Your rights
  14. Children's data
  15. Changes to this policy
  16. Contact our privacy desk
i.

Who we are.

The data controller · registered company · what we do

Istanbul Tourist Information Ltd. is a TÜRSAB-licensed travel agency (licence A-7812) registered in Sultanahmet, Fatih, Istanbul, Türkiye. Turkish VAT number 3470891204. We have traded since 2016. We operate five related booking micro-sites for central Istanbul attractions — this one (Hagia Sophia), Topkapı Palace, Basilica Cistern, Bosphorus Cruises, and the Whirling Dervish Mevlevi Sema ceremony.

For the purposes of the EU General Data Protection Regulation (GDPR) and the Turkish Law on the Protection of Personal Data (KVKK, 6698), we are the data controller for every booking and support interaction with any of our sites. Our registered office handles privacy inquiries in English, Turkish, French, Spanish, German, and Italian.

ii.

What data we collect.

The short, specific list

We collect exactly four categories of personal data. Nothing more.

  • Booking data. Your name, email address, the ticket product, the date and time slot, the number of guests, and the payment reference our provider returns to us. On some bookings, also a contact phone number, your nationality for tax purposes, and — rarely — specific accessibility requirements you choose to share.
  • Support correspondence. The content of emails, WhatsApp messages, and any forms you submit to support. Plus metadata about when you sent them. These records stay linked to your booking reference.
  • Analytics events. Pseudonymous behavioural data — which pages you viewed, which CTAs you clicked, how far you scrolled. Captured only if you have consented to analytics cookies. No names attached.
  • Technical logs. Your IP address, browser user-agent string, and request timestamps. Logged automatically by our hosting provider for security and abuse prevention. Separate from booking data.

We do not collect payment card data, passport numbers, national ID numbers, health data, religious or political opinions, sexual orientation, or any other special-category data. If you voluntarily share such information in correspondence (e.g. mobility needs), we minimise, anonymise, or purge it promptly — see retention.

iii.

Why we collect it.

Lawful bases and specific purposes

Contractual necessity

For booking data and correspondence connected to a booking: we process your data to deliver the service you purchased. If you book a Hagia Sophia ticket, we hold your name and email because we need to send you the QR ticket. We process under GDPR Art. 6(1)(b) and KVKK Art. 5(2)(c). Without this data, we cannot sell tickets.

Legitimate interest

For security logs and fraud prevention, we process under Art. 6(1)(f). Our legitimate interest is keeping the booking system secure and available. This processing is limited to what is necessary and does not involve profiling or automated decisions.

Consent

For analytics cookies, marketing cookies, and any data use beyond contract delivery, we rely on your explicit consent via our cookie preferences tool. You can withdraw consent at any time from the footer of any of our sites.

Legal obligation

For invoicing, VAT compliance, and TÜRSAB licensing records, we process under Art. 6(1)(c). Turkish tax law requires seven-year retention of sales records — which is why some identifying data survives the routine deletion cycle.

iv.

How we collect it.

Direct from you, never purchased

Every byte of personal data we hold comes directly from you. We do not buy email lists. We do not scrape data. We do not receive data from third-party marketers, affiliates, or resellers.

Three collection points exist:

  • At checkout, when you enter the fields the booking form requires.
  • In support correspondence, when you write to us via email, WhatsApp, or a support form.
  • Through your browser, via automatic technical logs (always) and via analytics/marketing cookies (only after explicit consent).

We do not use embedded third-party widgets (live chat, external review tools, social media embeds). If that ever changes, it will be disclosed on this page and in the vendor section.

v.

Booking & payment data.

What happens when you check out

When you book a Hagia Sophia ticket, the following happens to your data, in order:

  • Your name, email, and slot selection are stored on our booking database hosted within the EU.
  • Your card data is entered directly into a Stripe-hosted iframe. It never touches our server. Stripe returns us a token — a payment reference — which we store against your booking for refunds and dispute resolution. We never see your card number, CVC, or 3-D Secure code.
  • Your booking reference and product details are forwarded to our ticketing provider for QR voucher generation. Only the fields the partner needs to issue the ticket.
  • A confirmation email is sent via our transactional email provider. The email contains your QR ticket and booking reference. This is the only communication you receive unless you separately opt in to other updates.
  • Your booking record stays on file for seven years for Turkish tax compliance. After year seven, routine deletion runs.

vi.

Support & correspondence.

What happens when you email us

When you email, WhatsApp, or fill a support form, we retain the thread linked to your booking reference. This lets us track context across multiple messages and reply with what we actually said last time.

Support threads are read only by human members of our Hagia Sophia support team — at present, three Istanbul-based staff (Selin, Mehmet, Zeynep). No data in support threads is used for marketing, profiling, or resale. Threads are retained for two years after the last message, then anonymised.

If your support message touches on sensitive categories (accessibility, health), we use only what is necessary to serve you on the day and then purge the sensitive fragment — typically within 30 days of the visit.

vii.

Analytics & cookies.

What's consent-gated and what isn't

We use cookies and similar technologies. Three categories:

  • Essential cookies. Keep your session active during checkout, remember your consent preferences themselves, provide basic security. Used without consent — the service cannot function without them.
  • Analytics cookies. Used only after you consent. Help us understand which pages work, which booking flows break, how guests move through the site. Pseudonymous — no names attached. Currently served via Google Analytics 4 with IP anonymisation enabled.
  • Marketing cookies. Used only after you consent. Help our ad measurement (Meta Pixel) understand which ads drove which bookings. Pseudonymous. Served only if you opt in.

You can change your preferences at any time — see Cookie Preferences, or click "Cookie settings" in any site footer. Withdrawing consent stops future collection; existing pseudonymous data is retained until its natural rotation (14 months for analytics).

viii.

Third-party vendors.

The full list of processors we share data with

We share personal data with the following processors, each under a written Data Processing Agreement. Every vendor on this list has been reviewed for GDPR and KVKK compliance.

| Vendor | Purpose | Data shared |
| --- | --- | --- |
| Stripe (payment processing · US with EU sub-processing) | Card payment execution, refund processing, fraud screening. | Name, email, billing address, payment card (entered into their iframe, never ours). |
| External sales API (ticketing partner · EU-based) | QR voucher generation for Hagia Sophia entry. | Name, email, product SKU, date, guest count, booking reference. |
| Transactional email (EU-based) | Sending confirmation emails and QR voucher delivery. | Your email address, booking reference, the email content itself. |
| Google Analytics 4 (US · consent-gated) | Aggregate traffic analysis. Only if you consent. | Pseudonymous event data. IP anonymised. No booking data. |
| Meta Pixel (US · consent-gated) | Advertising measurement. Only if you consent to marketing. | Pseudonymous conversion events. No booking-level detail. |
| Sentry (US · essential) | Error monitoring. Helps us fix booking bugs. | Anonymised error traces. Personal data in messages is scrubbed. |
| Hosting & CDN (EU region) | Serving the website and storing the booking database. | All booking and support data we hold. |

Every vendor in this list has signed a GDPR-compliant Data Processing Agreement, implements appropriate security measures, and processes data only on our instructions. We do not use vendors whose privacy practices we haven't reviewed — even free services.

ix.

Data sharing.

Who else sees your data · and when

We do not sell data. We do not rent data. We do not share data with marketers or affiliate partners. Full stop.

The only third parties who see your personal data are the processors listed above, and only for the specific purposes listed. We may additionally share data with:

  • Turkish tax authorities, if requested as part of a lawful audit of our VAT records. Not routine.
  • TÜRSAB, our licensing body, if they request records in relation to a formal customer complaint escalated to them.
  • Law enforcement or courts, only when compelled by a valid Turkish court order or equivalent. We disclose only what the order specifies.
  • Our legal counsel, if we need to seek advice on a specific complaint. Under attorney-client privilege.

x.

How long we keep it.

Every data type has an end date

  • Booking records: seven years from booking date, for Turkish tax compliance.
  • Support correspondence: two years from last message, then anonymised.
  • Payment references (Stripe tokens): seven years, linked to booking.
  • Sensitive support fragments (health, accessibility): up to 30 days after visit date, then purged.
  • Analytics events: 14 months, pseudonymous.
  • Marketing events: 13 months, pseudonymous.
  • Technical/security logs: 90 days.
  • Sentry error traces: 90 days.

At the end of each retention period, deletion happens automatically. No data survives beyond its period without a specific legal reason, which we document separately.

xi.

International transfers.

What leaves Türkiye · and under what safeguards

Some of our processors — Stripe, Google Analytics, Meta Pixel, Sentry — are US-based. Data that flows to them leaves Türkiye and the EU.

We rely on Standard Contractual Clauses (the European Commission's 2021 SCCs) with every non-EU processor, plus supplementary measures where warranted (encryption in transit and at rest, data minimisation, contractual restrictions on further processing). Where a processor is certified under the EU–US Data Privacy Framework, we document the certification and rely on it.

We do not transfer data to jurisdictions without adequate legal protections. If an EU adequacy decision changes during the effective period of this policy, we update our transfer mechanisms accordingly within 90 days.

xii.

Security measures.

Honestly: technical and organisational

We follow industry-standard security practices, not extraordinary ones, because we're a small operator. Specifically:

  • Encryption in transit (TLS 1.3) and at rest (database-level encryption via our hosting provider).
  • No card data on our servers. Stripe handles every card keystroke; we receive only tokens.
  • Role-based access. Our support team can see booking data; our accountant can see payment references; our developers can see anonymised error traces. No one sees everything by default.
  • Multi-factor authentication on every employee account that touches personal data.
  • Monthly security patching of all production systems, plus immediate patching for critical vulnerabilities.
  • Annual security audit by an independent Turkish information-security firm.
  • Breach notification process. If we suffer a personal data breach, we notify the national DPA within 72 hours and affected users as soon as we have enough detail to be useful.

We are not ISO 27001 certified. If that certification is important to you, use our services with that understanding.

xiii.

Your rights.

What you can demand from us · and how

Under GDPR and KVKK, you have extensive rights over your personal data. We implement all of them.

i.

Right to access

Ask us for a copy of every piece of personal data we hold about you. We deliver it in portable form (JSON or CSV) within 30 days of request, free of charge.

ii.

Right to rectification

Correct any data you think is wrong. Misspelled name on your booking, wrong email, inaccurate support transcript — tell us and we fix it within 10 working days.

iii.

Right to erasure

Demand deletion of your data. We comply within 30 days, subject to tax-record retention requirements (which we cannot override under Turkish law).

iv.

Right to restriction

Demand that we stop processing your data while a dispute is resolved. We hold it frozen; we do not delete, we do not use.

v.

Right to portability

Receive your data in a machine-readable format so you can take it elsewhere. GDPR Art. 20. We provide JSON, CSV, or both on request.

vi.

Right to object

Object to processing based on legitimate interest. We cease, unless we demonstrate compelling legal grounds that override your interests.

vii.

Right to withdraw consent

For anything we process under consent (analytics, marketing), withdraw at any time via the Cookie Preferences tool. Takes effect immediately for future collection.

viii.

Right to complain

Lodge a complaint with your national DPA (for EU residents) or the Turkish Kişisel Verileri Koruma Kurumu if you are in Türkiye. We prefer you write to us first.

To exercise any of these rights, write to our privacy desk. We respond to every request within 30 days — usually under five.

xiv.

Children's data.

We don't knowingly collect from children under 16

Our services are oriented to adults who purchase tickets — sometimes for family groups that include children. We collect children's names and ages only as metadata on a family booking (e.g. "two adults, one child aged 9") and only when the child's age affects the ticket rate.

We do not knowingly market directly to children. If a child under 16 contacts our support line without parental knowledge, we delete the data as soon as we identify the situation. If you're a parent and believe your child has shared data with us, email privacy@istanbul-tourist-information.com and we'll remove it within 48 hours.

xv.

Changes to this policy.

Version history and notice period

We update this policy when our processing changes — new vendor, changed retention, new jurisdiction, new legal basis. Material changes are announced at least 14 days before the effective date, by email to all customers with an active booking at the time.

Non-material changes (typo fixes, clarifications, link updates) are made without notice but always reflected in the version number and "last reviewed" date at the top of this page. We archive every prior version for three years.

xvi.

Contact our privacy desk.

For any privacy-related question
Privacy desk · dedicated inbox

We answer privacy mail within seven working days.

Access requests, deletion requests, corrections, consent withdrawals, and any complaint we should know about. Written by the same small team that handles your bookings, so we know the context.

Write to privacy@istanbul-tourist-information.com