Privacy, Data & Contact

We collect only what is needed to book, deliver and follow up on your tour. Nothing more.

• At booking: Full name, email, phone/WhatsApp number, country of residence.
• For ticketing and legal compliance: Passport number, nationality, date of birth — required by Turkish Civil Aviation Authority for domestic flights.
• For payment: Card-payment data is handled by our authorized Turkish acquiring bank (PCI-DSS certified). We see only a confirmation token and last 4 digits — never the full card number or CVV.
• Operational data: Tour preferences (hotel category, dietary needs, accessibility), tour feedback, messages exchanged with our team.
• Website analytics: Anonymous cookies for site performance — no personally identifiable data in cookies.

We never sell your data. The data we collect is used only to run your booking (bookings, flight tickets, hotel reservations, driver briefings) and to communicate with you (confirmations, reminders, optional newsletters you can opt out of anytime).

Tip: If you want to book a tour but prefer minimum disclosure, contact us on WhatsApp — we can take a booking with just lead name + email + phone. Passport details are only required close to the travel date (72 hours before flight ticketing).

Yes. We operate under Turkish data-protection law (KVKK) by default and apply GDPR-equivalent rights for travelers from the European Union and United Kingdom.

• KVKK (Turkey, Law 6698): Our primary legal framework as a Turkish company. We are a registered data controller with the Turkish Personal Data Protection Authority (KVKK).
• GDPR (EU, Regulation 2016/679): Applies to EU and UK resident travelers. You have the same rights as under KVKK plus a few additional EU-specific protections (data portability, right to object to automated decisions).
• Swiss Federal Act on Data Protection (FADP): We honor FADP rights for Swiss residents, equivalent to GDPR.
• CCPA (California): We honor "do not sell" requests for California residents, though we don't sell data to anyone in the first place.

You always have the right to choose which legal framework you want to be treated under — whichever is most favorable to you in the moment of your request is the one we apply.

Tip: You don't need to state a legal basis to exercise a right. Just email info@toursce.com with your request ("delete my data", "send me all my data", "correct my email") and we apply the strongest applicable protection automatically.

We share data only with the specific providers who deliver your booking, only to the extent necessary, and only under written data-processing agreements.

• Airlines: Passenger name, passport number, date of birth — mandatory for ticket issuance.
• Hotels: Name, arrival/departure dates, room preferences, dietary notes.
• Local operators (balloon, tours, drivers): Name, phone, hotel pickup point, group size.
• Payment processors: Handled by our Turkish acquiring bank — card data never reaches our servers.
• Authorities on legal request: Only when compelled by Turkish law or court order.

We do not share your data with:

• Marketing companies
• Data brokers
• Third-party advertisers
• Affiliate sales partners

No international transfer outside scope: If you are an EU/UK resident, your data may be processed in Turkey (our operational country). Turkey has an adequacy decision for GDPR purposes is still pending, so we rely on Standard Contractual Clauses (SCCs) and our commitment to equivalent protection.

Tip: You can request a full list of the specific suppliers that received your data for a given booking. Email info@toursce.com with your booking reference — we respond within 5 business days with the complete list.

Different data types have different retention periods, driven by legal obligation.

• Booking records and payment history: 7 years (required by Turkish tax law and fiscal audit).
• Credit card tokenized references: Up to 7 years by our bank, per PCI-DSS and Turkish banking regulation.
• Passport copies (if you sent them): Deleted immediately after tour completion. We only keep the passport number in the booking record for tax-audit purposes.
• Tour feedback and complaints: 2 years after resolution.
• Marketing email list: Until you unsubscribe. Unsubscribe removes you within 24 hours.
• Website analytics cookies: Anonymous, 13 months maximum.

You can request early deletion of any data not bound by a legal retention obligation. For example, we can delete all your marketing and operational data immediately after your tour while retaining the minimum booking record required by tax law.

Tip: After your trip, if you want to minimize your data footprint, send us a single email saying "close privacy-minimize-my-data request". We delete everything not legally required, unsubscribe you from newsletters, and confirm what remains and why. Standard processing within 10 business days.

You have strong rights under KVKK and GDPR. We honor all of them, for free, within one month of your request.

• Access: Request a copy of all data we hold on you.
• Rectification: Fix incorrect data (a wrong email, an old phone number, a misspelled passport name).
• Deletion ("right to be forgotten"): Delete all your data, subject to retention obligations on booking records.
• Restriction: Freeze processing while a dispute or correction is in progress.
• Objection: Opt out of marketing or of specific processing activities.
• Data portability (EU/UK residents): Receive your data in a machine-readable format (JSON / CSV) for transfer to another service.
• Withdrawal of consent: Withdraw any consent you previously gave, with future effect.
• Right not to be subject to automated decisions: We don't use automated decision-making, but if we ever did, you'd have the right to human review.
• Right to lodge a complaint: With the Turkish Data Protection Authority (KVKK) or your local EU data authority.

Exercising any right is free and handled within 1 month. Extensions up to 2 additional months only for complex requests, with written justification.

Tip: To make a request, send a single email to info@toursce.com with the subject "Privacy request — [your right]" and your booking reference if applicable. We confirm receipt within 3 business days and complete the request within the legal timeframe.

In the rare event of a personal-data breach that poses a risk to your rights, we follow both KVKK and GDPR breach-notification rules.

• Internal detection: Our monitoring and access logs flag anomalies; staff are trained to report suspected incidents immediately.
• Containment: Within hours, we isolate affected systems and block the breach vector.
• Assessment: Within 24 hours, we identify which personal data and which individuals may be affected.
• Regulator notification: Within 72 hours of becoming aware, we notify the Turkish KVKK (and relevant EU DPAs for EU travelers), as required by law.
• User notification: If the breach poses a high risk to your rights, we notify you directly by email and phone, describing what happened, what data was affected and what steps to take.
• Remediation: Password resets, card reissuance coordination with banks, identity-monitoring offers where appropriate.

We have not had a reportable breach to date. The measures we maintain to prevent one include: SSL everywhere, encrypted databases, role-based access control, annual security audits, no storage of card CVV or full PAN, and segregated development/production environments.

Tip: If you ever receive a suspicious email claiming to be from toursce asking for password, card number or passport, do not respond. Our official domain is toursce.com. When in doubt, call +90 533 554 85 55 or email info@toursce.com directly — we will confirm whether the message is legitimate.

Contact us directly for any privacy concern, data-access request, correction or deletion. Responses are in your preferred language.

• Email:info@toursce.com (primary).
• Phone / WhatsApp: +90 533 554 85 55, 09:00–18:00 Turkey time (UTC+3), Monday to Saturday.
• Postal address: Kocamustafapasa Mahallesi, Kocamustafapasa Caddesi No:107 D:1, Fatih / Istanbul / Türkiye.

Data Protection Officer (DPO) requests are handled by the same team; we are a small enough organization that the DPO responsibilities sit directly with the CEO and the head of operations.

If you are not satisfied with our response to a privacy request, you can complain to:

• Turkey: Kişisel Verileri Koruma Kurumu (KVKK) — kvkk.gov.tr
• EU: Your national data protection authority (list at edpb.europa.eu).
• UK: Information Commissioner's Office — ico.org.uk
• California: California Privacy Protection Agency — cppa.ca.gov

Tip: Response times: simple requests (unsubscribe, correction of a typo) within 24 hours; access and deletion requests within 10 business days; complex multi-booking requests up to the legal 30-day maximum. For urgent issues (suspected data misuse, phishing), call the WhatsApp number — we respond faster to voice than to email.