Privacy Policy

The data controller responsible for processing your personal data is HotelMaster Turizm Teknoloji A.Ş. ("HotelMaster", "we", "us"), operating from Istanbul, Turkey. Email: info@hotelmaster.com Web: hotelmaster.com For users residing in the EU/EEA: HotelMaster acts as a data controller under Regulation (EU) 2016/679 (GDPR). Turkey does not yet have an EU adequacy decision; transfers of personal data originating from the EU are made under appropriate safeguards pursuant to Article 46 GDPR (Standard Contractual Clauses — SCCs).

Identity Data: Full name, date of birth, national ID number (only where legally required), passport number, and nationality (for international bookings). Contact Data: Email address, phone number, postal/billing address. Booking and Travel Data: Stay dates, destination, room type, guest list, special requests (accessibility needs, dietary preferences, etc.), flight/transfer details. Financial Data: Payment method type (credit/debit card), billing details, transaction ID, and refund records. Card number, CVV, and expiry date are not stored on HotelMaster servers; these are tokenised by our PCI DSS-compliant payment processor (PayTR / iyzico). Device and Technical Data: IP address, browser type and version, operating system, device type, screen resolution, session duration. Usage Data: Pages visited, click and search history, filter preferences, time spent on the Platform, conversion funnel data. Cookie and Tracking Data: Session identifiers, preference cookies, analytics and marketing cookies. Authentication Data: OAuth access tokens from third-party providers (Google, Apple) and passkey (FIDO2) credentials.

Directly From You: We collect data when you create an account, make a booking, complete a payment, fill in a form, contact customer support, or write a review. Automatically: Technical and usage data is collected automatically as you use the Platform (via cookies, server logs, and analytics tools). From Third Parties: When you log in via Google or Apple, we receive the profile information permitted by those platforms. We may receive booking confirmations or change notifications from Suppliers.

Each processing activity is based on one or more of the following legal bases: Performance of a Contract (KVKK Art. 5/2-c | GDPR Art. 6/1-b): Creating bookings, processing payments, handling cancellations and refunds, customer support. Legal Obligation (KVKK Art. 5/2-ç | GDPR Art. 6/1-c): Tax law (10-year retention under Turkish Tax Procedure Law), internet log retention under Law No. 5651 (2 years), tourism law notifications, anti-money laundering regulations. Legitimate Interests (KVKK Art. 5/2-f | GDPR Art. 6/1-f): Fraud detection, platform security, service quality analysis, operational improvements. These interests do not override your individual data protection rights. Consent (KVKK Art. 5/1 | GDPR Art. 6/1-a): Marketing emails, personalised promotional recommendations, and marketing cookies. You may withdraw consent at any time; withdrawal does not affect the lawfulness of prior processing.

Service Delivery: Creating, managing, and confirming bookings; processing payments; coordinating with hotel, tour, and transfer suppliers. Customer Support: Responding to inquiries, resolving complaints, processing booking modifications and cancellations. Security and Fraud Prevention: Detecting suspicious activity, maintaining account security, monitoring for abuse. Risk scoring may involve automated decision-making; your right to contest such decisions is preserved. Service Improvement: Usage analytics, A/B testing, performance monitoring, feature development. Marketing (consent-based only): Personalised hotel and tour recommendations, discount and promotional notifications, newsletters. You can opt out at any time via the "unsubscribe" link in any communication. Legal Compliance: Tax filings, responses to official authority requests, litigation.

Your personal data is not shared with third parties outside the categories below. Your data is never sold for commercial purposes under any circumstances. Suppliers (Hotel, Tour, Transfer, Car Rental): Data necessary to fulfil your booking (name, stay dates, special requests) is shared with the relevant Supplier. Payment Processors: PayTR Ödeme ve Elektronik Para Hizmetleri A.Ş. and iyzico; solely for processing payments, within PCI DSS-compliant infrastructure. B2B Inventory Suppliers: RateHawk, Viator, and similar international providers; minimum necessary data for booking queries and confirmations. International transfers are subject to appropriate safeguards under KVKK Art. 9 and GDPR Art. 46 (SCCs). Technical Infrastructure Providers: Email delivery service, cloud hosting, error monitoring (Sentry), analytics (Google Analytics). Data Processing Agreements (DPAs) are in place with these providers. Authorised Public Authorities: In response to court orders, prosecutorial requests, or legal obligations. HotelMaster will notify you in advance wherever legally permissible. Group Companies: Affiliates or group companies of HotelMaster, solely for operational business purposes.

Some of our service providers and inventory partners operate outside Turkey. For such transfers: For EU/EEA-originated data: Standard Contractual Clauses (SCCs) under GDPR Article 46 are applied. For users in Turkey: Explicit consent or adequate protection standards as determined by the Turkish Data Protection Authority (KVKK) under Article 9 are ensured. Transfers to RateHawk (Russia/Cyprus) and Viator (TripAdvisor Group, USA) are conducted under contractual safeguards compliant with KVKK and GDPR requirements.

Your personal data is deleted, destroyed, or anonymised when the purpose for which it was collected ceases to exist or the applicable retention period expires. Tax and accounting records: 10 years (Turkish Tax Procedure Law Art. 253). Booking and contract data: 10 years (Turkish Code of Obligations, general limitation period). Internet log records: 2 years (Law No. 5651). Marketing data: Until consent is withdrawn, maximum 2 years. Account data: Until account deletion or 3 years of inactivity. Customer service correspondence: 3 years. Fraud/security incident records: 5 years. When you delete your account, personal data not subject to the mandatory statutory periods above is deleted or anonymised within 30 days.

Strictly Necessary Cookies: Required for core Platform functions (session management, security verification, shopping cart). Cannot be disabled; no consent required. Functional Cookies: Remember personalisation settings such as language preference, currency, and search filters. Can be disabled; some features may be affected. Analytics Cookies: Collect Platform usage statistics (Google Analytics 4). Data is processed in anonymised or pseudonymised form. Can be disabled via browser extensions or cookie preferences. Marketing Cookies: Used for personalised advertisements and recommendations. Activated only with your explicit consent; can be disabled at any time via the cookie preference panel. To manage your cookie preferences, use the "Cookie Settings" link in the Platform footer or manage cookies through your browser settings.

The following technical and administrative measures are applied to protect your personal data: Transport Layer Security (TLS 1.2+): All communications are encrypted end-to-end. Data Encryption: Sensitive data in the database is encrypted using AES-256. PCI DSS Compliance: Payment card data does not pass through HotelMaster systems directly; tokenisation is applied. Access Control: Personal data is accessible only to authorised personnel within the relevant business function; role-based access control (RBAC) is enforced. Security Monitoring: Continuous monitoring via Sentry and internal log systems. Regular Testing: Regular security assessments and vulnerability scans are conducted. Data Breach Notification: In the event of a personal data breach, HotelMaster will notify the Turkish Data Protection Authority (KVKK) within 72 hours and notify affected individuals within a reasonable period, in compliance with KVKK regulations and GDPR Articles 33–34.

Rights under KVKK (All Users — KVKK Art. 11): • To learn whether your personal data is being processed • To request information if it is being processed • To learn the purpose and whether data is used in accordance with that purpose • To know the third parties to which data is transferred domestically or abroad • To request correction of incomplete or inaccurate data • To request deletion or destruction under KVKK Art. 7 • To request notification to third parties of correction/deletion • To object to decisions arising solely from automated processing • To claim compensation for damages caused by unlawful processing Additional Rights under GDPR (Users Resident in the EU/EEA): • Right of access (Art. 15): Request a copy of data processed about you. • Right to rectification (Art. 16): Request correction of inaccurate data. • Right to erasure / "right to be forgotten" (Art. 17): Request deletion under specific conditions. • Right to restriction of processing (Art. 18): Restrict processing under specific conditions. • Right to data portability (Art. 20): Receive your data in a structured format or have it transferred to another controller. • Right to object (Art. 21): Object to processing based on legitimate interests. • Right to lodge a complaint: With the competent Data Protection Authority (DPA) in your EU country. Rights under CCPA (Users Resident in California, USA): • Right to know what personal information is collected. • Right to request deletion of personal information. • Right to opt out of "sale" or "sharing" of personal information (HotelMaster does not sell your data). • Right to correct inaccurate personal information. • Right not to be discriminated against for exercising these rights. How to Exercise Your Rights: Send an email to info@hotelmaster.com with "Data Subject Request" in the subject line. Requests are responded to within 30 days (GDPR legal deadline: 1 month, extendable by a further 2 months where necessary).

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from users under 18. If we become aware that data from a user under 18 has been collected inadvertently, we will delete it promptly. For users under 16 residing in the EU/EEA, consent must be given or authorised by a parent or guardian with parental responsibility (GDPR Art. 8). If you have concerns about this, please contact us at info@hotelmaster.com.

We may update this Privacy Policy from time to time. Material changes will be communicated to your registered email address at least 30 days before taking effect and announced on this page. For requests, questions, or complaints relating to your personal data: Email: info@hotelmaster.com Supervisory Authority in Turkey: Kişisel Verileri Koruma Kurumu (KVKK) Web: kvkk.gov.tr Supervisory Authority in the EU/EEA: The national Data Protection Authority (DPA) of your EU member state. (DPA directory: edpb.europa.eu/about-edpb/board/members_en) The current version of this policy is always available at hotelmaster.com/privacy-policy.