Security & Privacy Policy

1. What we collect

Identification & contact data (name, email, phone, nationality)

Reservation details (selected flight, travel date, special requests)

Payment data (tokenized by our PCI-DSS-compliant gateway; we never store full card numbers)

Device & usage data (IP address, browser type, pages visited)

2. Why we collect it

To fulfill our contract with you (booking confirmation, flight operation)

To comply with Turkish aviation and accounting laws

To improve the user experience and site security

With your consent, to send promotions or surveys

3. Legal bases

Contractual necessity (Article 5/2-c KVKK)

Legal obligation (Article 5/2-ç)

Legitimate interest (Article 5/2-f)

Explicit consent for marketing communications (Article 5/1)

4. Data storage & transfer

Data are stored on encrypted servers located in the EU and Turkey. When required to share data with flight operators, we limit disclosure to what is strictly necessary (full name, nationality, weight if demanded for flight balance). No data are sold to third parties.

5. Retention period

Reservation records are kept for 10 years to meet statutory obligations; newsletter consent is retained until you unsubscribe.

6. Your rights

Under KVKK and, where applicable, GDPR, you may request access, correction, deletion, processing restriction, data portability, or lodge a complaint with the Turkish Personal Data Protection Authority (KVKK Kurumu).

7. Contact

Email privacy@balloonbooking.tr for any data-protection inquiries.

---

Prepared July 2025