Privacy Policy

We collect only the information needed to manage bookings, operate our website and provide travel services safely and correctly. The data may include:

• Identity information: full name, date of birth, nationality and gender.
• Contact details: email address, telephone number, postal address and preferred language.
• Passport and identity document details: passport number, issuing country, issue date and expiry date, requested only when required for hotel registration, domestic flights, restricted sites, airport services or other operational needs.
• Booking information: selected services, travel dates, number of travellers, pickup details, special notes, dietary needs and accessibility requests.
• Payment information: handled by our PCI-DSS compliant payment provider. Full card numbers are not stored on our own servers.
• Account information: username, encrypted password and profile preferences when you create a customer account.
• Technical information: IP address, device data, browser type, pages viewed and timestamps, used for security, analytics, fraud prevention and website functionality.

Your personal data is used for practical booking and service purposes, including to:

• process reservations and issue confirmations, vouchers, invoices and tickets;
• coordinate services with hotels, airlines, balloon operators, guides, drivers and local partners;
• contact you before, during and after travel about pickup times, itinerary changes, weather conditions or operational updates;
• provide customer support and handle requests, complaints, amendments or refunds;
• comply with tax, accounting, tourism and border-control obligations where applicable;
• detect, investigate and prevent fraud, abuse or unauthorized activity;
• send newsletters or promotional offers only when you have opted in.

We do not sell, rent or trade personal data. Information is shared only when necessary to provide the booked service or comply with legal duties. Recipients may include:

• Travel service partners — hotels, airlines, balloon operators, transfer companies, guides and local excursion providers that need traveller details to deliver the service.
• Payment providers — PCI-DSS compliant processors that securely handle card and online payment transactions.
• Technology and hosting providers — service providers working under data-processing terms and appropriate technical and organizational safeguards.
• Accountants, auditors and tax authorities — where business, accounting or legal rules require disclosure.
• Courts, public authorities or law enforcement — only when we receive a valid legal request or are legally required to respond.

Where data is transferred to partners outside the European Economic Area, we use Standard Contractual Clauses, adequacy decisions or equivalent protection mechanisms where required.

Because our travel services are operated in Türkiye and some technology or service partners may be located in Türkiye or other countries, certain personal data may be transferred outside the European Economic Area. When this happens, we rely on safeguards such as Standard Contractual Clauses, adequacy decisions, legally recognized transfer mechanisms or your explicit consent, so that your data remains protected in line with applicable privacy law.

Our website uses cookies and similar technologies to keep the site functional, remember preferences, maintain secure sessions, analyse traffic and improve the booking process.

Essential cookies are required for the website to work and remain active by default. Analytics, advertising and other non-essential cookies are used only after you give consent through the cookie banner. You may update your preferences at any time from the cookie-settings link in the website footer.

Our cookies are not designed to store full payment details or passport document contents.

We use administrative, technical and organizational safeguards to protect personal data against unauthorized access, accidental loss, misuse, alteration or disclosure. These measures may include TLS/SSL encryption, encrypted storage for sensitive fields, salted and hashed passwords, firewalls, access controls based on job role, activity monitoring, periodic security checks and confidentiality obligations for staff.

If a personal data breach is likely to create a high risk to your rights and freedoms, we will notify the competent authority and affected users as required by GDPR Articles 33 and 34.

Personal data is kept only for as long as it is needed for the purpose for which it was collected, or for the period required by law. Our general retention periods are:

• booking, payment and invoice records: up to 10 years where required by tax, accounting or tourism rules;
• passport details saved in My Account: until you delete them yourself or close your account, unless a legal retention duty applies;
• marketing contact information: until you unsubscribe or withdraw consent;
• customer account data: until the account is deleted, after which eligible data is erased within 30 days except records we must legally keep;
• website analytics data: anonymised or deleted within 26 months where applicable.

If you are protected by the GDPR, you may exercise the following rights, subject to the conditions and limits set by law:

• Right of access (Art. 15) — request a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete information.
• Right to erasure / right to be forgotten (Art. 17) — request deletion when data is no longer required or when another valid ground applies.
• Right to restriction of processing (Art. 18) — ask us to limit processing in specific circumstances.
• Right to data portability (Art. 20) — receive eligible data in a structured and machine-readable format.
• Right to object (Art. 21) — object to processing based on legitimate interests or direct marketing.
• Right to withdraw consent — withdraw consent at any time without affecting earlier lawful processing.
• Right to lodge a complaint — contact the data-protection authority in your country of residence.

You can exercise many of these rights from My Account or by writing to info@cappadociahotairballoon.com. We normally respond within 30 days.

You may remove saved passport records without contacting our support team:

1. Sign in to your account at cappadociahotairballoon.com.
2. Open My Account > Travellers > Passport Details.
3. Select the Delete button next to the passport record you want to remove.
4. Confirm the action in the pop-up window.

The record is deleted from the live database immediately. Encrypted backups are rotated and overwritten within 30 days.

You can request closure of your account and deletion of eligible personal data at any time:

1. Sign in to cappadociahotairballoon.com.
2. Go to My Account > Settings > Privacy.
3. Choose Delete my account.
4. Complete the on-screen confirmation. We may send a verification email to confirm that the request is genuine.

After confirmation, your account is disabled immediately and eligible personal data is erased within 30 days. This does not include records we are required to keep by law, such as invoices, payment records and accounting documents that may be retained for up to 10 years. Such residual records are kept in restricted archives and are not used for marketing.

We send newsletters, travel updates or promotional offers only when you have chosen to receive them. Each marketing email includes an unsubscribe option, and you can update your communication preferences at any time from My Account > Settings > Communications.

Our services are designed for adult customers. We do not knowingly collect personal data directly from children under 16. When a booking includes a minor, the information is provided by a parent or legal guardian, who accepts this Privacy Policy on behalf of the child.

We may revise this Privacy Policy when our services, legal requirements, technical systems or internal procedures change. The "last updated" date shows the most recent version. If a material change affects your privacy rights, we may notify you by email or by placing a clear notice on our website.