KVKK Information Notice

1. Data Controller

This Information Notice has been prepared by Tolerance Seyahat Turizm ve Organizasyon Anonim Şirketi (“Company”, “Lufer Tour”), as the data controller, pursuant to Article 10 of the Law No. 6698 on the Protection of Personal Data (“KVKK”) and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform.

Data Controller / Seller: Tolerance Seyahat Turizm ve Organizasyon Anonim Şirketi (operating under the “Lufer Tour” brand)

Address: Orhan Veli Kanık Caddesi No: 53/1 Kavacık / Beykoz / Istanbul

Tax Office/No: Beykoz Tax Office / 8490698779

MERSIS No: 0849069877900001

E-mail: bilgi@lufer.com.tr

Phone: +908504206464

Website: www.lufer.com.tr

2. Categories of Personal Data Processed

Lufer Tour, as a direct boat operator providing services in a B2C model, may process the following categories of personal data belonging to visitors, customers, members, and corporate business partners:

• Identity Data: Name and surname, Turkish ID number (only when required by law for invoice/manifest purposes), date of birth.
• Contact Data: E-mail, mobile phone, billing address.
• Customer Transaction Data: Reservation records, tour date/time preferences, number of persons, number of children/infants, option preferences (Breakfast, Dinner, etc.), cart and order history.
• Financial Data: Invoice information, payment approval number, refund records. Card number, CVV, and expiry date are not stored on the Company’s servers; the payment process is carried out via the PCI-DSS certified payment provider Iyzico (Iyzi Ödeme ve Elektronik Para Hizmetleri A.Ş.).
• Transaction Security Data: User password (hashed), session data, IP address, log records.
• Marketing Data: Cookie preferences, session/interaction data collected within the scope of GA4/Meta Pixel (only with explicit consent), affiliate (UTM/partner referral) parameters.
• Request / Complaint Data: Messages submitted via the contact form, customer reviews, refund/cancellation requests.

Our Company does not request or process special categories of personal data. Please do not share such data during communication.

3. Purposes of Processing Personal Data

• To make tour reservations, receive payments, issue invoices/receipts, and keep statutory records.
• To provide pre-tour/post-tour information and communicate any tour changes or cancellations.
• To respond to requests, questions, and complaints; to carry out refund processes.
• To create and maintain membership accounts and ensure session security.
• With your explicit consent, for marketing, campaign, and commercial electronic communication purposes, and to analyze the website via GA4/Meta Pixel.
• To fulfill legal obligations (tax, trade, tourism legislation, maritime manifest, etc.).
• To prevent and follow up on legal disputes.

4. Transfer of Personal Data

Your personal data may be transferred for the purposes stated below and in accordance with Articles 8 and 9 of the KVKK:

• Iyzico (Iyzi Ödeme ve Elektronik Para Hizmetleri A.Ş.): For 3D Secure payment, refund, and card storage (if chosen by the user) processes.
• Resend / Gmail SMTP: For sending reservation confirmations and system e-mails.
• Google Analytics 4 (Google Ireland Ltd.) and Meta Pixel (Meta Platforms Ireland Ltd.): Session and interest data may be transferred only if you give explicit consent to analytical/marketing cookies from the Cookie Consent Banner.
• Affiliate / Business Partners: Only anonymous conversion information (e.g., UTM parameters, order ID) is shared with the business partner that referred you to our site.
• Legal Authorities: To authorized public institutions such as courts, prosecutor’s offices, tax offices, and law enforcement authorities within the framework of the applicable legislation.
• Legal, Financial, and Audit Professionals: Under confidentiality obligations, within a limited scope.

Except for those listed above, your data is not sold, rented, or transferred for marketing purposes to third parties.

5. Method and Legal Grounds for Collecting Personal Data

Your personal data are collected through our website (lufertour.com), contact forms, call center, e-mail, social media channels, and cookies, by automated or partially automated means. Legal grounds:

• It is directly related to the establishment or performance of a contract (KVKK Art. 5/2-c).
• It is necessary for compliance with a legal obligation (KVKK Art. 5/2-ç).
• It is necessary for our legitimate interests (KVKK Art. 5/2-f).
• Your explicit consent has been obtained (especially for marketing cookies and commercial electronic communications, KVKK Art. 5/1).

6. Retention Periods

• Membership and reservation data: As long as membership is active + 10 years after termination of membership (TCC Art. 82).
• Invoice and financial records: 5 years pursuant to tax legislation.
• Marketing consents: Until consent is withdrawn; 3 years after withdrawal for evidentiary purposes.
• Server log records: 2 years (Law No. 5651).
• Contact form messages: 2 years.

7. Your Rights Under Article 11 of the KVKK

As a personal data subject, you have the right to learn whether your personal data is processed, to request information if it has been processed, to learn the purpose of processing and whether it is used in accordance with its purpose, to know the third parties to whom it is transferred domestically/abroad, to request correction if it is incomplete or incorrectly processed, to request deletion/destruction within the framework of the conditions set forth in Article 7 of the KVKK, to object to data processed through automated systems, and to claim compensation if you suffer damage.

You may submit your applications, in accordance with the “Communiqué on the Procedures and Principles of Application to the Data Controller,” together with documents verifying your identity, to bilgi@lufer.com.tr or to our correspondence address указан выше. Requests will be concluded free of charge within 30 days at the latest.