Template / draft. This text is a starting point and not legal advice. Have a Turkish-licensed lawyer review and adapt it before publishing live.

Privacy policy

How Hotelcilik handles personal data — companion to the KVKK Aydınlatma metni

Who we are

Hotelcilik ("we", "us") is the provider of the Hotelcilik hospitality platform used by partner hotels to operate their guest services. This privacy policy describes how we handle personal data when you use the platform — whether as a hotel staff member, a guest scanning a QR code, or a hotel administrator.

For Turkish-language users, our binding privacy notice is the Aydınlatma metni under KVKK Madde 10.

What we collect

  • Identity: name, surname, date of birth, nationality, ID/passport number and expiry (where required by hospitality law).
  • Contact: email, phone, room number.
  • Account & session: for staff accounts — username, hashed password, session tokens.
  • Service data: requests you make (housekeeping, room service, taxi, etc.), their content, timestamps, and lifecycle status.
  • Notification data: messages sent by the hotel and your read state.
  • Technical: IP, browser, device — limited-retention security logs.

Why we process it

  • To provide the reservation, check-in, and stay services you requested
  • To deliver guest service requests to the right hotel staff
  • To meet legal obligations (e.g. accommodation reporting, tax law)
  • To measure and improve service quality (aggregated/anonymised statistics)
  • To prevent fraud and secure the platform
  • For marketing communication — only with your explicit opt-in

Legal basis

We rely on:

  • Performance of contract — for reservations, requests, and core service.
  • Legal obligation — accommodation reporting, tax, employment law.
  • Legitimate interest — service quality, fraud prevention, business continuity.
  • Consent — marketing emails, optional cookies; revocable at any time.

Under GDPR these map to Article 6(1)(b), 6(1)(c), 6(1)(f), 6(1)(a) respectively. Under KVKK they map to Madde 5(2)(c), 5(2)(ç), 5(2)(f), 5(1).

Who we share it with

  • The hotel you are staying at (the operational data controller for your stay)
  • Cloud infrastructure providers and processors — see the live sub-processor list.
  • Authorities, when legally compelled

Cross-border transfers: some infrastructure (database, storage, realtime) is hosted within the EU. Transfers between Türkiye and the EU rely on contractual safeguards. We will update this policy if the regulatory landscape changes (e.g. an EU adequacy decision for Türkiye).

How long we keep it

  • Reservation, guest, and request data: for the life of the hotel's contract with us, plus any retention period required by accommodation reporting law.
  • Authentication logs: 30 days, then anonymised aggregates only.
  • Marketing consent records: kept until consent is withdrawn, plus a short evidence window.

When a hotel ends its contract, the hotel administrator can export and delete all data themselves via /m/settings. We do not retain copies after deletion beyond ordinary backup rotation.

Your rights

You have the right to:

  • Know whether we process your data and, if so, get a copy (KVKK Madde 11; GDPR Article 15)
  • Have inaccurate data corrected (Madde 11(d); Article 16)
  • Have your data erased when no longer needed and there's no overriding legal duty (Madde 7; Article 17)
  • Restrict or object to processing (Articles 18 and 21)
  • Receive a portable copy (Madde 11; Article 20)
  • Withdraw consent at any time (where consent is the basis)
  • Lodge a complaint with the Personal Data Protection Authority (KVK Kurumu) or your local DPA

Exercise these by emailing privacy@hotelcilik.app. If you have a Hotelcilik manager account, the export and delete actions are available directly under /m/settings.

How we protect it

  • Encryption in transit (TLS) and at rest (managed by our database provider)
  • Per-tenant data isolation enforced at every API boundary
  • Audited support access — any action by internal staff on your hotel's data is logged
  • Password hashing with industry-standard algorithms (bcrypt-class via Better Auth)
  • Time-bound session cookies; rotation on key auth events

Changes to this policy

We will update this policy as the platform evolves. Material changes will be communicated to active hotels and visible at the top of this page with a "Last updated" date. Continued use of the platform after a change indicates acceptance.

Contact

For privacy-related questions: privacy@hotelcilik.app. For general support: support@hotelcilik.app.