Privacy Policy and Personal Data Protection Notice
Explains how your personal data is collected, processed, stored, and protected when you use the Tourism Partner app and related services.
1.Definitions
The following terms are used throughout this Policy:
- App / Service: The Tourism Partner mobile application (iOS and Android), the websites under the
tourismpartner.worlddomain (including the main site and thereign.tourismpartner.worldadmin panel), and all related digital services. - User: Any natural person who downloads the App, creates an account, or otherwise uses the Service.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Special Categories of Personal Data: Data such as gender, health, and biometric data listed under Article 6 of Turkish Law No. 6698 (KVKK).
- Processing: Any operation performed on personal data — collection, recording, storage, modification, disclosure, transfer, classification, or restriction of use.
- KVKK: The Turkish Personal Data Protection Law No. 6698.
- GDPR: The European Union General Data Protection Regulation (EU 2016/679).
- Data Controller: Tourism Partner — the party that determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.
- Content: Any post, message, trip listing, review, photo, video, profile information, or other material created or shared by a User through the App.
2.Data Controller
Under Turkish Law No. 6698 (KVKK), Tourism Partner is the data controller for the processing of your personal data. You can reach the data controller at info@tourismpartner.world. Where registration with the Data Controllers' Registry (VERBİS) is required, the registration has been completed.
3.Personal Data We Collect
Tourism Partner collects and processes the following categories of personal data:
3.1. Identity and Contact Data
- Account registration data: first name, last name, username, email address, date of birth, gender.
- OAuth identifiers: The unique identifier assigned to you by Google or Apple when you sign in with those providers (Google ID or Apple ID).
- Profile photo (avatar) and optional biography text (bio).
- Phone number (optional): if you choose to add it to your account.
3.2. Profile and Preference Data
- Your city of residence (city level only — no GPS coordinates are collected).
- Languages you speak and your proficiency level.
- Interests, hobbies, and travel preferences (selected from predefined categories).
- Trip-creation preferences such as the "women-only participants" option.
3.3. User-Generated Content (UGC)
- Trip listings: route (origin/destination city), dates, category, capacity, description, cover image.
- Social feed posts: text, photo, video.
- Direct messages: one-to-one messages with other Users.
- Reviews: ratings and comments you leave after a trip.
- Social graph: users you follow / are followed by, users you have blocked.
- Content reports: the reason and description you provide when reporting content or another user.
3.4. Technical and Device Data
- Device information: operating system (iOS/Android), app version.
- Push notification token (FCM token): a unique identifier assigned to your device by Firebase Cloud Messaging, used to deliver push notifications.
- Device language: used to serve content in the correct language (Turkish/English).
- IP address: recorded at sign-up and during reports for security, abuse prevention, and legal compliance.
- Session data: sign-in timestamps, encrypted JWT token data.
3.5. Permission-Based Data
We only access the following data with your explicit in-app permission. If you decline, the related feature will not work, but the rest of the App remains usable.
- Camera and Photo Library: when you upload a profile photo, post photo/video, or trip cover image.
- Notifications: to receive push notifications (new message, application, follow, etc.).
- File picker: to upload documents during a guide application.
4.How We Collect Data
Your personal data is collected through the following channels:
- Directly from you: data you enter when creating an account, completing your profile, sharing content, messaging, and other user actions.
- Automatically: technical data generated by your device and transmitted to our servers as you use the App (device info, IP, session logs).
- From third-party identity providers: when you sign in with Google or Apple, the minimum profile data shared by these providers (email, name, user ID, profile image URL).
5.Purposes of Processing
Your personal data is processed for the following purposes:
| Purpose | Data Categories |
|---|---|
| Account creation, authentication, and session management | Identity data, OAuth identifiers, IP, session data |
| Displaying your profile and content to other users | Profile, content, and social graph data |
| Trip matching and social interaction | Location (city), hobby, language, preference, and content data |
| Messaging and real-time notification delivery | Message content, FCM token, session data |
| Content moderation and report handling | Content, report records, IP, account status |
| Service security and abuse prevention | Device, IP, session, and security logs |
| Fulfillment of legal obligations | Data necessary in the relevant scope (e.g. official authority requests) |
| Service improvement and error diagnosis | Anonymous technical logs, error reports |
| Communication and announcements (only with your explicit consent) | Contact information |
We never process your personal data for ad segmentation, behavioral targeting, or commercial sale to third parties. We do not score or profile you with automated decision-making mechanisms.
6.Legal Basis (KVKK Arts. 5 / 6)
We rely on the following legal grounds under Articles 5 and 6 of the KVKK:
- Formation and performance of a contract (Art. 5/2-c): account creation, matching, messaging, content display.
- Fulfillment of legal obligations (Art. 5/2-ç): log retention and reporting obligations under the Turkish Internet Act No. 5651.
- Legitimate interests of the data controller (Art. 5/2-f): service security, abuse prevention, content moderation, complaint handling.
- Explicit consent (Arts. 5/1, 6/2): for processing special-category data such as gender and for optional notifications/communications.
Gender information is processed so features like the "women-only participants" trip option can function correctly. Processing of this special-category data relies on your explicit consent, which is requested at sign-up. You may withdraw this consent at any time from in-app settings.
7.Data Sharing
Your personal data is shared with the following parties for the stated purposes:
7.1. With Other Users
Public fields of your profile (name, username, avatar, city, bio, hobbies/languages/preferences, follower/following counts, your trips, the reviews you have received), and any content you share within the App (posts, trip listings, reviews) are visible to other users. Your direct messages are visible only between you and the person you are messaging with.
7.2. Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Google LLC — Firebase Cloud Messaging | Push notification delivery | FCM token, notification content |
| Google LLC — Google Sign-In | OAuth authentication | Google ID, email, name, profile image URL |
| Apple Inc. — Sign in with Apple | OAuth authentication | Apple ID, optional email, name |
| Amazon Web Services (AWS) | Application server hosting | All application data (encrypted in transit) |
These providers process your data under their own privacy policies and act as data processors. They are contractually obliged to use the data only for the stated purposes.
7.3. Legal Authorities
We are obliged to share your data, to the extent required by applicable law, in response to duly issued written requests from courts, prosecutors, law enforcement agencies, the Information and Communication Technologies Authority (BTK), or other competent public authorities. Such sharing is performed within the obligations of the Turkish Internet Act No. 5651 and the Turkish Penal Code.
7.4. Legal Proceedings
We may share data with our professional advisors (lawyers, auditors) on a need-to-know basis to protect our rights, detect abuse, intervene in situations threatening user safety, or preserve evidence that may be subject to legal proceedings.
8.International Data Transfers
Our server infrastructure is hosted on Amazon Web Services and parts of your data may be processed in AWS data centers outside Turkey. We also use international service providers such as Google Firebase and Apple Sign-In.
Such international transfers are carried out within the scope of Article 9 of the KVKK and relevant decisions of the Turkish Personal Data Protection Authority, to countries that provide adequate protection or under mechanisms such as undertakings or Binding Corporate Rules. For users covered by the GDPR, Standard Contractual Clauses (SCCs) are applied.
9.Data Retention
| Data Category | Retention Period |
|---|---|
| Active account data (profile, content, social graph) | As long as your account is active |
| Data remaining after account deletion | Permanently erased from all systems within 30 days of the deletion request |
| Messaging content | Until one of the parties deletes the conversation or closes their account |
| Access/session logs, IP records | 2 years under the Turkish Internet Act No. 5651 |
| Content report records | 3 years for legal evidence retention |
| Data subject to legal obligations | For the periods stipulated by the relevant legislation |
10.Data Security
We apply the following technical and administrative measures to protect your personal data against unauthorized access, loss, alteration, or disclosure:
- Encrypted communication (TLS/HTTPS): all traffic between the App and our servers is encrypted.
- Token-based authentication (JWT): sessions are carried out with signed JSON Web Tokens.
- Password hashing (BCrypt): administrator passwords are stored as one-way cryptographic hashes; raw passwords are never retained.
- Secure local storage: credentials on mobile devices are stored encrypted in the iOS Keychain / Android Keystore.
- Role-based access control: the admin panel is accessible only to authorized Administrator accounts.
- Regular backups and disaster recovery: a backup policy is in place for critical data.
- Incident response: in the event of a data breach, notification will be made to the Turkish Personal Data Protection Authority and to affected users as soon as possible (as a rule, within 72 hours) in accordance with Article 12/5 of the KVKK.
Despite all technical measures, please note that data transmission over the internet is not 100% secure. Choosing a strong password, securing your OAuth account (Google/Apple), and keeping your device safe are your responsibility.
11.Children's Privacy
Tourism Partner is intended solely for users aged 18 and over. We technically enforce the 18+ check via the date of birth collected at sign-up. If we learn that a user is under the age of 18, the account is closed immediately and the related data is deleted.
If you suspect that we are collecting data from a child under 18, please notify us at info@tourismpartner.world and we will investigate the matter without delay.
12.Your Rights (KVKK Art. 11)
In relation to your personal data, you have the following rights under Article 11 of the KVKK:
- To learn whether your personal data is being processed.
- To request information if processing has taken place.
- To learn the purpose of processing and whether the data is used in line with that purpose.
- To know the third parties, in Turkey or abroad, to whom the data is transferred.
- To request correction if the data is incomplete or inaccurate.
- To request erasure or destruction within the conditions of Article 7 of the KVKK.
- To request that any correction or erasure be notified to third parties to whom the data was transferred.
- To object to outcomes against you that result solely from automated analysis.
- To claim compensation for damages caused by unlawful processing.
To exercise these rights you can apply by emailing info@tourismpartner.world. Your request will be evaluated and responded to within 30 days at the latest, in accordance with Article 13 of the KVKK. The application must comply with the requirements set out in the "Communiqué on the Procedures and Principles of Application to the Data Controller."
You can also initiate an account deletion request directly from within the App via "Settings → Account → Delete my account."
13.Cookie Policy
The mobile application does not use browser cookies. On the websites you access
through a browser (tourismpartner.world, reign.tourismpartner.world),
only the following technical cookies are used:
- Session cookies: required to keep your session open while signed in to the admin panel.
- Preference cookies: remember your theme and language choice in the browser.
No advertising, tracking, analytics, or third-party cookies are used on our websites. You can disable cookies entirely from your browser settings; in that case, the admin panel may not be functional.
14.Third-Party Services
The App uses the following third-party services. Each provider's own privacy policy applies; please review the links for details:
- Google — Privacy Policy (Sign-In, Firebase Messaging, Fonts)
- Apple — Privacy Policy (Sign in with Apple, APNs)
- Amazon Web Services — Privacy Notice
15.Changes to this Policy
We may update this Policy from time to time. In the case of material changes, we will notify you via in-app notification and/or your registered email address a reasonable time before the changes take effect. The latest version of the Policy is always published on this page. Continued use of the Service after the "Last Updated" date constitutes your acceptance of the updated version.
16.Contact
For any questions, requests, or complaints regarding our privacy practices, this Policy, or your KVKK rights, you can reach us via:
- Email: info@tourismpartner.world
When submitting a KVKK request, please include a document verifying your identity (e.g. a copy of your national ID card). Your application will be evaluated in accordance with the "Communiqué on the Procedures and Principles of Application to the Data Controller."