1. Updates to This Notice

We reserve the right to update this Notice in order to provide accurate and up-to-date information on practices and regulations relating to the protection of personal data.

In the event of any substantial change to this Notice, data subjects will be informed by appropriate means.


2. Purpose and Scope of the Notice

This Notice has been prepared to explain:

  • which personal data Cappadocia Cave Suites Hotel processes within the scope of its commercial activities,

  • the purposes for which such personal data are processed,

  • the parties to whom personal data may be transferred, and

  • the purposes for such transfers.

This Notice covers all channels through which personal data are collected, including both physical and digital environments.


3. Channels Through Which Personal Data Are Collected

3.1 Physical and Operational Channels

Personal data may be collected through (including but not limited to):

  • booking offices,

  • check-in counters,

  • kiosks,

  • inflight entertainment systems,

  • request and complaint channels,

  • boarding checkpoints,

  • surveys,

  • fairs and events,

by verbal, written or electronic means, and by automatic or non-automatic methods.

3.2 Digital and Commercial Channels

Personal data may also be collected through:

  • Cappadocia Cave Suites Hotel website and mobile applications,

  • agencies authorized to sell Cappadocia Cave Suites Hotel products and services,

  • online sales channels,

  • social media,

  • passenger and customer communications,

  • SMS channels,

  • business intelligence tools,

  • contracted merchants,

  • business / program partners and other airlines,

again by verbal, written or electronic means, and by automatic or non-automatic methods.

3.3 Digital Platforms

For the purposes of this Notice:

  • The website operated by Cappadocia Cave Suites Hotel (“Website”),

  • software and applications provided via computers or other smart devices (“Application”),

  • social media accounts administered by persons authorized to provide services on behalf of Cappadocia Cave Suites Hotel (“Social Media”),

and other similar channels are collectively referred to as “Digital Platforms”.


4. Which Personal Data Do We Process?

The categories of personal data processed by our Company vary depending on the nature of the legal relationship established with us. The main categories of personal data collected through all channels, including Digital Platforms, are listed below.

4.1 Identification Information

Personal data provided, for example, when:

  • creating an account on our Website or Application,

  • making a reservation,

  • benefiting from privileged services offered by Cappadocia Cave Suites Hotel and its business partners,

such as:

  • name,

  • surname,

  • identification number,

  • passport number,

  • and similar identification details.

4.2 Contact Information

Personal data provided in the course of using our services, such as:

  • e-mail address,

  • phone and mobile phone numbers,

  • social media contact information,

  • physical address,

  • and other contact details.

4.3 Location Data

Location data collected via location-based tools, for example for:

  • directions to the airport or hotel,

  • map views,

  • nearest car parking spaces,

  • lounge and facility usage information.

4.4 Advance Passenger Information (“API”)

Personal data including:

  • name,

  • nationality,

  • date of birth,

  • gender,

  • type and number of travel document,

  • date of issue and expiry,

  • issuing authority.

4.5 Information Relating to Family and Relatives

Personal data relating to the data subject’s relatives (such as spouse or children), including:

  • identification information,

  • contact information,

  • profession and education details, etc.

4.6 Customer Process Information

Personal data recorded in customer-facing processes and channels, such as:

  • call centers,

  • credit card statements,

  • box office receipts,

  • customer instructions relating to reservations (purchase, cancellation, postponement, changes),

and other records attributable to a specific person.

4.7 Process Security Information

Information processed for the security of digital transactions, such as:

  • website login/password information and similar data used when benefiting from products and services in digital environments.

4.8 Risk Management Information

Information processed for risk and security checks, such as:

  • results and records of various queries performed via public institutions,

  • records relating to security checks (e.g., whether a person is prohibited from boarding),

  • address registration system records,

  • IP logs and similar records.

4.9 Financial Information

Financial data such as:

  • credit / debit card information,

  • bank account and IBAN information,

  • balance information,

  • credit balance information,

  • other financial transaction details.

4.10 Physical Environment Security Information

Information collected in our physical premises, including:

  • entry / exit logs,

  • visitor information,

  • camera (CCTV) and audio records.

4.11 Legal Procedure and Compliance Information

Information processed in the context of:

  • requests and decisions of judicial or administrative authorities,

  • legal follow-up and compliance processes.

4.12 Audit and Inspection Information

Information relating to:

  • records and processes concerning the exercise and protection of our legal rights and claims related to the data subject.

4.13 Special Categories of Personal Data

Special categories of personal data processed only in cases explicitly provided for by law and, where required, based on your explicit consent, such as:

  • race, ethnic origin,

  • political opinion, philosophical belief, religion, sect or other beliefs,

  • dress and appearance,

  • membership of associations, foundations, unions or other organizations,

  • health and sexual life,

  • criminal convictions and security measures,

  • biometric and genetic data.

4.14 Marketing Information

Data used for marketing and profiling purposes, such as:

  • reports and evaluations about preferences, tastes, usage and travel habits,

  • targeting information,

  • cookie records,

  • data generated within data enrichment activities,

  • survey and satisfaction survey records,

  • information and evaluations arising from campaigns and direct marketing activities.

4.15 Request / Complaint Management Information

Information and records collected in relation to:

  • requests and complaints concerning our products or services,

  • internal reports and evaluations regarding the resolution of such requests by relevant business units.

4.16 Audio-Visual Information

Data such as:

  • photographs,

  • camera images,

  • voice recordings and similar audio-visual materials.


5. Transfer of Personal Data

Your personal data may be shared with:

  • parties providing products or services to us or on our behalf,

  • our suppliers and business partners from whom we receive support in establishing, executing and terminating our relationship with you,

  • parties with whom we cooperate for providing products and services to you.

Your data may also be shared with public institutions and private persons authorized by law, within the scope of their legal powers.

In all such cases, our Company takes the necessary precautions to ensure that the recipient parties process and transfer personal data in compliance with:

  • this Notice, and

  • applicable data protection legislation.

Personal data may be transferred to group companies, business partners, and legally authorized institutions and persons in line with the conditions and purposes of data processing set out in Articles 8 and 9 of the Law, and may be transferred abroad in accordance with Article 9 and the decisions of the Personal Data Protection Board.

5.1 Transfers Abroad

Your personal data may be transferred abroad only when:

  • your explicit consent is obtained, or

  • in the absence of explicit consent, at least one data processing condition set out in the Law is met, and

    • the country to which data are transferred provides adequate protection as determined by the Personal Data Protection Board, or

    • where adequate protection is not available, a written undertaking ensuring adequate protection is concluded between our Company and the data controller abroad, and the approval of the Personal Data Protection Board is obtained.


6. Retention of Personal Data

Our Company determines retention periods by taking into account:

  • applicable legal provisions, and

  • the purposes of data processing.

In particular, we consider:

  • statutory limitation periods,

  • legal obligations relating to the retention of personal data.

Once the purpose for processing ceases to exist, and unless there is another legal basis requiring further retention, personal data are:

  • deleted,

  • destroyed, or

  • anonymized.


7. Principles Relating to Personal Data Privacy

In all data processing activities, our Company acts in accordance with the following principles:

  • Lawfulness and conformity with rules of good faith,

  • Accuracy and keeping data up to date where necessary,

  • Processing for specific, explicit and legitimate purposes,

  • Being relevant, limited and proportionate to the purposes of processing,

  • Retention for the period stipulated in the relevant legislation or as long as necessary for the purposes for which they are processed.


8. Use of Digital Platforms

Your personal data may be processed during your use of Digital Platforms in order to:

  • manage and operate the Website and Application,

  • perform activities to optimize and improve user experience,

  • understand how the Website is used,

  • support and enhance the use of location-based tools,

  • manage your online accounts,

  • inform you about services offered near you.

Where you choose to benefit from specific products or services, your personal data will be processed only for the purpose of enabling you to receive such products and services.


9. Exercise of Rights by Data Subjects

You may exercise your rights set out under applicable data protection legislation and communicate your related requests to us using the contact information provided below.

Requests submitted by data subjects in relation to their rights will be assessed and concluded by us within thirty (30) days at the latest, in accordance with the limitations set out in the Law.

In principle, requests are processed free of charge. However, Cappadocia Cave Suites Hotel reserves the right to charge a fee according to the tariff determined by the Personal Data Protection Board if the request requires additional cost.

Our Company may request additional information from the applicant to verify that the requester is the data subject and may ask further questions to clarify the request, if needed.


10. Contact Details

Cappadocia Cave Suites Hotel
Gafferli Mahallesi, Ünlü Sokak No: 19
Göreme / Nevşehir 51080 – Türkiye

Fax: +90 (384) 271 27 63
Phone: +90 (384) 271 28 00, +90 (533) 134 44 22
WhatsApp: +90 (533) 134 44 22
E-mail: info@cappadociacavesuiteshotel.com


11. Data Security

We take all appropriate technical and organisational measures to safeguard your personal data and to mitigate risks such as:

  • unauthorized access,

  • accidental loss,

  • deliberate deletion,

  • damage or alteration of personal data.

In this context, our Company:

  • Ensures data security through protection systems, firewalls, and other software and hardware, including intrusion prevention systems against viruses and other malicious software,

  • Manages access to personal data on a need-to-know and role-based basis, in line with the nature of the data and the responsibilities of units / roles / applications,

  • Conducts necessary audits to ensure compliance with the Law, as required by Article 12,

  • Implements internal policies and procedures to ensure lawful data processing,

  • Applies stricter security and access rules to special categories of personal data,

  • Requires third parties accessing personal data in the course of outsourced services to undertake compliance with data protection laws and this Notice,

  • Takes necessary steps to inform all employees, especially those with access to personal data, about their duties and responsibilities under the Law.