This Privacy Policy complies with both the Turkish Personal Data Protection Law (KVKK, Law No. 6698) and the EU General Data Protection Regulation (GDPR, Regulation 2016/679). Where these frameworks differ, we apply the higher standard of protection.
Contents
1. Data Controller
Odamigo Turizm Ltd. Sti. is the data controller responsible for processing your personal data.
Company: Odamigo Turizm Ltd. Sti.
Tax Office: Mecidiyekoy (Istanbul)
Tax ID (VKN): 6340420923
TURSAB License: 12754 (Group A)
Contact for data protection inquiries: privacy@eurotrain.tr
Website: https://eurotrain.tr
2. Data We Collect
2.1 Data You Provide:
a) Identity data: Full name, date of birth, nationality (required for booking).
b) Contact data: Email address, phone number.
c) Travel document data: Passport or ID number (required for certain international routes).
d) Payment data: Processed by our PCI DSS-certified payment provider; we do not store full card numbers.
e) Account data: Email, encrypted password (if you register).
f) Communication data: Messages to our support team.
2.2 Data We Collect Automatically:
a) Device and browser information (type, version, operating system).
b) IP address and approximate location (country level).
c) Pages visited, features used, and interaction patterns on the Platform.
d) Cookies and similar technologies (see Section 8).
2.3 Data from Third Parties:
a) Booking and ticket data from rail Operators (directly or via distribution partners).
b) Payment confirmation from our payment service provider.
c) Authentication data if you sign in via Google (name, email, profile photo).
3. How We Use Your Data
We process your data for the following purposes and legal bases:
β’ Process your booking and issue tickets
GDPR: Art. 6(1)(b) Contract | KVKK: Art. 5(2)(c) Contract
β’ Process payments securely
GDPR: Art. 6(1)(b) Contract | KVKK: Art. 5(2)(c) Contract
β’ Send booking confirmations and travel updates
GDPR: Art. 6(1)(b) Contract | KVKK: Art. 5(2)(c) Contract
β’ Provide customer support
GDPR: Art. 6(1)(b) Contract | KVKK: Art. 5(2)(c) Contract
β’ Comply with tax and legal obligations
GDPR: Art. 6(1)(c) Legal obligation | KVKK: Art. 5(2)(c)(e) Legal
β’ Improve Platform performance and security
GDPR: Art. 6(1)(f) Legitimate interest | KVKK: Art. 5(2)(f) Legitimate
β’ Send marketing communications (with consent)
GDPR: Art. 6(1)(a) Consent | KVKK: Art. 5(1) Explicit consent
β’ Fraud prevention and security
GDPR: Art. 6(1)(f) Legitimate interest | KVKK: Art. 5(2)(f) Legitimate
4. Data Sharing
We share your personal data only as necessary to provide our services:
β’ Railway Operators (directly or via authorized distribution partners): Name, DOB, travel documents β for ticket issuance and carriage
β’ Payment provider (PCI DSS Level 1): Transaction data (no full card numbers) β for secure payment processing
β’ Error monitoring service: Anonymized technical data β for platform stability
β’ Hosting providers (EU-primary): Anonymized access logs β for content delivery
β’ Database provider (EU-hosted): Encrypted booking data β for data storage
β’ Email service provider: Email address, booking reference β for transactional emails
For a detailed list of our current sub-processors, visit eurotrain.net/sub-processors.
We do not sell your personal data to third parties. We do not use your data for profiling or automated decision-making that produces legal effects.
5. International Data Transfers
Your data may be transferred to service providers located in the EU/EEA, Turkey, and other countries with appropriate data protection safeguards (Standard Contractual Clauses). For a current list of our sub-processors and their locations, visit eurotrain.net/sub-processors.
For KVKK compliance: Cross-border transfers are made pursuant to Article 9 of Law No. 6698, using approved standard contractual clauses and the KVKK Authority's adequacy determinations.
For GDPR compliance: Transfers outside the EEA are protected by Standard Contractual Clauses (Art. 46(2)(c) GDPR) or adequacy decisions (Art. 45 GDPR).
6. Data Retention
β’ Booking records: 10 years (Turkish Tax Law, TTK Art. 82)
β’ Payment records: 10 years (Tax and PCI compliance)
β’ Account data: Until account deletion + 30 days
β’ Support communications: 3 years from last contact
β’ Technical logs: 90 days (rolling)
β’ Cookie data: See Cookie Policy (Section 8)
β’ Marketing consent records: Duration of consent + 3 years
7. Your Rights
Under both KVKK and GDPR, you have the following rights:
a) Right of access: Request a copy of your personal data.
b) Right to rectification: Correct inaccurate or incomplete data.
c) Right to erasure: Request deletion of your data (subject to legal retention requirements).
d) Right to restriction: Limit how we process your data.
e) Right to data portability: Receive your data in a structured, machine-readable format.
f) Right to object: Object to processing based on legitimate interest or for direct marketing.
g) Right to withdraw consent: Withdraw consent at any time without affecting prior processing.
To exercise your rights, contact privacy@eurotrain.tr. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the KVKK Authority (kvkk.gov.tr) or your local data protection authority in the EU.
8. Cookies
β’ Strictly Necessary: Session, auth, security β Duration: Session β Consent not required
β’ Functional: Language, currency preferences β Duration: 1 year β Consent required
β’ Analytics: Platform improvement β Duration: 2 years β Consent required
β’ Performance: Error monitoring β Duration: Session β Legitimate interest
You can manage your cookie preferences through our cookie banner or your browser settings. Disabling strictly necessary cookies may affect Platform functionality.
9. Children's Privacy
Our Platform is not directed at children under 16. We do not knowingly collect personal data from children under 16 without parental consent. If you believe a child under 16 has provided us with personal data, please contact privacy@eurotrain.tr immediately.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
a) TLS/SSL encryption for all data in transit (HTTPS everywhere).
b) Encryption at rest for sensitive data in our database.
c) PCI DSS compliant payment processing (card data never touches our servers).
d) Role-based access control and audit logging.
e) Regular security assessments and continuous monitoring.
f) Rate limiting and DDoS protection on all endpoints.
In the event of a data breach, we will notify the KVKK Authority and affected individuals within 72 hours, as required by both KVKK and GDPR.
11. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be notified via email and posted on the Platform at least 30 days before taking effect. The "Last Updated" date at the top reflects the most recent revision.
12. Contact
General inquiries: Contact Form
Privacy/data protection: privacy@eurotrain.tr
KVKK Authority: https://kvkk.gov.tr EU ODR Platform: https://ec.europa.eu/consumers/odr