KVKK clarification & GDPR notice
Data Protection Notice (KVKK & GDPR)
The formal data-protection notice of SGR Seyahat Acentası Turizm Ticaret Limited Şirketi (Uçhisar Taxi), explaining how your personal data is processed under the Turkish KVKK and the EU GDPR when you request an airport transfer.
Last updated: 1 July 2026
Data controller
The data controller (veri sorumlusu) responsible for your personal data is SGR Seyahat Acentası Turizm Ticaret Limited Şirketi, a licensed Turkish travel agency and member of TÜRSAB, trading as Uçhisar Taxi.
You can reach us at any time with a data-protection question or to exercise your rights. This is the formal notice; a shorter, plain-language Privacy Policy summarises it, but this text governs.
- Legal entity: SGR Seyahat Acentası Turizm Ticaret Limited Şirketi
- Legal form: Limited Şirketi (Ltd. Şti.), broadly comparable to a German GmbH
- Registered address: Tekelli, Karlık Sk. No:12, 50240 Uçhisar / Nevşehir, Türkiye
- MERSİS No: 0769216528900001
- Tax office / Tax No (Vergi No): Nevşehir / 7692165289
- TÜRSAB operating licence (işletme belge no): 13924
- Phone / WhatsApp: +90 537 609 53 81
- Email: info@uchisartaxi.tr
- Website: https://www.uchisartaxi.tr
Categories of personal data we process
We collect only the data we need to arrange and deliver your transfer. We do not knowingly collect special-category (sensitive) data, and our booking form contains no free-text field inviting health, religious or similar information. Please do not send us such data unless it is genuinely necessary (for example an accessibility need), in which case we process it only to serve you.
- Identity and contact data: your name, mobile/WhatsApp number and, if given, email address
- Booking and trip data: pickup and drop-off locations, date and time, number of passengers, vehicle class, flight number, and any notes you add (e.g. child-seat or luggage requests)
- Communication data: the content of the WhatsApp and other messages you exchange with us about your booking
- Technical and log data: IP address, device/browser information and server logs generated automatically for security and to operate the site
- Cookie and measurement data: identifiers set only after you consent via the cookie banner (Google Maps and Google advertising measurement)
- Payment data: none. We take no card details online and store none — see the dedicated section below
Purposes, legal bases and recipients
The table below sets out, for each processing activity, why we process your data, the legal basis under the KVKK (Law No. 6698) and the GDPR (Regulation (EU) 2016/679), and who receives it. Purpose (amaç) and legal basis (hukuki sebep) are stated separately, as the KVKK requires.
- Handling your booking request (contact and trip data): performance of a contract / steps taken at your request — GDPR Art. 6(1)(b) and KVKK m.5/2(c). Recipients: Supabase (database, EU region) and Vercel (hosting).
- Confirming your booking and communicating with you (e.g. pickup updates): performance of a contract — GDPR Art. 6(1)(b) and KVKK m.5/2(c). Recipient: Meta Platforms / WhatsApp (United States).
- Dispatching your assigned driver internally: our legitimate interest in operating the transfer efficiently — GDPR Art. 6(1)(f) and KVKK m.5/2(f). Recipient: Telegram.
- Keeping legal, tax and travel-agency records: compliance with a legal obligation — GDPR Art. 6(1)(c) and KVKK m.5/2(ç). Recipients: our accountant and, where required, the competent authorities.
- Displaying maps and routes: your consent — GDPR Art. 6(1)(a) and KVKK m.5/1 (açık rıza), given via the cookie banner. Recipient: Google.
- Advertising measurement and analytics: your consent — GDPR Art. 6(1)(a) and KVKK m.5/1, given via the cookie banner. Recipient: Google.
- Hosting, security and server logs: our legitimate interest in a secure, functioning website — GDPR Art. 6(1)(f) and KVKK m.5/2(f). Recipients: Vercel and Supabase.
- Fulfilling the state passenger-manifest obligation (U-ETDS): compliance with a legal obligation — GDPR Art. 6(1)(c) and KVKK m.5/2(ç). Recipient: the Turkish U-ETDS state system, where a licensed carrier must file passenger data before departure.
How we collect your data and its legal basis
We collect your data directly from you when you complete the booking-request form or message us on WhatsApp; technical and log data are generated automatically when you use the site. Because you provide it directly, this notice is our GDPR Article 13 information.
Providing your name, contact number, flight number and trip details is necessary for us to arrange the transfer: without them we cannot confirm your booking or ensure the driver can find and reach you. Consent-based items (maps and advertising measurement) are always optional and never a condition of booking.
International data transfers
Some of our processors operate outside Türkiye and outside the EU/EEA, so your data may be transferred abroad. Türkiye is not the subject of an EU adequacy decision, and equally these are onward transfers (yurt dışı aktarımı) under the KVKK. We rely on the following safeguards.
For the United States processors we use (Google and Meta/WhatsApp, and to the extent applicable our hosting providers), we rely on the EU–US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses (Art. 46(2)(c) GDPR), so that a lawful transfer basis remains in place even if the Framework is later invalidated.
Under GDPR Chapter V, the transfer of your booking data to your assigned driver and to us in Türkiye is necessary to perform the transfer you requested and is therefore made under Art. 49(1)(b) GDPR, supported by Standard Contractual Clauses where offered by the relevant provider.
Under the KVKK, cross-border transfers rely on the appropriate safeguards in KVKK m.9 — principally the Board's Standard Contract (Kurul Standart Sözleşme) or other appropriate safeguards — and not on your consent. Hosting in an EU region (e.g. Supabase) does not make a provider adequate under Turkish law; it remains an international transfer. You may request further detail on the safeguards in place, and a copy where one is available, using the contact details above.
How long we keep your data
We keep your data only for as long as necessary for the purpose it was collected for, or for as long as the law requires, after which it is deleted or anonymised.
- Booking data: approximately 3 years after the service, matching the general limitation period for potential claims
- Accounting and invoice records: 10 years, as required by Turkish commercial and tax law (TTK / VUK)
- Un-actioned enquiries that do not lead to a booking: 6 to 12 months
- Cookie and analytics identifiers: no longer than 14 months
- WhatsApp and Telegram message threads: deleted or anonymised within 12 months, unless a dispute or claim is live and we must retain them longer
No online payment
This website takes no payment. It creates a booking request only; the driver confirms it by WhatsApp, and you pay the driver in person, in Turkish Lira, on arrival. No card details are collected or stored by this website, and we operate no online-payment system. Accordingly, we process no payment-card data at all.
No automated decision-making
We do not carry out automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR. Prices are set by a fixed, published rule per route, and every booking is confirmed by a human driver — no profiling or automated profile-based decision governs your transfer.
Your rights
Depending on which law applies to you, you have the rights set out below. To exercise any of them, contact us at info@uchisartaxi.tr. We respond within 30 days under the KVKK and within one month under the GDPR (Art. 12(3)).
- Under the KVKK (m.11), you have the right to: learn whether your personal data is processed; request information if it has been processed; learn the purpose of processing and whether the data is used in line with that purpose; know the third parties to whom the data is transferred at home or abroad; request correction of incomplete or incorrect data; request erasure or destruction of the data under the conditions of m.7; request that any correction, erasure or destruction be notified to third parties to whom the data was transferred; object to a result arising exclusively from automated analysis of the data that is to your detriment; and claim compensation for damage arising from unlawful processing.
- Under the GDPR, you have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and the right to object (Art. 21).
- Where processing is based on your consent, you may withdraw that consent at any time (Art. 7(3) GDPR), without affecting the lawfulness of processing before withdrawal.
- You have the right to lodge a complaint with a supervisory authority (see below).
Complaints to a supervisory authority
If you believe your data has been processed unlawfully, you may contact us first so we can put things right, and you may also complain to the competent authority.
- In Türkiye: the Personal Data Protection Authority — Kişisel Verileri Koruma Kurumu (KVK Kurumu), kvkk.gov.tr, which the controller must respond to within 30 days.
- In the EU/EEA: your local Data Protection Authority. For residents of Germany, the competent Landesdatenschutzbehörde of your federal state, or the federal Commissioner (BfDI).
Consent for marketing is separate
This notice explains how we inform you about our processing (aydınlatma); it is distinct from consent (rıza). Any marketing messages are handled through a separate, unbundled explicit-consent (Açık Rıza) flow that you can give or refuse independently. Consenting to marketing is never a condition of making a booking, and you can withdraw it at any time.
If you book a bundled package (for example a transfer combined with a tour and/or an overnight stay) it is a paket tur, and additional package-travel rules and a separate agreement apply, which may affect the processing described here.