The data behind a thirty-minute underground visit.

This site is operated by Istanbul Tourist Information Ltd., a Turkish limited company registered in Istanbul under TÜRSAB licence A-7812 and VAT number 3470891204. Registered office: Sultanahmet Mah. Divan Yolu Cad. 17, 34122 Fatih, Istanbul. Data officer: privacy@istanbul-tourist-information.com.

This privacy policy covers basilicacistern.istanbul-tourist-information.com, the dedicated booking and visitor-guide site for the Basilica Cistern. It does not cover the Municipality of Istanbul's own cistern operator site, nor any reseller.

Four categories. Nothing more.

Contact & booking data — cardholder name, email, phone, chosen slot time, ticket quantity, optional audio-guide language.

Payment data — card entered on Stripe's hosted page. We keep only last four digits + brand for your invoice.

Usage data — which pages you visit, referrer, device class. Anonymised before aggregation.

Support data — if you write to us, your email and our reply. Kept in our helpdesk for 36 months.

Each item sits under a specific GDPR legal basis.

Contract performance. Booking data — we can't issue a ticket without it. Art. 6(1)(b) GDPR.

Legal obligation. Turkish tax law — 10-year retention of transaction records. Art. 6(1)(c) GDPR.

Legitimate interest. Analytics, fraud detection, crash reports. Opt-out via cookie panel. Art. 6(1)(f) GDPR.

Consent. Marketing cookies and newsletters — explicit opt-in only. Art. 6(1)(a) GDPR.

Directly from you, in the booking form or a support email. We don't buy data lists, don't enrich with third-party sources, don't fingerprint your device. One exception: card details go directly to Stripe, which returns a token we use to reference the payment.

Your booking record: reference (BC- prefix), slot time, cardholder name, contact email, phone, ticket count, audio-guide language, VAT amount, total paid, refund history. Complete list.

Visible to you (via confirmation email) and our support team when you write in. The cistern gate attendant only sees a scanned QR code with quantity — no contact details.

Helpdesk tool: Front. Retention: 36 months. Not used for AI training. Not shared with marketing. Seen only by the support team + data officer.

GA4 with IP anonymisation, ad-signals disabled, demographics off. We see how many people arrive, where they drop off — not who they are. Sentry for crash reports with PII scrubbing before leaving your browser.

Each vendor has a signed DPA with us. Audited annually.

We don't sell, rent, or share data with partners for their own marketing. The vendors in section 08 are the only third parties, all acting as processors under our instructions.

Exception: valid Turkish court or tax-authority order. You will be notified unless forbidden by the order. Never happened in the history of the site.

Booking records — 10 years (Turkish tax law).

Support conversations — 36 months from last message, or until erasure requested.

Analytics — 24 months in GA4, aggregated after.

Crash reports — 14 days in Sentry.

Marketing cookies — 90 days or until revoked.

Primary infrastructure is EU-based (Frankfurt, Amsterdam). Stripe and Google route some data through US infrastructure under the EU-US Data Privacy Framework + SCCs (GDPR Art. 46).

TLS 1.3 everywhere. DB encryption at rest. 2FA required for all staff accounts. Quarterly pen-tests by a Turkish security firm. 72-hour breach notification commitment (tighter than GDPR's baseline).

Eight rights under GDPR (EU) and KVKK (Türkiye).

We do not knowingly collect data about under-16s. A parent can book a child's entry — cardholder is the parent's name, and only first names of children appear on the voucher.

Material changes: 30-day email notice before taking effect. Minor edits: posted without notification, version number increments in the header.