HOP ON HOP OFFTICKETS
Back to site
Privacy policyTerms & conditionsCancellation policy

Privacy Policy

Last updated July 4, 2026

Protecting your personal data is a priority for Authentic Day Tour. We are committed to being transparent about how we collect, use and share your information. This Privacy Policy explains how Authentic Day Tour, LLC ("Authentic Day Tour", "we", "us" or "our") processes your personal data when you use our website hoponhopofftickets.istanbul (the "Platform") and the hop-on hop-off sightseeing bus tickets and services we offer through it in Istanbul, Turkey.

By using the Platform you acknowledge that you have read and understood this Privacy Policy. This policy is written in English, and the English version prevails in the event of any dispute over its interpretation.

I. Definitions

In this Privacy Policy:

  • Authentic Day Tour, we, us or our means Authentic Day Tour, LLC, the operator of the Platform and the controller of your personal data.
  • Booking means an order for a hop-on hop-off sightseeing bus ticket or pass placed through the Platform.
  • GDPR means the EU General Data Protection Regulation (Regulation (EU) 2016/679).
  • KVKK means Turkey’s Law on the Protection of Personal Data No. 6698.
  • Supplier means the third party from which we source the hop-on hop-off tickets we sell to you.
  • Personal Data means any information relating to an identified or identifiable natural person.
  • Platform means the website hoponhopofftickets.istanbul.
  • You or your means the person using the Platform or making a Booking.

II. Controller and contact

Authentic Day Tour, LLC, United States of America. Email: support@authenticdaytour.com. Phone: +1 307 381 9665. If you have any questions about this Privacy Policy or how we handle your personal data, please contact us using the details above.

III. Information we collect

1. Information you provide to us

(a) Booking information. When you make a Booking we collect:

  • First and last name
  • Email address
  • Phone number
  • Your travel date and the pass you choose
  • The number of travellers

We use this information to process your Booking, issue your ticket and communicate with you about it.

(b) Customer service communications. When you contact us by email, live chat or WhatsApp, we collect your name, email, phone number, Booking details and the content of your message.

2. Information collected automatically

When you visit the Platform we automatically collect certain technical information through cookies and similar technologies (see Section V):

(a) Device and browser information:

  • Browser type and version
  • Operating system
  • Device type (desktop, mobile, tablet)
  • Screen resolution

(b) Usage information:

  • Pages visited and interactions
  • Referring URL
  • Date, time and duration of your visit
  • Click and scrolling behaviour

(c) Network information:

  • IP address
  • Approximate location derived from your IP address
  • Language preferences

We process this data to operate and secure the Platform, analyse usage and improve our service, based on our legitimate interests.

IV. How we use your information

We only process your personal data where we have a valid legal basis under the GDPR. The purposes and their legal bases are set out below.

1. Booking fulfilment and service delivery

We process your name, email and phone number to complete your Booking, issue your ticket and communicate any updates. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

2. Booking confirmations and communications

We send confirmations, tickets and important updates by email and WhatsApp. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

3. Cancellations and refunds

We process cancellation requests and refunds in line with our Cancellation Policy. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

4. Customer support

We process your communications to answer your questions and resolve issues. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and our legitimate interest in providing support (Art. 6(1)(f) GDPR).

5. Platform security and fraud prevention

We process automatically collected data, such as IP addresses and behavioural signals, to protect the Platform against fraud and abuse. Legal basis: our legitimate interest in security (Art. 6(1)(f) GDPR).

6. Analytics and platform improvement

We process aggregated and anonymised usage data to understand how the Platform is used and to improve it. Legal basis: our legitimate interest in improving our service (Art. 6(1)(f) GDPR).

7. Advertising measurement

With your consent, we use tracking technologies such as Meta Pixel and Google Ads to measure the effectiveness of our advertising. Legal basis: consent (Art. 6(1)(a) GDPR).

8. Legal compliance

We process personal data where required by law, regulation or a governmental request. Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).

V. Cookies and tracking technologies

We show a cookie consent banner on your first visit so you can accept or decline non-essential cookies.

1. Categories of cookies

(a) Strictly necessary cookies are essential for the Platform to work, for example to keep your booking session active. They cannot be disabled and do not require consent.

(b) Analytics cookies help us understand how visitors use the Platform through aggregated, anonymised data. They are only placed with your consent.

(c) Marketing cookies measure advertising effectiveness and are only placed with your consent.

2. Tracking technologies we use

(a) Google Analytics, provided by Google Ireland Limited, analyses how the Platform is used through cookies that collect interaction data and anonymised IP addresses. Google may process data outside the EEA, including in the USA, under the EU-U.S. Data Privacy Framework. More information: policies.google.com/privacy.

(b) Google Tag Manager, provided by Google, manages our tracking tags. It does not itself collect personal data but helps deploy other tracking technologies.

(c) Meta Pixel, provided by Meta Platforms Ireland Limited, measures advertising effectiveness on Facebook and Instagram using pseudonymised interaction data. Meta may process data outside the EEA under the EU-U.S. Data Privacy Framework. More information: facebook.com/privacy/policy.

(d) Google Ads, provided by Google, displays relevant advertisements across the Google network with your consent, using remarketing cookies. You can manage personalised advertising at adssettings.google.com.

(e) Microsoft Clarity, provided by Microsoft Corporation, helps us understand user interactions through aggregated session statistics and heatmaps, automatically masking sensitive input fields. Microsoft may process data outside the EEA under the EU-U.S. Data Privacy Framework. More information: privacy.microsoft.com.

3. Managing your cookie preferences

You can accept or decline non-essential cookies from the banner, and change your choice at any time using the "Cookie preferences" link in the footer. You can also manage cookies through your browser settings, and opt out of Google Analytics at tools.google.com/dlpage/gaoptout. Disabling certain cookies may affect how the Platform works. Your cookie choice is stored on your device until you change it or clear your browser data.

VI. Customer service

1. Support channels

You can reach us by email at support@authenticdaytour.com, through the live chat on the Platform, or on WhatsApp. We process your name, email, phone, Booking details and message content to respond to you and resolve your issue.

2. Live chat (Chatwoot)

Our live chat is powered by Chatwoot, hosted on our own infrastructure. Chat data is stored on our self-hosted servers and is not shared with third parties for their own purposes. Legal basis: performance of a contract and our legitimate interest in customer support (Art. 6(1)(b) and Art. 6(1)(f) GDPR).

3. WhatsApp

WhatsApp messages are processed through infrastructure operated by Meta Platforms Ireland Limited, which processes your phone number and message metadata under its own privacy policy. Meta may process data outside the EEA under the EU-U.S. Data Privacy Framework. More information: whatsapp.com/legal/privacy-policy.

VII. Booking process

1. Ticket purchase

To make a Booking we collect your first and last name, email, phone number, travel date and number of travellers, which are necessary to arrange and deliver your sightseeing experience. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Your Booking is processed through our booking and reservation platform (Point), and the details needed to issue and honour your ticket are shared with the relevant supplier.

2. Booking confirmations

We send confirmations, tickets and reminders by email (using Cloudflare) and, where you provide a phone number, by WhatsApp. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

3. Cancellations and refunds

You can cancel your Booking in line with our Cancellation Policy. We process the personal data necessary to handle your cancellation and refund. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

VIII. Information sharing and third parties

We do not sell your personal data. We share it only in the circumstances described below and only to the extent necessary.

1. Payment processing (Stripe)

All card payments are processed by Stripe, Inc. Your payment details are transmitted directly to Stripe’s secure servers. We do not collect, store or access your full card details, and we only receive confirmation of payment and a transaction identifier. Stripe acts as an independent controller and may process data in the USA under the EU-U.S. Data Privacy Framework. More information: stripe.com/privacy.

2. Booking and reservation platform (Point)

Your Booking is created and managed through Point, our booking and reservation platform, which processes your Booking data on our behalf under a data processing agreement so that your ticket can be issued and managed.

3. Ticket supplier

The details needed to issue and validate your ticket, such as your name and Booking reference, are shared with the supplier that provides it. The supplier acts as an independent controller for the service it provides.

4. Email communications (Cloudflare)

We send transactional emails, such as confirmations and tickets, using Cloudflare. Your email address and the message content are processed for this purpose. Cloudflare may process data in the USA under the EU-U.S. Data Privacy Framework. More information: cloudflare.com/privacypolicy.

5. Hosting and infrastructure (Vercel)

The Platform is hosted on Vercel, provided by Vercel Inc., which processes technical data such as IP address, request timestamps and browser information to deliver and secure the Platform. Standard firewall and bot-protection measures are applied to guard against automated attacks and abuse. Vercel may process data in the USA under the EU-U.S. Data Privacy Framework. More information: vercel.com/legal/privacy-policy. Legal basis: our legitimate interest in security (Art. 6(1)(f) GDPR).

6. Analytics and advertising providers

As described in Section V, we share limited data with Google, Meta and Microsoft for analytics and advertising measurement, subject to your consent for non-essential cookies.

7. WhatsApp (Meta)

As described in Section VI, WhatsApp is used for confirmations and support and is operated by Meta.

8. Legal and regulatory disclosures

We may disclose personal data where required by law, regulation, legal process or a governmental request, or where necessary to comply with a legal obligation, to protect our rights or property, to prevent or investigate wrongdoing, or to protect the personal safety of users or the public.

9. Business transfers

If we are involved in a merger, acquisition, reorganisation or sale of assets, personal data may be transferred as part of that transaction. We will notify you of any change of ownership or use of your personal data, as well as any choices you may have.

IX. International data transfers

Authentic Day Tour, LLC is based in the United States. If you access the Platform from outside the USA, your data may be transferred to, stored in and processed in the USA and other countries where our service providers operate.

For users in the EEA, the United Kingdom or Switzerland, transfers to countries that do not offer an adequate level of protection are safeguarded by the EU-U.S. Data Privacy Framework, Standard Contractual Clauses under Art. 46(2)(c) GDPR, or other appropriate safeguards required by law.

Service providerCountrySafeguard
StripeUSAEU-U.S. Data Privacy Framework
VercelUSAEU-U.S. Data Privacy Framework
CloudflareUSAEU-U.S. Data Privacy Framework
GoogleUSAEU-U.S. Data Privacy Framework
MetaUSAEU-U.S. Data Privacy Framework
MicrosoftUSAEU-U.S. Data Privacy Framework

X. Data retention

We keep your personal data only for as long as necessary for the purposes described above or as required by law.

Data categoryRetention period
Booking data (name, email, phone, ticket details)5 years from the Booking date, or as required by tax and commercial law
Payment records (transaction confirmations)We do not store card data; Stripe retains it under its own policy. Confirmations are kept for 5 years
Customer support communications (email, chat, WhatsApp)2 years from the last communication
Automatically collected data (analytics, logs)Google Analytics: 26 months; server logs: 30 days; Microsoft Clarity: up to 13 months
Cookie consent preferenceStored on your device until you change it or clear your browser data

When personal data is no longer needed, we securely delete or anonymise it.

XI. Children’s privacy

The Platform is intended for adults. Bookings that include children are made by the adult placing the order, and the Booking data relates to that adult. We do not knowingly collect personal data directly from children under 16 without the consent of a parent or guardian. If we become aware that we have inadvertently collected such data, we will delete it promptly. To report suspected collection of a child’s data, contact support@authenticdaytour.com.

XII. Automated decision-making

To prevent fraud, our payment provider (Stripe) and booking platform may automatically screen Bookings using signals such as transaction patterns, IP address and device characteristics, and a Booking may be declined if it is flagged as high risk. If your Booking is declined automatically, you can request human review, express your point of view and contest the decision by contacting support@authenticdaytour.com. Legal basis: our legitimate interest in fraud prevention and platform security (Art. 6(1)(f) GDPR).

XIII. Your rights

If you are in the EEA, the United Kingdom or Switzerland, you have the following rights under the GDPR. If you are in Turkey, you have equivalent rights under the KVKK.

  • Right of access (Art. 15 GDPR): obtain a copy of your personal data and information about how it is processed.
  • Right to rectification (Art. 16 GDPR): have inaccurate or incomplete data corrected.
  • Right to erasure (Art. 17 GDPR): have your data deleted where it is no longer necessary or where you withdraw consent.
  • Right to restriction (Art. 18 GDPR): restrict processing in certain circumstances.
  • Right to data portability (Art. 20 GDPR): receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21 GDPR): object to processing based on our legitimate interests.
  • Right to withdraw consent (Art. 7(3) GDPR): withdraw consent at any time, without affecting processing carried out before withdrawal.
  • Right to lodge a complaint (Art. 77 GDPR): complain to your local supervisory authority.
  • Right regarding automated decisions (Art. 22 GDPR): as described in Section XII.

To exercise any of these rights, contact us at support@authenticdaytour.com. We will respond within 30 days of receiving your request. We may need to verify your identity. For complex or high-volume requests, we may extend this period by a further 60 days and will let you know if we do.

XIV. Data security

We use appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction, including:

  • Encryption of data in transit using TLS/SSL
  • Secure payment processing through Stripe, which is PCI DSS Level 1 certified
  • Firewall and bot-protection measures
  • Self-hosted customer service infrastructure (Chatwoot)
  • Access controls that limit access on a need-to-know basis
  • Regular review of our collection, storage and processing practices

No method of transmission over the internet or electronic storage is completely secure, so while we work to protect your personal data we cannot guarantee its absolute security.

XV. Third-party links

The Platform may contain links to third-party websites or services that we do not operate. We are not responsible for the content or privacy practices of those third parties, and we encourage you to review the privacy policy of every site you visit.

XVI. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements or for other operational reasons. When we make changes we update the "last updated" date at the top of this page. For material changes we will provide a prominent notice on the Platform or contact you by email before the changes take effect.

XVII. Contact us

If you have any questions, concerns or requests regarding this Privacy Policy or your personal data, please contact us:

  • Authentic Day Tour, LLC
  • Email: support@authenticdaytour.com
  • Phone: +1 307 381 9665
HOP ON HOP OFFTICKETS

Istanbul's open-top, hop-on hop-off sightseeing bus. One ticket, unlimited rides and 12 stops across the historic peninsula, the Bosphorus and the modern city. Hop off wherever you like, then catch the next bus.

Explore

TicketsRoute & stopsDeparture pointsTimetable

Support

Traveller tipsFAQContact us
We accept
VisaMastercardAmexApple PayGoogle PayMaestro
Powered by Stripe
Privacy policyTerms & conditionsCancellation policy
Authentic Day Tour

© 2026 hoponhopofftickets.istanbul, operated by Authentic Day Tour, LLC · All rights reserved.

hoponhopofftickets.istanbul is an independent online platform operated by Authentic Day Tour, LLC for booking sightseeing experiences in Istanbul. We are not a public authority or the official operator of every service listed, and the prices shown may differ from those available at the point of sale.