Privacy Policy
Last updated July 4, 2026
Protecting your personal data is a priority for Authentic Day Tour. We are committed to being transparent about how we collect, use and share your information. This Privacy Policy explains how Authentic Day Tour, LLC ("Authentic Day Tour", "we", "us" or "our") processes your personal data when you use our website hoponhopofftickets.istanbul (the "Platform") and the hop-on hop-off sightseeing bus tickets and services we offer through it in Istanbul, Turkey.
By using the Platform you acknowledge that you have read and understood this Privacy Policy. This policy is written in English, and the English version prevails in the event of any dispute over its interpretation.
I. Definitions
In this Privacy Policy:
- Authentic Day Tour, we, us or our means Authentic Day Tour, LLC, the operator of the Platform and the controller of your personal data.
- Booking means an order for a hop-on hop-off sightseeing bus ticket or pass placed through the Platform.
- GDPR means the EU General Data Protection Regulation (Regulation (EU) 2016/679).
- KVKK means Turkey’s Law on the Protection of Personal Data No. 6698.
- Supplier means the third party from which we source the hop-on hop-off tickets we sell to you.
- Personal Data means any information relating to an identified or identifiable natural person.
- Platform means the website hoponhopofftickets.istanbul.
- You or your means the person using the Platform or making a Booking.
II. Controller and contact
Authentic Day Tour, LLC, United States of America. Email: support@authenticdaytour.com. Phone: +1 307 381 9665. If you have any questions about this Privacy Policy or how we handle your personal data, please contact us using the details above.
III. Information we collect
1. Information you provide to us
(a) Booking information. When you make a Booking we collect:
- First and last name
- Email address
- Phone number
- Your travel date and the pass you choose
- The number of travellers
We use this information to process your Booking, issue your ticket and communicate with you about it.
(b) Customer service communications. When you contact us by email, live chat or WhatsApp, we collect your name, email, phone number, Booking details and the content of your message.
2. Information collected automatically
When you visit the Platform we automatically collect certain technical information through cookies and similar technologies (see Section V):
(a) Device and browser information:
- Browser type and version
- Operating system
- Device type (desktop, mobile, tablet)
- Screen resolution
(b) Usage information:
- Pages visited and interactions
- Referring URL
- Date, time and duration of your visit
- Click and scrolling behaviour
(c) Network information:
- IP address
- Approximate location derived from your IP address
- Language preferences
We process this data to operate and secure the Platform, analyse usage and improve our service, based on our legitimate interests.
IV. How we use your information
We only process your personal data where we have a valid legal basis under the GDPR. The purposes and their legal bases are set out below.
1. Booking fulfilment and service delivery
We process your name, email and phone number to complete your Booking, issue your ticket and communicate any updates. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
2. Booking confirmations and communications
We send confirmations, tickets and important updates by email and WhatsApp. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
3. Cancellations and refunds
We process cancellation requests and refunds in line with our Cancellation Policy. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
4. Customer support
We process your communications to answer your questions and resolve issues. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and our legitimate interest in providing support (Art. 6(1)(f) GDPR).
5. Platform security and fraud prevention
We process automatically collected data, such as IP addresses and behavioural signals, to protect the Platform against fraud and abuse. Legal basis: our legitimate interest in security (Art. 6(1)(f) GDPR).
6. Analytics and platform improvement
We process aggregated and anonymised usage data to understand how the Platform is used and to improve it. Legal basis: our legitimate interest in improving our service (Art. 6(1)(f) GDPR).
7. Advertising measurement
With your consent, we use tracking technologies such as Meta Pixel and Google Ads to measure the effectiveness of our advertising. Legal basis: consent (Art. 6(1)(a) GDPR).
8. Legal compliance
We process personal data where required by law, regulation or a governmental request. Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).
V. Cookies and tracking technologies
We show a cookie consent banner on your first visit so you can accept or decline non-essential cookies.
1. Categories of cookies
(a) Strictly necessary cookies are essential for the Platform to work, for example to keep your booking session active. They cannot be disabled and do not require consent.
(b) Analytics cookies help us understand how visitors use the Platform through aggregated, anonymised data. They are only placed with your consent.
(c) Marketing cookies measure advertising effectiveness and are only placed with your consent.
2. Tracking technologies we use
(a) Google Analytics, provided by Google Ireland Limited, analyses how the Platform is used through cookies that collect interaction data and anonymised IP addresses. Google may process data outside the EEA, including in the USA, under the EU-U.S. Data Privacy Framework. More information: policies.google.com/privacy.
(b) Google Tag Manager, provided by Google, manages our tracking tags. It does not itself collect personal data but helps deploy other tracking technologies.
(c) Meta Pixel, provided by Meta Platforms Ireland Limited, measures advertising effectiveness on Facebook and Instagram using pseudonymised interaction data. Meta may process data outside the EEA under the EU-U.S. Data Privacy Framework. More information: facebook.com/privacy/policy.
(d) Google Ads, provided by Google, displays relevant advertisements across the Google network with your consent, using remarketing cookies. You can manage personalised advertising at adssettings.google.com.
(e) Microsoft Clarity, provided by Microsoft Corporation, helps us understand user interactions through aggregated session statistics and heatmaps, automatically masking sensitive input fields. Microsoft may process data outside the EEA under the EU-U.S. Data Privacy Framework. More information: privacy.microsoft.com.
3. Managing your cookie preferences
You can accept or decline non-essential cookies from the banner, and change your choice at any time using the "Cookie preferences" link in the footer. You can also manage cookies through your browser settings, and opt out of Google Analytics at tools.google.com/dlpage/gaoptout. Disabling certain cookies may affect how the Platform works. Your cookie choice is stored on your device until you change it or clear your browser data.
VI. Customer service
1. Support channels
You can reach us by email at support@authenticdaytour.com, through the live chat on the Platform, or on WhatsApp. We process your name, email, phone, Booking details and message content to respond to you and resolve your issue.
2. Live chat (Chatwoot)
Our live chat is powered by Chatwoot, hosted on our own infrastructure. Chat data is stored on our self-hosted servers and is not shared with third parties for their own purposes. Legal basis: performance of a contract and our legitimate interest in customer support (Art. 6(1)(b) and Art. 6(1)(f) GDPR).
3. WhatsApp
WhatsApp messages are processed through infrastructure operated by Meta Platforms Ireland Limited, which processes your phone number and message metadata under its own privacy policy. Meta may process data outside the EEA under the EU-U.S. Data Privacy Framework. More information: whatsapp.com/legal/privacy-policy.
VII. Booking process
1. Ticket purchase
To make a Booking we collect your first and last name, email, phone number, travel date and number of travellers, which are necessary to arrange and deliver your sightseeing experience. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Your Booking is processed through our booking and reservation platform (Point), and the details needed to issue and honour your ticket are shared with the relevant supplier.
2. Booking confirmations
We send confirmations, tickets and reminders by email (using Cloudflare) and, where you provide a phone number, by WhatsApp. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
3. Cancellations and refunds
You can cancel your Booking in line with our Cancellation Policy. We process the personal data necessary to handle your cancellation and refund. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
VIII. Information sharing and third parties
We do not sell your personal data. We share it only in the circumstances described below and only to the extent necessary.
1. Payment processing (Stripe)
All card payments are processed by Stripe, Inc. Your payment details are transmitted directly to Stripe’s secure servers. We do not collect, store or access your full card details, and we only receive confirmation of payment and a transaction identifier. Stripe acts as an independent controller and may process data in the USA under the EU-U.S. Data Privacy Framework. More information: stripe.com/privacy.
2. Booking and reservation platform (Point)
Your Booking is created and managed through Point, our booking and reservation platform, which processes your Booking data on our behalf under a data processing agreement so that your ticket can be issued and managed.
3. Ticket supplier
The details needed to issue and validate your ticket, such as your name and Booking reference, are shared with the supplier that provides it. The supplier acts as an independent controller for the service it provides.
4. Email communications (Cloudflare)
We send transactional emails, such as confirmations and tickets, using Cloudflare. Your email address and the message content are processed for this purpose. Cloudflare may process data in the USA under the EU-U.S. Data Privacy Framework. More information: cloudflare.com/privacypolicy.
5. Hosting and infrastructure (Vercel)
The Platform is hosted on Vercel, provided by Vercel Inc., which processes technical data such as IP address, request timestamps and browser information to deliver and secure the Platform. Standard firewall and bot-protection measures are applied to guard against automated attacks and abuse. Vercel may process data in the USA under the EU-U.S. Data Privacy Framework. More information: vercel.com/legal/privacy-policy. Legal basis: our legitimate interest in security (Art. 6(1)(f) GDPR).
6. Analytics and advertising providers
As described in Section V, we share limited data with Google, Meta and Microsoft for analytics and advertising measurement, subject to your consent for non-essential cookies.
7. WhatsApp (Meta)
As described in Section VI, WhatsApp is used for confirmations and support and is operated by Meta.
8. Legal and regulatory disclosures
We may disclose personal data where required by law, regulation, legal process or a governmental request, or where necessary to comply with a legal obligation, to protect our rights or property, to prevent or investigate wrongdoing, or to protect the personal safety of users or the public.
9. Business transfers
If we are involved in a merger, acquisition, reorganisation or sale of assets, personal data may be transferred as part of that transaction. We will notify you of any change of ownership or use of your personal data, as well as any choices you may have.
IX. International data transfers
Authentic Day Tour, LLC is based in the United States. If you access the Platform from outside the USA, your data may be transferred to, stored in and processed in the USA and other countries where our service providers operate.
For users in the EEA, the United Kingdom or Switzerland, transfers to countries that do not offer an adequate level of protection are safeguarded by the EU-U.S. Data Privacy Framework, Standard Contractual Clauses under Art. 46(2)(c) GDPR, or other appropriate safeguards required by law.
| Service provider | Country | Safeguard |
|---|---|---|
| Stripe | USA | EU-U.S. Data Privacy Framework |
| Vercel | USA | EU-U.S. Data Privacy Framework |
| Cloudflare | USA | EU-U.S. Data Privacy Framework |
| USA | EU-U.S. Data Privacy Framework | |
| Meta | USA | EU-U.S. Data Privacy Framework |
| Microsoft | USA | EU-U.S. Data Privacy Framework |
X. Data retention
We keep your personal data only for as long as necessary for the purposes described above or as required by law.
| Data category | Retention period |
|---|---|
| Booking data (name, email, phone, ticket details) | 5 years from the Booking date, or as required by tax and commercial law |
| Payment records (transaction confirmations) | We do not store card data; Stripe retains it under its own policy. Confirmations are kept for 5 years |
| Customer support communications (email, chat, WhatsApp) | 2 years from the last communication |
| Automatically collected data (analytics, logs) | Google Analytics: 26 months; server logs: 30 days; Microsoft Clarity: up to 13 months |
| Cookie consent preference | Stored on your device until you change it or clear your browser data |
When personal data is no longer needed, we securely delete or anonymise it.
XI. Children’s privacy
The Platform is intended for adults. Bookings that include children are made by the adult placing the order, and the Booking data relates to that adult. We do not knowingly collect personal data directly from children under 16 without the consent of a parent or guardian. If we become aware that we have inadvertently collected such data, we will delete it promptly. To report suspected collection of a child’s data, contact support@authenticdaytour.com.
XII. Automated decision-making
To prevent fraud, our payment provider (Stripe) and booking platform may automatically screen Bookings using signals such as transaction patterns, IP address and device characteristics, and a Booking may be declined if it is flagged as high risk. If your Booking is declined automatically, you can request human review, express your point of view and contest the decision by contacting support@authenticdaytour.com. Legal basis: our legitimate interest in fraud prevention and platform security (Art. 6(1)(f) GDPR).
XIII. Your rights
If you are in the EEA, the United Kingdom or Switzerland, you have the following rights under the GDPR. If you are in Turkey, you have equivalent rights under the KVKK.
- Right of access (Art. 15 GDPR): obtain a copy of your personal data and information about how it is processed.
- Right to rectification (Art. 16 GDPR): have inaccurate or incomplete data corrected.
- Right to erasure (Art. 17 GDPR): have your data deleted where it is no longer necessary or where you withdraw consent.
- Right to restriction (Art. 18 GDPR): restrict processing in certain circumstances.
- Right to data portability (Art. 20 GDPR): receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): object to processing based on our legitimate interests.
- Right to withdraw consent (Art. 7(3) GDPR): withdraw consent at any time, without affecting processing carried out before withdrawal.
- Right to lodge a complaint (Art. 77 GDPR): complain to your local supervisory authority.
- Right regarding automated decisions (Art. 22 GDPR): as described in Section XII.
To exercise any of these rights, contact us at support@authenticdaytour.com. We will respond within 30 days of receiving your request. We may need to verify your identity. For complex or high-volume requests, we may extend this period by a further 60 days and will let you know if we do.
XIV. Data security
We use appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction, including:
- Encryption of data in transit using TLS/SSL
- Secure payment processing through Stripe, which is PCI DSS Level 1 certified
- Firewall and bot-protection measures
- Self-hosted customer service infrastructure (Chatwoot)
- Access controls that limit access on a need-to-know basis
- Regular review of our collection, storage and processing practices
No method of transmission over the internet or electronic storage is completely secure, so while we work to protect your personal data we cannot guarantee its absolute security.
XV. Third-party links
The Platform may contain links to third-party websites or services that we do not operate. We are not responsible for the content or privacy practices of those third parties, and we encourage you to review the privacy policy of every site you visit.
XVI. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements or for other operational reasons. When we make changes we update the "last updated" date at the top of this page. For material changes we will provide a prominent notice on the Platform or contact you by email before the changes take effect.
XVII. Contact us
If you have any questions, concerns or requests regarding this Privacy Policy or your personal data, please contact us:
- Authentic Day Tour, LLC
- Email: support@authenticdaytour.com
- Phone: +1 307 381 9665