KVKK Disclosure Text
Personal Data Protection Law No. 6698 — Information Notice
This disclosure text ("Aydınlatma Metni") has been prepared by Limousinium ("Data Controller") in accordance with Article 10 of the Turkish Personal Data Protection Law No. 6698 ("KVKK") and the Communiqué on the Principles and Procedures to Be Followed in Fulfillment of the Obligation to Inform. This document aims to inform you about how your personal data is collected, processed, and protected.
Data Controller
The data controller responsible for the processing of your personal data is Limousinium, operating at limousinium.com, with its principal place of business in Istanbul, Turkey. As the data controller, Limousinium determines the purposes and means of processing personal data in compliance with KVKK.
Categories of Personal Data Processed
The following categories of personal data may be processed depending on the nature of your interaction with our services:
- Identity Data: Full name, Turkish ID number (T.C. Kimlik No), passport number, date of birth
- Contact Data: Email address, phone number, postal address
- Financial Data: Payment card details (processed via 3D Secure, not stored), IBAN (encrypted at rest), billing information, transaction records
- Location Data: Pickup and drop-off addresses, GPS coordinates during active transfers (drivers only), saved locations
- Vehicle & Driver Data: Driver license information, vehicle registration details, verification documents (for carriers and drivers)
- Digital Data: IP address, browser type, device information, cookies, session data, usage logs
- Transaction Data: Booking details, transfer history, payment records, confirmation numbers, activity logs
Purposes of Data Processing
Your personal data is processed for the following purposes, in accordance with Article 5 and Article 6 of KVKK:
- Executing and managing transfer booking agreements and fulfilling contractual obligations
- Processing payments, refunds, and managing financial transactions securely
- Verifying the identity of carriers, drivers, and agency account holders
- Providing real-time transfer tracking and status notifications
- Calculating route-based pricing, bridge tolls, and applicable discounts
- Managing carrier earnings, balance tracking, and withdrawal requests
- Ensuring platform security, preventing fraud, and protecting against unauthorized access
- Complying with legal and regulatory obligations (tax law, commercial law, consumer protection)
- Improving service quality through anonymized analytics and user feedback
- Communicating service updates, booking confirmations, and responding to support requests
Legal Basis for Processing
Your personal data is processed based on the following legal grounds as defined in Article 5(2) of KVKK:
- Article 5(2)(a): Processing is expressly provided for by law (tax regulations, commercial record-keeping)
- Article 5(2)(c): Processing is necessary for the performance of a contract (booking and transfer services)
- Article 5(2)(ç): Processing is necessary for the data controller to fulfill its legal obligations
- Article 5(2)(e): Processing is necessary for the establishment, exercise, or protection of a right
- Article 5(2)(f): Processing is necessary for the legitimate interests of the data controller, provided it does not harm the fundamental rights of the data subject (platform security, fraud prevention)
- Article 5(1): Explicit consent of the data subject (for optional analytics cookies and marketing communications)
Data Recipients and Transfers
Your personal data may be shared with the following recipients for the stated purposes, in compliance with Articles 8 and 9 of KVKK:
- Vehicle Carriers & Drivers: Booking details necessary to fulfill the transfer service (name, pickup/drop-off, flight info)
- Payment Processors: Garanti BBVA for 3D Secure payment processing — card data transmitted directly, not stored on our servers
- Cloud Infrastructure: Railway (hosting) and Cloudinary (document/image storage) — data may be transferred abroad with adequate protection measures per Article 9 of KVKK
- Mapping Services: Google Maps APIs for route calculation and live tracking
- Legal Authorities: Courts, regulatory bodies, and law enforcement when required by law or court order
For international data transfers, we ensure compliance with Article 9 of KVKK by implementing adequate protection measures, including contractual safeguards with service providers located outside of Turkey.
Data Collection Methods
Your personal data is collected through the following channels:
- Website (limousinium.com) — registration forms, booking forms, contact forms
- Mobile application — account registration, booking process, document uploads
- Automated systems — cookies, server logs, device information, GPS data (drivers)
- Email and phone communications — support requests, inquiries
- Third-party services — payment processors (transaction confirmations), mapping services (route data)
Data Security Measures
In accordance with Article 12 of KVKK, we implement the following technical and administrative measures to protect your personal data:
Technical Measures:
- TLS/SSL encryption for all data in transit
- Fernet symmetric encryption for sensitive financial data (IBAN) at rest
- JWT authentication tokens stored in httpOnly cookies (not readable by page scripts, which limits token theft via XSS)
- Brute-force login protection with automatic account lockout (django-axes)
- Content Security Policy (CSP) headers against unauthorized script execution
- 3D Secure payment processing — card data never stored on our servers
Administrative Measures:
- Access control policies — role-based access (admin, carrier, driver, agency)
- Regular security audits and dependency updates
- Data minimization — only collecting data necessary for stated purposes
- Contractual obligations with third-party service providers regarding data protection
Data Retention Periods
Personal data is retained for the periods necessary to fulfill the purposes for which it was collected, or as required by applicable legislation:
- Account data: Duration of account activity + 2 years after closure
- Booking and transaction records: 10 years (Turkish Commercial Code, Tax Procedure Law)
- Payment records: As required by financial regulations and Banking Law
- Carrier/driver verification documents: Duration of relationship + 5 years
- Server logs and analytics: Up to 12 months
- Cookies: Session cookies expire on browser close; persistent cookies up to 12 months
Upon expiration of the retention period, personal data is deleted, destroyed, or anonymized in accordance with the KVKK Data Deletion, Destruction, and Anonymization Regulation.
Your Rights Under KVKK (Article 11)
In accordance with Article 11 of KVKK, you have the following rights regarding your personal data:
- To learn whether your personal data is being processed
- To request information about processing if your data has been processed
- To learn the purpose of processing and whether it is used in accordance with its purpose
- To know the third parties to whom your data is transferred domestically or abroad
- To request correction of your data if it is incomplete or inaccurate
- To request deletion or destruction of your data under the conditions set forth in Article 7 of KVKK
- To request notification of correction, deletion, or destruction to third parties to whom data has been transferred
- To object to any result against your interests that arises from the analysis of your data exclusively through automated systems
- To request compensation for damages arising from unlawful processing of your data
How to Exercise Your Rights
To exercise your rights under Article 11 of KVKK, you may submit your request to us through the following methods:
- By email to info@limousinium.com with the subject line "KVKK Request"
- By written petition delivered to our registered address in Istanbul, Turkey
Your request must include your full name, Turkish ID number (if applicable), contact information, and a clear description of the right you wish to exercise. We will respond to your request free of charge within 30 days at the latest. If the request requires additional costs, the fee schedule determined by the Personal Data Protection Board may apply.
If your request is rejected or you find our response insufficient, you may file a complaint with the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) within 30 days of receiving our response, or within 60 days of the date of your original application if no response is received.
Changes to This Disclosure
This KVKK Disclosure Text may be updated from time to time due to changes in legislation, our data processing activities, or regulatory guidance. The updated version will be published on our website with a revised effective date. We recommend reviewing this page periodically.
Data Controller Contact Information
For all matters related to KVKK and your personal data:
For more information about how we handle your data, please also review our Privacy Policy.