Privacy Policy
Last updated: 24 March 2026 · Version 1.0 · dpo@utubooking.com
1. Who We Are
UTUBooking Ltd (“we”, “us”) is the data controller for personal data collected through utubooking.com and our mobile apps.
| | |
|---|---|
| Data Protection Officer | dpo@utubooking.com |
| KVKK Contact | kvkk@utubooking.com |
| Response time | 30 days (GDPR Art. 12 / KVKK md.13 / DPDP §12) |
| Registered address | [UTUBooking Ltd registered address] |
2. What Data We Collect
| Category | Examples | Why collected |
|---|---|---|
| Identity | Name, nationality, passport number | Booking fulfilment; Hajj/Umrah regulatory requirements |
| Contact | Email address, phone number | Booking confirmation, customer support |
| Payment | Card last 4 digits, gateway transaction ID | Payment processing (card data handled by PCI-DSS certified gateways) |
| Usage (consent) | Pages visited, search queries, booking funnel | Analytics — only with your explicit consent |
| Technical | IP address, browser type, device ID | Security, fraud prevention, consent audit |
| Religious context | Hajj / Umrah booking implies religious practice | Explicit consent obtained (GDPR Art. 9(2)(a)) |
We do not collect: precise GPS location, biometric data, or racial/ethnic origin beyond nationality.
3. Legal Basis for Processing
| Processing | Legal Basis | Reference |
|---|---|---|
| Booking fulfilment | Contract performance | GDPR Art. 6(1)(b) / KVKK md.5/2(c) |
| Account management | Contract performance | GDPR Art. 6(1)(b) |
| Tax records (7 years) | Legal obligation | GDPR Art. 6(1)(c) |
| Analytics cookies | Your consent | GDPR Art. 6(1)(a) / DPDP §6 |
| Marketing communications | Your consent | GDPR Art. 6(1)(a) / KVKK md.5/1 |
| Fraud prevention | Legitimate interest | GDPR Art. 6(1)(f) |
| AI pricing (aggregate) | Legitimate interest (no PII enters AI) | GDPR Art. 6(1)(f) — DPIA conducted |
| Religious data (Hajj context) | Explicit consent | GDPR Art. 9(2)(a) |
4. How Long We Keep Your Data
| Data category | Retention period |
|---|---|
| Booking records | Contract duration + 7 years (tax law) |
| Account profile | While account is active + 30 days post-deletion |
| Payment records | 7 years (financial regulation) |
| Analytics data | 13 months |
| Consent audit log | Permanent (GDPR Art. 7(1) — we must prove consent) |
| Erasure request log | 7 years post-completion (Art. 17(3)(e)) |
| Marketing data | Until consent withdrawn |
5. Who We Share Your Data With
We share your data only where necessary for service delivery. We never sell your data.
| Recipient | Purpose | DPA |
|---|---|---|
| Payment gateways (Stripe, STC Pay, Iyzico, Midtrans, iPay88, JazzCash, Easypaisa) | Payment processing | Stripe: ✅ SCCs · Others: contractual restrictions |
| Hotelbeds API | Hotel inventory | Booking data only |
| Amazon Web Services | Cloud infrastructure | AWS DPA + SCCs |
| Anthropic (Claude AI) | Pricing model — aggregated metrics only, no PII | DPA in progress |
| Legal authorities | When required by law (court order, etc.) | N/A |
6. International Transfers
Your data may be processed in these locations, each with an appropriate safeguard:
| Location | Shard | Safeguard |
|---|---|---|
| AWS Frankfurt (eu-central-1) | EU/TR users | Within EU — no transfer mechanism needed |
| AWS Bahrain (me-south-1) | KSA/UAE/KWT/JOR/MAR/TUN users | Standard Contractual Clauses (SCCs) |
| AWS Mumbai (ap-south-1) | IN/PK users | DPDP data localisation compliant |
A copy of applicable SCCs is available on request from dpo@utubooking.com.
7. Your Rights
| Right | Description | How to exercise | Law |
|---|---|---|---|
| Access | Get a copy of all data we hold | In-app · dpo@utubooking.com | Art. 15 · DPDP §12 |
| Rectification | Correct inaccurate data | Edit profile in app | Art. 16 · KVKK md.11 |
| Erasure | “Right to be forgotten” | In-app · DPO email | Art. 17 · DPDP §13 |
| Restriction | Limit how we use your data | dpo@utubooking.com | Art. 18 |
| Portability | Receive your data as a file | In-app (JSON-LD download) | Art. 20 |
| Object | Object to legitimate-interest processing | dpo@utubooking.com | Art. 21 · KVKK md.11(e) |
| Withdraw consent | Withdraw any consent at any time | Cookie settings or DPO email | Art. 7(3) · DPDP §6 |
Response time: 30 days. Complex requests may take up to 90 days — we will notify you in advance. Email dpo@utubooking.com with subject “Data Rights Request” and your registered email address.
8. Cookies
| Category | Purpose | Consent required |
|---|---|---|
| Strictly Necessary | Session management, security, booking state | No (Art. 6(1)(b) — contract) |
| Analytics | Usage tracking, funnel analysis | Yes — opt-in only |
| Marketing | Personalised offers, retargeting | Yes — opt-in only |
Manage your preferences via the cookie banner (shown to EU/UK/TR/IN users) or email dpo@utubooking.com.
9. Automated Decision-Making (GDPR Art. 22)
Our AI Pricing Engine generates hotel price recommendations using aggregated occupancy and demand data. No personal data (name, email, nationality, booking history) enters the AI model. Pricing is set per hotel × date pair — the same price applies to all users for a given search.
This does not constitute an automated decision with legal or similarly significant effect on individual users (EDPB Guidelines 05/2020 §16). You may request a human review of any price by contacting support@utubooking.com.
10. Data Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33 / DPDP §8) and inform affected users without undue delay if the breach poses a high risk to their rights.
11. Right to Complain
We encourage you to contact us first at dpo@utubooking.com. You also have the right to lodge a complaint with your national supervisory authority:
| Jurisdiction | Authority |
|---|---|
| UK | Information Commissioner’s Office (ICO) — ico.org.uk |
| EU (Ireland) | Data Protection Commission — dataprotection.ie |
| France | CNIL — cnil.fr |
| Germany | BfDI — bfdi.bund.de |
| Turkey (KVKK) | Kişisel Verileri Koruma Kurumu — kvkk.gov.tr |
| India (DPDP) | Data Protection Board of India — dpdp.gov.in |
12. Changes to This Policy
Material changes will be notified by email or in-app notice at least 30 days before they take effect. Previous versions are available from dpo@utubooking.com.
13. California Privacy Rights (CCPA / CPRA)
This section applies to residents of California under the California Consumer Privacy Act (CCPA) 2018 and its amendment, the California Privacy Rights Act (CPRA) 2023.
California Seller of Travel Registration: UTUBooking is registered as a California Seller of Travel. Registration No. 2000000-40. Registration does not constitute approval by the State of California.
Your California Rights
| Right | Description | How to exercise |
|---|---|---|
| Know (§1798.110) | Request disclosure of data categories, sources, purposes, and third-party recipients | GET /api/user/ccpa/rights or email privacy@utubooking.com |
| Delete (§1798.105) | Request deletion of personal information (exemptions apply for tax/legal records) | Request deletion |
| Opt-out of sale / sharing (§1798.120) | Direct UTUBooking not to sell or share your PI for cross-context behavioural advertising | Do Not Sell or Share |
| Correct (§1798.106) | Request correction of inaccurate personal information | Email privacy@utubooking.com or edit in account settings |
| Limit sensitive PI (§1798.121) | Limit use of sensitive personal information (nationality, precise geolocation) | Email privacy@utubooking.com |
| Non-discrimination (§1798.125) | Exercising rights will not result in denial of service, different pricing, or reduced quality | Automatic — no action needed |
Data We Collect (CCPA Categories)
| Category | Examples | Sold / Shared? |
|---|---|---|
| Identifiers | Name, email, phone, IP address | No |
| Commercial information | Booking history, payment records | No |
| Geolocation | Country/state derived from IP | No |
| Internet activity | Browsing behaviour on utubooking.com | Analytics partners only (opt-in) |
| Sensitive PI — nationality | Required for Hajj/Umrah visa compliance | No |
Submitting Requests
California residents (and authorised agents acting on their behalf) may submit requests:
- Online: utubooking.com/privacy/ccpa-opt-out
- Email: privacy@utubooking.com
- Phone: 1 (800) UTU-BOOK (toll-free, US only)
We will respond within 45 days. If additional time is needed, we will notify you within the initial 45-day period. No fee is charged unless requests are manifestly unfounded or excessive.
UTUBooking Ltd · Registered address: [address] · Company number: [number]
dpo@utubooking.com · kvkk@utubooking.com · privacy@utubooking.com