Personal Data Processing and Protection Policy

Protection of personal data is a key matter for GREEN ACTION TURIZM TAŞ. İNS. TİC. LTD. ŞTİ. (“ReAction Paragliding”). ReAction Paragliding adopts the principles stipulated by the Personal Data Protection Law No. 6698 (”KVK Law”) in order to comply with KVK Law, and fulfills its obligations for the processing, deletion, destruction, anonymization and transfer of personal data, the enlightening of the person concerned and the provision of data security. In this context, natural persons (”Relevant Person”), whose personal data are processed are offered access to the Privacy and Personal Data Protection Policy.

1) Scope and Purpose of the Privacy and Personal Data Protection Policy

This Privacy and Personal Data Protection Policy specifies the following terms. Pertaining to ReAction Paragliding; Personal data acquisition methods and their legal reasons,
Person groups whose personal data are processed (Data Subject Categorization),
What category of personal data are processed with regard to these person groups (Data Categories) and sample data types,
What business processes and what purposes these personal data are used for,
Technical and administrative measures taken to ensure the safety of personal data,
To whom and for what purpose the personal data may be transmitted,
Personal data retention periods,
How the related Persons can change their positive or negative preferences for receiving commercial electronic messages,
Personal data sharing with official authorities.

a) Personal Data Acquisition Methods and their Legal Reasons,

ReAction Paragliding acquires personal data auditorily, electronically or in writing through Websites, mobile applications, social media accounts, cookies, call center, notifications from the administrative and judicial authorities and other communication channels in accordance with the personal data processing requirements specified in KVK Law and legal reasons specified in this Privacy/Personal Data Protection Policy.

b) Categorization of Data Subject Person Group

ReAction Paragliding categorizes the data subject person groups, whose personal data is processed in the course of personal data processing and related activities, as follows. However, personal data of other person groups (like bloggers) may also be processed in accordance with the personal data processing requirements set forth in Articles 5 and 6 of KVK Law and the legal reasons specified in this Privacy/Personal Data Protection Policy. Customer/Member, Potential Customer/Member
Online Visitor
The Person who will do the Activity Purchased
Service Provider/Service Provider Candidate, or Employee or Official of Service Provider

c) Data Categories and Sample Data Types

Customer/Member, Potential Customer/Member

Identity Information: First Name, Family Name.
Contact Information: Mobile/Cell phone, email address.
Customer/Member Information: Membership information, membership ID number.
Customer’s/Member’s Processing Information: Information about the activities purchased, call center interview records, commercial communication permission, campaigns utilized, booking.
Risk Management Information: IP address
Processing Security Information: Password information
Marketing Information: Cookie records, targeting information, assessments showing habits and likes. SMS and email messages sent for marketing purposes based on the commercial electronic message permission given by the relevant person.
Auditory Data: Interview Records
Legal Transaction and Compliance Information: The start and end time of the service provided, the type of service utilized, the amount of data transferred, the commercial electronic message permission given by the member in electronic environment, the membership agreement approved by the member, the distance selling agreement.
Demand/Complaint Management/Reputation Management Information: The complaints and/or demands of the member concerning the service purchased by the member which the member sent through the website, mobile application, social media accounts, and the records related to the transactions performed during the review or management of these demands.

Online Visitor

Legal Transaction Information/Risk Management Information: IP address
Legal Transaction and Compliance Information: The start and end time of the service provided, the type of service utilized, the amount of data transferred.

The Person who will do the Activity Purchased

Identity Information: First Name, Family Name
Contact Information: Mobile/Cell phone, email address.

d) What Business Processes and What Purposes These Personal Data Are Used For

Personal data are used for the following purposes;

To process online visitor data in accordance with the relevant legislation,
To enable bookings on these platforms in one’s capacity as a “guest”,
To process membership transactions,
To improve the services provided on the platform, to develop new services and give information about them,
To analyze the Customer’s/Member’s preferences, tastes and needs with regard to the customers who have granted approval for commercial electronic messaging and to provide Customer-/Member-specific promotions, opportunities and benefits in order to perform the Membership Agreement concluded with the customer,
To promote and market, within the scope of the contractual relationship, activities and services in line with the Customer’s/Member’s preference and taste by doing direct marketing, digital marketing, re-marketing and analyzes with regard to the customers/members who have granted approval for commercial electronic messaging,
To resolve Customer/Member issues and complaints,
To get in contact with the Customer/Member based on the permission granted for commercial electronic messaging, to improve the Customer/Member experience on both the platform and mobile application,
To create Customer/Member satisfaction, loyalty and engagement,
To conduct statistical assessments and market researches,
For corporate reputation management and media communications,
To determine and implement ReAction Paragliding’s commercial and business strategies,
To follow accounting and purchasing transactions,
For judicial processes and for compliance with legislation,
To respond to information requests from administrative and judicial authorities,
For company-internal reporting and for planning business development activities,
To ensure electronic data processing security and to prevent malicious use,
To plan and execute operational activities necessary to ensure that the activities of ReAction Paragliding are carried out in accordance with ReAction Paragliding procedures and its policies prepared in accordance KVK Law,
To make arrangements necessary to ensure that the processed data is up-to-date and accurate, and to perform activities related to these processes.

e) Technical and Administrative Measures Taken To Ensure the Safety of Personal Data

ReAction Paragliding undertakes to take all technical and administrative measures necessary to ensure the confidentiality, integrity and safety of your personal data and to show due diligence in this regard.

ReAction Paragliding takes the measures necessary to prevent unauthorized access to personal data, and misuse, unlawful processing, disclosure, alteration or destruction of personal data. ReAction Paragliding uses the generally-accepted standards for security technology such as firewalls and Secure Socket Layer (SSL) encryption when processing personal data. In addition to that, your personal data are transferred using SSL when sending these data to ReAction Paragliding through the website, mobile application and mobile site.

ReAction Paragliding performs the following with a view to preventing unlawful access to the personal data it processes and unlawful processing of such data, and ensuring the protection of personal data:

It protects all fields on the website or mobile application, from which personal data is received, with SSL,

It creates and implements access authorization and control matrices for its employees so that the personal data collected from the website or mobile application is not be processed unlawfully,

It periodically carries out penetration tests and tests the robustness of the system against unauthorized access to ensure that personal data is secured against unlawful access,

It uses the Pseudonymization (pseudonymous data) method for all secondary data processing except for the primary processing. It uses encryption methods on the systems that have this data and implements a more stringent access authorization and control policy to ensure that pseudonymous data precludes the identification of the person concerned,

It ensures that personal data in paper is stored in lockers and is accessible by authorized persons only.

f) To Whom and For What Purpose the Personal Data May Be Transmitted

ReAction Paragliding transmits personal data only to third parties in accordance with the purposes set out in this Privacy and Personal Data Protection Policy and pursuant to Articles 8 and 9 of KVK Law. The Customer/Member data processed in this context, and the information on the booked activity or the person, who will perform the activity, is shared with the supplier, and this data is also accessible by the call center if necessary.

Customer/Member data is also shared with the intermediary service provider of commercial electronic messaging to deliver the customer promotions, advertisements, benefits and opportunities in line with the customer’s preferences, liking and habits in accordance with the commercial electronic message approval of the customer/member.

The website or mobile application usage preferences and navigation history are shared with third parties, from which cookie service is received, for segmentation and to communicate with the Customer/Member in line with their liking and preferences. Personal data transmissions within this scope are carried out through secure means and channels provided by the relevant third party. Depending on the content and scope of the service received from third parties, data are transferred using pseudonymous data in all cases where the transmission of the Customer’s/Member’s personal data is not required.

Anonymous data of the Customer/Member are shared with market-research companies to increase customer/member satisfaction and loyalty.

In addition to technical measures to ensure data security, the above-mentioned personal data to be transferred domestically and abroad is also legally protected by the provisions in compliance with KVK Law that are included in our agreements taking into that the counterpart of the legal relationship is a data supervisor or data processor.

g) Personal Data Retention Periods

The ReAction Paragliding retains the personal data it processes in compliance with KVK Law for the periods stipulated in the relevant legislation or required by the purpose of processing. These periods are approximately as follows in our Personal Data Retention and Destruction Policy:

You may review our Cookie Policy for the retention periods of personal data obtained by cookies.

h) The Rights of the Related Persons on Their Personal Data and How They Can Exercise These Rights,

The rights of the Person concerned on the personal data processed by ReAction Paragliding in accordance with Article 11 of KVK Law are listed below:

  • Call Center Records — 3 years (Law No. 6563)
  • Membership and Reservation Records — 10 years (Law No. 6098)
  • Accounting and Financial Records — 10 years (Law No. 6102, Law No. 213)
  • Cookies — at most 2 years (Details in Cookies Policy)
  • Website traffic data of online visitors — 2 years (Law No. 5651)
  • Personal Data of Customers — 10 years after legal affairs ends (Law No. 6102, Law No. 6098, Law No. 213 and Law No. 6502)
  • Personal Data of Customers — 3 years (Law No. 6563)
  • Personal Data of Suppliers — 10 years after legal affairs ends (Law No. 6102, Law No. 6098, Law No. 213)

Learning whether personal data has been processed,
Requesting information if personal data is processed,
Learning the purpose of processing personal data and whether they are used appropriately,
Knowledge about the third parties where personal data is transferred at home or abroad, Requesting the correction of personal data in case of incomplete or incorrect processing, Requesting the deletion or destruction of personal data within the conditions stipulated in Article 7 of KVK Law,
Requesting the notification of the transactions performed pursuant to sub-paragraphs (d) and (e) to the third parties to which personal data has been transferred,
Objecting to the emergence of an outcome against himself/herself as a result of the analysis of the processed data performed exclusively by means of automated systems,
Requesting the compensation of the damage in case of suffering a damage due to unlawful processing of personal data.
To exercise your rights over your personal data, you can access your account via the «Profile» section on ReAction Paragliding’s website, mobile application or mobile site, and perform any necessary changes, updates and/or deletions.

i) How the Related Persons Can Change Their Positive or Negative Preferences for Receiving Commercial Electronic Messages

You can change or update at any time your negative or positive consent to receiving commercial electronic messages, which you indicated when subscribing to the website or mobile application run by ReAction Paragliding, or at a later time, by accessing the “Profile” section.
Termination of membership does not mean the revocation of your consent to receiving commercial electronic messages. Therefore, please also make sure that you have completed all the procedures for undoing your consent.
You can follow the steps outlined in our Cookie Policy for cookie management.

j) Personal Data Sharing with Official Authorities

Your personal data and navigation information about your visit to the website or mobile application run by ReAction Paragliding may be shared with public institutions and organizations legally authorized to request personal data (in cases including, but not limited to, fight against crime, threat to state and public security, and cases where ReAction Paragliding has a legal or administrative obligation to notify or inform) in order to enable ReAction Paragliding to perform its legal obligations.

k) Use and Management of Cookies

You can review our Cookie Policy for more information about the use of cookies by ReAction Paragliding.

2) Conditions for Deleting, Destroying and Anonymizing Personal Data

ReAction Paragliding retains the personal data it processes through its website, mobile application or mobile site, no longer than is required by the relevant laws in accordance with Articles 7 and 17 of KVK Law and Article 138 of the Turkish Criminal Code, and/or is necessary for the purpose of the data processing. In the case of expiry of these periods, it shall delete, destroy or anonymize personal data in accordance with the provisions of the Regulation on the Deletion, Destruction or Anonymization of Personal Data.
ReAction Paragliding describes in detail in the Personal Data Retention and Disposal Policy, which ReAction Paragliding prepared in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data, the methods and technical and administrative measures for deletion, destruction and anonymization. In this Policy, the time interval for periodic destruction required by the Regulation is set as 24 months. Accordingly, ReAction Paragliding uses anonymization as a method of destruction.

3) Amendments to Privacy/Personal Data Protection Policy

ReAction Paragliding may, at any time, amend this Privacy/Personal Data Protection Policy. These amendments shall take effect immediately following the publication of the amended new Privacy/Personal Data Protection Policy. You, our members, will be duly informed about the amendments in the Privacy/Personal Data Protection Policy.

Date: 31/03/2020