How we handle the data behind your palace visit.

This site is operated by Istanbul Tourist Information Ltd., a Turkish limited company registered in Istanbul under TÜRSAB licence A-7812 and VAT number 3470891204. Registered office: Sultanahmet Mah. Divan Yolu Cad. 17, 34122 Fatih, Istanbul. You can reach our data officer at privacy@istanbul-tourist-information.com.

This privacy policy covers topkapi.istanbul-tourist-information.com, the dedicated booking and visitor-guide site for Topkapı Palace. It does not cover the Ministry of Culture's own site, the venue's official pages, or any reseller that may have sold you a ticket.

Four categories, nothing more. Anything outside this list, we don't ask for and wouldn't know what to do with.

Contact & booking data — the cardholder's name, email, and phone number, plus the names of fellow visitors if you book for a group. Your preferred language for the tour (we match a guide accordingly) and any Harem add-on choice.

Payment data — the card number is entered on Stripe's hosted page, tokenised there, and we only store the last four digits + brand for your invoice. We never see nor store the full card number.

Usage data — which pages you visit, how you got here, what device you're using. Anonymised before aggregation (see section 07).

Support data — if you write to us, we keep your email and our reply. Nothing else about the conversation is shared or mined.

Under GDPR, every piece of data we collect has to sit under a specific legal basis. Here are ours, item by item.

Contract performance. Your booking data — name, email, visit date, ticket type. Without it we literally cannot issue you a ticket or brief the guide on your arrival. Legal basis: Art. 6(1)(b) GDPR.

Legal obligation. Turkish tax law requires us to keep transaction records for 10 years. That means the cardholder name, total amount, date, and VAT portion of each sale. Legal basis: Art. 6(1)(c) GDPR.

Legitimate interest. Analytics, fraud detection, anonymised crash reports — we use these to keep the site working and resist fraud. You can opt out via the cookie panel. Legal basis: Art. 6(1)(f) GDPR.

Consent. Marketing cookies, retargeting, newsletter sign-ups — only with your explicit opt-in. Legal basis: Art. 6(1)(a) GDPR.

Directly from you — when you fill a booking form, email support, or type into a field. We don't buy data lists, we don't enrich your profile with third-party sources, and we don't fingerprint your device. If you haven't told us something yourself, we don't know it.

The one exception: payment card details, which you enter directly into Stripe's form. Stripe confirms the payment and returns a reference to us — we never see the card number itself.

Your booking record contains: booking reference, visit date, slot time, guide language, Harem add-on, cardholder name, contact email, phone, number of visitors in the group, VAT amount, total paid, and any refund history. This is the complete list.

It is visible to three people: you (via the confirmation email), your licensed guide on the day of your visit (name + group size + language only — they don't see your contact details), and our support team when you write to them.

When you email support, your message and our reply are stored in our helpdesk tool (Front). Conversations are retained for 36 months unless you ask us to purge them sooner — useful if a later agent needs context about a refund or a reschedule you previously discussed.

Support conversations are never used as training data for AI, never shared with marketing, and never visible to anyone outside the three-person support team plus the data officer.

We use Google Analytics 4 with IP anonymisation, ad-signals disabled, and demographics off. We see how many visitors arrive, which page they land on, and where they drop off — not who they are, what device model they use, or what else they look at across the web.

Sentry captures crash reports (JavaScript errors, server exceptions) with a scrubbed version of the page — any form field, cookie, or URL parameter that might carry personal data is stripped before the report leaves your browser. We use these to know what broke; we don't use them to identify people.

Seven third parties touch data on this site. Here they are, what they do, and where they hold the data.

Each vendor has signed a Data Processing Agreement with us and is audited annually. If you want a copy of the list, email the data officer.

We do not sell your data. We do not rent it. We do not share it with partners for their own marketing. The only third parties that touch your data are the vendors listed in section 08, all of whom act as data processors under our instructions.

Exception: if a Turkish court, a tax authority, or the Ministry of Culture issues a valid legal order, we will comply. You will be notified unless the order specifically forbids that disclosure. This has not happened in the history of the site.

Booking records — 10 years (Turkish tax law requires the financial record for this duration).

Support conversations — 36 months from last message, or until you ask for deletion.

Analytics data — 24 months in GA4, aggregated after that (no individual records).

Crash reports — 14 days (Sentry automatically purges beyond that).

Marketing cookies — 90 days or until you revoke consent, whichever comes first.

Our primary infrastructure is EU-based (Frankfurt and Amsterdam). Two vendors — Stripe and Google — route a portion of data through US infrastructure. Both rely on the EU-US Data Privacy Framework and Standard Contractual Clauses under GDPR Art. 46 for lawful transfer.

If you are booking from Türkiye, data stays within the country to the extent the Ministry of Culture's external sales API is concerned — that transfer sits under KVKK equivalent safeguards.

TLS 1.3 on every connection. Database encryption at rest. Two-factor authentication required for every staff account. Quarterly penetration tests by an independent Turkish security firm. A documented incident-response playbook with a 72-hour notification commitment (shorter than GDPR requires).

No system is perfectly secure. If a breach happens that affects you, we will notify you within 72 hours of detection with the specific data involved, the potential impact, and the steps we've taken — regardless of what the regulatory minimum requires.

Under GDPR (if you're in the EU) and KVKK (if you're in Türkiye), you have eight rights over your data. Here they are, plus how to exercise each one.

We do not knowingly collect data about children under 16. A parent can book palace entry for a child — in that case the cardholder's name is the parent's, and only first names of children appear on the voucher. No contact details are requested for minors.

We may update this policy. When a change affects your rights materially, you will be emailed at the address on your most recent booking at least 30 days before the change takes effect. Minor edits (typo fixes, clarifications) are posted without notification, but the version number in the header increments either way.