Privacy Policy

Last updated: February 22, 2026

This Privacy Policy complies with both the Turkish Personal Data Protection Law (KVKK, Law No. 6698) and the EU General Data Protection Regulation (GDPR, Regulation 2016/679). Where these frameworks differ, we apply the higher standard of protection.

1. Data Controller

Odamigo Turizm Ltd. Sti. is the data controller responsible for processing your personal data.

Company: Odamigo Turizm Ltd. Sti.
Tax Office: Mecidiyekoy (Istanbul)
Tax ID (VKN): 6340420923
TURSAB License: 12754 (Group A)
Contact for data protection inquiries: privacy@eurotrain.tr
Website: https://eurotrain.tr

2. Data We Collect

2.1 Data You Provide:
a) Identity data: Full name, date of birth, nationality (required for booking).
b) Contact data: Email address, phone number.
c) Travel document data: Passport or ID number (required for certain international routes).
d) Payment data: Processed by our PCI DSS-certified payment provider; we do not store full card numbers.
e) Account data: Email, encrypted password (if you register).
f) Communication data: Messages to our support team.

2.2 Data We Collect Automatically:
a) Device and browser information (type, version, operating system).
b) IP address and approximate location (country level).
c) Pages visited, features used, and interaction patterns on the Platform.
d) Cookies and similar technologies (see Section 8).

2.3 Data from Third Parties:
a) Booking and ticket data from rail Operators (directly or via distribution partners).
b) Payment confirmation from our payment service provider.
c) Authentication data if you sign in via Google (name, email, profile photo).

3. How We Use Your Data

We process your data for the following purposes and legal bases:
• Process your booking and issue tickets | GDPR: Art. 6(1)(b) Contract | KVKK: Art. 5(2)(c) Contract
• Process payments securely | GDPR: Art. 6(1)(b) Contract | KVKK: Art. 5(2)(c) Contract
• Send booking confirmations and travel updates | GDPR: Art. 6(1)(b) Contract | KVKK: Art. 5(2)(c) Contract
• Provide customer support | GDPR: Art. 6(1)(b) Contract | KVKK: Art. 5(2)(c) Contract
• Comply with tax and legal obligations | GDPR: Art. 6(1)(c) Legal obligation | KVKK: Art. 5(2)(c)(e) Legal
• Improve Platform performance and security | GDPR: Art. 6(1)(f) Legitimate interest | KVKK: Art. 5(2)(f) Legitimate
• Send marketing communications (with consent) | GDPR: Art. 6(1)(a) Consent | KVKK: Art. 5(1) Explicit consent
• Fraud prevention and security | GDPR: Art. 6(1)(f) Legitimate interest | KVKK: Art. 5(2)(f) Legitimate

4. Data Sharing

We share your personal data only as necessary to provide our services:
• Railway Operators (directly or via authorized distribution partners): Name, DOB, travel documents - for ticket issuance and carriage
• Payment provider (PCI DSS Level 1): Transaction data (no full card numbers) - for secure payment processing
• Error monitoring service: Anonymized technical data - for platform stability
• Hosting providers (EU-primary): Anonymized access logs - for content delivery
• Database provider (EU-hosted): Encrypted booking data - for data storage
• Email service provider: Email address, booking reference - for transactional emails

For a detailed list of our current sub-processors, visit eurotrain.net/sub-processors.

We do not sell your personal data to third parties. We do not use your data for profiling or automated decision-making that produces legal effects.

5. International Data Transfers

Your data may be transferred to service providers located in the EU/EEA, Turkey, and other countries with appropriate data protection safeguards (Standard Contractual Clauses). For a current list of our sub-processors and their locations, visit eurotrain.net/sub-processors.

For KVKK compliance: Cross-border transfers are made pursuant to Article 9 of Law No. 6698, using approved standard contractual clauses and the KVKK Authority's adequacy determinations.

For GDPR compliance: Transfers outside the EEA are protected by Standard Contractual Clauses (Art. 46(2)(c) GDPR) or adequacy decisions (Art. 45 GDPR).

6. Data Retention

• Booking records: 10 years (Turkish Tax Law, TTK Art. 82)
• Payment records: 10 years (Tax and PCI compliance)
• Account data: Until account deletion + 30 days
• Support communications: 3 years from last contact
• Technical logs: 90 days (rolling)
• Cookie data: See Cookie Policy (Section 8)
• Marketing consent records: Duration of consent + 3 years

7. Your Rights

Under both KVKK and GDPR, you have the following rights:
a) Right of access: Request a copy of your personal data.
b) Right to rectification: Correct inaccurate or incomplete data.
c) Right to erasure: Request deletion of your data (subject to legal retention requirements).
d) Right to restriction: Limit how we process your data.
e) Right to data portability: Receive your data in a structured, machine-readable format.
f) Right to object: Object to processing based on legitimate interest or for direct marketing.
g) Right to withdraw consent: Withdraw consent at any time without affecting prior processing.

To exercise your rights, contact privacy@eurotrain.tr. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the KVKK Authority (kvkk.gov.tr) or your local data protection authority in the EU.

8. Cookies

• Strictly Necessary: Session, auth, security - Duration: Session - Consent not required
• Functional: Language, currency preferences - Duration: 1 year - Consent required
• Analytics: Platform improvement - Duration: 2 years - Consent required
• Performance: Error monitoring - Duration: Session - Legitimate interest

You can manage your cookie preferences through our cookie banner or your browser settings. Disabling strictly necessary cookies may affect Platform functionality.

9. Children's Privacy

Our Platform is not directed at children under 16. We do not knowingly collect personal data from children under 16 without parental consent. If you believe a child under 16 has provided us with personal data, please contact privacy@eurotrain.tr immediately.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:
a) TLS/SSL encryption for all data in transit (HTTPS everywhere).
b) Encryption at rest for sensitive data in our database.
c) PCI DSS compliant payment processing (card data never touches our servers).
d) Role-based access control and audit logging.
e) Regular security assessments and continuous monitoring.
f) Rate limiting and DDoS protection on all endpoints.

In the event of a data breach, we will notify the KVKK Authority and affected individuals within 72 hours, as required by both KVKK and GDPR.

11. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified via email and posted on the Platform at least 30 days before taking effect. The "Last Updated" date at the top reflects the most recent revision.

12. Contact

General inquiries: Contact Form

Privacy/data protection: privacy@eurotrain.tr

KVKK Authority: https://kvkk.gov.tr

EU ODR Platform: https://ec.europa.eu/consumers/odr
