Privacy Notice

1. Who we are (the data controller)

We operate the website www.golfbelek.com ("the Platform"). For the purposes of UK GDPR and the EU General Data Protection Regulation (Regulation (EU) 2016/679), GOLFBELEK.COM LTD is the data controller of the personal data we process about you.

Operations in Türkiye — including ground transfers, hotel coordination, and on-site golf services — are delivered by our local partners, Kesit Turizm Otelcilik ve Tic. Şti. and Dilahan Turizm Taşımacılık Tic. Ltd. Şti., who act as our processors under written agreements.

2. Personal data we collect

You provide directly

• Identity & contact: name, surname, date of birth (for flight/hotel bookings), email, mobile and fixed phone numbers, country of residence, passport details (where required by airlines or hotels).
• Booking details: tee-time selections, golf course preferences, hotel choice, party size, group member names, dietary or accessibility requirements (only when you provide them).
• Payment data: billing address and (where applicable) the last four digits of the card used. Full card numbers are processed directly by our payment provider — we do not store them.
• Account data: login email, hashed password, communication preferences.

Collected automatically

• Technical data: IP address, browser type and version, device type, operating system, time zone, referring URL.
• Usage data: pages viewed, search queries, click-paths, session duration — collected via Google Analytics 4 and Google Tag Manager.

From third parties

• Booking confirmations from golf clubs and hotels.
• Fraud-prevention checks from payment providers.

3. How we use your data

• To process your booking and deliver the services you requested (tee times, hotels, transfers, extras).
• To create and maintain your account.
• To communicate with you about your booking — confirmations, changes, vouchers, follow-ups.
• To respond to enquiries and provide customer support before, during, and after your trip.
• To take payment and prevent fraud.
• To improve the Platform — performance monitoring, A/B testing, analytics.
• To send marketing communications, only where you have given consent (see §11).
• To comply with legal obligations (tax, accounting, anti-money-laundering, lawful authority requests).

4. Legal bases for processing

Under UK GDPR / EU GDPR, every use of your data must rely on a lawful basis. We rely on the following:

5. Sharing & recipients

We share personal data only with parties who need it to deliver our services or who we are legally required to share with:

• Golf courses, hotels, and airlines — to confirm and deliver your booking.
• Operational partners in Türkiye — Kesit Turizm and Dilahan Turizm, acting as our processors for ground operations.
• Payment processors — Stripe and similar providers, acting as separate controllers for payment data.
• Technology providers — hosting, email delivery, analytics (e.g. Google Analytics, Google Tag Manager), CDN (Cloudflare).
• Professional advisers — accountants, auditors, lawyers, where required.
• Authorities — where required by law, court order, or to protect our rights.

We do not sell your personal data.

6. International transfers

Because our operations span the UK and Türkiye, your data is transferred between these countries. Türkiye is not currently subject to a UK or EU adequacy decision; transfers there are made under UK International Data Transfer Agreements or EU Standard Contractual Clauses (SCCs), supplemented with appropriate technical and organisational safeguards.

Some of our technology providers (e.g. Google) may process data in the United States. Such transfers rely on the UK Extension to the EU–US Data Privacy Framework, on SCCs, or on equivalent safeguards.

7. Retention periods

• Booking records: 7 years from the booking date (UK accounting and tax law, Companies Act 2006).
• Account data: for the lifetime of your account, plus up to 2 years after closure.
• Marketing consent records: until you withdraw consent, plus up to 2 years for evidence of withdrawal.
• Analytics data: up to 14 months in Google Analytics 4 (default retention).
• Support correspondence: up to 3 years from the last contact.

Where Turkish tax or commercial law requires longer retention for partner-handled records, those longer periods apply.

8. Security

We use generally accepted technical and organisational measures to protect your data, including TLS/SSL encryption in transit, hashed password storage, access controls, regular backups, and vendor due diligence. No system is perfectly secure; if we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and inform you where required.

9. Your rights

Under UK GDPR and EU GDPR, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your data ("right to be forgotten") in certain circumstances.
• Restrict processing in certain circumstances.
• Portability — receive a machine-readable copy of data you provided.
• Object to processing based on legitimate interests, including direct marketing.
• Withdraw consent at any time, where processing relies on consent.
• Not be subject to solely automated decision-making with legal or similarly significant effect — we do not currently carry out such processing.

To exercise any of these rights, email [email protected]. We will respond within one month. Identification may be requested to verify your request.

10. Cookies

We use strictly necessary cookies to operate the Platform. We use analytics and marketing cookies (Google Analytics, Google Ads) only if you consent through our cookie banner. You can change your preferences at any time. See our Cookie Notice for details.

11. Marketing communications

We send marketing emails — such as offers, seasonal promotions, and travel guides — only with your prior consent. Each marketing email contains an unsubscribe link, and you may opt out at any time by emailing [email protected]. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal, nor does it affect transactional messages relating to your bookings.

12. Changes to this notice

We may update this notice from time to time. The "Last updated" date at the top will reflect the latest version. Material changes will be communicated through the Platform or by email where appropriate. Continued use of the Platform after changes constitutes acceptance of the updated notice.

13. Note for users in Türkiye (KVKK)

Where Turkish data protection law applies — for example, when a booking is fulfilled by our local partners in Türkiye — Kesit Turizm Otelcilik ve Tic. Şti. and Dilahan Turizm Taşımacılık Tic. Ltd. Şti. process limited operational data on our instructions as data processors. Your rights under KVKK Article 11 (information, access, correction, erasure, objection, complaint to the Personal Data Protection Authority — KVKK Kurumu) are recognised.

Türkçe çeviri ve KVKK kapsamındaki başvuru süreçleri için [email protected] adresine yazabilirsiniz.

14. Contact & complaints

Privacy enquiries: [email protected]

Postal: GOLFBELEK.COM LTD, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

If you are not satisfied with our response, you have the right to lodge a complaint with:

• UK: Information Commissioner's Office (ICO) — ico.org.uk · 0303 123 1113.
• EU: the data protection authority of the EU/EEA country where you live or work.
• Türkiye: Kişisel Verileri Koruma Kurumu (KVKK) — kvkk.gov.tr.