REGNUM HOTELS PERSONAL DATA PROTECTION AND PRIVACY POLICY

Purpose and Scope of the Policy

Overview of the Policy

At Regnum Hotels, we place great importance on the privacy of our guests, visitors, suppliers, and business partners. This Privacy Policy outlines the principles we follow in protecting the personal data of users who visit our website and all stakeholders who benefit from our services in digital environments. Our aim is to foster a culture of data security and deliver a transparent, trustworthy, and legally compliant approach to data processing.

In this context, we commit to comply with the Personal Data Protection Law (KVKK - Law No. 6698) and the European Union General Data Protection Regulation (GDPR) in all processes involving the collection, storage, processing, transfer, protection, and deletion of personal data. This policy also provides information on the purposes of processing personal data, legal grounds, data security measures, and the rights of data subjects.

Additionally, the personal data of individuals using the Regnum Hotels mobile application is also included within the scope of this policy. All data processing activities conducted via the application are carried out in compliance with KVKK and GDPR provisions.

Framework of KVKK and GDPR

This policy has been prepared based on the Personal Data Protection Law No. 6698 (KVKK) and the European Union General Data Protection Regulation (GDPR). The legal requirements of the regions in which Regnum Hotels operates or provides services are also considered.

Under KVKK, it is a legal obligation to process, retain, and destroy personal data lawfully and to inform data subjects. GDPR, in addition to these obligations, defines enhanced user rights such as transparency, data portability, explicit consent management, and the right to audit.

Regnum Hotels operates in accordance with the following shared principles of both regulations:

• Lawfulness and fairness,

• Processing for specified, explicit, and legitimate purposes,

• Necessity and proportionality,

• Accuracy and timeliness,

• Limitation of the retention period,

• Secure storage and appropriate disposal.

Under the GDPR, the principle of accountability is also upheld, whereby data processing activities are documented, and data protection impact assessments are conducted for high-risk processing activities.

Data Subjects Covered by the Policy

The following groups of individuals may have their personal data processed under this policy:

• Website Visitors: All users accessing the website at www.regnumhotels.com

• Guests and Prospective Guests: Individuals who benefit from accommodation services or are involved in the reservation process

• Business Partners and Suppliers: Third-party institutions and individuals from whom we receive services, with whom we collaborate, or have consultancy relationships

• Employees and Candidates: Regnum Hotels staff and individuals involved in the recruitment process

• Event and Organization Participants: Individuals attending hotel-organized meetings, seminars, weddings, or events

• Visitors: Individuals physically visiting our facilities (e.g., restaurant guests or meeting attendees)

• Loyalty Program Members and Digital Platform Users: Individuals using our applications or subscribed to our email communications

Data Controller Information and Contact

Definition of Data Controller

Pursuant to the Personal Data Protection Law No. 6698 ("KVKK"), a "data controller" refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

According to the European Union General Data Protection Regulation (GDPR), a data controller is also defined as the person or entity that determines the purposes and methods of processing personal data.

Accordingly, the data controller responsible for processing your personal data obtained through our website or via all physical/digital channels is the organization whose information is provided below:

Regnum Hotels Data Controller Information

Title: Carya Turizm Yatırımları A.Ş
Address: Kadriye Bölgesi, Üçkum Tepesi Mevkii, Belek – Serik / Antalya – Türkiye
Phone: +90 (242) 710 34 34
Email: [email protected]

VERBIS Data Controller Information
Regnum Hotels has appointed a Data Protection Officer within the scope of the European Union General Data Protection Regulation (GDPR). For any requests, suggestions, or complaints within the scope of the GDPR, you may contact us via the following communication channel:
KVKK Contact Address: [email protected]

Guests, suppliers, or visitors who qualify as data subjects may submit any applications or requests related to data processing activities in writing through the above contact channels or by using the KVKK Application Form.

Categories and Types of Collected Personal Data

When using the services provided by Regnum Hotels or visiting our website, the personal data listed below is collected in accordance with legal regulations and with the necessary security measures:

Identity, Contact, Reservation, Payment, and Health Data

The following categories of data may be collected directly from you through electronic forms, reservation processes, membership registrations, call centers, email correspondences, physical forms, and service requests within the hotel:

• Identity Information: Name, surname, national ID number, date of birth, gender, passport information, nationality

• Contact Information: Email address, mobile phone, landline, mailing address, country

• Reservation and Accommodation Data: Room type, check-in/check-out dates, special requests, number of guests, child information, accommodation history

• Payment and Invoice Information: Credit card details (encrypted), billing address, bank account number, e-invoice/e-archive data

• Health Data: Allergy, special diet, disability status, and medical requirements obtained with the guest's consent. Such special categories of personal data are processed only to improve the accommodation process and ensure safety.

• Loyalty Program and Service Preferences: Loyalty membership details, service preferences, feedback, and social media shares

Data Collected Through Automated Systems

When visiting our website or using our digital applications, the following technical data may be collected through automated systems:

• IP address, device type, operating system, browser type

• Login and logout times, visited pages

• Click history, preferred language, location data (depending on device settings)

• Network data such as the accessed network and connection type

• Session ID and user behavior data

This data is retained for a limited time to enhance user experience, ensure system security, and prevent fraud, and is analyzed after being anonymized.

Cookie Data

Our website uses cookie technologies to provide more effective service and personalize the user experience. The types of cookies used are as follows:

• Essential Cookies: Technical cookies that enable core functionalities of the website

• Functional Cookies: Cookies that remember user preferences (e.g., language, region)

• Performance and Analytics Cookies: Cookies used to measure site traffic and analyze performance (e.g., Google Analytics)

• Marketing and Targeting Cookies: Cookies that enable targeted advertising based on user interests (used only with explicit consent)

You can manage your cookie preferences through your browser settings or via our Advertising and Cookie Policy page.

Methods of Collecting Personal Data and Legal Grounds

At Regnum Hotels, we collect, process, and store your personal data through the following methods. These operations are conducted in accordance with applicable legal regulations based on legal grounds such as explicit consent, performance and establishment of contracts, legitimate interests, and legal obligations.

Directly from the User

Your personal data is directly obtained from you through the following means:

• Reservations, contact forms, or information requests via our website

• Telephone conversations with our call center

• Direct applications to our hotel (check-in forms, registration procedures)

• Physical forms, surveys, or satisfaction questionnaires

• Feedback you provide during guest relations processes

• Participation through loyalty programs, contests, or campaigns

Legal Grounds:

• KVKK Art. 5/2-c: Directly related to the establishment or performance of a contract

• KVKK Art. 5/2-f: Legitimate interests of the data controller

• GDPR Art. 6/1-b: Necessary for the performance of a contract

• Where explicit consent is obtained: KVKK Art. 5/1 and GDPR Art. 6/1-a

Digital Channels and Cookies

When you visit our website or use our digital platforms, data may be collected via the following channels:

• Cookies and similar technologies used on our website

• Mobile applications, social media platforms

• IP address, device information, session activities, and visit durations

• Third-party analytics tools such as Google Analytics

Legal Grounds:

• KVKK Art. 5/2-f: Legitimate interests

• KVKK Art. 5/1 and GDPR Art. 6/1-a: Cookie usage requiring explicit consent

• GDPR Art. 6/1-f: Website security and enhancing user experience

Security Systems (CCTV, Access Control, etc.)

Regnum Hotels facilities utilize closed-circuit camera systems (CCTV) and entry/exit control systems for security purposes. Through these systems, your visual data and access records may be processed.

• Only video data is collected in common areas via cameras; no audio recordings are made.

• Camera monitoring activities are conducted within legal boundaries and accompanied by proper informational notices.

Legal Grounds:

• KVKK Art. 5/2-f: Legitimate interests of the data controller

• GDPR Art. 6/1-f: Monitoring for security and crime prevention purposes

Age Limitation / Personal Data of Children

At Regnum Hotels, we process personal data of individuals under the age of 18 only with the explicit consent of their parents or legal guardians. We do not solicit information directly from individuals under 18 through our website. The data of minors is processed solely to the extent necessary for the provision of accommodation services and in compliance with applicable legal regulations.

Purposes of Data Processing

At Regnum Hotels, we process your personal data for the following purposes and within the framework of legal boundaries. Your data is used solely for the purposes specified and shared with third parties only in accordance with legal bases and, when necessary, with your explicit consent.

Provision of Services and Reservation Processes

• Delivery of hotel services such as accommodation, transfer, restaurant, spa, and meeting rooms

• Receiving and confirming reservation requests

• Executing payment transactions and issuing invoices

• Addressing special requests (such as allergies, dietary preferences, disabilities)

Customer Experience and Satisfaction Management

• Conducting guest satisfaction surveys

• Evaluating complaints, suggestions, and feedback

• Managing loyalty programs and providing personalized services

Fulfillment of Legal Obligations

• Managing identity verification and accommodation registration processes

• Meeting tax, accounting, and other statutory reporting requirements

• Responding to requests from authorized public institutions and organizations

Ensuring Security

• Ensuring general safety through on-premises camera systems

• Managing access control and maintaining log records

• Retaining data as evidence in potential legal disputes

Marketing, Promotion, and Communication Activities (Based on Explicit Consent)

• Sending promotional and informational content via email, SMS, or phone calls

• Analyzing user behavior via consent-based cookies

• Promoting campaigns, events, and new services

• Providing personalized offers based on guest reservation history, accommodation preferences, campaign engagement, and frequency of service usage within the scope of the loyalty program. The segmentation system (e.g., Green, Silver, Gold, Ruby memberships), which grants advantages based on membership level, is a part of data processing. Location-based campaigns, travel time preferences, and loyalty card thresholds are also processed under this scope. These operations are performed only for individuals who have provided explicit consent.

• Data related to the loyalty program is never shared with third parties for marketing or advertising purposes. It is used solely within Regnum Hotels to deliver personalized services.

• Within the loyalty program:

  • Data such as membership type, participation date, and transaction volume may be categorized for profiling.

  • Members may advance to different card levels (e.g., Green, Silver, Gold, Ruby) based on spending brackets.

  • Segment-specific campaigns, discounts, and promotional content may be offered.

  • Users who do not wish to receive such offers may update their communication preferences to opt out.

Business Process Improvement and Analytical Purposes

• Conducting internal audits, monitoring service quality, and strategic planning

• Analyzing website and digital platform usage data

• Enhancing user experience and implementing cybersecurity measures

Call Center Conversations and Recordings

Phone conversations with our call center may be recorded to improve customer service quality and service development. Individuals are informed prior to the call. These recordings are accessible only to authorized personnel, securely stored for the legal retention period, and anonymized upon expiry.

• Recordings are retained for a maximum of 3 years.

• Conversations are stored only within data centers located in Turkey, with no international transfers.

• Access to recordings is protected through log monitoring and access restriction protocols.

Digital Assistant and WhatsApp Records

At Regnum Hotels, conversation contents may be recorded during the use of our WhatsApp communication channel and AI-based digital assistant services to enhance guest satisfaction, track interactions, and improve service quality.

Within this scope:

• WhatsApp conversations are used solely for tracking service-related requests and resolving complaints. Any commercial communication is conducted only with explicit consent.

• Conversations are stored in secure digital environments for a limited duration, accessible only by authorized units.

• Records are retained for a maximum of 3 years and anonymized after the retention period ends.

• Records are stored exclusively within Turkey and are not transferred abroad.

• Conversations with digital assistants are not used for automated decision-making or profiling purposes; they are intended solely to support service operations.

• Individuals are informed prior to the start of the conversation through a data privacy notice.

Personal data processed through these communication processes is handled based on the legitimate interests of the data controller, in accordance with Article 5/2-f of KVKK and Article 6/1-f of GDPR.

Sharing and Transfer of Personal Data

At Regnum Hotels, your personal data may be shared and/or transferred domestically or internationally with specific parties solely for defined purposes and in compliance with applicable legal regulations.

Domestic Sharing

Your personal data may be shared with the following parties in line with the processing purpose and within the scope of relevant legislation:

• Our business partners and suppliers: For the execution of services such as reservations, transfers, restaurants, SPA, housekeeping, IT infrastructure support, and customer relations

• Our group companies: To ensure service continuity and corporate operations

• Authorized public institutions and organizations: Upon legal request by law enforcement, courts, the Ministry of Finance, and other competent authorities

Legal Grounds:

• KVKK Art. 8

• Identity Notification Law No. 1774

• Tax Procedure Law No. 213

International Data Transfers

Some of your personal data may be transferred abroad under the following circumstances:

• Foreign-based cloud service providers (e.g., email, backup, reservation systems)

• Analytics and advertising service providers (e.g., Google, Facebook, etc.)

• Loyalty and customer experience platforms (for consent-based communication processes)

These transfers are carried out only when:

• You have given explicit consent,

• The transfer is made to countries deemed safe by the Personal Data Protection Board,

• There is a sufficient protection commitment from the foreign data controller,

• Transfers are covered by necessary security and confidentiality agreements

Legal Grounds:

• KVKK Art. 9

• GDPR Arts. 45–49

Safeguards for International Data Transfers

The following security measures are applied in cases of international data transfers:

• Standard contractual clauses approved by the European Commission

• Required technical and administrative data protection measures

• Encryption, access restrictions, and log tracking methods

• Data processing agreements with third parties

Data Transfers to Group Companies and Subsidiaries

Your personal data may be shared with companies operating under the Regnum Hotels brand or within the same corporate group, strictly for the data processing purposes specified above. The same data protection policies apply across all group companies, and they are obligated to implement the necessary administrative and technical measures. Upon request, a list of group companies and their legal titles can be provided.

Fundamental Principles Regarding the Processing of Personal Data

At Regnum Hotels, we fully comply with the principles outlined in Article 4 of the Law on the Protection of Personal Data No. 6698 (KVKK) and Article 5 of the General Data Protection Regulation (GDPR) when processing personal data. All data processing activities are conducted in accordance with the following core principles:

Lawfulness and Fairness

Personal data processing activities are carried out in accordance with laws and ethical standards. For example, email addresses are only used for marketing purposes with the explicit consent of the individual.

Accuracy and Up-to-Date Information

Processed data must be accurate and kept up to date. Guests may request updates in case of any changes to their contact or reservation details.

Specified, Explicit, and Legitimate Purposes

Each piece of data is collected for a clearly defined and legitimate purpose. For example, passport information is used solely for accommodation registration.

Relevance, Limitation, and Proportionality

Data is collected only to the extent necessary and relevant for the intended purpose. Unnecessary data is not processed.

Storage Limitation

Data is retained only for the period necessary to fulfill the processing purpose. Once the retention period expires, data is deleted, destroyed, or anonymized.

Secure Storage and Prevention of Unauthorized Access

All personal data is protected and accessible only by authorized personnel. Access logs are maintained and security measures are regularly updated.

Special Categories of Personal Data

According to Article 6 of KVKK and Article 9 of the GDPR, special categories of personal data are subject to higher protection standards. Regnum Hotels processes the special categories of personal data listed below only with your explicit consent and/or based on legal obligations:

• Health Information: Allergies, disabilities, special dietary needs, medical support requirements

• Biometric Data: Camera footage (for security purposes)

• Religious Beliefs, Association Memberships, etc.: Only processed based on your explicit information and specific service-related necessities

• Disability Information: For the arrangement of physical access and accommodation needs

Conditions for Processing:

• Obtaining explicit consent

• Clearly stipulated by law

• Health data processed within the scope of healthcare services by authorized individuals under confidentiality obligations

• Implementation of additional security measures set by the Authority

Regnum Hotels retains personal data only for the periods required by applicable legislation and the purpose of processing. Data is stored in accordance with legal obligations, commercial transaction requirements, and service quality standards. Once the retention period ends, data is deleted, destroyed, or anonymized in line with our data destruction policies.

Personal Data Retention Period

Criteria for Determining Retention Period

• Periods explicitly stated in the applicable legislation (e.g., 1 year under the Identity Reporting Law No. 1774, 10 years under the Tax Procedure Law)

• Completion of the service period and termination of contractual relationships

• Expiry of legal statute of limitations

• Withdrawal of user consent or revocation of explicit consent

• Conditions arising from the data subject's deletion request

Fate of Data Upon Expiry of Retention Period

When the data retention period expires:

• Deletion: Data is rendered inaccessible and unusable.

• Destruction: Data in physical form is removed by secure means.

• Anonymization: Data is made unidentifiable with the relevant person and used solely for statistical purposes.

Records and Audits

Data retention and destruction processes are recorded in accordance with the Personal Data Retention and Destruction Policy and related procedures. When necessary, they are documented using the Personal Data Destruction Form.

Data Subject Rights and Application Process

Individuals whose personal data is processed have certain rights under KVKK and GDPR. At Regnum Hotels, we recognize these rights and provide the necessary mechanisms for submitting applications.

Your Rights Under KVKK (Article 11)

• To learn whether your personal data is being processed

• To request information if your personal data has been processed

• To learn the purpose of the processing and whether data is used in line with this purpose

• To know the third parties to whom your data is transferred, within or outside the country

• To request the correction of incomplete or inaccurate data

• To request the deletion or destruction of your data in accordance with legislation

• To request that the correction or deletion processes be notified to third parties to whom data has been transferred

• To object to outcomes against you resulting from automated analysis

• To demand compensation if you suffer damage due to unlawful processing

Your Rights Under GDPR

• Right of access

• Right to rectification

• Right to erasure ("right to be forgotten")

• Right to restrict processing

• Right to data portability

• Right to object to processing

• Right to object to automated decision-making and profiling

• Right to lodge a complaint (with the data protection authority)

Application Methods

You may submit your applications regarding your rights:

• Via the KVKK Application Form available on our website,

• By sending a signed letter via post or courier service,

• Or via registered email (KEP) or your email address registered in our system, to the following address: [email protected]

Applications are processed free of charge and concluded within 30 days as per the legal deadline. However, if the process requires additional cost, a fee determined by the Authority may be charged.

Personal Data Security and Protection

Regnum Hotels implements both technical and administrative measures to ensure the highest level of personal data security. In this context, data security is not only a legal obligation but also a corporate responsibility and quality standard.

Technical Measures

• Data Encryption: Critical data flows and databases are protected using strong encryption algorithms.

• Secure Access: Personal data is accessible only by authorized individuals through authentication systems.

• Penetration Testing and Vulnerability Analyses: Information systems are regularly tested to identify and fix potential vulnerabilities.

• Camera Systems: Cameras used within the hotel for safety purposes operate solely for security and are supported by appropriate notification texts.

• Data Loss Prevention (DLP): Software solutions are used to prevent unauthorized data transfers.

Administrative Measures

• Authorization Matrix: Access to personal data is limited to job roles and operational needs.

• Trainings: Regular data protection and privacy awareness trainings are provided to all employees.

• Confidentiality Agreements: Data security undertakings are signed with business partners, suppliers, and employees.

• Audits: Data protection practices are periodically reviewed through internal audit mechanisms.

Breach Notification

Regnum Hotels undertakes to notify relevant parties in the event of any personal data breach, in accordance with Article 12 of KVKK and Articles 33 and 34 of GDPR.
In this context:

• The nature of the breach, number of affected individuals, and potential consequences are evaluated.

• The Personal Data Protection Board is notified within 72 hours.

• Affected data subjects are informed through our communication channels if they are directly impacted.

• Necessary technical and administrative measures are reviewed and strengthened to prevent recurrence.

All actions and notifications are documented and regularly audited.

E-Invoice and E-Archive Data

Regnum Hotels issues e-invoices and e-archive invoices to guests in compliance with the Tax Procedure Law No. 213 and related electronic invoicing regulations.
In this scope:

• Your email address, classified as personal data, is used through secure infrastructures integrated with e-invoice systems for invoice delivery.

• E-invoice and e-archive records are retained for 10 years in accordance with the law and are accessible only by authorized personnel.

• This data is used solely for billing purposes and is not shared with third parties for marketing.

Automated Decision-Making

Regnum Hotels does not make decisions affecting individuals solely based on automated data processing.
Accordingly, automated decision-making and profiling processes are supported by human review. As per Article 22 of the GDPR, where decisions are made solely through algorithmic systems, data subjects are clearly informed and provided with the right to object.
Data subjects can object to decisions based solely on automated processing, request human intervention, or demand a re-evaluation.

ISO 27001 Compliance

Regnum Hotels systematically implements the requirements of the ISO/IEC 27001 Information Security Management System to comply with international standards in information security management.
This certification ensures the continuous application of technical and administrative controls to protect the confidentiality, integrity, and availability of personal data.

Legal Responsibilities and Administrative Sanctions

Regnum Hotels fulfills its obligations regarding personal data protection under the Personal Data Protection Law No. 6698 (KVKK) and related secondary legislation.
All necessary technical and administrative measures are taken to ensure data security.
According to Article 18 of KVKK, administrative sanctions may be imposed by the Personal Data Protection Board in case of violations such as unlawful data processing or transfer, or failure to respond to data subject applications on time.
To prevent such violations, Regnum Hotels conducts internal audits, provides regular awareness trainings to employees, and continuously updates its data protection policies.

Transfer of Personal Data (Domestic and International)

Regnum Hotels ensures compliance with all obligations under the Personal Data Protection Law No. 6698 (KVKK) and the General Data Protection Regulation (GDPR) in the transfer of personal data to third parties.

Domestic Transfer

Personal data may be transferred to the following parties in accordance with Article 8 of KVKK and by implementing necessary data security measures:

• Group companies and affiliates

• Authorized business partners involved in reservation and operational processes

• Electronic communication service providers and marketing firms (only with explicit consent)

• Professional advisors such as financial consultants, legal advisors, and audit firms

• Public authorities when required by legal obligations (e.g., law enforcement, courts, ICTA, KVKK Authority)

International Transfer

Data may be transferred abroad in accordance with Article 9 of KVKK and GDPR provisions under the following conditions:

• With your explicit consent

• To countries declared to have adequate protection by the KVKK Board

• To countries without adequate protection only with a written commitment and the Board’s permission

International transfers may be made to:

• Cloud computing and reservation infrastructure providers (e.g., server hosting, CRM systems)

• Email marketing and survey companies

• International loyalty programs and business partners

• Other third-party technology providers offering data processing services

Safeguards for Data Transfers

During data transfers, the following safeguards are implemented:

• Data processing agreements and confidentiality undertakings

• Standard Contractual Clauses (SCCs) approved by the European Commission

• Data encryption and secure transfer protocols (VPN, TLS, SSL)

• Limiting transferred data solely to the purpose of processing

Data Subject Rights (KVKK and GDPR)

At Regnum Hotels, we grant the following rights to personal data subjects under Article 11 of the KVKK and Articles 12–23 of the GDPR:

Rights Under KVKK

As a data subject, you have the right to:

• Learn whether your personal data is being processed

• Request information if your personal data has been processed

• Learn the purpose of processing and whether your data is used accordingly

• Know the third parties to whom your data has been transferred, domestically or abroad

• Request correction of incomplete or inaccurate data

• Request deletion or destruction of your data under Article 7 of the KVKK

• Request notification of the above actions to third parties to whom your data has been transferred

• Object to results against you arising from automated analysis of processed data

• Request compensation for damages arising from unlawful data processing

Rights Under GDPR

For our guests subject to EU regulations, the following rights are recognized:

• Right of Access (Art. 15): Access to your personal data processed by us

• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data

• Right to Erasure (Art. 17): Request deletion of your data under the “right to be forgotten”

• Right to Restriction of Processing (Art. 18): Temporarily stop the processing of your data

• Right to Data Portability (Art. 20): Receive your data in a structured format and transfer it to another controller

• Right to Object (Art. 21): Object to data processing

• Right to Object to Automated Decision-Making (Art. 22): Oppose decisions based solely on profiling

• Right to Withdraw Consent: Withdraw previously given consent at any time

• Right to Lodge a Complaint: Submit a complaint to a competent data protection authority

Regnum Hotels does not make any legal or similarly significant decisions based solely on automated data processing. All evaluation and decision-making processes involve human intervention and manual review when necessary.

How to Apply

To exercise your rights, you may fill out the application form available on the official website of Regnum Hotels or contact us through the following address after identity verification:
📧 [email protected]
📍 Regnum Hotels, Kadriye Region, Belek, Antalya, Turkey

Cookie Policy

At Regnum Hotels, we use cookies to enhance the experience of our website visitors, ensure ease of use, and provide personalized services. Our use of cookies is conducted in accordance with the Personal Data Protection Law No. 6698 (KVKK) and the General Data Protection Regulation (GDPR).

What Are Cookies?

Cookies are small text files stored on your device via your web browser that allow the website to recognize you. These files collect information about how you use our website and are used to personalize your experience.

Types of Cookies Used

The following types of cookies are used on our website:

• Mandatory Cookies: Required for the basic functions of the website. Used for purposes such as session management, security, and network management.

• Functional Cookies: Help the website remember your preferences (e.g., language selection).

• Performance and Analytical Cookies: Used to analyze visitor behavior to improve site performance.

• Targeting/Advertising Cookies: Used to deliver content and advertisements tailored to your interests. These cookies are generally placed by third parties.

Third-Party Cookies

Cookies may be used through third-party providers offering analysis and marketing services, such as Google Analytics and Facebook Pixel. These cookies help us understand visitor behavior and optimize our advertising efforts.

Managing Cookies

When visiting our website, you can set your cookie preferences and change them at any time. If you wish to disable cookies, you can do so via your browser settings. However, disabling mandatory cookies may cause certain parts of the site to function improperly.

Explicit Consent and Legal Basis

All cookies other than mandatory ones are processed only with your explicit consent. You may withdraw your consent at any time and update your cookie preferences.

Information and Explicit Consent Processes

At Regnum Hotels, we uphold the principle of transparency in all activities concerning personal data protection. Informing data subjects and obtaining explicit consent where necessary is our legal obligation during personal data processing.

Obligation to Inform

In accordance with Article 10 of the KVKK and Articles 13 and 14 of the GDPR, data subjects are presented with privacy notices at the time of data collection containing the following information:

• Identity of the data controller and its representative, if any

• Purpose of personal data processing

• Recipients and purposes of data transfers

• Method and legal basis for data collection

• Data subjects' rights under Article 11 of the KVKK and the GDPR

These privacy notices are tailored separately for guests, employees, suppliers, business partners, and visitors, and provided at the point and channel of data collection.

You can access the privacy notices prepared for different data subject groups via the following links:
Privacy Notices:

• Please click for the Guest Clarification Text

• Please click for the Employee Clarification Text

• Please click for the Supplier Business Partner Clarification Text

Camera Privacy Notices:

• Please click for the Guest Clarification Text Regarding Security Cameras

• Please click for the Employee Clarification Text Regarding Security Cameras

• Please click for the Supplier Clarification Regarding Security Cameras

Policies:

• Please click for the Personal Data Processing and Protection Policy

• Please click for the Personal Data Storage and Destruction Policy

Application Form:

• Please click here for the KVKK Application Form

Situations Requiring Explicit Consent

According to Article 5/1 of the KVKK and Article 6/1(a) of the GDPR, separate consent forms are provided for situations where data processing requires explicit consent. Such consent is obtained for:

• Marketing, promotions, and campaign notifications

• Profiling and personalized services

• Use of third-party advertising cookies

• Processing of special categories of personal data (e.g., health, disability, allergies)

• Cross-border data transfers (except in cases of legal exceptions)

Withdrawal of Explicit Consent

Even after giving consent, the data subject has the right to withdraw it at any time. Once consent is withdrawn, the processing based on that consent is terminated. This withdrawal can be made through an application by the data subject or using automated consent management tools provided in the system.

Application and Complaint Process

Personal data subjects may submit requests regarding their rights under Article 11 of the KVKK and Articles 15–22 of the GDPR to Regnum Hotels.

Application Methods

Data subjects may submit applications through one of the following methods:

• Email: To [email protected] via registered email (KEP) or an email address registered in our system

• Postal Mail: By sending a wet-signed application form along with a copy of an ID by registered mail

• In-Person: By applying in person at Regnum Hotels premises

Applications can be submitted using the “KVKK Application Form,” which is available on our website or at the hotel reception desks.

Response Time to Applications

Applications are processed free of charge and finalized within 30 days. However, if the process incurs additional costs, a fee may be charged based on the tariff set by the Personal Data Protection Authority.

Right to Complain

Under the KVKK, if an application is rejected or no response is provided within 30 days, the data subject has the right to file a complaint with the Authority. Under the GDPR, the data subject may also lodge a complaint with the data protection authority in their country of residence.

Changes to the Privacy Policy

Regnum Hotels may update this Privacy Policy from time to time in accordance with changes in legal regulations, updates to the scope of services, or revisions in data processing activities.

Tracking Updates

The update date of the policy is indicated at the end of the document, and the most recent version is always available at www.regnumhotels.com/kvkk. Previous versions can be provided upon request.

Notification Methods

Significant changes to our privacy policy may be communicated to data subjects via email, SMS, mobile app notifications, or in-hotel announcements. They may also be published as a “Policy Update” notification on our website.
This ensures that data subjects are informed of any major changes that may affect their rights.

Third-Party Websites and Disclaimer

The Regnum Hotels website may contain links to other websites operated by third parties to enhance the user experience.

External Links

These links are provided for informational purposes only and are not under the control of Regnum Hotels in terms of their privacy practices. Users are responsible for reviewing the privacy policies and cookie settings of any third-party sites they access through these links.

Disclaimer

Regnum Hotels does not accept any responsibility for the content, data processing activities, or security practices of third-party websites. Users should exercise due caution before sharing personal data on external websites to which they are redirected.

Surveys and Marketing Communications

Regnum Hotels, in accordance with Law No. 6563 on the Regulation of Electronic Commerce, sends surveys and commercial electronic messages only to guests who have given prior consent.
The messages sent are intended to evaluate service quality, enhance customer experience, and provide promotional information. The data processed in these activities is shared only for the specified purposes with survey system providers (e.g., Related Marketing Cloud - RMC, QuestionPro, etc.). The only shared data is the email address, which is retained for a maximum of 2 months before being deleted.
Guests may opt out of receiving these communications at any time and update their communication preferences by contacting [email protected].

Automated Data Processing and Profiling

Regnum Hotels processes and analyzes certain personal data through automated means to enhance user experience, improve service quality, and deliver personalized offers. These operations are carried out in compliance with the provisions of the KVKK and GDPR.

The sources used for automated data processing include:

• Website and Mobile Application Usage: Pages visited, clicks, session duration, device and browser details, language preference, IP address, etc.

• Loyalty Program Data: Booking history, frequency of stays, campaign interactions, spending amounts.

• Security Systems: Entry and exit logs, in-facility movement tracking.

• Survey Results and Digital Interactions: Preferences, feedback, segmentation data.

These data may be analyzed for the following purposes:

• Personalizing services (e.g., room preferences, dietary habits, SPA usage)

• Offering targeted campaigns and discounts

• Segmenting based on loyalty levels

• Optimizing website and app interfaces

Profiling Operations:

• Segment-based content for advertising and marketing purposes is provided only to users who have given explicit consent.

• No users are subject to automated decision-making (e.g., algorithmic rejections).

• Users have the right to learn whether they are subject to profiling, object to processing, and request deletion of profile data.

Commercial Message Management System (İYS)

Message Management System (İYS)

Regnum Hotels sends commercial electronic messages only to individuals who have given prior consent, in accordance with Law No. 6563 on the Regulation of Electronic Commerce and related regulations.
In this context, commercial communications (campaign announcements, surveys, promotions) sent via the following communication channels are recorded and managed through the Message Management System (İYS):

• SMS

• Email

• Phone calls

• Other electronic messages

Through the İYS platform, users can:

• View their current communication permissions

• Revoke permissions for any communication channel

• Avoid receiving any message they have not explicitly consented to

Official Platform: https://iys.org.tr

Data Security:
Permission data and contact information are processed only via İYS-integrated systems and are protected in compliance with the KVKK and GDPR. No communications are sent without explicit consent.

Digital Application Conversations and Message Retention

Regnum Hotels actively utilizes digital technologies to enhance guest satisfaction. In this context, written communications through mobile apps, WhatsApp groups, and in-hotel digital communication platforms may be recorded to improve service quality, track transaction history, and resolve potential disputes.

Included Digital Channels:

• In-app messaging panels

• WhatsApp group/personal conversations

• Hotel digital assistant modules

• Loyalty app messaging systems

Recording and Retention Conditions:

• Conversations are retained only during the service period and for a maximum of 1 year in secure systems.

• Messages are protected with restricted system access and are accessible only to authorized personnel.

• Guests are informed at the beginning of the conversation, and explicit consent is obtained when required.

Data Security:

• Stored messages are encrypted and logged in traceable systems.

• Message content is used solely to fulfill guest requests, analyze complaints, or measure service quality.

• Messages are never shared with third parties or processed for marketing purposes.

This practice is carried out based on legitimate interest in accordance with Article 5/2-f of the KVKK and Article 6/1-f of the GDPR. Data subjects retain the right to object to data processing activities.

Profiling and Automated Decision-Making Rights

Under the GDPR (Art. 21 and Art. 22) and KVKK regulations, data subjects have specific rights regarding profiling and automated individual decision-making processes.

Right to Object to Profiling

Data subjects may object to the processing of their personal data for profiling purposes, particularly when such profiling is used for direct marketing. Upon objection, the profiling activity must be halted unless compelling legitimate grounds can be demonstrated by the data controller.

Right to Object to Automated Decision-Making

Regnum Hotels does not engage in decision-making processes that are based solely on automated processing, including profiling, which produce legal effects or significantly affect individuals. Should such processing be carried out in the future, data subjects shall have the right to request human intervention, express their point of view, and contest the decision.

Policy Update and Revision Information

This Privacy Policy may be revised from time to time in line with legal amendments or updates to the scope of services.

• Last Update Date: 28.06.2025

• Revision No: 01

 

 

--------

As REGNUM CARYA, we collect your information in order to communicate effectively and to provide the best experience for you with our services.

In accordance with the “Personal Data Protection Law” No. 6698, whilst collecting personal data we have the obligation to provide clarification on the purpose of processing personal data, to whom and for what purpose the processed personal data may be transferred, the method and legal reason for collection of personal data, and other rights set forth under article 11 of the Law.

Our policies regarding the processing, protection, storage and destruction of personal data;

 

As the data subject, you may request the following by applying to us:

• Learn whether or not personal data is processed,
• Request information if personal data is processed,
• Learn the purpose of personal data processing and whether this data is used for the purposes intended,
• Know the third parties to whom personal data is transferred to in Turkey or abroad
• Request rectification of personal data if data is processed incompletely or inaccurately
• Request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Personal Data Protection Law No. 6698,
• Request the notification of the third parties to whom personal data is transferred to of the transactions made relating to the 5th and 6th requests mentioned above
• Object to the occurrence of any result that is detrimental to the data subject by means of analysis of personal data exclusively through automated means,
• Request compensation for the damage arising from the unlawful processing of personal data.

 

As REGNUM CARYA, we respect and value your right to privacy. Therefore, we would like to provide information about the security cameras in accordance with the Personal Data Protection Law no. 6698 (KVKK) entered into force for the purpose of protecting the fundamental rights and freedoms with respect to the use of personal data.