Privacy Policy

1. Introduction

Tidebloom ("we," "our," or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our services, visit our website, or engage with our Cappadocia travel experiences.

We operate in compliance with the Malaysian Personal Data Protection Act 2010 (PDPA) and respect international data protection standards including the European Union's General Data Protection Regulation (GDPR) for travelers from EU countries.

By using our services, you consent to the data practices described in this policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Personal Information You Provide

We collect personal information that you voluntarily provide when you:

• Submit inquiry forms or booking requests through our website
• Communicate with us via email, phone, or messaging platforms
• Register for our experiences or create an account
• Participate in surveys, promotions, or feedback requests

This information may include: full name, email address, phone number, mailing address, passport information (for travel bookings), payment details, dietary restrictions, medical conditions relevant to travel safety, emergency contact information, and any other information you choose to provide.

2.2 Automatically Collected Information

When you visit our website, we may automatically collect certain technical information including IP address, browser type and version, device identifiers, operating system, referring website URLs, pages viewed, time spent on pages, and click data.

2.3 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your browsing experience. See our Cookie Policy for detailed information about our cookie practices.

3. How We Use Your Information

We process your personal data for the following purposes:

• Service Delivery: To process bookings, coordinate travel logistics, arrange accommodations, meals, transport, and activities as part of your Cappadocia experience
• Communication: To respond to inquiries, provide booking confirmations, send pre-travel information, and communicate important updates about your journey
• Payment Processing: To process transactions, prevent fraud, and maintain financial records
• Safety and Compliance: To ensure compliance with aviation safety regulations, share necessary information with balloon operators and guides, and respond to emergencies
• Marketing: To send promotional materials about our services, with your consent (you may opt out at any time)
• Improvement: To analyze website usage, improve our services, and enhance customer experience
• Legal Obligations: To comply with applicable laws, regulations, and legal processes

4. Legal Basis for Processing (GDPR)

For EU travelers, we process your personal data based on:

• Contract Performance: Processing necessary to fulfill our travel service contract with you
• Legitimate Interests: Processing necessary for our business operations, fraud prevention, and service improvement
• Consent: Where you have provided explicit consent, such as for marketing communications
• Legal Compliance: Processing required to comply with legal obligations

5. Data Sharing and Disclosure

We share your personal information only in the following circumstances:

5.1 Service Providers

We share data with trusted third parties who assist in delivering our services: balloon operators in Turkey (for flight coordination), hotels and accommodation providers, ground transport companies, tour guides and cultural experts, payment processors, and IT service providers. These parties are contractually obligated to protect your data and use it only for specified purposes.

5.2 Legal Requirements

We may disclose information when required by law, in response to legal process, to protect rights and safety, or to prevent fraud and security threats.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity.

6. International Data Transfers

As we coordinate travel experiences in Turkey, your personal information may be transferred to and processed in Turkey and other countries where our service providers operate. We ensure appropriate safeguards are in place through contractual agreements and adherence to international data protection frameworks.

7. Data Security

We implement appropriate technical and organizational security measures to protect your personal data:

• Encryption of sensitive data during transmission and storage
• Secure servers with restricted access controls
• Regular security audits and vulnerability assessments
• Employee training on data protection and confidentiality
• Secure payment processing through PCI-DSS compliant systems

However, no method of transmission over the internet is completely secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

• Booking Information: Retained for 7 years to comply with financial and tax regulations
• Marketing Data: Retained until you withdraw consent or we determine it's no longer relevant
• Website Analytics: Aggregated data retained indefinitely; individual data retained for 2 years
• Correspondence: Retained for 3 years after the last communication

After the retention period expires, we securely delete or anonymize your personal data.

9. Your Rights

Under Malaysian PDPA and GDPR (for EU travelers), you have the following rights:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate or incomplete data
• Erasure: Request deletion of your personal data (subject to legal obligations)
• Restriction: Request limitation of processing in certain circumstances
• Data Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests or for marketing purposes
• Withdraw Consent: Withdraw consent for processing where consent was the legal basis

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

10. Children's Privacy

Our services are intended for individuals aged 18 and above. We do not knowingly collect personal information from minors under 18 without parental consent. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.

11. Third-Party Websites

Our website may contain links to third-party websites (such as airline booking sites, hotel platforms, or tourism information). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or business operations. We will notify you of material changes by posting the updated policy on our website with a new "Last Updated" date. Continued use of our services after changes constitutes acceptance of the updated policy.

13. Complaints and Supervisory Authority

If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with the relevant supervisory authority:

• Malaysia: Personal Data Protection Department, Ministry of Communications and Digital
• EU Travelers: Your local data protection authority

We encourage you to contact us first so we can address your concerns directly.

14. Contact Information

For questions, concerns, or requests related to this Privacy Policy or our data practices, please contact: