Privacy Policy and UK GDPR Notice

Key Definitions

1Data Controller and Contact Details

The legal entity acting as data controller under this privacy policy is set out below.

The data controller for all services offered through the kemeryachtrental.com website is the legal entity above. Any request, query or formal application about your personal data can be sent to us through the channels listed above.

2Personal Data We Collect

To deliver a high quality service, meet our legal obligations and keep you safe at sea, we collect personal data in the following categories.

How We Collect Your Data

Your personal data is collected through the following channels, in most cases directly from you:

• Booking and contact forms on our website
• Phone calls, WhatsApp, Telegram and email correspondence
• Face to face meetings at your hotel or villa, or at our office
• Online payment links and bank transfer processes
• Cookies and on site analytics tools (automatic)
• Review and rating platforms (voluntary)

3Processing Purposes and Lawful Basis

We process your personal data only for specific, explicit and legitimate purposes. The lawful basis under the UK GDPR is set out for each purpose below.

Booking and Service Delivery

Your data is processed to confirm your booking, brief the crew, organise your transfer and run the service smoothly. Lawful basis is performance of a contract under Art. 6(1)(b) UK GDPR.

Legal Obligations

Your data is processed and, where necessary, disclosed for tax purposes, TURSAB reporting, maritime regulations, passenger manifest records and lawful requests from authorities. Lawful basis is compliance with a legal obligation under Art. 6(1)(c) UK GDPR.

Safety and Emergency Situations

In the event of an emergency at sea, your identity and contact data are used to communicate with the Coast Guard, medical teams and other competent authorities. Lawful basis is protection of vital interests under Art. 6(1)(d) UK GDPR.

Improving Our Service Quality

Surveys, feedback forms and web analytics data are used to improve our service, usually on the basis of anonymised data. Lawful basis is our legitimate interest under Art. 6(1)(f) UK GDPR.

Marketing Communications (Only With Your Consent)

We use your contact details to send updates about new routes, seasonal offers and promotions. This type of communication is sent only with your explicit consent and can be withdrawn at any time. Lawful basis is your consent under Art. 6(1)(a) UK GDPR, together with the rules of the Privacy and Electronic Communications Regulations (PECR).

4Data Sharing and Disclosure

We never sell, rent or share your data with third parties without your consent or a legal requirement. To deliver our service, however, certain data must be shared with the following parties:

• Boat operators and captains. Guest name, phone number, group size, special requests and passport details for the manifest.
• Transfer providers. Pickup address, phone number and number of passengers.
• Payment providers. Banks, virtual POS providers and payment intermediaries. Payment data is processed only within their secure systems and we do not store full card numbers.
• Public authorities. Upon formal written request from courts, public prosecutors, law enforcement, tax offices or TURSAB.
• Hosting, email and analytics providers. Third parties used for website hosting, email delivery and traffic analytics. Your data is protected through encryption and data processing agreements.

5International Data Transfers

Our website infrastructure and some of our analytics and communication tools are operated by providers whose servers are located outside the United Kingdom. In these cases, certain data is transferred internationally:

• Google LLC (USA). Google Analytics, Tag Manager, Google Maps
• Meta Platforms Inc. (USA). Facebook and Instagram pixels, WhatsApp communication
• Statcounter (Ireland). Traffic analytics
• Telegram Messenger (UAE). Instant messaging

6Data Retention Periods

We keep your data only for as long as necessary for the purposes set out above. Retention periods are determined by legal and professional requirements:

• Booking and service records. 10 years from the completion of the service (under Turkish Commercial Code and Tax Procedure Law).
• Invoices and financial documents. 10 years (tax legislation).
• Contact form messages. 1 year after the communication ends.
• Data collected with marketing consent. Until you withdraw your consent.
• Cookies and analytics data. From session duration up to 2 years, depending on the cookie type.
• Anonymised statistics. Indefinitely, since they no longer identify an individual.

Data whose retention period has expired is automatically deleted, destroyed or anonymised.

7Security Measures

To protect your personal data, we apply appropriate technical and organisational measures:

• SSL and HTTPS encryption. All form submissions and data traffic on our website are encrypted with SSL.
• Restricted access. Only staff who need access for their role can view your data.
• Password policy. Access to our systems is protected by strong passwords and two factor authentication.
• Regular backups. Data is regularly backed up to encrypted storage.
• Oversight of processors. We sign data processing agreements with all providers we work with.
• Breach notification. In the event of a personal data breach, we notify the Information Commissioner's Office (ICO) within 72 hours under Art. 33 UK GDPR, and inform affected individuals where required.

8Your Rights Under the UK GDPR

Under Articles 15 to 22 of the UK GDPR, as a data subject you have the following rights. To exercise any of them, please use the contact channels listed in section 11.

9Supplementary Notes Under the DPA 2018 and KVKK

For users resident in the United Kingdom, the provisions of the Data Protection Act 2018 (DPA 2018) apply in addition to the UK GDPR. The DPA 2018 supplements and clarifies the UK GDPR in areas where it leaves room for national rules, including law enforcement, intelligence services, criminal convictions data and certain exemptions.

The UK supervisory authority is the Information Commissioner's Office (ICO). You can find more information about your rights and how to file a complaint at ico.org.uk.

Because our company is based in Türkiye, we are also subject to the Turkish Personal Data Protection Law No. 6698 (KVKK — Kişisel Verilerin Korunması Kanunu). The KVKK is broadly aligned with the GDPR, so your rights are comparable under both legal frameworks.

10Cookies and Tracking Technologies

Our website uses cookies to improve your experience and analyse traffic. Cookies are small text files stored in your browser.

Types of Cookies We Use

• Strictly necessary cookies. Required for basic site functions such as session, language preference and currency selection. They cannot be switched off.
• Analytics cookies. Tools such as Google Analytics and Statcounter that analyse visitor behaviour anonymously.
• Marketing cookies. Tools such as the Meta (Facebook and Instagram) pixel that help us show adverts relevant to your interests.
• Preference cookies. Remember your choices such as language and currency.

You can always delete, block or be asked about cookies through your browser settings. Please note that disabling strictly necessary cookies may affect some site functions.

11Policy Changes and How to Apply

This privacy policy may be revised when needed, for example following new legal requirements, changes to our services or updates to the technologies we use. For significant changes we publish a notice on our website, and the date of the current version is shown at the top of this page.

To exercise any of the rights above or ask any question about our privacy practices, simply get in touch. Under Art. 12(3) UK GDPR we respond to your request within 30 days at no cost.

This privacy policy has been prepared in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018 and the Turkish Personal Data Protection Law No. 6698. For legally binding interpretations, we recommend consulting a qualified solicitor.