Privacy and Return Policy

Purpose: Contract performance, payments, business relationship management

Personal data is processed under KVKK Articles 5 and 6, and GDPR Article 6 (where applicable), based on:

• Explicit consent (e.g., marketing communications)

• Contract performance (e.g., service delivery, bookings)

• Legal obligations (e.g., tax records, employment law)

• Legitimate interests (e.g., fraud prevention, service improvement), provided fundamental rights are not harmed

We collect information you voluntarily provide, including:

• Account registration details (name, email, phone)

• Payment information for transactions

• Communication content (support requests, feedback)

• Profile information and preferences

We automatically collect:

• Technical Data: IP address, browser type, device characteristics, operating system, browser plug-in types and versions, time zone settings

• Usage Data: Pages visited, time spent, clickstream data with date and time stamps, feature usage, page response times, download errors, length of visits to specific pages

• Interaction Data: Page interaction information (scrolling, clicks, mouse-overs), methods used to browse away from pages

• Location Data: General geographic location based on IP address

• Purchase History: Aggregated with similar information from other users for analytics

• Cookie Data: As described in our Cookie section below

• Customer Service Data: Phone numbers given

We may receive information from:

• Fraud prevention services

• Social media platforms (publicly available information only)

• Business partners and affiliates

We use collected information to:

• Provide and maintain our Service

• Process transactions and bookings

• Communicate with you about our Service

• Improve our Service based on usage patterns

• Prevent fraud and ensure security

• Comply with legal obligations

• Send marketing communications (with consent)

• Administer contests, promotions, surveys, and other site features

• Manage call center interactions and customer support

We share personal data with trusted third-party service providers who assist us with:

• IT infrastructure and hosting

• Payment processing

• Customer support

• Analytics and marketing

• Legal and professional services

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to the same privacy protections.

We may disclose personal data when required by law, court order, or to protect our rights, safety, or the rights of others.

Personal data may be transferred to countries outside Turkey and the EEA. We implement appropriate safeguards including:

• Standard contractual clauses

• Adequacy decisions by relevant authorities

• Explicit consent where required

We use cookies and similar technologies to:

• Ensure website functionality

• Analyze usage patterns

• Personalize content

• Serve relevant advertisements

Types of Storage Technologies:

• Cookies: Small data files stored on your device for identification and analytics

• Flash Cookies (Local Shared Objects): Used for fraud prevention and enhanced functionality

• Local Storage (DOM Storage): Provides persistent data storage with greater capacity than cookies
  

• Sessions: Small data pieces to identify areas of our website you've visited

Cookie Management: Most browsers allow you to control cookies through their settings. Disabling cookies may affect website functionality.

Third-Party Tracking:

• Google Analytics: For website analytics (subject to Google's privacy policy)

• Facebook Pixel: For advertising effectiveness (subject to Facebook's privacy policy)

• Google Maps API: For location services (subject to Google's privacy policy)

• Google Tag Manager: For managing and deploying tracking codes (subject to Google's privacy policy)

• HotJar.com: For user behavior analytics such as heatmaps and recordings (subject to Hotjar’s privacy policy)

• Facebook (Meta): For social media integrations and advertising (subject to Meta’s privacy policy)

• Google Ads: For online advertising campaigns (subject to Google’s privacy policy)

We use remarketing services to serve advertisements across the internet to people who have previously visited our website. This creates a personalized advertising experience that may appear as though we are 'following' you on the websites and platforms you visit most frequently. These services operate according to their respective privacy policies.

We retain personal data only as long as necessary for the purposes outlined in this policy or as required by law. Specific retention periods:

• Customer Data: Until account deletion plus 6 years for legal/tax purposes

• Transaction Records: 7 years as required by Turkish commercial law

• Marketing Data: Until consent is withdrawn

• Website Analytics: 26 months

Upon expiry, data is securely deleted or anonymized.

Depending on your location, you may have the following rights:

• Right to be informed about data processing

• Right to access your personal data

• Right to request correction of inaccurate data

• Right to deletion (under specific conditions)

• Right to object to processing

• Right to data portability

• Right to lodge a complaint with supervisory authorities
  

All KVKK rights plus:

• Right to restrict processing

• Right not to be subject to automated decision-making

• Right to withdraw consent at any time

Exercising Your Rights: Contact us at info@citioapp.com. We will respond within 30 days and may require identity verification.

We implement technical and organizational measures to protect personal data, including:

• SSL encryption for data transmission

• Access controls and authentication

• Regular security assessments

• Staff training on data protection

• Incident response procedures

Important Notice About Data Backups: To protect information from inadvertent loss, we maintain backup systems. This means that a copy of your information may exist in a

non-erasable form that may be difficult or impossible for us to locate. However, we commit to updating, correcting, or deleting all personal information stored in databases we actively use and other readily searchable media as soon as reasonably and technically practicable upon your request.

We may send marketing communications with your explicit consent. You can:

• Unsubscribe using links in our emails
  

• Contact us to opt out of all marketing

• Update your communication preferences in your account settings

Our Service may contain links to third-party websites, integrate third-party services, or use

third-party tools for various functionalities. This Privacy Policy does not apply to such third-party services.

Third-Party Tools We Use:

• Google Analytics: Collects website usage data (subject to Google's Privacy Policy)

• Facebook Pixel: Tracks advertising effectiveness (subject to Facebook's Privacy Policy)

• Google Maps API: Provides location services (subject to Google's Privacy Policy)

• Payment Processors: Handle transaction processing (subject to their respective privacy policies)

• Customer Support Tools: May collect communication data (subject to provider privacy policies)

Important Notes:

• These third parties may collect data directly from your device

• They operate under their own privacy policies and terms of service

• We do not control their data practices

• Some tools may use cookies or similar tracking technologies

• Data collected by third parties may be subject to different retention periods and geographic locations

Your Control:

• You can disable cookies to limit some third-party data collection

• Review third-party privacy policies for opt-out options

• Contact us if you have concerns about specific third-party integrations

We encourage you to read the privacy policies of any third-party services you interact with through our platform.

Governing Law: This Privacy Policy is governed by Turkish law.

Cross-Border Transfers: By using our Service, you consent to the transfer of your information to Turkey and other countries where we operate, which may have different data protection laws than your country of residence.

We may update this Privacy Policy periodically. All changes can be found at the link at all times: https://citioapp.com/en/page/privacy-policy

Booking Events: If the purchased item is for a booking event, it can be returned at least 24 hours before the event starts.

Tangible Products: If it is a tangible product and you are located in Istanbul, it can be returned within 24 hours of receipt.

For return requests, please contact us using the information provided in the Contact section below.

For questions about this Privacy Policy or our data practices:

Email: info@citioapp.com

Website: https://citioapp.com/

Address: Akat Mah. Zeytinoğlu Cad Selçuklar Sok. Eti Apt B/6 Beşiktaş İstanbul

This Privacy Policy was last updated on 26.09.2025. Please review it regularly for any changes.