Privacy Policy

AYTATA BİLİŞİM SANAYİ VE TİCARET LİMİTED ŞİRKETİ ("Company," "we," "us," or "our"), operating the Vistumo platform, is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (vistumo.com) and mobile application (collectively, the "Service").

Vistumo is a tourist tax payment facilitation service that helps travelers pay mandatory tourist taxes for destinations including Bali (Indonesia), Venice (Italy), and Quintana Roo (Mexico). We act as an intermediary to simplify the payment process on your behalf.

The data controller responsible for your personal data is:

For users in the European Economic Area, please contact us at: contact@vistumo.com

To provide our tourist tax payment facilitation service, we collect and process the following categories of personal data:

3.1 Information You Provide Directly

3.2 Information Collected Automatically

When you use our Service, we may automatically collect:

• Device information (device type, operating system, unique device identifiers)
• Log data (IP address, browser type, pages visited, time and date of visit)
• Location data (country-level, derived from IP address)
• Usage data (features used, interactions with the Service)

3.3 Payment Information

We do not directly collect, store, or process your credit card or payment card information. All payment processing is handled by our PCI-DSS compliant payment processor. When you make a payment, your card details are entered on a secure payment page hosted by our payment processor. We only receive confirmation of successful or failed transactions, transaction IDs, payment amounts, card type (e.g., Visa, Mastercard), and the last four digits of your card number.

We use your personal data for the following purposes:

• To process and submit your tourist tax payments to the relevant government authorities
• To deliver your tax payment confirmation and QR codes via email
• To communicate with you regarding your transactions and provide customer support
• To comply with legal obligations and respond to lawful requests from authorities
• To detect, prevent, and address fraud, security issues, and technical problems
• To improve and optimize our Service
• To maintain records for accounting, tax, and audit purposes

For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions with similar data protection laws, we process your personal data based on the following legal grounds:

We share your personal data with the following categories of recipients:

6.1 Government Tourism Tax Authorities

To fulfill our service, we must share your personal data (name, passport number, country, date of birth, travel dates) with the official government portals of your destination:

• Bali, Indonesia: Bali Provincial Government via Love Bali portal (lovebali.baliprov.go.id)
• Venice, Italy: Municipality of Venice via Venezia Unica system (cda.veneziaunica.it)
• Quintana Roo, Mexico: State of Quintana Roo via VISITAX portal (visitax.gob.mx)

These government authorities are independent data controllers and process your data according to their own privacy policies and applicable laws. We recommend reviewing their privacy notices.

6.2 Payment Processor

Our payment processor processes all payments on our behalf. Our payment processor is a licensed payment institution and maintains PCI-DSS compliance. They receive only the information necessary to process your payment transaction.

6.3 Service Providers

We may engage trusted third-party service providers who assist us in operating our Service, such as cloud hosting providers, email delivery services, and customer support tools. These providers are contractually bound to process your data only on our instructions and implement appropriate security measures.

6.4 Legal Requirements

We may disclose your personal data if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

AYTATA BİLİŞİM SANAYİ VE TİCARET LİMİTED ŞİRKETİ is based in Turkey, which has not received an adequacy decision from the European Commission. When we transfer your personal data outside the European Economic Area (EEA) or the United Kingdom, we implement appropriate safeguards:

• Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses for data transfers between our service providers and Turkey where applicable.
• Transfer Impact Assessments: We conduct transfer impact assessments to evaluate the level of protection in destination countries.
• Supplementary Measures: We implement technical measures including encryption in transit and at rest, access controls, and pseudonymization where appropriate.

Your data is also transferred to the relevant government tourism tax portal depending on your chosen destination. These transfers are necessary to perform our contract with you (GDPR Article 49(1)(b)). At checkout, you are also asked to provide your express consent for these cross-border data transfers (GDPR Article 49(1)(a)). The specific government portals receiving your data are:

• Indonesia: Bali Provincial Government portal, subject to Indonesian Personal Data Protection Law (UU PDP, Law No. 27 of 2022)
• Italy: Municipality of Venice system, subject to EU GDPR and Italian Privacy Code (Legislative Decree 196/2003). As an EU member state, transfers to Italy do not constitute international transfers under GDPR.
• Mexico: State of Quintana Roo portal, subject to Mexican Federal Data Protection Law (LFPDPPP)

These government authorities are independent data controllers. Once your data is submitted to their systems, their respective data protection laws and privacy policies apply. We recommend reviewing their privacy notices.

We retain your personal data for the following periods, applying the principle of data minimization:

Passport and identity data is retained only for the minimum period necessary. The 180-day retention period aligns with payment dispute resolution timeframes (card network chargeback windows extend up to 120 days). After 180 days, this data is permanently deleted, even if other transaction records are retained longer for compliance purposes.

Depending on your location, you may have the following rights regarding your personal data:

9.1 Rights Under GDPR (EEA/UK Users)

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your data where there is no compelling reason for continued processing.
• Right to Restrict Processing: Request limitation of processing in certain circumstances.
• Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
• Right to Object: Object to processing based on legitimate interests.
• Right to Lodge a Complaint: File a complaint with your local supervisory authority (e.g., Italian Garante per la Protezione dei Dati Personali).

9.2 Rights Under CCPA/CPRA (California Users)

If you are a California resident and we meet the CCPA applicability thresholds, you have the right to:

• Know what personal information we collect, use, disclose, and sell
• Delete your personal information (subject to exceptions)
• Opt-out of the sale or sharing of your personal information (we do not sell your data)
• Limit the use of sensitive personal information
• Non-discrimination for exercising your privacy rights

We do not sell your personal information. Passport numbers are considered "sensitive personal information" under CCPA. We process this data only as necessary to provide our services.

9.3 Rights Under Turkish KVKK

Under Turkish Law No. 6698 on the Protection of Personal Data (KVKK), you have the right to:

• Learn whether your personal data is processed
• Request information about processing activities
• Learn the purpose and whether data is used accordingly
• Know third parties to whom data is transferred
• Request correction of incomplete or inaccurate data
• Request deletion or destruction under Article 7
• Object to negative outcomes resulting from automated processing

9.4 Exercising Your Rights

To exercise any of these rights, please contact us at contact@vistumo.com. We will respond within the timeframes required by applicable law (30 days for GDPR/KVKK, 45 days for CCPA). We may need to verify your identity before processing your request.

We implement appropriate technical and organizational measures to protect your personal data, including:

• 256-bit encryption of data in transit (TLS/SSL) and at rest
• Access controls and authentication mechanisms
• Regular security assessments and vulnerability testing
• Employee training on data protection
• Incident response procedures
• PCI-DSS compliant payment processing

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33 and KVKK Article 12(5).
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34.
• Document the breach including the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach.

Given the sensitive nature of passport data processed by our Service, we treat any unauthorized access to identity documents with the highest priority. In the event of a breach involving passport numbers:

• Affected users will be notified promptly with specific guidance on protective measures
• We will cooperate with relevant authorities in all applicable jurisdictions
• We will provide regular updates on the investigation and remediation efforts

Breach notifications will be sent to the email address associated with your account. You may also contact us at contact@vistumo.com to inquire about any potential breach affecting your data.

Our Service is not directed to individuals under the age of 18. We require all users (account holders) to be at least 18 years old. Children under 18 may not create accounts or use our Service directly.

However, our Service allows parents and legal guardians to pay tourist taxes on behalf of minor children traveling with them. In such cases, the adult user provides the minor's personal data (name, passport number, date of birth, country) as part of the order. We process this data solely for the purpose of completing the tourist tax registration and apply the same security measures and retention periods as for adult data. The adult user is responsible for ensuring they have the legal authority to submit the minor's personal data.

If you become aware that a child has independently provided us with personal data without parental consent, please contact us at contact@vistumo.com, and we will take steps to delete such information.

We use cookies and similar tracking technologies to enhance your experience. Types of cookies we use:

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of our Service.

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the "Last Updated" date, and, where required by law, obtaining your consent or providing additional notice. We encourage you to review this Privacy Policy periodically.

This Privacy Policy should be read in conjunction with our other legal documents:

• Terms of Use — governing your use of our Service
• Distance Sales Agreement — governing the sale of our digital services
• Delivery & Returns Policy — governing delivery timelines and refund eligibility

If you have any questions about this Privacy Policy or our data practices, please contact us: