Privacy Policy

How we protect your personal data — aligned with KKTC Law 88/2024 (Kişisel Verileri Koruma Yasası) and GDPR principles.

Last updated: 25 May 2026

1. Data Controller

Company: Ağrı ve Toros Turizm Ltd (Kipra Rent A Car)
Legal form: Limited liability company registered in TRNC (Northern Cyprus)
Address: İsmet İnönü Bulvarı 117, Famagusta 99450, TRNC
E-mail: info@kiprarent.com
Phone: +90 546 996 10 04

2. Personal Data Categories

Identity: first name, surname, date of birth.
Contact: phone, email, postal address.
Document photos: driving licence (front + back), passport or ID card (front + back). Requested only as part of a rental booking; stored in secure object storage (Cloudflare R2).
Booking data: rental dates, pickup/return location, vehicle choice, add-ons (child seat, additional driver, etc.).
Payment data: your preferred payment method. Card details are never stored on the website — physical POS terminals at handover process them and the bank records remain with our payment provider.
Technical data: IP address, browser type, cookie data, page view durations.
Location data (for transfers): the airport or border crossing you ask us to meet you at.

3. Processing Purposes

Booking and rental contract management.
Customer identity verification (KYC) — required by local and international regulation.
Traffic fine, insurance, and damage handling.
Compliance with legal obligations (tax, insurance, audits).
Communication with you (booking confirmation, reminders, support).
Website analytics — only if you give consent.

4. Legal Basis

We process your personal data on one or more of the following legal bases:

Contract performance — necessary to enter into and perform the rental contract (identity, contact, document, booking, payment data).
Legal obligation — tax, insurance, traffic-fine reporting, and similar statutory duties.
Explicit consent — for analytics cookies and any additional data you volunteer.
Legitimate interest — site security, fraud prevention, service-quality improvement (only where this does not override your rights).

5. Recipients

We share your data with specific third parties strictly to deliver the service:

Recipient	Which data	Location	Purpose
Cloudflare, Inc.	All site data, document photos	US / EU data centres	Hosting, KV session storage, R2 object storage, DDoS protection
Clerk, Inc.	Email and name when you create an account	United States	Authentication (sign-in / sign-up)
Resend, Inc.	Email address, name, booking details	United States	Transactional email delivery (booking confirmations, etc.)
Google LLC (Gemini)	KYC document photos (at OCR time only)	US / global	Optical character recognition — extracts fields from the document you uploaded
Google LLC (Analytics)	Anonymous usage statistics	United States	Site analytics — only with your consent
TRNC Police / competent authorities	Data covered by lawful request	TRNC	Legal obligation (court order, traffic fines, investigation)
Insurance provider	Damage/accident-related documents and identification	TRNC / Türkiye	Damage/accident reporting, insurance claims

6. Cross-Border Transfer

Some of the providers listed above operate servers outside the TRNC — mainly in the United States and the EU. These transfers are necessary for the service we provide to you:

All transfers happen over TLS-encrypted connections.
Each third-party provider's own privacy policy and data-protection standards apply.
Cloudflare, Clerk, Resend, and Google have compliance commitments aligned with the EU General Data Protection Regulation (GDPR) and equivalent frameworks.
For consent-based transfers (e.g. analytics) you can withdraw consent at any time — use the preference panel on the Cookie Policy page.

7. Retention Periods

Data category	Retention
KYC document photos (licence, passport, ID)	Deleted 1 year after the rental ends
Booking and invoice data	5 years (TRNC tax law)
Communication logs (email exchanges)	1 year
Anonymous analytics data	Indefinite (cannot be linked back to an individual)
Cookie data	Per-cookie — see Cookie Policy

8. Data Security

HTTPS/TLS encryption on every connection.
No card data on the website — processed only via the physical POS terminal.
Access control: only authorised Kipra staff can access personal data; every access is logged.
Backups: daily, encrypted, used only for disaster recovery.
Document photos live in separate secure object storage (Cloudflare R2) with restricted access.

9. Your Rights as a Data Subject

Under KKTC Law 88/2024 (Kişisel Verileri Koruma Yasası) and equivalent frameworks (GDPR, UK GDPR), you have the following rights:

Right to information — to know whether we process your data.
Right of access — to receive a copy of the data we hold about you.
Right to rectification — to have inaccurate or incomplete data corrected.
Right to erasure — to have your data deleted. Statutory retention periods (e.g. 5 years of tax records) may prevent some data from being deleted until they expire.
Right to object — particularly for consent-based processing, you can object at any time.
Right to data portability — to receive the data you provided us in a machine-readable format.

To exercise any of these rights, contact us at info@kiprarent.com. We respond within 30 days of receiving your request.

10. Complaints

Please contact us first — we work hard to resolve issues quickly. If you remain dissatisfied with our response, you have the right to lodge a complaint with the TRNC Personal Data Protection Board (Kişisel Verileri Koruma Kurulu). EU/UK residents may additionally complain to their local supervisory authority.

11. Policy Changes

This privacy policy may be updated as our services and the legal landscape evolve. The current version always lives on this page; for significant changes we'll try to notify you by email. The "Last updated" date at the top of the page reflects the latest revision.

12. Related documents

Cookie Policy — the full list of cookies we use
Data Protection Notice — a short summary shown at form-fill points