Live Help Contact Get a quote

Aviation Services

Since 1989

General Privacy Notice

1. Introduction

Redstar Aviation is committed to ensuring the protection, confidentiality, and security of all personal data processed within the scope of its activities, in accordance with data protection legislation. This information note aims to explain how your personal data is processed, the purposes of processing, and the rights you may exercise.

2. Controller

This privacy notice is issued by Redstar Aviation (“Redstar”, “we”, “us”) as the data controller under applicable data protection laws, including the Turkish Personal Data Protection Law No. 6698 (“KVKK”) and, where applicable, the EU General Data Protection Regulation (“GDPR”).

Contact:

Email: data@redstar.com.tr

Address: Sabiha Gokcen Airport, Apron A Gate 34906 Pendik / Istanbul, Türkiye

3. Who this notice applies to

This single notice covers the following groups:

  • Customer Contacts (e.g., assistance companies, insurers, corporate clients, their employees/agents contacting us)
  • Patients / Passengers (and, where relevant, companions/relatives)
  • Supplier / Subcontractor Representatives (e.g., ground ambulance, hospitals, handling, operators, mission support partners)
  • Visitors (individuals visiting our offices, hangars or facilities)

Important: Depending on which group you are in, not all purposes and data categories listed below will apply to you.

4. What personal data we process (categories)

Depending on the mission and operational requirements, we may process:

  • Identity and contact data (name, surname, email, phone, address)
  • Business/contact-in-role data (company, position/title)
  • Identification documents (passport/ID details when required for flight permits and travel/immigration formalities)
  • Health data (only when strictly necessary for mission execution, medical clearance and continuity of care)
  • Operational/mission records (itinerary details, pick-up/destination, coordination notes, communications, approvals)
  • Financial data (billing, payment status, bank/transaction references where applicable)
  • Visitor registration/access control data (entry/exit records, badge details, host information)
  • CCTV recordings and related security logs (where applicable)

5. How we collect data (sources)

  • Directly from you (quotation requests, emails/calls, forms, mission coordination)
  • From third parties involved in a mission (e.g., assistance companies, insurers, hospitals, medical teams, ground ambulance providers, aviation/permit authorities), where necessary to execute the mission and/or comply with legal obligations.
  • During facility access and visitor registration processes (e.g., at reception/security checkpoints) 

6. Purposes of processing (why we use your data)

Your personal data may be processed for the following purposes depending on your relationship with Redstar:

Customer Contacts

  • Responding to inquiries, preparing and sending quotations
  • Contracting, service delivery coordination, customer communications
  • Customer relationship management and service quality / feedback processes
  • Billing and payment processes

Patients / Passengers

  • Medical clearance and mission planning; coordination with medical teams
  • Arranging ground ambulance and hospital admission / bed-to-bed processes
  • Obtaining required overflight/landing permits and making mandatory notifications to competent authorities (as applicable)

Supplier / Subcontractor Representatives

  • Supplier onboarding, contracting, operational coordination and communications
  • Compliance checks, performance management, incident handling
  • Payment and accounting processes (where relevant)

Visitors

  • Managing facility access and visitor registration (entry/exit records, badges, host details)
  • Ensuring site, aviation and information security (including prevention/detection of security incidents)
  • CCTV monitoring for the protection of people, aircraft, premises and assets (where applicable)
  • Health & safety management and incident response during visits
  • Managing communications and visit arrangements with the hosting team

Across all groups (where relevant)

  • Legal compliance (aviation law, tax/accounting obligations, record-keeping)
  • Risk management, safety and security (including mission documentation)
  • Handling disputes, claims, audits and exercising/defending legal rights 

7. Is providing your data mandatory?

Certain personal data is required to provide our services and/or to comply with aviation, medical and other legal obligations (e.g., flight permits, hospital/ground arrangements, billing and record-keeping). If such required data is not provided, we may be unable to arrange the mission, obtain necessary permits, coordinate medical/ground services, or complete the requested transaction. ,

8. Legal bases

We process personal data only where there is a lawful basis under KVKK and, where applicable, GDPR.

Typical bases may include:

  • Performance of a contract / steps prior to entering into a contract (e.g., responding to requests, quotation, mission execution)
  • Compliance with legal obligations (e.g., aviation authority requirements, permits, accounting/tax obligations)
  • Legitimate interests (e.g., service quality, operational security, fraud prevention), provided your rights do not override these interests
  • Vital interests (time-critical missions where processing is necessary to protect life/physical integrity)
  • Explicit consent where required (used only when a more appropriate legal basis is not available)

Health data / special categories: We process health data only when strictly necessary for medical clearance, mission execution and continuity of care, and only under the additional conditions required by applicable law. 

9. Retention (how long we keep data)

We retain personal data only for as long as necessary for the purposes above and as required by aviation, contractual and legal obligations. Retention periods may vary by record type (e.g., mission/flight records, accounting records, medical documentation, permits). Visitor registration/log records and access control records are retained in line with facility/security requirements for a limited period. CCTV recordings (where applicable) are retained for a limited period and may be kept longer only if required for incident investigation, legal claims, or compliance with legal obligations.

Detailed retention and disposal rules are defined in our internal retention/disposal procedures and can be provided upon request. 

10. Recipients (who we share data with)

Where necessary, we may share personal data with:

  • Ground ambulance providers
  • Hospitals and medical service providers
  • Assistance companies, insurers and other parties instructing or coordinating the mission (as applicable)
  • Medical professionals and medical service providers involved in clearance, care continuity or coordination (as applicable)
  • Aviation authorities and other competent authorities for permits/notifications
  • Subcontracted operators or mission support partners (e.g., handling, logistics, operational support)
  • Banks/payment service providers and auditors/accountants (where required)
  • IT/hosting and communication service providers (acting as processors, where applicable)

We share data on a need-to-know basis and only to the extent necessary. 

11. International transfers (third countries)

Aviation operations are inherently cross-border. Depending on the itinerary (pick-up, technical stops, destination, overflight/landing permits) and the medical pathway (hospital admission, ground ambulance), we may need to transfer and/or make accessible certain personal data to recipients located outside Türkiye and/or outside the EEA.

Scope and necessity: Transfers are limited to what is strictly necessary to:

  • Obtain overflight/landing/handling and other aviation permissions,
  • Coordinate ground ambulance and hospital admission,
  • Perform medical clearance and continuity of care,
  • Coordinate with subcontracted operators/mission support partners, and
  • Complete billing/payment and assistance/insurance administration (as applicable).

Safeguards: Where required, international transfers are carried out using appropriate safeguards, such as Standard Contractual Clauses (SCCs) and/or other transfer mechanisms recognized under applicable law, and additional measures where necessary. You may request information about the safeguards by contacting us at data@redstar.com.tr.

Exceptional urgent situations: In time-critical missions where safeguards cannot be put in place in advance, transfers may occur only to the extent strictly necessary to protect vital interests and/or to perform a contract in the interest of the data subject, in line with applicable law. 

12. Automated decision-making

We do not make decisions solely based on automated processing (including profiling) that produce legal or similarly significant effects on you. If this changes, we will provide additional information as required by law.

13. Your rights

You may exercise your rights under KVKK and, where applicable, GDPR, including (as relevant):

  • Right to be informed and right of access
  • Rectification / update
  • Erasure / destruction / anonymization where conditions are met
  • Restriction of processing (GDPR)
  • Data portability (GDPR)
  • Objection to processing (including legitimate interest processing)
  • Right to lodge a complaint with the competent supervisory authority (where applicable)

How to exercise your rights:

Please submit your request to data@redstar.com.tr. We may ask for identity verification to protect your data.

Right to lodge a complaint: If you believe that your personal data has been processed unlawfully, you may lodge a complaint with the competent supervisory authority. In Türkiye, you may submit a complaint to the Turkish Personal Data Protection Authority (https://www.kvkk.gov.tr/) in accordance with the procedures set out under KVKK. If GDPR applies, you may also lodge a complaint with the supervisory authority in the EEA member state of your habitual residence, place of work, or the place of the alleged infringement (the list of supervisory authorities by each EU countries: https://edpb.europa.eu/about-edpb/board/members_en).

14. Data Security

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Depending on the nature of processing and risks, such measures may include access controls and role-based authorizations, confidentiality commitments, logging/monitoring, physical security controls, vendor/processor security requirements, and incident management procedures. Despite these measures, no system can be guaranteed to be 100% secure; therefore, we continuously review and improve our controls.