Privacy Policy

"Services" refers to our event photo collection and sharing platform and all related features. "Website" refers to https://www.eventsharecloud.com. "Personal Data" means information that identifies you as an individual (e.g. name, email, uploaded photos). "Data" refers to any information collected from users, including usage and device data. "Processing" means any operation performed on personal data (e.g. collecting, storing, displaying). "Controller" means EventShareCloud, which determines how and why your data is processed.

Personal Data (provided by you): - Name - Email address - Uploaded photos and event content - Other information you choose to provide when using our Services Device and Usage Data (collected automatically): - IP address - Browser and device information - Language and general location data - Pages visited and actions taken within the platform Security and Audit Logs (collected automatically for security and legal compliance): - Account creation, login, logout, and password reset events - Event creation, update, and deletion actions - Gallery password verification attempts (successful and failed) - Photo download and deletion actions - Plan changes and purchase/refund transactions Each log entry includes the timestamp, IP address, user agent, and a reference to the affected resource. These logs are used exclusively for security monitoring, fraud prevention, and fulfilling our legal obligations.

We use strictly necessary cookies to operate the platform: session authentication cookies (managed by Supabase) and event access tokens for password-protected galleries. We also use JWT-signed cookies to securely deliver event photos through our Cloudflare CDN. These cookies do not track you and cannot be disabled without affecting core functionality.

We process your personal data based on the following legal grounds, in accordance with the General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law (KVKK, Law No. 6698): - Contract Performance: Processing necessary to fulfill our agreement with you (e.g., providing the Services, managing your account, delivering your photos). - Consent: Processing based on your explicit consent (e.g., when you create an account, upload photos, or opt in to communications). - Legitimate Interests: Processing necessary for our legitimate business interests, provided these do not override your fundamental rights. Examples: maintaining security and audit logs to prevent unauthorized access, fraud, and abuse; monitoring application errors to ensure service reliability; improving the Services. - Legal Obligations: Processing required to comply with applicable laws and regulations, including the data security obligations under Article 12 of the KVKK.

To operate EventShareCloud, we rely on third-party service providers organized into the following categories. All such providers are contractually bound to protect your data and are used only for the specific purposes listed below: - Authentication and database provider (US / EU) – User authentication, database storage, and account management - Object storage and CDN provider (Global) – Photo and file storage, CDN delivery with JWT-signed cookies - Application hosting provider (US / EU) – Application hosting and content delivery - Payment processor and Merchant of Record (UK) – Payment processing, billing, and tax compliance - Error monitoring provider (Germany, EU) – Application error tracking and reliability monitoring - Bot protection provider (Global) – Protection of forms and sign-up flows against automated abuse We only share your data with these providers to the extent necessary to deliver the Services. A list of the specific subprocessors currently used is available on request at [email protected].

EventShareCloud is intended for individuals who are 18 years of age or older. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information promptly.

Your data is stored securely using industry-standard encryption and access controls. Photo storage is handled by Cloudflare R2 with secure access via signed JWT cookies, and authentication and database services are provided by Supabase, both with strong security practices. We regularly review our data handling processes to ensure your information remains protected.

You have the following rights regarding your personal data: - Access: Request access to your personal data at any time - Correction: Update or correct inaccurate account information - Deletion: Request deletion of your personal data - Restriction: Request restrictions on how we process your data - Portability: Receive your personal data in a structured, commonly used format To exercise any of these rights, contact us at [email protected].

In addition to the above, EU users have the right to: - Restrict processing of their personal data - Withdraw consent for consent-based processing at any time - Lodge a complaint with a supervisory authority in their country of residence

Users in Turkey have additional rights under the Turkish Personal Data Protection Law (KVKK, Law No. 6698), including: - The right to learn whether personal data is being processed - The right to request information about processing activities - The right to learn the purpose of processing and whether data is used in accordance with that purpose - The right to know third parties to whom personal data is transferred, domestically or abroad - The right to request correction of incomplete or inaccurate data - The right to request deletion or destruction of personal data under the conditions set forth in Article 7 of the KVKK - The right to object to results obtained exclusively through automated systems that are to your detriment - The right to claim compensation for damages arising from unlawful processing of personal data You may exercise these rights by contacting us at [email protected]. You also have the right to lodge a complaint with the Turkish Personal Data Protection Authority (KVKK Kurulu) if you believe your rights have been violated.

California residents have the right to: - Know what personal information we collect and how it is used - Request deletion of their personal information - Opt out of the sale of personal information (we do not sell personal information) - Not be discriminated against for exercising these rights

You can opt out of marketing communications at any time by: - Clicking the unsubscribe link in any marketing email - Contacting us at [email protected]

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects concerning you. All decisions regarding your account and content are made by human processes.

We retain your personal data for as long as your account is active or as needed to provide the Services. Event photos and content are retained according to your plan's retention period: - Free plan: 7 days after event creation - Premium plan: 60 days after event creation - Premium Plus plan: 90 days after event creation - Retention extensions purchased as add-ons extend these periods accordingly. When your plan's retention period ends, a 7-day grace period begins during which your data is preserved but uploads are disabled. We will notify you by email at the start of this grace period, giving you the opportunity to renew your plan or back up your content. After the grace period expires, your event data will be permanently deleted. Security and audit logs are retained for 2 years in accordance with our data security obligations under Article 12 of the KVKK and our legitimate interest in preventing fraud and abuse. They are automatically deleted after this period. Application error logs (collected by our error monitoring provider) are retained for 90 days and then automatically deleted. You may request deletion of your account and associated data at any time by contacting us. We will process the request without undue delay. We reserve the right to immediately delete data if your use of the Services violates our Terms of Service, including the upload of prohibited content.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority (including the Turkish KVKK Authority where applicable) without undue delay and in any case within 72 hours of becoming aware of the breach, as required by GDPR and KVKK.

Your information may be processed in countries other than your country of residence (including the United States). We ensure appropriate safeguards are in place for such transfers, including through standard contractual clauses and compliance with applicable data protection frameworks.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our website. We encourage you to review this Policy periodically.

For any questions, concerns, or privacy-related requests, please contact: Email: [email protected] Website: https://www.eventsharecloud.com