Privacy Policy

"Services" refers to our event photo collection and sharing platform and all related features. "Website" refers to https://www.eventsharecloud.com. "Personal Data" means information that identifies you as an individual (e.g. name, email, uploaded photos). "Data" refers to any information collected from users, including usage and device data. "Processing" means any operation performed on personal data (e.g. collecting, storing, displaying). "Controller" means EventShareCloud, which determines how and why your data is processed.

Personal Data (provided by you): - Name - Email address - Uploaded photos and event content - Other information you choose to provide when using our Services Device and Usage Data (collected automatically): - IP address - Browser and device information - Language and general location data - Pages visited and actions taken within the platform

We use strictly necessary cookies to operate the platform: session authentication cookies (managed by Supabase) and event access tokens for password-protected galleries. We also use JWT-signed cookies to securely deliver event photos through our Cloudflare CDN. These cookies do not track you and cannot be disabled without affecting core functionality.

We process your personal data based on the following legal grounds, in accordance with the General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law (KVKK, Law No. 6698): - Contract Performance: Processing necessary to fulfill our agreement with you (e.g., providing the Services, managing your account, delivering your photos). - Consent: Processing based on your explicit consent (e.g., when you create an account, upload photos, or opt in to communications). - Legitimate Interests: Processing necessary for our legitimate business interests (e.g., improving the Services, preventing fraud, ensuring security), provided these do not override your fundamental rights. - Legal Obligations: Processing required to comply with applicable laws and regulations.

To operate EventShareCloud, we use the following third-party service providers. All third parties are contractually bound to protect your data and are used only for the specific purposes listed below: - Supabase – User authentication, database storage, and account management (US) - Cloudflare (R2 + Workers) – Photo and file storage, CDN delivery with JWT-signed cookies (Global) - Vercel – Application hosting and content delivery (US) - Paddle – Payment processing, billing, and tax compliance as Merchant of Record (UK) We only share your data with these providers to the extent necessary to deliver the Services.

EventShareCloud is intended for individuals who are 18 years of age or older. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information promptly.

Your data is stored securely using industry-standard encryption and access controls. Photo storage is handled by Cloudflare R2 with secure access via signed JWT cookies, and authentication and database services are provided by Supabase, both with strong security practices. We regularly review our data handling processes to ensure your information remains protected.

You have the following rights regarding your personal data: - Access: Request access to your personal data at any time - Correction: Update or correct inaccurate account information - Deletion: Request deletion of your personal data - Restriction: Request restrictions on how we process your data - Portability: Receive your personal data in a structured, commonly used format To exercise any of these rights, contact us at [email protected].

In addition to the above, EU users have the right to: - Restrict processing of their personal data - Withdraw consent for consent-based processing at any time - Lodge a complaint with a supervisory authority in their country of residence

Users in Turkey have additional rights under the Turkish Personal Data Protection Law (KVKK, Law No. 6698), including: - The right to learn whether personal data is being processed - The right to request information about processing activities - The right to learn the purpose of processing and whether data is used in accordance with that purpose - The right to know third parties to whom personal data is transferred, domestically or abroad - The right to request correction of incomplete or inaccurate data - The right to request deletion or destruction of personal data under the conditions set forth in Article 7 of the KVKK - The right to object to results obtained exclusively through automated systems that are to your detriment - The right to claim compensation for damages arising from unlawful processing of personal data You may exercise these rights by contacting us at [email protected]. You also have the right to lodge a complaint with the Turkish Personal Data Protection Authority (KVKK Kurulu) if you believe your rights have been violated.

California residents have the right to: - Know what personal information we collect and how it is used - Request deletion of their personal information - Opt out of the sale of personal information (we do not sell personal information) - Not be discriminated against for exercising these rights

You can opt out of marketing communications at any time by: - Clicking the unsubscribe link in any marketing email - Contacting us at [email protected]

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects concerning you. All decisions regarding your account and content are made by human processes.

We retain your personal data for as long as your account is active or as needed to provide the Services. Event photos and content are retained according to your plan's retention period: - Free plan: 7 days after event creation - Premium plan: 60 days after event creation - Premium Plus plan: 90 days after event creation - Retention extensions purchased as add-ons extend these periods accordingly. When your plan's retention period ends, a 7-day grace period begins during which your data is preserved but uploads are disabled. We will notify you by email at the start of this grace period, giving you the opportunity to renew your plan or back up your content. After the grace period expires, your event data will be permanently deleted. You may request deletion of your account and associated data at any time by contacting us. We will process the request without undue delay. We reserve the right to immediately delete data if your use of the Services violates our Terms of Service, including the upload of prohibited content.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority (including the Turkish KVKK Authority where applicable) without undue delay and in any case within 72 hours of becoming aware of the breach, as required by GDPR and KVKK.

Your information may be processed in countries other than your country of residence (including the United States). We ensure appropriate safeguards are in place for such transfers, including through standard contractual clauses and compliance with applicable data protection frameworks.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our website. We encourage you to review this Policy periodically.

For any questions, concerns, or privacy-related requests, please contact: Email: [email protected] Website: https://www.eventsharecloud.com