Privacy Policy

Innovarify Teknoloji ve Medya Limited Sirketi ("Innovarify," "Company," "we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Eventroy mobile application ("Application" or "App") and related services (collectively, the "Services").

This Privacy Policy has been prepared in compliance with the Turkish Personal Data Protection Law No. 6698 ("KVKK"), the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the ePrivacy Directive 2002/58/EC, and other applicable data protection legislation.

1. INTRODUCTION AND DATA CONTROLLER

1.1. Innovarify Teknoloji ve Medya Limited Sirketi acts as the Data Controller (Veri Sorumlusu) with respect to the personal data processed through the Services, within the meaning of Article 3 of the KVKK and Article 4 of the GDPR.

1.2. Data Controller Details: Company Name: Innovarify Teknoloji ve Medya Limited Sirketi Address: Idealtepe Mah. Rifki Tongsir Cad. Aris Apt No: 29 B, Maltepe/Istanbul, Turkey Tax Office: Kucukyali Email: privacy@eventroy.com General Contact: info@innovarify.com

1.3. Please read this Privacy Policy carefully. By accessing or using the Services, you acknowledge that you have read, understood, and agree to the processing of your personal data as described in this Privacy Policy.

2. PERSONAL DATA WE COLLECT

We collect personal data from the following sources:

2.1. Data You Provide Directly:

(a) Account Information: Full name, email address, phone number, and password when you register for an Account.

(b) Profile Information: Profile photograph, biography or description, and any other information you choose to add to your profile.

(c) Event Information: Event name, type, date, time, location (address and/or geographic coordinates), description, cover image, and event preferences and settings.

(d) Guest Information: When you create a guest list, you may provide guest names, phone numbers, email addresses, group/category assignments, dietary preferences or notes, and any other information you add for event management purposes.

(e) Media Content: Photographs and videos you upload to event galleries, including associated metadata (file name, upload date, file size, and format).

(f) Communications: Messages sent through event group chats, feedback and support requests submitted through the Application, and any other communications you send to us.

(g) Gift Registry Data: Gift items, descriptions, links, and related preferences you add to event gift registries.

(h) AI Plan Input: Event preferences, requirements, and other information you provide when using the AI-powered event planning feature.

2.2. Data Collected Automatically:

(a) Device Information: Device model, manufacturer, operating system type and version, unique device identifiers, screen resolution, and language settings.

(b) Application Usage Data: Features used, actions performed within the Application, frequency and duration of use, and interaction patterns.

(c) Push Notification Tokens: Device-specific tokens required for delivering push notifications through Apple Push Notification Service (APNs) and Firebase Cloud Messaging (FCM).

(d) Error and Performance Data: Application crash reports, error logs, performance metrics, and diagnostic data used to maintain and improve the Services.

(e) Log Data: IP address, access times, pages or screens viewed, and the referring application or URL.

2.3. Data Received from Third Parties:

(a) Platform Store Information: When you make a purchase through the Apple App Store or Google Play Store, we receive confirmation of your subscription status, transaction identifiers, and subscription period. We do not receive or store your credit card or payment card details.

(b) Authentication Providers: If you choose to sign in using a third-party authentication service (e.g., Google Sign-In or Apple Sign-In), we receive basic profile information (name, email address, and profile picture) as authorized by you.

(c) Location Data via Google Places: When you use the location search feature, search queries and selected location data are processed through the Google Places API.

3. PURPOSES OF DATA PROCESSING

3.1. We process your personal data for the following purposes:

(a) Service Delivery: To create and manage your Account, provide event management features, process guest lists, generate QR codes, facilitate check-in, enable gallery sharing, manage group messaging, operate gift registries, and deliver all other functionalities of the Services.

(b) Communication: To send you push notifications regarding event updates, RSVP changes, new messages, event reminders, and other Service-related communications; and to respond to your support requests and feedback.

(c) AI-Powered Features: To provide AI-generated event planning suggestions through the AI Plan feature by transmitting anonymized event data to our AI service provider.

(d) Service Improvement: To analyze usage patterns, diagnose technical issues, improve the performance and functionality of the Application, and develop new features.

(e) Security: To detect, prevent, and address fraud, unauthorized access, and other illegal or harmful activities; to verify User identity; and to maintain the security and integrity of the Services.

(f) Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests, including obligations under the KVKK, GDPR, and Law No. 5651.

(g) Subscription Management: To manage your subscription status, verify entitlements to premium features, and process subscription-related communications.

4. LEGAL BASIS FOR PROCESSING

4.1. Under the KVKK (Article 5):

(a) Explicit Consent (Acik Riza): For processing that does not fall under the exceptions listed below, we obtain your explicit consent prior to processing your personal data.

(b) Necessary for the Performance of a Contract (Article 5(2)(c)): Processing necessary to provide the Services under our Terms of Service, including account creation, event management, guest list processing, and subscription management.

(c) Legal Obligation (Article 5(2)(a)): Processing necessary to comply with our obligations under Turkish law, including tax and commercial record-keeping obligations, and obligations under Law No. 5651 regarding internet publications.

(d) Legitimate Interests (Article 5(2)(f)): Processing necessary for our legitimate interests, provided that such interests do not override your fundamental rights and freedoms. This includes service improvement, security measures, and fraud prevention.

(e) Establishment, Exercise, or Defense of Legal Claims (Article 5(2)(e)): Processing necessary for the establishment, exercise, or defense of legal rights.

4.2. Under the GDPR (Article 6):

(a) Consent (Article 6(1)(a)): Where we rely on your consent, you have the right to withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.

(b) Performance of a Contract (Article 6(1)(b)): Processing necessary for the performance of our contract with you (the Terms of Service).

(c) Legal Obligation (Article 6(1)(c)): Processing necessary for compliance with a legal obligation to which we are subject.

(d) Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, balanced against your rights and freedoms.

5. DATA SHARING AND TRANSFERS

5.1. We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

5.2. We share your personal data only in the following circumstances:

(a) Service Providers (Sub-Processors): We engage trusted third-party service providers to perform functions on our behalf, including:

- Google Firebase (Firebase Authentication, Cloud Firestore, Cloud Storage, Cloud Functions): For user authentication, database operations, file storage, and server-side processing. Provider: Google LLC, Location: USA/EU.

- OpenAI: For the AI Plan feature. Only anonymized event data (event type, date, general preferences) is transmitted. No personally identifiable information is shared. Provider: OpenAI, L.L.C., Location: USA.

- Google Places API: For location search and place suggestions. Search queries and selected locations are processed. Provider: Google LLC, Location: USA.

- Resend: For sending transactional emails (e.g., invitation emails, notifications). Recipient email address and email content are shared. Provider: Resend, Inc., Location: USA.

- Apple Push Notification Service (APNs): For delivering push notifications to iOS devices. Device push tokens and notification payloads are transmitted. Provider: Apple Inc., Location: USA.

- Firebase Cloud Messaging (FCM): For delivering push notifications to Android devices. Device push tokens and notification payloads are transmitted. Provider: Google LLC, Location: USA.

- Expo Push Notifications: For managing and routing push notifications. Device push tokens are processed. Provider: 650 Industries, Inc. (Expo), Location: USA.

(b) Event Participants: When you participate in an Event (as an organizer, co-host, or guest), certain information (such as your name, profile photo, RSVP status, chat messages, and gallery contributions) may be visible to other participants of that Event, as necessary for the functioning of the Services.

(c) Legal Requirements: We may disclose your personal data if required to do so by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to: (i) comply with a legal obligation; (ii) protect and defend the rights or property of the Company; (iii) prevent or investigate possible wrongdoing; or (iv) protect the personal safety of Users or the public.

(d) Business Transfers: In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your data.

6. INTERNATIONAL DATA TRANSFERS

6.1. Your personal data may be transferred to and processed in countries other than Turkey, including the United States, where our service providers maintain their infrastructure. These countries may have data protection laws that differ from those of Turkey or the European Union.

6.2. For transfers from Turkey: International data transfers are carried out in accordance with Articles 9 of the KVKK. Where the destination country does not provide an adequate level of protection as determined by the Personal Data Protection Board (Kisisel Verileri Koruma Kurulu), transfers are made based on one of the following safeguards: (a) your explicit consent; (b) Standard Contractual Clauses; or (c) binding corporate rules of the data importer.

6.3. For transfers from the EU/EEA: We rely on appropriate safeguards as required by Articles 46 and 49 of the GDPR, including: (a) Standard Contractual Clauses (SCCs) adopted by the European Commission; (b) adequacy decisions where applicable; or (c) other recognized transfer mechanisms.

6.4. Google LLC participates in the EU-US Data Privacy Framework and provides Standard Contractual Clauses for data transfers. OpenAI and other US-based sub-processors are required to adhere to appropriate data protection measures through our data processing agreements.

7. DATA SECURITY MEASURES

7.1. We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

(a) Technical Measures: - Encryption of data in transit using TLS 1.2/1.3 (Transport Layer Security) - Encryption of data at rest using AES-256 encryption (provided by Firebase/Google Cloud) - Secure authentication through Firebase Authentication with support for multi-factor authentication - Granular access control through Firestore Security Rules and Cloud Storage Security Rules - Automated backups and disaster recovery procedures - Regular security testing and vulnerability assessments - Secure API communication with authentication tokens

(b) Organizational Measures: - Access to personal data is restricted to authorized personnel on a need-to-know basis - Confidentiality agreements with all employees and contractors who access personal data - Regular security awareness training - Documented incident response and data breach notification procedures - Periodic review and update of security policies and procedures

7.2. While we take reasonable measures to protect your data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security.

8. DATA RETENTION

8.1. We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.

8.2. Specific retention periods:

(a) Account Data: Retained for the duration of your Account. Upon Account deletion, your data is permanently deleted within thirty (30) days, except as described below.

(b) Event Data: Retained for the duration of the Event and for as long as the Event Organizer maintains the Event within the Application. When an Event is deleted, all associated data (guest lists, messages, gallery content) is deleted within thirty (30) days.

(c) Media Files: Retained until deleted by the uploader or the Event Organizer, or until the associated Event is deleted.

(d) Chat Messages: Retained for the duration of the Event and deleted when the Event is deleted.

(e) Financial and Tax Records: Retained for the minimum period required by Turkish tax and commercial law (currently ten (10) years under the Turkish Commercial Code No. 6102 and Tax Procedure Law No. 213).

(f) Legal Claims: Data relevant to a legal claim or investigation may be retained until the resolution of such claim, including any applicable statute of limitations period.

(g) Log Data and Error Reports: Retained for up to twelve (12) months for performance monitoring and troubleshooting purposes.

9. COOKIES AND TRACKING TECHNOLOGIES

9.1. As a mobile application, Eventroy does not use traditional web cookies.

9.2. The Application uses local storage mechanisms (such as AsyncStorage and SecureStore) on your device to store session information, authentication tokens, and User preferences. This data is stored locally on your device and is not transmitted to third parties.

9.3. We may collect anonymous usage analytics to understand how the Application is used and to improve the Services. Such analytics do not contain personally identifiable information.

9.4. Push notification tokens are stored on our servers solely for the purpose of delivering push notifications and are deleted when you disable notifications or delete your Account.

10. CHILDREN'S PRIVACY

10.1. The Services are not directed at or intended for children under the age of thirteen (13). We do not knowingly collect personal data from children under thirteen (13).

10.2. If we become aware that we have collected personal data from a child under thirteen (13) without verified parental consent, we will take immediate steps to delete such data from our systems.

10.3. If you believe that a child under thirteen (13) has provided us with personal data, please contact us at privacy@eventroy.com so that we can take appropriate action.

10.4. Users between the ages of thirteen (13) and eighteen (18) may use the Services only with the consent and supervision of a parent or legal guardian.

11. YOUR RIGHTS

11.1. Under the KVKK (Article 11), you have the following rights:

(a) The right to learn whether your personal data is being processed; (b) The right to request information about processing if your data has been processed; (c) The right to learn the purpose of the processing and whether your data is being used in accordance with that purpose; (d) The right to know the third parties to whom your personal data is transferred, domestically or abroad; (e) The right to request rectification of incomplete or inaccurate personal data; (f) The right to request deletion or destruction of your personal data under the conditions stipulated in Article 7 of the KVKK; (g) The right to request notification of rectification, deletion, or destruction to third parties to whom your personal data has been transferred; (h) The right to object to any result that is to your disadvantage arising from the analysis of processed data exclusively by automated systems; (i) The right to claim compensation for damages arising from the unlawful processing of your personal data.

11.2. Under the GDPR (for EU/EEA residents), you additionally have:

(a) Right of Access (Article 15): The right to obtain confirmation of whether your personal data is being processed and, if so, to access such data and related information.

(b) Right to Rectification (Article 16): The right to have inaccurate personal data rectified and incomplete data completed.

(c) Right to Erasure / Right to Be Forgotten (Article 17): The right to have your personal data erased under certain circumstances, including when it is no longer necessary for the purposes for which it was collected.

(d) Right to Restriction of Processing (Article 18): The right to restrict the processing of your personal data under certain circumstances.

(e) Right to Data Portability (Article 20): The right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

(f) Right to Object (Article 21): The right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.

(g) Right Not to Be Subject to Automated Decision-Making (Article 22): The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

(h) Right to Lodge a Complaint: The right to lodge a complaint with a supervisory authority. In Turkey, the relevant authority is the Personal Data Protection Board (KVKK Kurulu). In the EU, you may lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

12. EXERCISING YOUR RIGHTS

12.1. You may exercise your rights by contacting us through the following channels:

(a) Email: privacy@eventroy.com (b) In-App: Profile > Send Feedback (select "Privacy Request" as the subject) (c) Written Request: Send a signed written request to our registered address.

12.2. In accordance with Article 13 of the KVKK and the Communique on Application Procedures and Principles to the Data Controller, your request must include: (a) your full name and, if applicable, the contact details of your authorized representative; (b) your Turkish Republic identity number (for Turkish citizens) or passport number and nationality (for foreign nationals); (c) your residential or business address; (d) your email address, if applicable; (e) the subject matter of your request; and (f) supporting documents, if any.

12.3. We will respond to your request free of charge within thirty (30) days of receipt. If your request requires additional time due to complexity, we will inform you of the extension and the reasons for it. If there is a cost associated with the request (as permitted by applicable law), we will inform you in advance.

12.4. We may request additional information to verify your identity before processing your request, in order to protect against unauthorized access to personal data.

13. CHANGES TO THIS POLICY

13.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

13.2. Material changes will be communicated through an in-app notification or via the email address associated with your Account at least fifteen (15) days before they take effect.

13.3. The "Last Updated" date at the top of this Privacy Policy indicates when it was last revised. We encourage you to review this Privacy Policy periodically.

13.4. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

14. CONTACT INFORMATION

For questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

Data Controller: Innovarify Teknoloji ve Medya Limited Sirketi Address: Idealtepe Mah. Rifki Tongsir Cad. Aris Apt No: 29 B, Maltepe/Istanbul, Turkey Tax Office: Kucukyali Privacy Email: privacy@eventroy.com General Email: info@innovarify.com Legal Email: legal@eventroy.com In-App: Profile > Send Feedback