Back to home

Legal

Privacy & Personal Data Protection Notice

Last updated: 7 July 2026

Kutlava (kutlava.com) is a digital memory-album service that collects photos, videos and voice notes via a QR code. This notice explains the principles under which we process the personal data of both the event owners who open an account and the guests who add content to an album. This English text is provided for information; the Turkish version prevails.

Kutlava is a global service, and we process your data in line with generally accepted international data-protection principles. Depending on your country you may have additional rights — for example, Türkiye's Personal Data Protection Law (KVKK, Law No. 6698) and, in the European Economic Area (EEA), the GDPR grant such protections and rights. The rights described below are aligned with the data-subject rights in those regimes.

Kutlava is built privacy-first: the guest flow needs no app and no sign-up, content pre-screening runs largely on the guest's own device, and rejected content is never surfaced to the guest. The sections below detail what we process and why.

1. Data Controller

Your personal data is processed by the following company acting as data controller:

  • Trade name: Eymence LLC
  • Formed in: Wyoming, United States (LLC)
  • Address: 30 N Gould St, Ste N, Sheridan, Wyoming, United States
  • Email: [email protected]
  • Phone: +1 202 773 4550

Eymence LLC is a company formed in the United States, so your personal data may be processed and stored in the US and in the other countries where our service providers operate. See the “Data Transfers and International Transfers” section below for details.

2. Personal Data We Process

Account owner (event host) data

When you open an account, our authentication layer (Better Auth) processes:

  • Your name and email address,
  • Your password — stored only in an irreversibly hashed form; no one, including us, can read it in the clear,
  • Your preferred language (locale) and account plan (free / event / forever archive),
  • Session records: session token, IP address and browser (user agent), with session creation and expiry times,
  • Details of the events you create (title, date, cover image, visibility mode and album settings).

Guest data

Guests who scan an event QR add content without installing an app or signing up. We process:

  • Uploaded media: photos, videos and voice notes, plus the small preview (thumbnail) images generated in the guest's browser,
  • An OPTIONAL name and contact detail (email or phone) requested only AFTER a successful upload — this step is entirely optional and exists only so the album link can reach the guest,
  • An anonymous guest-session cookie placed in the browser (about 13 months) so the same guest can see their own uploads, and the per-guest upload counter tied to it,
  • Written guestbook messages and an optional author name.

Technical and transaction data

  • IP address: used transiently for rate-limiting to prevent abuse, and reduced to your country via Cloudflare's CF-IPCountry header to set your currency and language. It is not used to build a persistent profile beyond determining pricing and locale.
  • Payment transaction data: the plan purchased, amount, currency, Stripe checkout session id and payment status. Payment card data (such as your card number) is never seen or stored by Kutlava; only Stripe processes it (see Transfers).

3. Special-Category Data — Face Photo Search (Biometric Data)

On paid plans, and only when the event owner explicitly enables it per event, the “Find my photos by face” feature lets a guest find their own photos with a selfie. Face data is special-category personal data that requires explicit consent under the GDPR; in Turkish law this corresponds to KVKK's “special-category personal data”. We process it only with the individual's explicit, separate consent.

We describe exactly how the feature works in the product:

  • The feature is off by default; unless the owner turns it on, no photo is analysed for faces and no interface is shown to guests.
  • When on, face representations (embeddings — 512-dimension numeric vectors) are extracted from the album's photos and stored only to match within that same event.
  • The selfie a guest takes to search is NEVER stored: it is converted to a vector on the spot, compared, and immediately discarded.
  • Face embeddings are deleted when the event archive closes (when the plan's retention period ends); they are not kept once no longer needed.
  • Declining this processing does not prevent a guest from adding photos/videos/voice notes; only the face-search feature is unavailable.

4. AI Content Pre-Screening

To help filter inappropriate content, images pass a lightweight AI pre-screen before upload. This runs entirely in the guest's own browser — the image is never sent to any server for scanning. This is a deliberate privacy-positive choice.

The result can only push a frame into the event owner's approval queue; it never automatically deletes anything, and the result is never shown to the guest (no shaming). The owner always makes the final decision.

5. Purposes of Processing

  • Creating your account, authenticating you and securely managing your account,
  • Building your event album, collecting guest content, and running the approval queue and visibility rules,
  • Letting guests see their own uploads and, optionally, receive the album link,
  • Running purchase, billing and refund processes on paid plans,
  • Offering the right currency and language for your country,
  • Keeping the service secure and preventing abuse and inappropriate content,
  • Meeting our legal obligations and responding to legal requests.

6. Legal Bases for Processing

We process your personal data only where we have a valid legal basis. The main bases we rely on are:

  • Necessity for the performance of the contract with you (providing the account and event service, taking payment),
  • Necessity to comply with our legal obligations (financial and statutory retention),
  • Our legitimate interests, provided your fundamental rights are not harmed (service security, abuse prevention),
  • For special-category data (the biometric data in face photo search), your explicit consent only.

These bases align with the lawful grounds for processing under regimes such as the KVKK and the GDPR.

7. Data Transfers and International Transfers

To provide the service we work with a small number of processors. As a global service, your data may be processed in the different countries where those providers operate — including the United States and Europe. International transfer is not an exception but the ordinary way cloud-based services work; when we transfer data we apply appropriate technical and organisational safeguards, including contractual protections.

ProviderPurposeData transferredLocation
Cloudflare R2Media (photo/video/audio) storage and deliveryUploaded media and previewsGlobal (incl. US)
StripeTaking and processing paymentsPayment card data, transaction detailsUS / global
Hosting provider (Hetzner)Application and database serverAccount, event, guest and transaction dataGermany (EU)

When face photo search is enabled, photos are additionally sent to a face-analysis microservice to extract embeddings; this happens only while the feature is active and explicit consent is present.

8. Retention Periods

  • Event albums and guest content are retained according to the chosen plan: on the free and event plans access closes at the set retention date (the event's expiry); on the forever archive plan they are kept until you delete them.
  • The anonymous guest-session cookie is retained for about 13 months.
  • Face embeddings (biometric data) are kept only while the event archive stays open and are deleted when it closes.
  • Payment and invoice records are kept for the mandatory periods required by applicable financial and legal rules.
  • At the end of the period, personal data is deleted, destroyed or anonymised.

9. Data Security

We take reasonable technical and organisational measures: passwords are irreversibly hashed, data is transmitted over encrypted connections (HTTPS/TLS), media is uploaded directly from the browser to storage over secure signed URLs and never passes through our servers, and access is restricted. Visibility rules run through a single central guard; rejected content drops from sharing but remains in the guest's own view.

10. Your Rights as a Data Subject

By contacting us, you have the right to:

  • Learn whether your personal data is processed and, if so, access it and obtain a copy (right of access),
  • Request correction of incomplete or inaccurate data (right to rectification),
  • Request erasure of your data (right to erasure / to be forgotten),
  • Request restriction of processing in certain cases,
  • Receive the data you provided in a structured, commonly used, machine-readable format and, where possible, have it transferred to another controller (data portability),
  • Object to processing based on legitimate interests,
  • Object to decisions based solely on automated processing that significantly affect you,
  • Withdraw any consent you have given, at any time — withdrawal does not affect the lawfulness of processing before it,
  • Claim compensation if you suffer damage due to unlawful processing,
  • Lodge a complaint with the competent data-protection authority in your country (in Türkiye, the Personal Data Protection Board; in the EEA, the relevant supervisory authority).

The laws of your country may grant you additional rights, which you may also exercise.

11. How to Apply

You can submit requests regarding the rights above, together with information verifying your identity, by emailing [email protected] or writing to 30 N Gould St, Ste N, Sheridan, Wyoming, United States. Requests are handled free of charge and within a reasonable time; the timeframe depends on the nature of the request and the periods set by applicable law (for example, 30 days under the KVKK, one month under the GDPR).

12. Cookies

Kutlava uses only cookies necessary for the service to work and to remember your preferences; it uses no advertising or third-party tracking cookies. See the Cookie Policy for details.

13. Children's Data

Kutlava is not directed at people under 18 and does not knowingly collect personal data from minors. Event owners and guests who add images of children to an album are themselves responsible for obtaining the necessary permissions.

14. Changes

We may update this notice from time to time. The current version is always published on this page; the update date at the top shows the latest change.

15. Contact

For any question or request about the processing of your personal data, reach us at [email protected].