Privacy Policy

Last updated: 2026-05-25

Privacy sits at the centre of how LiveAlbum is built. This document tells you what we collect, why, how long we keep it, and how you can take control — written in plain language. Our KVKK Data Protection Notice (/kvkk) covers the legal frame; this Privacy Policy explains how that frame works in practice.

1. Introduction

LiveAlbum is a photo-sharing album for life's celebrations: weddings, engagements, henna nights, baby showers, birthdays and graduations. Guests scan a QR code, upload photos and videos, and your album fills up in real time. Delivering this service means we handle personal data: your account, your event, your payments and the content your guests share. This Privacy Policy describes that handling openly. We revisit it regularly and email or in-app notify you when meaningful changes happen.

2. Scope

This policy applies to the LiveAlbum website, mobile web experience, guest QR upload flow, payment and subscription management, AI-assisted QR card and invitation generation, customer support and marketing communications. It covers free accounts, Pro and Business subscribers, and visitors who upload content as guests via a QR code. Links to third-party sites are outside this policy — please read their notices separately.

3. Data Controller

Under Article 3/1-ı of Turkey's Personal Data Protection Law (KVKK), Async Yazılım Bilişim Programlama San. ve Tic. Ltd. Şti. is the controller responsible for processing your personal data. Our full legal name, tax number, MERSIS number, registered address and contact details appear in the company block at the bottom of this page. Any question, request or objection about your data goes directly to the controller.

4. Privacy Contact and KVKK Requests

Under KVKK Article 13 and the Communiqué on the Procedures and Principles of Application to the Data Controller, we commit to answer privacy requests free of charge within 30 days. You can reach us by email at [email protected], through the online form at /kvkk-basvuru, by registered post, or via KEP (Registered Electronic Mail). Please include your full name, account email and a clear description of your request so we can verify your identity.

5. Identity Data

When you create an account we collect your name and surname; under KVKK's protections for minors we also collect your date of birth to verify you are 18 or older. The gender field is asked only as an optional cue for AI couple-QR card generation and can be left blank.

  • Name, surname — account and contract
  • Date of birth — age verification (18+)
  • Gender (optional) — only for AI couple-QR card direction

6. Contact Data

We collect your email address — it is the primary identifier for your account, security and billing. Phone number is optional and shared by customers who want SMS reminders close to event day. KEP (Registered Electronic Mail) may be provided voluntarily by corporate customers.

7. Account and Authentication Data

To keep your account safe we process session metadata alongside the credentials you use to sign in. We never store your password itself — only a bcrypt hash with 12 rounds of work factor. Session, IP, browser and device data are used for suspicious-login detection and security analytics.

  • Password hash (bcrypt, 12 rounds)
  • Session identifier and last sign-in timestamp
  • IP address and approximate city-level geolocation
  • User-Agent — browser and OS
  • Anonymous device fingerprint for session integrity

8. Event Content

Setting up your album means giving us details about your event: name, date, venue, theme, couple or solo cover photo, expected guest count and music preference. We use these to render your event page, design your QR QR card and power the Live Wall experience. You decide whether the event is private, password-protected or public.

9. Guest Data and Uploads

When guests scan your QR code and upload photos, videos or messages, that content lands in your LiveAlbum album. Guests can choose a nickname, real name or avatar — email or phone are never required. As the host you have full control: you can delete, hide or download anything. Ensuring your guests' uploads rest on genuine consent is your responsibility as host.

10. Payment Metadata

When you upgrade to Pro or Business the payment is handled by Stripe Payments, a PCI-DSS Level 1 certified global payment institution. Sensitive card data — number, expiry, CVV — never reaches LiveAlbum; we only see the order reference, amount (VAT included), timestamp, status and instrument type (credit or debit card). Invoices are issued under Turkish tax law and delivered through e-Arşiv.

11. Usage and Performance Data

We collect aggregated, largely anonymous usage signals — page views, session length, feature adoption, error logs, performance metrics — to keep the product healthy. These data shape product decisions; they are not used to identify individual users for advertising or profiling.

12. Marketing Preferences

Whether you want marketing email, SMS or phone calls is entirely your choice, set by explicit opt-in. We store your channel preferences, timestamped consent text, per-channel status (email/SMS/call) and the corresponding IYS (Turkish Message Management System) registration record. Marketing consent is never required to use LiveAlbum, and you can withdraw it any time.

13. AI Generation Data

When you use our AI QR card and invitation tools we process the style, palette, slogan, optional couple photo, event metadata and the underlying generation prompt. Image inputs sent to our AI provider are contractually deleted shortly after the generation completes. On our side we keep the generated QR card, the style you used and your daily generation allowance usage log — they stay in your history until you delete them or close your account.

14. Delivering the Service

Creating your account, publishing your event, generating QR codes, accepting guest uploads, letting you view and download your album — these all require processing personal data. The legal basis is KVKK Article 5/2-c (performance of a contract). Without this processing LiveAlbum cannot technically operate.

15. Security and Fraud Prevention

We process session, IP and behavioural signals to defend against account takeover, brute-force attacks, bot traffic and content abuse. The legal bases are KVKK Article 5/2-f (legitimate interest) and Article 5/2-ç (legal obligation, including Law No. 5651). The scope is proportional — we use what we need to protect customers and their guests, no more.

16. Meeting Legal Obligations

Turkish Tax Procedure Law, Commercial Code, Law No. 5651 and KVKK secondary regulation require us to keep invoices, ledgers, access logs and consent records for prescribed periods. The legal basis is KVKK Article 5/2-ç (compliance with a legal obligation). We answer lawful requests from authorities under the same framework.

17. Marketing Communication

Product updates, seasonal campaigns, discount announcements and event inspiration are sent only when you have given explicit consent. Legal bases are KVKK Article 5/1 (explicit consent) and Article 6 of Law No. 6563 on Regulation of Electronic Commerce. Every consent is uploaded to Turkey's national IYS registry within three business days and can be audited there.

18. Product Improvement and Analytics

Understanding which features customers actually rely on helps us improve. We process aggregated, largely anonymous usage analytics on the legal basis of KVKK Article 5/2-f (legitimate interest). These analytics are never used for individual behavioural profiling or ad targeting; ad-measurement cookies are off by default and activate only with your explicit opt-in.

19. AI QR card and Invitation Generation

When you ask our generative AI tool to design an invitation or QR card we process your choices and (if you provide one) a couple photo. The legal basis is KVKK Article 5/2-c (contract performance, at your request). The AI output belongs to you; the underlying model never carries guest data from one customer to another.

20. Sharing with Service Providers

We work with a small, carefully vetted set of contracted hosting and service providers — for hosting, backup, transactional email, SMS delivery, payment processing and AI generation. Each one is bound by a data processing agreement that bans them from using, selling or disclosing your data for their own purposes. Your data is processed and stored in Turkey, subject to the security audits required by applicable law.

21. Payment Provider: Stripe

Plan purchases are processed by Stripe Payments, a PCI-DSS Level 1 certified global payment institution (transfers to the European Economic Area are safeguarded by standard contractual clauses under KVKK art. 9). We share only the amount, order reference and purpose of the payment with Stripe; card details are held by Stripe under PCI-DSS and never passed to us. Stripe's own privacy policy is published on their website.

22. SMS Provider: NetGSM

For event-day reminders, verification codes and marketing SMS we rely on NetGSM, a Turkey-based messaging provider. We share only your phone number and the SMS body — nothing else. All marketing SMS respect the consents you have given through IYS.

23. Sharing with Public Authorities

When a court, prosecutor, the Personal Data Protection Authority, the BTK or another competent public body makes a lawful request, we are obliged to provide the data covered by that request. We evaluate every request for legality and scope, and disclose only what the request strictly requires. Where the law allows, we notify you that a disclosure has been made.

24. We Do Not Sell Your Data

We never sell, rent or transfer your personal data to third parties or advertising networks for marketing. LiveAlbum's business model is transparent subscription revenue — not the monetisation of user data. This commitment is foundational to our policy and will not change.

25. General Retention Principle

We keep personal data only for as long as the processing purpose, legal retention duty or reasonable service period requires — whichever is longest. When the period ends, data is destroyed or irreversibly anonymised in line with KVKK Article 7 and the Regulation on Deletion, Destruction or Anonymisation of Personal Data.

26. Account Data

Identity, contact and security data are kept while your account is active. If you ask us to delete your account, data enters a 30-day recoverable buffer (soft delete) so you can change your mind. After 30 days the data is permanently deleted or anonymised.

27. Event Album and Content

Your event photos and videos are kept for the archive window defined by your subscription. Pro keeps your album active for 30 days from the event date; Business keeps it for one year, with an option to extend. When the window closes you can still download the full archive as a ZIP or extend the plan to retain access.

28. Payment and Invoice Records

Under Article 253 of the Tax Procedure Law and Article 82 of the Turkish Commercial Code, invoices, payment receipts and related accounting records are kept for 10 years from the invoice date. This duty survives account deletion; financial records are destroyed at the end of the statutory period.

29. Access and Security Logs

As a hosting provider under Law No. 5651 we keep access logs (IP, timestamp, port, service identifier) for a minimum of 6 months and a maximum of 2 years. These logs are provided only on lawful request from a competent authority — never for marketing or profiling.

30. Marketing Consent and Withdrawals

Marketing consents are stored for as long as the consent is active. When you withdraw consent, under Article 7 of the relevant IYS regulation the withdrawal record may be kept for up to three years — solely to prove that no further marketing was sent on the same channel. After that, the record is deleted.

31. Protecting Children's Data

LiveAlbum is intended for people aged 18 and over. We verify age at signup via date of birth and do not accept registrations from minors. When events such as baby showers, children's birthdays or graduations naturally involve photos of children, the host (event owner) is responsible for ensuring these uploads have appropriate parental or legal-guardian consent. Families can request content removal at any time, through the host or directly via us.

32. Technical Safeguards

We apply industry-standard technical safeguards: all network traffic uses TLS 1.2 or higher, storage is AES-256 disk-encrypted, passwords are hashed with bcrypt at 12 rounds, sessions ride httpOnly secure cookies, and critical operations require step-up verification. Continuous vulnerability scanning, automated dependency monitoring and peer code review are part of our daily process.

33. Organisational Safeguards

Our staff and contracted partners sign confidentiality agreements, complete KVKK awareness training and access only the data required for their role (need-to-know principle). Internal access events are logged, production data may not be used in development environments, and we run regular internal audits and risk assessments.

34. Data Breach Notification

If a personal data breach occurs, we notify the Personal Data Protection Board within 72 hours and affected data subjects without undue delay, as required by KVKK Article 12/5 and the Board's resolution dated 24/01/2019. Notifications describe the nature of the breach, its likely consequences, and the measures taken or planned. If you suspect a security issue, please write to [email protected].

35. Right of Access

Under KVKK Article 11 you have the right to learn whether your data is processed, for which purposes, with whom it is shared and how it is stored. On request we provide a categorised summary and, where applicable, a copy of your data. A reasonable fee may apply only if requests become repetitive or excessive.

36. Right to Rectification

If you discover that data we hold about you is incomplete or inaccurate, you can ask us to correct it. Most fields (name, email, phone, event details) can be updated directly from your account settings; for anything you cannot edit yourself, write to [email protected].

37. Right to Erasure

You can ask us to delete your data. Once an account-deletion request is received, a 30-day recoverable buffer begins; during this window you can reverse the request. After 30 days the data is permanently deleted or anonymised under KVKK Article 7. Data with a statutory retention duty (such as payment records) continues to be stored for the legal minimum and is destroyed at the end of that period.

38. Right to Restrict Processing

You can restrict specific processing — for example, switching off marketing communications or disabling analytics cookies. Per-channel marketing toggles (email/SMS/call) in your account settings take effect immediately. The change applies to future communications; historical messages require a separate erasure request.

39. Data Portability

You have the right to receive the personal data you provided, and your event content, in a structured, widely used format (JSON plus a media archive). Open /dashboard/hesap/verilerim to start an export; when the archive is ready you'll receive an email with a secure, time-limited download link. We offer this beyond what KVKK strictly requires, inspired by GDPR Article 20.

40. Right to Object

If you feel an automated process has produced an outcome that affects you adversely, you can object and request human review. You can also object to processing based on legitimate interest by explaining your specific situation; we evaluate the objection and stop the processing where your reasoning prevails.

41. Withdrawing Consent

Consent-based processing — such as marketing communication, analytics cookies or using a couple photo in AI generation — can be withdrawn at any time. Withdrawal applies going forward; it does not retroactively invalidate processing carried out while the consent was active.

42. Complaint to the Authority

If we deny your request, if our answer falls short, or if we fail to respond within 30 days, you may file a complaint with the Personal Data Protection Board. Complaints can be submitted online at kvkk.gov.tr or by registered post to the Authority's address. A prior request to us is a prerequisite for filing with the Board.

43. How to Exercise Your Rights

To exercise any of the rights above, send your request via (i) email to [email protected], (ii) the online form at /kvkk-basvuru, (iii) registered post or (iv) KEP to Async Yazılım Bilişim Programlama San. ve Tic. Ltd. Şti.. Include your full name, account email and a clear description of what you'd like done. Under the Application Communiqué we answer within 30 days, free of charge. If a request requires costly action, fees set by the Authority may apply.

44. Cookie Policy

Cookies and similar tracking technologies are covered by a separate policy at /cerez. All non-essential cookies (analytics, advertising, marketing) are off by default and activate only when you opt in via the cookie banner. You can change your choice at any time from the cookie preference centre.

45. Marketing Email

With your explicit consent we send product updates, seasonal campaigns and event-planning tips by email. Every marketing email carries a one-click unsubscribe link and the change is honoured immediately. Transactional emails — security, payment confirmation, event reminders — are independent of marketing consent; they are part of providing the service.

46. Marketing SMS

Marketing SMS is sent only when you have shared a phone number and explicitly opted in to that channel. Each marketing SMS includes the keyword RET (Turkish for 'reject') — replying with it ends your subscription. The opt-out is reflected in IYS within three business days at the latest.

47. Marketing Phone Calls

We do not currently make marketing phone calls. If we activate this channel in the future, calls will be made only to customers who have opted in, in line with their IYS registration and the Consumer Protection Law No. 6502. You can switch this off from your account settings or directly via IYS.

48. IYS Synchronisation

Under Law No. 6563 on the Regulation of Electronic Commerce and the IYS regulation, every consent, withdrawal and complaint is uploaded to Turkey's national IYS registry (iys.org.tr) within three business days. You can sign in at iys.org.tr with e-Devlet to review and update all consents directly.

49. Changes to This Policy

We may update this Privacy Policy when regulations evolve, new features ship or our business processes change. For material changes we send advance notice to your account email and post an in-app announcement, giving you a reasonable window to review before the change takes effect. Every update is reflected in the 'last updated' date at the top of this page.

50. Version History

Version: 1.0.0. Effective date: 25 May 2026. This is the first comprehensive version of the Privacy Policy. Previous versions are available on request at [email protected].

51. VERBIS Exemption

Under KVKK Board principle decisions 2018/87 and 2023/1154, Async Yazılım Bilişim Programlama San. ve Tic. Ltd. Şti. is exempt from registration with the Data Controllers' Registry (VERBIS) due to having fewer than 50 annual employees, an annual balance sheet total below TRY 100 million, and a main activity that does not involve processing special category personal data. This exemption does not remove our other KVKK obligations; should the criteria be exceeded, registration will be completed within 3 months.

52. How to Reach Us

We are always available for privacy questions, requests and concerns. Use [email protected] for general inquiries, [email protected] for KVKK requests, and [email protected] for security reports. Phone, registered address and MERSIS number are listed in the company block at the bottom of this page.

Company Details

Legal Name
Async Yazılım Bilişim Programlama San. ve Tic. Ltd. Şti.
Address
Alacamescit Mah. Çancılar Cad. Çakar Erdoğan İş Hanı Kapı No:62/306, Osmangazi/Bursa 16120
Phone
+90 539 634 46 01
Email
[email protected]
Tax Office
Yıldırım Vergi Dairesi Müdürlüğü
Tax ID
0911099493
MERSIS No
0091109949300001
Website
livealbum.app

Group Company (International)

Legal Name
EEC LABS LTD
Company Type
Private company limited by shares
Registered Office
England and Wales
Address
Suite 10885, 5 Brayford Square, London, United Kingdom, E1 0SG
SIC Codes
62012, 58290, 62020, 47910