Privacy Policy

1. Introduction and General Information

This Privacy Policy ("Policy") explains our practices regarding personal data collected, processed, and stored through the dugungaleri.com website and all related services ("Platform", "Service") operated by Wedding Gallery ("Company", "we", "our").

This Policy has been prepared in accordance with Personal Data Protection Law No. 6698 ("KVKK"), the European Union General Data Protection Regulation ("GDPR"), and other relevant legislation.

2. Data Controller

Acting as data controller within the scope of KVKK:

• Trade Name: Wedding Gallery (Düğün Galerisi)
• Website: dugungaleri.com
• Email: bilgi@dugungaleri.com

You can contact us using the above contact information for any questions, requests, and applications regarding your personal data.

3. Collected Personal Data

The following categories of personal data are collected through our Platform:

3.1. Identity Information

• Name and surname
• Email address
• Google account information (if signing in with Google)
• Profile photo (optional)

3.2. Account and Security Information

• User ID
• Encrypted password
• Account creation date
• Last login date and time
• Authentication tokens

3.3. Content Data

• Uploaded photos and videos
• Photo and video metadata (including EXIF data: capture date, device info, location data)
• Event names and descriptions
• Uploader nicknames
• Like and interaction data
• AI-generated content (quests and wishes)

3.4. Payment Information

• Billing address
• Payment history
• Subscription status

Note: Sensitive payment information such as credit card number, CVV, and expiration date is not stored directly by us; this information is securely processed by our PCI DSS compliant payment processor Paddle.

3.5. Technical and Usage Data

• IP address
• Browser type and version
• Operating system
• Device identifiers (Device ID)
• Access date and time
• Page view data
• Click and interaction data
• Session duration
• Referral URLs

3.6. Cookie Data

• Session cookies
• Preference cookies
• Analytics cookies (Google Analytics)
• Local storage data (localStorage)

4. Data Processing Purposes

Your personal data is processed for the following purposes:

4.1. Service Delivery

• Creating and managing user accounts
• Authentication and security
• Providing photo and video upload, storage, and sharing services
• QR code generation and event management
• Providing gallery viewing and download functions
• AI-powered content creation (photo quests, wedding wishes)

4.2. Payment Processing

• Premium membership sales and processing
• Invoice creation and sending
• Payment verification and confirmation
• Managing refunds and cancellations

4.3. Communication

• Responding to customer support requests
• Service-related notifications (password reset, account security)
• Event reminders and updates
• Legal notices and policy updates

4.4. Analysis and Improvement

• Analysis of platform usage statistics
• Improving user experience
• Detecting and fixing technical issues
• Developing new features

4.5. Security and Compliance

• Preventing fraud and abuse
• Fulfilling legal obligations
• Enforcing terms of service
• Ensuring platform security

5. Legal Basis

The legal bases for processing your personal data are as follows:

5.1. Under KVKK (Turkish Data Protection Law)

• Explicit Consent (Art. 5/1): Marketing communications, cookie preferences
• Performance of Contract (Art. 5/2-c): Service delivery, account management, payment processing
• Legal Obligation (Art. 5/2-ç): Tax legislation, consumer rights
• Legitimate Interest (Art. 5/2-f): Security, fraud prevention, service improvement

5.2. Under GDPR

• Consent (Art. 6/1-a): Analytics cookies, marketing
• Contract (Art. 6/1-b): Service provision
• Legal Obligation (Art. 6/1-c): Tax and accounting obligations
• Legitimate Interest (Art. 6/1-f): Security and fraud prevention

6. Data Sharing and Transfer

Your personal data may be shared with the following parties and for the following purposes:

6.1. Service Providers

• Firebase (Google Cloud): Authentication, database (Firestore), file storage (Cloud Storage), hosting, and analytics services. Data may be processed on servers located in the USA. Google uses Standard Contractual Clauses (SCC) for GDPR compliance.
• Paddle: Secure payment processing. Paddle acts as Merchant of Record and manages all payment processing, tax calculations, and invoicing.
• Google AI (Gemini API): AI-powered content creation (photo quests, wedding wishes). Processed data: event context, language preference.
• Google Analytics: Website traffic analysis and user behavior statistics.

6.2. Legal Requirements

Your personal data may be shared with authorized authorities in the following cases:

• Court order or legal requirement
• Proper requests from official authorities
• Use in legal proceedings to protect our rights
• When the safety of users or third parties is threatened

6.3. International Data Transfer

Some of our service providers operate in the USA and other countries. These transfers are made:

• To countries providing adequate protection under Article 9 of KVKK or
• To countries secured by Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR)

6.4. Guest Users and Event Participants

When you upload photos/videos to an event:

• Your uploaded content may be viewed by the event organizer and other event participants
• Your nickname (if any) may be shown to other users
• The event organizer can download and use all uploaded content

7. Cookies and Tracking Technologies

7.1. What Are Cookies?

Cookies are small text files that websites place in your browser. These files are used for purposes such as remembering your preferences, managing your session, and analyzing your site usage.

7.2. Types of Cookies We Use

Essential Cookies:

• Session management cookies
• Security cookies
• Firebase Authentication cookies

These cookies are necessary for the Platform to function properly and cannot be disabled.

Preference Cookies:

• Language preferences
• Display settings
• Device identifiers (for guest tracking)

Analytics Cookies:

• Google Analytics (_ga, _gid, _gat)
• Firebase Analytics

These cookies help us collect site usage statistics.

7.3. Local Storage (localStorage)

Our Platform stores the following data in your browser's local storage:

• Guest device IDs (in guest_xxxxxxx format)
• Session information
• Application preferences

7.4. Managing Your Cookie Preferences

You can manage your cookie preferences through the following methods:

• Through the cookie consent banner displayed on our site
• By blocking or deleting cookies from your browser settings
• By using the Google Analytics opt-out add-on

Disabling essential cookies may cause the Platform not to function properly.

8. Data Security

We implement the following technical and administrative measures to ensure the security of your personal data:

8.1. Technical Measures

• Encryption: All data transfers are encrypted with SSL/TLS (HTTPS)
• Password Security: Passwords are encrypted with one-way hash algorithms (Firebase Authentication)
• Firewall: Cloud Firestore and Cloud Storage security rules
• Access Control: Role-based access management
• Token-Based Authentication: JWT-based secure session management
• File Validation: Type and size control of uploaded files

8.2. Administrative Measures

• Minimum data collection principle
• Regular security assessments
• Data breach response procedures
• Staff privacy training

8.3. File Security

• Maximum file size: 100 MB
• Allowed file types: JPEG, PNG, HEIC, MP4
• Time-limited access with signed URLs (15 minutes - 1 hour)
• Collision prevention with unique file names

8.4. Payment Security

• PCI DSS compliant secure payment processing by Paddle
• Credit card information is not stored on our servers
• 3D Secure verification support

9. Data Retention Periods

Your personal data is retained for the duration required by the processing purpose and within the framework of our legal retention obligations:

9.1. Content Data

• Photos and Videos: 365 days from event creation date (for Premium events)
• Thumbnails: Same duration as original file
• Event Metadata: During and 365 days after the event

9.2. Account Data

• Active Accounts: As long as the account is active
• Deleted Accounts: Completely deleted within 30 days of deletion request (subject to legal obligations)

9.3. Transaction Records

• Payment Records: 10 years per tax legislation
• Invoices: 10 years
• Log Records: 2 years

9.4. Analytics Data

• Google Analytics Data: 26 months (Google's default period)

9.5. Expiry of Retention Period

Data whose retention period has expired is securely deleted or anonymized in the first periodic destruction process following the end of the relevant period.

10. Your Rights

You have the following rights under KVKK and GDPR:

10.1. Right to Information

You have the right to request whether your personal data is being processed and, if so, information about it.

10.2. Right of Access

You have the right to access your processed personal data and obtain a copy of it.

10.3. Right to Rectification

You have the right to request the correction of incomplete or inaccurate personal data.

10.4. Right to Erasure (Right to Be Forgotten)

Under certain conditions, you have the right to request the deletion of your personal data. These conditions include:

• The purpose of data collection no longer exists
• You withdraw your consent and there is no other legal basis
• You object to data processing

10.5. Right to Restriction of Processing

In certain situations, you can request that the processing of your data be restricted.

10.6. Right to Data Portability

You have the right to receive your personal data that you provided to us in a structured, commonly used, and machine-readable format.

10.7. Right to Object

You have the right to object to data processing activities based on our legitimate interests.

10.8. Right to Object to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you.

10.9. Exercising Your Rights

To exercise your rights:

• Email: bilgi@dugungaleri.com

Your request will be responded to within 30 days at the latest after verification of your identity. This period may be extended up to 60 days for complex requests.

10.10. Right to Complain

If you believe there is a violation regarding the processing of your personal data, you have the right to apply to the Personal Data Protection Authority (www.kvkk.gov.tr).

11. Children's Privacy

Our Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from individuals under 18.

As a parent or guardian, if you believe your child has provided us with personal information, please contact us immediately. If we detect such information, we will immediately delete that data from our systems.

In case of uploading photos of children at wedding events, these uploads are the responsibility of the event organizer and/or the child's parent/guardian.

12. Policy Changes

We may update this Privacy Policy from time to time. When changes are made:

• The updated policy will be published on this page
• The "Last update" date will be revised
• You will be notified by email for significant changes
• Your consent may be requested again when necessary

Your continued use of the Platform after changes constitutes acceptance of the updated Policy.

13. Contact

For questions about this Privacy Policy or the processing of your personal data:

• Email: bilgi@dugungaleri.com
• Website: dugungaleri.com

We will respond to your requests within 30 days at the latest.