Privacy Policy

Last updated: May 25, 2026 · Effective immediately · Version 2.0

1. Who we are

Picsaris is operated by ThinkAway Studio ("Picsaris", "we", "us", "our"), an individual sole-proprietor developer based in Türkiye (Apple Developer Team ID: 272G8P4977; iOS bundle identifier: com.thinkawaystudio.picsaris). For the purposes of GDPR and KVKK we act as the data controller (veri sorumlusu) for the personal data described below.

2. What data we collect (categories)

Under KVKK (Law No. 6698) Article 6, biometric data is "özel nitelikli kişisel veri" (special-category personal data) and requires explicit consent. We have grouped every piece of data we collect into the following categories for full transparency:

Category	What's included	Source
Identity	Full name, account UUID	You (sign-up form); Apple/Google during OAuth
Contact	Email address (incl. Apple "Hide My Email" private relay aliases)	You; Apple/Google during OAuth
Credentials	Password hashed with bcrypt (cost factor 10) when you use email/password; OAuth subject identifiers (sub) when you use Apple/Google	You; sign-in providers
Biometric (special category)	A single selfie photo and the numeric face template AWS Rekognition derives from it	You — only if you opt in
User content	Event photos you upload, event name, description, cover image, your event roles (organizer / photographer / guest)	You; other event members
Purchase	App Store transaction identifier, purchased product ID, entitlement state, package quotas remaining	Apple App Store via RevenueCat (we never see your payment card)
Consent	The date and version of the Privacy Policy you accepted	You (by checking the consent box)
Technical & risk	IP address, user-agent, request path, status code, response time (server access logs)	Automatic during HTTP requests; used only for debugging, abuse detection, and security

2.1 Data we explicitly do NOT collect

• We do not collect your location (no GPS, no Wi-Fi triangulation, no EXIF geo-tag parsing).
• We do not use third-party analytics SDKs (no Google Analytics, no Mixpanel, no Amplitude, no Firebase Analytics, no Sentry, no Crashlytics).
• We do not show advertising and do not collect data for advertising or profiling.
• We do not track you across other apps or websites and we never request App Tracking Transparency permission on iOS.
• We do not access your contacts, calendar, microphone, or device files outside of those you explicitly pick.
• We do not read or store your payment card details. In-app purchases are processed entirely by Apple's App Store; we only receive a non-sensitive transaction identifier via RevenueCat.
• We do not sell, rent, or share your personal data with data brokers.

3. Why we collect it (purposes & legal bases)

Under GDPR Article 6 and KVKK Article 5, the legal basis for each processing activity is shown below:

• Provide the core service (account creation, joining events, uploading and viewing photos) — performance of a contract (GDPR 6(1)(b) · KVKK 5(2)(c)).
• Face matching from your selfie — explicit consent (GDPR 9(2)(a) · KVKK 6(2)). You give this consent by checking the box during sign-up and by uploading a selfie. You can withdraw consent at any time by deleting your selfie or your account, with effect for the future.
• Process in-app purchases — performance of a contract (GDPR 6(1)(b) · KVKK 5(2)(c)). Apple processes the payment; we record the entitlement.
• Security, fraud prevention, abuse mitigation, server logs — legitimate interests (GDPR 6(1)(f) · KVKK 5(2)(f)).
• Legal compliance (responding to lawful requests from courts or authorities) — legal obligation (GDPR 6(1)(c) · KVKK 5(2)(ç)).
• Bookkeeping for IAP receipts (Vergi Usul Kanunu Md. 253) — legal obligation.

4. Biometric data and face matching

4.1 The technical flow

1. You optionally take or pick a single selfie inside the Picsaris app.
2. The selfie is uploaded over TLS to our server, then to a private Cloudflare R2 bucket.
3. We send the selfie to Amazon Web Services (AWS) Rekognition (region: EU-Frankfurt or EU-Ireland). AWS extracts a numeric face template (a "face vector") and stores it in a Rekognition collection that is unique to each event you join — your template is never compared across events.
4. When other guests upload photos to that same event, AWS extracts face templates from each photo and compares them against the templates already in that event's collection. If similarity ≥ 90%, the photo is linked to your account inside that event so it appears in your "For You" feed.
5. Once matching is complete, AWS retains the face template until you delete your selfie or your account, at which point the template is removed from the collection via the Rekognition DeleteFaces API.

4.2 What you can do at any time

• Skip the selfie — Picsaris works without a selfie; you simply won't see a "For You" feed.
• Replace your selfie from the Profile screen — the old template is deleted from AWS before the new one is indexed.
• Remove your selfie entirely — Profile → tap the selfie → "Remove photo".
• Delete your account — Profile → "Delete account". This permanently removes every face template we have stored, the selfie file in R2, the matches table rows, and your account record. The deletion is irreversible.

4.3 No facial recognition database

Picsaris does not build a cross-event facial-recognition database. Each event has its own isolated Rekognition collection, and templates are never reused across events or shared with any party other than AWS for the purpose of completing the match.

5. Organizer, photographer, guest — who sees what

Picsaris has three role types within an event. Here is exactly what each role can see and do with your data:

• Organizer (created the event): sees the list of event members (name, email, role), sees all uploaded photos, can edit event details, can delete any photo or the entire event. The organizer is a data controller for the photos they collect from guests at their event; Picsaris is a data processor for the organizer with respect to that event content.
• Photographer (invited by organizer): can upload event photos at scale and view all photos in the event. Cannot see other guests' selfies (the selfie is used internally for matching only).
• Guest (joined via QR or join code): can upload their own photos (if the organizer permits guest uploads), can view all event photos, and can see the photos that contain their face in a "For You" feed. Guests do not see other guests' selfies, full names, or emails.

When you join an event as a guest you are giving the event organizer reasonable, customary permission to display you in event photos uploaded by other attendees. If you want to be removed from a specific event's matches you can leave that event from the events list at any time.

6. Sub-processors and third-party services

We share the minimum data necessary with the following processors. Each is bound by either Standard Contractual Clauses (SCCs), the EU–US Data Privacy Framework, a data-processing addendum, or all of the above:

• Amazon Web Services EMEA SARL — Rekognition (face detection & matching). Region: EU. AWS Privacy Notice.
• Cloudflare, Inc. — R2 Object Storage (photos, thumbnails, selfies). Cloudflare Privacy Policy.
• Cloudflare, Inc. — CDN (edge delivery of photos). No personal data is processed beyond the IP address visible to the edge during request routing.
• Apple Inc. — Sign in with Apple, In-App Purchase processing, TestFlight, App Store distribution, Push Notification Service (currently unused). Apple Privacy Policy.
• Google LLC — Sign in with Google (only if you choose this method). Google Privacy Policy.
• RevenueCat, Inc. — Receipt validation and entitlement tracking for IAPs. RevenueCat Privacy Policy.
• DigitalOcean, LLC — Server hosting (region: Frankfurt). DigitalOcean Privacy Policy.
• Expo, Inc. — OTA (over-the-air) JavaScript updates for the app. Only your device's installed app-version metadata is processed during update polling; no personal data is sent. Expo Privacy Policy.

We never sell personal data and we do not share it with advertisers, data brokers, or social-graph services.

7. SDKs and libraries bundled in the app

For transparency, here is the list of native or third-party SDKs that are part of the Picsaris iOS app binary and what they do:

• expo-apple-authentication — wraps Apple's AuthenticationServices for Sign in with Apple.
• @react-native-google-signin/google-signin — wraps Google's GoogleSignIn-iOS SDK for Sign in with Google.
• react-native-purchases (RevenueCat) — receipt validation for in-app purchases.
• expo-camera — used only when you scan an event QR code or capture a selfie. Camera frames are never sent to any third party from the SDK itself.
• expo-image-picker — used when you choose photos from your library to upload. The picker is sandboxed; we only receive the photos you select.
• expo-media-library — used when you save event photos to your photo library.
• expo-secure-store — stores your JWT access token in the iOS Keychain.
• expo-updates — checks for OTA JS updates on app launch.

None of these SDKs perform user tracking, analytics, or advertising.

8. Website cookies

This Privacy Policy and the small landing page at picsaris.app are static HTML. We do not set any cookies, use any local storage, or run any analytics scripts on these pages. The only third-party request the page makes is to fonts.googleapis.com to load fonts, which transmits your IP address to Google solely for the purpose of serving the font file (no profiling cookies are involved). If you prefer to avoid that request, your browser's "Block third-party requests" setting will stop it; the page will still display correctly with system fonts as a fallback.

9. Marketing communications

We do not send marketing emails, promotional push notifications, or SMS. The only emails you may receive from us are: (a) password-reset emails (if you trigger one), (b) account-deletion confirmations, and (c) urgent service notices (security incidents, breaking-change announcements). You cannot opt into marketing because we don't have any.

10. How long we keep your data

Data	Retention
Account record (name, email, OAuth IDs, password hash)	Until you delete your account; 30-day grace for accidental deletion is not currently offered — deletion is immediate and irreversible.
Selfie photo (Cloudflare R2)	Until you remove the selfie or delete your account.
Face template (AWS Rekognition)	Until you remove the selfie or delete your account.
Event photos (Cloudflare R2)	Until the organizer deletes the photo or the entire event; for paid plans, photos may be removed after the plan's 1-year validity window ends.
Match records (database rows)	Deleted via cascade when you delete your account or when an event is deleted.
Purchase records (IAP transactions)	10 years to satisfy Türkiye's Vergi Usul Kanunu Md. 253 (Tax Procedural Law). Email address is detached from the record on account deletion; only the transaction ID and amount remain.
Server access logs (IP, path, status)	30 days, then permanently deleted.
Consent records (privacy acceptance timestamp)	For the lifetime of the account, plus 3 years thereafter (proof of consent under GDPR Art. 7(1)).

11. Your rights

Depending on where you live, you have some or all of the following rights:

• Access (GDPR Art. 15 / KVKK 11(b)) — get a copy of the personal data we hold about you.
• Rectification (GDPR Art. 16 / KVKK 11(d)) — correct inaccurate data.
• Erasure (GDPR Art. 17 / KVKK 11(e), "right to be forgotten") — built into the app: Profile → Delete account. This removes your account, selfie, face templates, and matches.
• Restriction of processing (GDPR Art. 18 / KVKK 11(d)).
• Data portability (GDPR Art. 20) — receive your data in a machine-readable format (email us; we deliver JSON within 30 days).
• Object (GDPR Art. 21) — to processing based on legitimate interests.
• Withdraw consent (GDPR Art. 7(3) / KVKK 6) — for face matching, by deleting your selfie. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.
• Lodge a complaint — EEA/UK users may complain to their national data-protection authority. Turkish residents may complain to the Kişisel Verileri Koruma Kurulu (KVKK) at kvkk.gov.tr.
• California (CCPA / CPRA): California residents have the rights to know, delete, correct, opt out of "sharing"/"sale", and limit the use of sensitive personal information. We do not sell or "share" personal information for cross-context behavioural advertising — there is nothing to opt out of, but we honour the right by design.

To exercise any right that is not already built into the app, email privacy@picsaris.app. We respond within 30 days. We may ask you to verify your identity (typically by signing in with the same account or replying from the email on file).

12. Security measures

• All traffic between the app and our servers is encrypted with TLS 1.2 or 1.3; we set Strict-Transport-Security with a one-year max-age plus includeSubDomains.
• Passwords are hashed with bcrypt (cost factor 10). We never store plain-text passwords.
• OAuth identity tokens (Apple/Google) are verified against the provider's public keys before any account is created or linked.
• Selfies and event photos are stored in private Cloudflare R2 buckets. They are served via a CDN URL that does not require authentication but contains an unguessable UUID in the path, and the URL is only shared with members of the event.
• API access is gated by short-lived JWT access tokens with a per-account token_version mechanism that immediately invalidates every existing token on account deletion, password change, or selfie-state change.
• The server is hosted in Frankfurt, accessed only by the developer over SSH with key-only authentication and a non-default port.
• Production database access uses a non-superuser account with the principle of least privilege.
• HTTP responses include X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and Referrer-Policy: no-referrer.
• No system is perfectly secure. If you find a vulnerability, please email security@picsaris.app; we acknowledge within 7 days. We will not pursue legal action against good-faith security researchers who follow responsible disclosure.

13. Children's privacy

Picsaris is not directed at children under 13 (under 16 in the EEA where local law applies the higher GDPR age, under 14 in Türkiye per the KVKK Kurul's interpretation of explicit consent capacity). We do not knowingly collect personal data from children below the applicable age. If you are a parent or guardian and believe your child has provided us with personal data, please email privacy@picsaris.app and we will delete the account immediately.

Apple's App Store Age Rating for Picsaris is 12+ (chosen based on user-generated photo content).

14. International data transfers

Our primary infrastructure is in the European Union (Frankfurt and Ireland). However, some sub-processors (Apple, Google, RevenueCat, Cloudflare, Expo) may transfer personal data to the United States or other jurisdictions outside the EEA/UK/Türkiye. We rely on the EU Standard Contractual Clauses (and the UK Addendum where applicable), on each provider's certification under the EU–US Data Privacy Framework, and on equivalent safeguards under KVKK Article 9, as the legal mechanisms for these transfers. The list of sub-processors and their locations is kept current in Section 6.

15. Changes to this policy

If we change this policy in a way that materially affects your rights, we will: (a) update the "Last updated" date and version number at the top, (b) increment the PRIVACY_VERSION stored in our backend, and (c) require you to re-accept inside the app before continuing to use it. Minor editorial changes (typo fixes, link updates) are made without a version bump.

A complete version history is available on request from privacy@picsaris.app.

16. Contact

For any privacy question, request, or complaint:

• Privacy: privacy@picsaris.app
• Security disclosures: security@picsaris.app
• General contact: hello@picsaris.app
• Operator: ThinkAway Studio (sole proprietorship, Türkiye)
• Apple Developer Team ID: 272G8P4977
• Bundle identifier: com.thinkawaystudio.picsaris