Facerog - PRIVACY POLICY

Version: 3.0 | Last Updated: 26 April 2026

1. IDENTITY OF THE DATA CONTROLLER

This Data Subject Notice ("Notice") has been prepared in accordance with the Turkish Personal Data Protection Law No. 6698 ("KVKK") of the Republic of Türkiye and the European Union General Data Protection Regulation No. 2016/679 ("GDPR").

HUF Bilgi Teknolojileri Danışmanlık Pazarlama ve Ticaret A.Ş. ("Facerog" or "Company"), acting as the data controller, holds the security of personal data of valued participants ("Data Subject" or "User") to whom we provide services through the Facerog mobile application and website ("Platform") to the highest standard.

Company Information:

Title: HUF Bilgi Teknolojileri Danışmanlık Pazarlama ve Ticaret A.Ş.
Address: Üçgen Mah. Abdi İpekçi Cad. Sitesi No: 13 İç Kapı No: 101 Muratpaşa/Antalya, Türkiye
Email: [email protected]
Registered Electronic Mail (KEP): [email protected]
Phone: 0850 307 5048

2. CATEGORIES OF PERSONAL DATA PROCESSED

Data Category	Data Types	Processing Purpose
Identity Information	Name, surname	Membership, service provision
Contact Information	Email address, phone number (optional)	Login, verification, notifications
Special Category Personal Data (Biometric)	Face geometry, vectorial face print, biometric template, expression data (Liveness)	Photo matching, security verification
Visual Records	Event photographs	Service provision, matching
Transaction Security	IP address, device information, log records	Security, legal obligation (Law No. 5651)
Financial Information	Masked card information, payment history	Subscription payments (via Iyzico)
Usage Data	Event history, QR code, album preferences	Service improvement
Marketing and Advertising Data	Cookie identifiers (_fbp, _fbc), browser/device information, visited URLs, conversion events, ad click identifiers (fbclid)	Ad measurement, conversion tracking, retargeting — only with explicit consent
User Profile Links (Optional)	Social media account URLs (Instagram, X (Twitter), LinkedIn, etc.) and/or personal website address voluntarily added by the user to their profile	Digital business card feature — enabling the user to introduce themselves to others
Messaging Data	End-to-end encrypted (E2EE) message content (ciphertext — limited to text and references to event photos already on the platform) and messaging metadata: sender/recipient user IDs, timestamps, delivery/read status	Provision of the private messaging service between users

3. PURPOSES OF PROCESSING PERSONAL DATA

Your personal data is processed in accordance with the principles of the KVKK and GDPR for the following purposes:

a) Biometric Matching: Automatic detection — using artificial intelligence — of photographs belonging to you among thousands of event photographs, with reference to the selfie you take or your past event photographs.
b) System Security (Liveness Check): Liveness testing via the camera to prevent fake account creation and to prevent someone else's photograph from being used to log in.
c) Cross-Event Matching: Storing your face template so that your photographs can be automatically found in subsequent events without you needing to retake a selfie.
d) Subscription Operations: Collecting subscription fees and issuing invoices.
e) Legal Obligations: Responding to requests from competent authorities and keeping log records (Law No. 5651).
f) Communication: Service-related notifications, security alerts, and support requests.
g) Marketing and Advertising Activities: If you provide explicit consent, measuring your behavior on our site through tracking technologies such as the Meta Pixel, performing conversion tracking, displaying interest-based ads on Meta platforms (Facebook, Instagram), and creating retargeting and lookalike audiences. This processing takes place only when you accept the "Marketing" category in the cookie consent banner.
h) Site and Application Performance Analysis: If you provide explicit consent, generating anonymous usage statistics through Google Analytics 4.
i) Digital Business Card Feature: Displaying the social media account links (Instagram, X (Twitter), LinkedIn, etc.) and personal website address that the user voluntarily adds to their profile, when the user chooses to share their profile with another individual.
j) User-to-User Messaging: Enabling private messaging between platform users, ensuring content confidentiality through end-to-end encryption (E2EE), and delivering delivery/read receipts.

4. LEGAL BASES FOR PROCESSING PERSONAL DATA

Processing Activity	KVKK Legal Basis	GDPR Legal Basis
Biometric data processing	Explicit consent (Art. 6/2)	Explicit consent (Art. 9/2-a)
Membership and service provision	Performance of a contract (Art. 5/2-c)	Performance of a contract (Art. 6/1-b)
Fraud prevention (Liveness)	Legitimate interest (Art. 5/2-f)	Legitimate interest (Art. 6/1-f)
Log and invoice retention	Legal obligation (Art. 5/2-ç)	Legal obligation (Art. 6/1-c)
Security measures	Legitimate interest of the data controller (Art. 5/2-f)	Legitimate interest (Art. 6/1-f)
Marketing, advertising, conversion tracking (Meta Pixel) and optional analytics (GA4)	Explicit consent (Art. 5/2-a)	Explicit consent (Art. 6/1-a) — additionally, for cookies, e-Privacy Directive 2002/58/EC Art. 5(3)
Social media links voluntarily added by the user to their profile (digital business card)	Explicit consent (Art. 5/2-a)	Explicit consent (Art. 6/1-a)
User-to-user messaging service (E2EE) and message metadata	Performance of a contract (Art. 5/2-c)	Performance of a contract (Art. 6/1-b)

5. TRANSFER OF PERSONAL DATA

5.1. Domestic Transfers:

Note: Your raw biometric face map (vectorial data) is under no circumstances shared with organizers or third parties. Organizers can see only the matching result.

Recipient	Transferred Data	Purpose	Legal Basis
Event Organizers	Name-Surname, order information	Invoicing, service performance	Performance of a contract
Iyzico (Payment Service Provider)	Financial information	Payment security	Performance of a contract
Technical Suppliers	Transaction security data	Server, cloud services	Legitimate interest
Legal Authorities	Requested data	Legal obligation	Legal obligation

5.2. International Transfers (KVKK Art. 9 and GDPR Notice):

Due to the cloud services and third-party advertising/analytics tools used in the platform infrastructure, your data may be processed on servers located outside Türkiye. Following the amendment to the KVKK by Law No. 7456, Art. 9 permits cross-border transfers (i) to countries with an adequacy decision, (ii) where appropriate safeguards are in place (a Standard Contract notified to the Turkish DPA, undertakings, or Binding Corporate Rules), or (iii) under certain exceptional circumstances (including explicit consent). Our transfers rely on the following safeguards:

AWS transfer: A Standard Contract was executed on 15.03.2026 under KVKK Art. 9/3 and notified to the Turkish Personal Data Protection Board on 17.03.2026 — within the statutory 5 business-day period. The contract incorporates both EU SCC Module 2 and Module 3 within the meaning of GDPR Art. 46.
Other transfers (Google, Meta, etc.): Rely on your explicit consent under KVKK Art. 9 and on the EU Commission's Standard Contractual Clauses (SCC) under the GDPR.

Foreign Recipient	Country	Transferred Data	Purpose	Legal Safeguard
Google LLC / Google Ireland Ltd. (Google Analytics 4, Firebase)	Ireland / USA	Anonymous usage data, FCM token	Site analytics, push notifications	SCC + Explicit consent (for analytics)
Meta Platforms Ireland Limited (Meta Pixel)	Ireland / USA	Cookie identifiers, IP, visited URLs, conversion events	Ad measurement, retargeting, lookalike	SCC + Explicit consent + Meta Joint Controller Addendum
Amazon Web Services, Inc. (AWS) — 410 Terry Ave North, Seattle, WA 98109-5210, USA	USA	Application data (encrypted server-side with AES-256), backups, log records	Server hosting, storage (S3), backup, content delivery (CloudFront)	A Standard Contract was executed on 15.03.2026 under KVKK Art. 9/3 and notified to the Turkish Personal Data Protection Board on 17.03.2026. The contract incorporates the EU Commission's Standard Contractual Clauses, including both Module 2 (Controller → Processor — covering participant face vectors and account data which Facerog processes as data controller) and Module 3 (Processor → Sub-processor — covering organization photographs which Facerog processes as data processor on behalf of the event organizer). The AWS Data Processing Addendum (DPA) and the GDPR Art. 46 SCC safeguards additionally apply.

6. TECHNICAL INFORMATION ABOUT BIOMETRIC DATA

6.1. The selfie photo you take is converted into a mathematical sequence (vector). This vector is compared with the photographs in the database.

6.2. Technical security measures: AES-256 encryption, access control, log recording, storage of biometric data logically and physically segregated from identity and profile information, and regular security audits.

Personal data is hosted on data center infrastructure used by Facerog that holds international security certifications such as ISO 27001 and SOC 2 Type II, with the necessary technical and administrative measures taken under KVKK Art. 12 and GDPR Art. 32.

6.3. Facerog never sells or transfers your biometric data to third parties for marketing purposes. Marketing/advertising cookies (Meta Pixel) do not contain biometric data.

6.4. Compliance with the decision of the Turkish Personal Data Protection Board on "Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data" is ensured.

7. DATA RETENTION PERIODS

Data whose retention period has expired is destroyed periodically under the "Personal Data Retention and Destruction Policy."

Data Category	Retention Period	Basis
Identity and contact information	Parties with a commercial relationship: Membership period + 10 years; Participants who have not made purchases: Membership period + 3 years	Turkish Code of Obligations Art. 146
Biometric vector	While the account is active (destroyed within 30 days upon deletion / consent withdrawal)	KVKK Art. 6, Explicit Consent
Transaction security (logs)	2 years	Law No. 5651
Financial information	10 years	Tax Procedure Law
Visual records (photographs)	Determined by the event organizer	Contract
Usage data	2 years	Legitimate interest
Marketing/advertising cookies (Meta Pixel: _fbp, _fbc)	90 days (deleted immediately upon consent withdrawal)	Explicit consent
User profile links (social media URLs)	Until removed from profile by the user; destroyed within 30 days when the account is deleted	Explicit consent
Encrypted message content (E2EE ciphertext)	Retained while the account is active; destroyed within 30 days upon account deletion. (Per-message deletion is not yet offered.)	Performance of a contract
Messaging metadata (sender/recipient IDs, timestamps, status)	Retained while the account is active; destroyed within 30 days upon account deletion.	Performance of a contract
E2EE public key (e2e_public_key — server-side)	While the account is active; destroyed within 30 days upon account deletion	Performance of a contract
Inactive account data	Destroyed after 24 months of inactivity	KVKK Art. 4

8. RIGHTS OF THE DATA SUBJECT (KVKK Art. 11 and GDPR)

As a Facerog user, you have the following rights:

a) Access and Information: To learn whether your data is being processed and to request a copy.
b) Rectification: To request the correction of incorrectly or incompletely processed data.
c) Erasure / Right to be Forgotten: To request that your personal data be deleted from the system.

Important Erasure Exception (Group Photos): When you delete your account, your biometric data and profile are deleted. However, if you appear in group photos, those photos may not be deleted because their deletion would prevent other persons' access. In such a case, the tag bearing your name is removed and you are anonymized within the system; however, other participants continue to have access to the photo. This practice is carried out under KVKK Art. 5/2-f for the protection of the legitimate interests of other participants and pursuant to the principle of proportionality.

Ownership Notice: Ownership of the photographs belongs to the Organizer/Photographer. To request destruction of the original file, you must contact the Event Official.

d) Data Portability: To request your data in a machine-readable format (XML/JSON). Note: Biometric vector data is in a platform-specific mathematical format and is therefore outside the scope of data portability.
e) Withdrawal of Consent: You may withdraw your consent for biometric data processing at any time via the in-app option "Contact > Facerog > I Want to Withdraw My Explicit Consent for Biometric Data," in writing to [email protected], or via the Data Subject Application Form. You may withdraw your cookie consent for marketing (Meta Pixel) and analytics (GA4) instantly with a single click via the "Cookie Preferences" link at the bottom of the website; upon withdrawal, existing _fbp/_fbc cookies are deleted and no further pixel events are sent.
f) Right to Object: To object to automated matching results.

Information About AI Matching: Facerog performs photo matching through an AI-based facial recognition algorithm. The system's approximate accuracy rate is around 88%, and 100% accuracy is not guaranteed. Mismatches or incorrect matches may result from twin/family resemblance or excessive facial similarity, low resolution/light/angle issues, partial face obstruction (glasses, masks, etc.), or the photographer not uploading or grouping the relevant photo into the system. In such cases, Facerog does not bear technical responsibility. You have the right to object to matching results under KVKK Art. 11/1-g.

g) Complaint to the Authority: If your application is rejected or remains unanswered, you may file a complaint with the Turkish Personal Data Protection Board.

9. APPLICATION METHODS

To exercise your rights pursuant to KVKK Art. 13, you may apply through the following methods:

Your applications will be concluded free of charge within 30 (thirty) days at the latest, depending on the nature of the request. If the operation requires a separate cost, the fee in the tariff determined by the Turkish Personal Data Protection Board may be charged.

Application Method	Address / Information
Written Application (Wet Signed)	Üçgen Mah. Abdi İpekçi Cad. Sitesi No: 13 İç Kapı No: 101 Muratpaşa/Antalya, Türkiye
Registered Electronic Mail (KEP)	[email protected]
Email with Secure Electronic Signature	[email protected]
In-App Application	Contact > Facerog > Other
Data Subject Application Form	facerog.com/kvkk-basvuru

10. CHILDREN'S PRIVACY

10.1. The platform is open to users of all ages. Processing the personal and biometric data of users under the age of 18 is subject to the explicit consent of a parent or guardian under KVKK Art. 6 and GDPR Art. 8 (the platform applies an 18-year threshold by policy).

10.2. A participant under the age of 18 using the platform acknowledges and declares that they act with the knowledge and consent of their parent/guardian.

10.3. Where children appear in photographs taken at events, obtaining the necessary parental/guardian consent prior to the event is the responsibility of the Organization Manager.

10.4. Facerog applies the same technical and administrative security measures to child users as to adults and takes reasonable measures including age-range estimation technology.

10.5. A parent or guardian may at any time request the deletion of a child's account and the destruction of all data by contacting [email protected] or via the in-app "Data Subject Application Form."

10.6. Marketing/advertising cookies (Meta Pixel) and targeted advertising are not activated for users determined to be under the age of 18.

11. COOKIES AND TRACKING TECHNOLOGIES

Cookies, tracking pixels (including the Meta Pixel), and local storage technologies are used on the platform to provide the service, ensure security, improve user experience, and — only with your explicit consent — to perform analytics measurement and marketing/advertising activities.

Cookies are divided into three categories:

Strictly necessary cookies: Used for authentication (JWT), session security, and rate limiting; do not require consent.
Analytics cookies: Google Analytics 4 (_ga, _ga_*) — activated only with your explicit consent.
Marketing/advertising cookies: Meta Pixel (_fbp, _fbc, fr) — activated only with your explicit consent; involve data sharing with Meta Platforms Ireland Limited and data may be transferred to the USA (under SCC safeguards).

For detailed information on cookie categories, durations, third-party recipients, and the consent/rejection mechanism, please refer to our Cookie Policy. You can manage your cookie preferences at any time via the "Cookie Preferences" link at the bottom of the website.

12. DISCLOSURE REGARDING GOOGLE USER DATA

(Google API Services User Data Policy & Limited Use Compliance)

This section is prepared for users who access our application through Google OAuth APIs, in accordance with the Google API Services User Data Policy and the Google APIs Terms of Service. The "Sign in with Google" feature operates via Firebase Authentication using the Google OAuth 2.0 protocol.

12.1. Data Accessed

When the "Sign in with Google" feature is used, only the following two pieces of information are obtained from your Google account:

Your email address (email scope) — Used to identify your account and to send you service-related system notifications.
Your name and surname (profile scope) — Used to display your username in the application interface.

No other data from your Google account is requested. In particular, NO ACCESS is requested to: profile picture, contacts, calendar, Drive files, Gmail content, Google Photos, YouTube history, location history, search history, or any other extended Google APIs. No sensitive or restricted OAuth scopes are configured in our Google Cloud Console; only the basic (non-sensitive) email and profile scopes used automatically by Firebase Authentication are in use.

The "Sign in with Google" flow is performed on the Facerog side through Firebase Authentication. Firebase is a Google-provided service that handles authentication; the ID Token returned by Google is verified by Firebase, and only the two pieces of information identified above are passed through Firebase to the Facerog backend.

12.2. Data Usage

User data obtained from Google is used solely for the following purposes:

Authentication and account creation: Uniquely identifying your account in our system using the Google-assigned identifier and enabling sign-in.
Profile creation: Displaying your name in the application interface.
Service communication: Using your email address only for system notifications directly related to the service (security alerts, account verification, password reset, service interruption, etc.).
Account matching: Preventing the creation of multiple accounts with the same email address.

User Control — Editing Your Name: The name and surname obtained from Google are pre-filled into your profile only at the time of initial account creation. You may edit, change, replace with a username (display name), or otherwise update this information at any time within the platform via the Profile > Edit Profile menu. Once changed, your profile name is stored independently in the Facerog database and is not synchronized back to your Google account.

Limited Use Disclosure: Facerog fully complies with the "Limited Use" requirements of the Google API Services User Data Policy. User data obtained from Google:

Is used solely to provide user-facing features that are prominent in the user interface;
Is not processed, transferred, or sold for advertising purposes;
Is not used to train artificial intelligence/machine learning models;
Is not processed for any other purpose without the user's specific and explicit consent.

12.3. Data Sharing

User data obtained from Google:

Is under no circumstances sold, rented, or traded to third parties.
Is under no circumstances transferred to advertising networks, data brokers, or third parties for marketing purposes.
Is not matched with marketing/advertising cookies (Meta Pixel); no Google account data — whether hashed or in clear form — is sent to Meta.
May only be shared in the following limited categories:
- Service infrastructure providers: AWS (hosting — under a KVKK Art. 9/3 standard contract), solely as a data processor and under contractual confidentiality obligations.
- Legal obligation: Court orders, prosecutor requests, or other binding requests from competent authorities (KVKK Art. 5/2-ç, GDPR Art. 6/1-c).
- Your explicit instruction: Third-party integrations expressly authorized by you (e.g., a data portability request).

12.4. Data Storage & Protection

Encryption: All user data obtained from Google is stored encrypted server-side with AES-256. TLS 1.2+ is used for transmission.
Infrastructure: Data is hosted on AWS cloud infrastructure in data centers certified to ISO 27001 and SOC 2 Type II.
Access Control: Access to data is limited via role-based access control (RBAC); access to the production environment is protected with multi-factor authentication (MFA).
Logical Segregation: Google identity data is held in a database separate from biometric data.
Logging and Monitoring: Data access events are logged and reviewed regularly.
Security Audits: Regular penetration tests and vulnerability scans are performed.

12.5. Data Retention & Deletion

Retention Period: Identity data obtained via Google is retained while your account is active. Accounts inactive for 24 months are destroyed as inactive accounts (KVKK Art. 4 — proportionality).
Account Deletion: When you delete your account, all user data obtained from Google (email, name-surname, profile picture URL, Google sub identifier) is destroyed within 30 days from all production systems and subsequently from backups.
Deletion Methods:
- In-app: Profile > Account Settings > Delete My Account
- Email: written request to [email protected]
- Data Subject Application Form: facerog.com/kvkk-basvuru
Permission Revocation on Google's Side: You can revoke Facerog's access to your Google account at any time directly through Google: https://myaccount.google.com/permissions
Response Time: Deletion requests are processed within 30 days at the latest, and the result is communicated to you.

Information: Pursuant to the Google API Services User Data Policy, you can contact us at [email protected] for any questions regarding our practices on data obtained through Google.

13. SIGN IN WITH APPLE

For Apple ID users, the "Sign in with Apple" feature is provided. This is an authentication service offered by Apple Inc., operating over the OAuth 2.0 / OpenID Connect protocols. On the Facerog side, this sign-in flow is implemented through Firebase Authentication, which manages both the Google and Apple providers; the identity token returned from Apple is verified by Firebase, and Facerog receives only the limited information described below.

13.1. Apple User Data Accessed

When "Sign in with Apple" is used, only the following information is obtained from your Apple account:

Email address — One of the following two options as chosen by the user:
- Real email: The personal email address registered to the user's Apple ID.
- Hidden email (Hide My Email): A relay address generated by Apple in the format [email protected], which does not disclose the user's real email address. Emails sent to this address are forwarded to the user's real address through Apple's servers.
Name and surname — Apple transmits the name to the application only on the user's first sign-in; subsequent sign-ins do not share this information. The user can edit the name on the Apple sheet before sending it, or leave it blank.

No other data from your Apple account (iCloud content, contacts, calendar, photos, etc.) is requested.

13.2. Important Note About Hide My Email

Apple's "Hide My Email" feature: If you use this feature, Facerog never sees or stores your real email address. We retain only your relay address ending in privaterelay.appleid.com. All email communications (account verification, notifications, support) are conducted via this relay address. You can disable or delete the forwarding of the relay address on Apple's side at any time via Apple ID Settings > Apps Using Apple ID; doing so terminates email communication with Facerog.

13.3. Use, Sharing, Storage and Deletion

For email and name data obtained via Apple:

Purpose of use: Account creation, authentication, name display, and delivery of service-related system notifications. Not processed for advertising, profiling, or marketing purposes.
User Control — Editing Your Name: The name received from Apple (transmitted only on the first sign-in) is pre-filled into your profile by default. You may edit, change, replace with a username (display name), or otherwise update this information at any time within the platform via the Profile > Edit Profile menu. Such changes are not synchronized back to your Apple ID account; they are stored solely in the Facerog database.
Sharing: All principles set out in Section 12.3 for Google data (not sold to third parties, not transferred to ad networks, not matched with the Meta Pixel) apply equally to data obtained from Apple.
Storage and protection: The technical and administrative safeguards in Section 12.4 (AES-256 encryption, AWS infrastructure, RBAC, MFA, logging/monitoring) also apply to Apple data.
Retention period and deletion: The rules in Section 12.5 (destruction after 24 months of inactivity, destruction within 30 days of account deletion) also apply to Apple data.
Permission revocation on Apple's side: You can revoke Facerog's access at any time via Apple ID Settings > Password and Security > Apps Using Apple ID.

14. USER-PROVIDED PROFILE LINKS (DIGITAL BUSINESS CARD)

Facerog enables users to optionally add social media account links (e.g., Instagram, X (Twitter), LinkedIn) and/or a personal website address to their profile as a digital business card.

Optional: This feature is entirely at the user's discretion; sharing links on the profile is not a prerequisite for using the service.
Visibility: Links you add to your profile become visible to other users only in the following situations:
- If you post a story within an event you joined via QR code, other users attending that event will be able to view your profile (including the social media links you have added);
- If you move an event photo to a "public album," other users attending that event will be able to view your profile.
Unless one of the situations above occurs, your profile links are not displayed to other users. If you delete the story or remove the photo from the public album, profile visibility is withdrawn within the scope of that event.
User Control: You can edit or completely remove the links you have shared at any time via your profile settings. Removal takes effect immediately.
Legal Basis: This processing is based on your explicit consent under KVKK Art. 5/2-a and GDPR Art. 6/1-a. Sharing the link constitutes the giving of such consent; removing it from your profile is treated as withdrawal of consent.
Facerog's Responsibility: Facerog stores only the URL you provide as plain text. It does not fetch content (no embedding) from the linked platforms, does not verify the accuracy or safety of the URLs, does not perform click-tracking on these links, and does not process your profile links for advertising or marketing purposes.
Third-Party Responsibility: A user clicking a link on your profile is redirected to the relevant social media platform (Meta Platforms, Inc. / Meta Platforms Ireland Ltd., X Corp., LinkedIn Corporation, etc.). After redirection, data processing is governed entirely by the privacy policy and terms of the relevant third-party platform; Facerog is not responsible for the data processing practices of these third parties.

15. USER-TO-USER MESSAGING AND END-TO-END ENCRYPTION (E2EE)

Facerog allows users to exchange private messages with each other within the platform. The messaging infrastructure operates with end-to-end encryption (E2EE) in order to maintain the highest level of content confidentiality.

15.1. End-to-End Encryption Architecture

Key Generation: Upon account creation, an ECDH (Elliptic Curve Diffie-Hellman) key pair is generated on your device. The private key (e2e_private_key, in JWK format) is stored only in your device's local storage and is under no circumstances transmitted to Facerog servers. The public key (e2e_public_key) is stored on the server so that other users can send you secure messages.
Encryption: Before sending a message, the content is encrypted on your device using the recipient's public key. Only the encrypted content (ciphertext) reaches Facerog servers.
Decryption: The recipient can decrypt the message only on their own device, using their own private key. For performance, decrypted messages are temporarily cached in the browser's local storage (decrypted_messages_*); this cache is not transmitted to the server.

15.2. What the Server Can and Cannot See

Data inaccessible (kept private) on the server: The actual content of messages — the text, images, or other content you send or receive. Facerog employees, system administrators, and no third party can read, decrypt, or recover this content.

Metadata processed on the server: The following data is processed in unencrypted form so that the messaging service can technically function:

Sender and recipient user IDs
Message timestamps (sent, delivered, read)
Message status (sent / delivered / read)
Length of the encrypted content — format information only, not content

Content scope: Only text may be exchanged in messages, along with references to event photos already on the platform. Uploading additional images or files from your device or external sources is not supported within the messaging feature.

15.3. Requests from Competent Authorities

Important: If a court, prosecutor, or competent authority lawfully requests your messaging records, Facerog can provide only the metadata and the encrypted content (ciphertext). Because the key required to decrypt the encrypted content (the private key) resides solely on the user's device, Facerog cannot deliver message content in clear (readable) form. This is a deliberate technical design decision aligned with the data minimization and security principles under KVKK Art. 12 and GDPR Art. 32; it forms the technical basis of our guarantee that no other party can read your messages.

15.4. Key Loss and Access Risk

If you clear your device's local storage, reinstall your browser, change devices, or sign in from a different browser, you may lose your private key (e2e_private_key). In that case, you will permanently lose access to your previously encrypted messages; the server cannot decrypt them on your behalf either. This is a natural consequence of the E2EE architecture — Facerog cannot recover lost keys because it never had access to them in the first place.

15.5. Abuse Reporting

You may report any issues with other users (harassing messages, fraud attempts, etc.) to [email protected] or via the in-app "Contact Us" menu. There is currently no automated reporting system; the reporting and review process is conducted manually between Facerog and the user. Because message content is E2EE-encrypted, Facerog cannot perform proactive content moderation. When submitting a report, you may need to share the relevant messages with us as evidence (e.g., a screenshot or the decrypted content available on your device).

15.6. Legal Basis and Retention

The provision of the messaging service and the processing of metadata and encrypted content rely on the performance of a contract under KVKK Art. 5/2-c and GDPR Art. 6/1-b. For retention periods, please refer to the table in Section 7 of this Policy. Upon account deletion, all messaging data (encrypted content, metadata, and your public key on the server) is destroyed within 30 days.

16. POLICY CHANGES

This policy may be revised in line with changes in legal regulations or service updates. Changes will be communicated to users via email and in-app notifications.

17. CONTACT

Company Title: HUF Bilgi Teknolojileri Danışmanlık Pazarlama ve Ticaret A.Ş.

Email: [email protected]

KEP: [email protected]

Address: Üçgen Mah. Abdi İpekçi Cad. Sitesi No: 13 İç Kapı No: 101 Muratpaşa/Antalya, Türkiye