Privacy Policy
1. Summary
Davetiye is an iOS app that uses generative AI to create event invitation designs. This policy explains what data we collect, why we collect it, who we share it with, and what rights you have over it.
Key points:
- We don't ask for your email, name, or phone to sign up. We use a device-bound anonymous identifier (Firebase UID).
- The content of your invitation (names, date, venue) is sent to AI providers. This is required to generate the image.
- Photos you upload are sent to OpenAI for style analysis only. They are not used as training data.
- Generated invitations are stored on Firebase Storage and accessible by anyone with the link. Don't include sensitive information.
2. Data We Collect
2.1 Automatically collected
| Data | Source | Purpose |
|---|---|---|
| Firebase User ID (anonymous) | Firebase Anonymous Auth | Session + credit balance tracking |
| Push notification token (FCM) | Apple Push Notification Service | Notifying you when generation completes |
| Device and app version | iOS / SDK | Debugging and compatibility |
| Crash data | Apple / SDK | App stability |
2.2 Data you provide
| Data | Required? | Destination |
|---|---|---|
| Event type (wedding/engagement/henna/circumcision/birthday) | Yes | Firebase + OpenAI/fal.ai (inside prompt) |
| Names of the couple/person | Yes (for some templates) | Firebase + OpenAI/fal.ai |
| Date and time | No | Firebase + OpenAI/fal.ai |
| Venue name and address | No | Firebase + OpenAI/fal.ai + Google Places |
| Custom notes, style modifications | No | Firebase + OpenAI/fal.ai |
| Reference photo | No | OpenAI (GPT-4o Vision) — not stored permanently on our side |
2.3 Generated output
- AI-generated invitation images are stored on Firebase Storage.
- Links are publicly accessible to anyone who has them. Don't include sensitive information in the invitation.
2.4 Product analytics
- On first launch we ask for your consent. If you decline, none of the below is collected.
- If you consent, PostHog records events such as: generation started/completed, share, purchase events, watermark removal.
- If you additionally opt into "session flow analytics", on-screen interactions are recorded.
- You can change your consent at any time in Settings.
2.5 Purchase data
- Credit packs are purchased through the Apple App Store.
- Apple validates the transaction receipt. We store only the transaction ID and product purchased.
- We never see or store your payment card information. This is handled entirely by Apple.
3. Data We Do NOT Collect
- Your name, surname, email, or phone (we don't require an account)
- Location data
- Contacts, calendar, health data
- Camera (you can only pick existing photos from your Photo Library)
- Advertising tracking data (we don't collect IDFA)
4. Third Parties We Share Data With
| Service | Purpose | Data shared |
|---|---|---|
| OpenAI (USA) | Invitation generation and reference photo analysis | Event details (names, date, venue), reference photo, customization text |
| fal.ai (USA) | Alternative/fallback image generation | Same prompt text |
| Google Firebase (USA/EU) | Auth, database, storage, push notifications | Firebase UID, event details, generated images, FCM token |
| Google Places API (USA/EU) | Venue autocomplete | Venue name you type |
| PostHog (EU) | Product analytics, session replay | Event names, Firebase UID, (if session replay consented) screen captures |
| Apple App Store | In-app purchase | Purchase receipt |
OpenAI and fal.ai servers are partly located in the USA. International data transfer therefore applies. The legal basis for this transfer is that it's necessary to provide the service (GDPR Art. 49(1)(b), KVKK Art. 9/2-a).
5. Legal Basis
| Purpose | GDPR basis | KVKK basis |
|---|---|---|
| Generate invitation (core service) | Contract (Art. 6(1)(b)) | Performance of contract (Art. 5/2-c) |
| Anonymous account creation | Contract | Performance of contract |
| Product analytics | Consent (Art. 6(1)(a)) | Explicit consent (Art. 5/1) |
| Session replay | Consent | Explicit consent |
| Debugging, crash analysis | Legitimate interest (Art. 6(1)(f)) | Legitimate interest (Art. 5/2-f) |
| Purchase verification | Legal obligation + contract | Legal obligation + contract |
6. Retention Periods
We keep your data for as long as your account is active. When you request account deletion (Settings → Privacy → Delete my account), we remove your generated invitations, credit balance, and account-linked records from our systems.
Data transferred to third-party processors (OpenAI, fal.ai, Firebase, PostHog, Apple) is subject to each provider's own retention policies — see the links in §4.
7. Your Rights
Under GDPR (EU) and KVKK (Turkey) you have the following rights:
- Right to be informed about data processing.
- Right of access to a copy of the data we hold about you.
- Right to rectification of incorrect data.
- Right to erasure ("right to be forgotten").
- Right to restrict processing.
- Right to data portability — receive your data in a machine-readable format.
- Right to object to processing based on legitimate interest.
- Right to withdraw consent at any time.
To exercise these rights, email info@daveto.app. We respond within 30 days.
8. Children's Privacy
Davetiye is designed for users 13 years and older. We don't knowingly collect data from children under 13. If you believe your child has sent us data, email info@daveto.app and we'll delete it.
Parental consent is recommended for users under 18. The app is not in the Kids / Family category.
9. Security
- All network traffic is encrypted with TLS.
- We use Firebase authentication tokens.
- Generated invitation images are stored on Firebase Storage and are publicly accessible to anyone with the URL — don't include sensitive personal information.
- No system is 100% secure. In the event of a breach, we'll notify relevant authorities and affected users within 72 hours as required by KVKK and GDPR.
10. Changes to This Policy
When this policy changes we update the date and version number. For material changes we show an in-app notice.
11. Contact
Data controller: The developer of Davetiye (individual Apple Developer account)
Contact: info@daveto.app
All requests are accepted via email. For official correspondence that requires a physical address, identity verification will be completed by email first and the address will be provided in response.
Users residing in Turkey may file complaints with the Personal Data Protection Authority (kvkk.gov.tr). EU residents may complain to their local Data Protection Authority.