Last updated: May 1, 2026
Privacy Policy
This Privacy Policy explains how Lativa (mobile app and admin panel; "Lativa", "we") processes personal data of its users.
Lativa acts as a data controller under Turkey's Personal Data Protection Law (KVKK) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Data We Collect
• Account: name, email, password (cryptographically hashed), profile photo.
• Phone: for verification; the verified number is linked to your account.
• Dance profile: home city, dance role, level, styles, social handles (optional).
• Tickets & payments: purchased tickets, payment metadata (amount, status), Iyzico transaction id. Card details NEVER reach us — stored only with Iyzico.
• Enrollments & attendance: dance school enrollments, session attendance, instructor-entered records.
• Communication & social: message contents, partner requests, follows, ratings.
• Device: OS version, push token, IP (session logs), language preference.
2. How We Use Your Data
• Create your account and let you sign in.
• Sell event tickets / class enrollments, issue tickets, validate QR at the door.
• Collect monthly subscription fees via Iyzico (Merchant of Record) and issue invoices.
• Content moderation, account security, abuse detection.
• Legal obligations (tax, e-Archive invoices, audit).
• Transactional push / email notifications (ticket status, partner match, festival reminders).
• Marketing communication ONLY with your explicit consent.
3. Legal Basis (KVKK Art. 5 / GDPR Art. 6)
• Contract performance: ticketing, enrollment, membership.
• Legal obligation: invoicing, KVKK / GDPR notice & retention.
• Legitimate interest: security, abuse detection, service improvement.
• Explicit consent: marketing communication, phone verification.
4. Third-Party Processors
• Iyzico (payment processor) — iyzico.com
• NetGSM — SMS verification codes.
• Cloudflare, Inc. — server infrastructure (Workers + R2).
• Neon — database hosting (EU data center).
• Apple, Inc. and Google LLC — app distribution + push (APNs / FCM).
• e-Archive invoice provider (Paraşüt or equivalent) — legal invoicing.
All processors are bound by a data processing agreement.
5. International Transfers
Cloudflare and Apple/Google infrastructure may process some data outside Turkey. Transfers are made under KVKK Art. 9; EU Standard Contractual Clauses apply where relevant.
6. Retention
• Account data: until account deletion.
• Tickets & payments: 10 years (tax law).
• Messages: until deletion of either user; auto-anonymized otherwise.
• Logs (session, error, audit): 90 days.
• On deletion, non-mandatory data is removed within 30 days.
7. Your Rights
You have the right to: know whether your data is processed, request information about processing, learn the parties to whom it has been transferred, request correction of incomplete/incorrect data and deletion where law allows, be informed about updates to recipients, object to automated decisions, and seek damages for unlawful processing.
GDPR adds: data portability (Art. 20) and the right to lodge a complaint with a supervisory authority.
Requests: privacy@lativa.app
8. Cookies
The mobile app uses no cookies. The admin panel uses only a session cookie required to operate the service.
9. Security
Data in transit is protected with TLS 1.3, the database is encrypted at rest, passwords are hashed with PBKDF2-SHA256 (100k iterations), and phone codes are hashed with SHA-256.
10. Children
Lativa is not intended for users under 16. If we learn that someone under 16 has provided data, we delete the account.
11. Changes
When we materially change this policy, we notify you in-app and may ask for renewed explicit consent.
12. Contact
Data controller: Lativa Technology [legal entity TBD before public launch]
Email: privacy@lativa.app
KVKK / privacy questions: kvkk@lativa.app