Kliqa Privacy Policy
Last updated: 5 June 2026
This policy explains how Kyuriosity d.o.o., Celovška cesta 32, 1000 Ljubljana, Slovenia ("Kliqa", "we") processes personal data when you use kliqa.ai (the "Service"). We comply with Regulation (EU) 2016/679 ("GDPR") and the Slovenian Personal Data Protection Act (ZVOP-2).
Contact (data protection matters): privacy@kliqa.ai
1. Roles: Who Is Responsible
- Hosts and Guests using Kliqa for private events (birthdays, weddings, family gatherings): Kliqa is the data controller for the personal data described in this policy.
- Business customers (e.g., corporate events): the business is the controller of Guest event data and Kliqa acts as processor under our Data Processing Annex. This policy still applies to the business contact's own account data.
2. What Data We Process
Host account data: name, email address, password (hashed, via Supabase Auth), event configuration (event name, honoree name, occasion, theme), notification preferences.
Guest data: display name entered when joining an event; photos taken in the app (original capture and AI-transformed versions); quiz answers, scores, and streaks; messages/shoutouts (text, and voice/video if enabled); mission/challenge completions; word game progress.
Purchase data: purchased pack/tier, credit balance and transactions, gift code records, recipient email (if you send a gift), billing country, withdrawal-waiver consent record (timestamp, IP address, product). Card details are processed by Stripe — we never see your full card number.
Technical data: IP address, device/browser type, approximate country (for pricing/tax), logs, and whether you use the app as an installed PWA or in the browser.
We do not perform facial recognition and do not extract or store biometric identifiers from photos. Photos are processed as images, not as biometric templates.
3. Why and on What Legal Basis
| Purpose | Data | Legal basis (GDPR Art. 6) |
|---|---|---|
| Providing the Service (events, feed, gallery) | Account, Guest, event data | (b) contract |
| AI photo transformation (Glow Up) | Photo captured by the Guest | (b) contract — the transformation is the requested service |
| Payments, credits, tax, fraud prevention | Purchase, technical data | (b) contract; (c) legal obligation (tax/accounting); (f) legitimate interest (fraud) |
| Withdrawal-waiver consent logging | Consent record incl. IP | (c) legal obligation |
| Transactional email (receipts, gift codes, credit expiry, subscription notices) | Email, purchase data | (b) contract; (f) legitimate interest |
| Service security, debugging, abuse prevention | Technical data, logs | (f) legitimate interest |
| Analytics & measurement (Google Analytics) | Technical/usage data, online identifiers | (a) consent — set only after you opt in via the cookie banner |
| Marketing/audience tools (e.g. Meta) | Online identifiers | (a) consent — set only after you opt in via the cookie banner |
| Marketing email to Hosts (if any) | | (a) consent — opt-in, withdrawable anytime |
We do not sell personal data. Analytics and marketing tools that use cookies or similar identifiers are loaded only after you consent through the cookie banner; see the Cookie Policy. You can withdraw consent at any time via "Cookie settings".
4. AI Processing — What Happens to Photos
When a Guest takes a Glow Up photo, the captured image and the selected style context are sent to our AI provider, Google (Gemini API), which returns the transformed image. Per Google's Gemini API terms applicable to paid services, submitted content is not used to train Google's models. Both the original and transformed photos are stored in the event gallery hosted on Supabase. AI-generated images are labelled as AI-generated, including machine-readable marking, in line with the EU AI Act.
5. Recipients and Sub-processors
| Provider | Purpose | Location / transfer safeguard |
|---|---|---|
| Supabase | Database, authentication, file storage, realtime | United States; EU-US Data Privacy Framework + Standard Contractual Clauses |
| Vercel | Application hosting and delivery | United States; EU-US Data Privacy Framework + SCCs |
| Google (Gemini API) | AI photo transformation | United States; EU-US Data Privacy Framework + SCCs |
| Stripe | Payments, tax calculation, receipts | EU/US; EU-US Data Privacy Framework + SCCs |
| Google Analytics | Usage analytics (consent-based) | United States; EU-US Data Privacy Framework + SCCs |
| Resend | Transactional email (receipts, gift codes, expiry reminders) | United States; EU-US Data Privacy Framework + SCCs |
International transfers. Our core infrastructure (Supabase, Vercel, Google) stores and processes data in the United States. We rely on the EU-US Data Privacy Framework (for certified providers) and the European Commission's Standard Contractual Clauses, with supplementary measures where appropriate, to safeguard these transfers under Chapter V GDPR. We will update this list before adding sub-processors.
Event Content is also visible to other participants of the same event (the feed is shared within the event) and to the Host. Event Content is not public; access requires the event link/QR code.
6. Retention
- Event Content (photos, messages, quiz data): retained until 12 months after the last transaction on the Host's account (a purchase, subscription payment, or credit use). Activity within that window resets the 12-month clock. Hosts can delete individual content or entire events at any time; deletion removes the content for all participants. We notify Hosts by email before content is scheduled for automatic deletion.
- Host account data: until account deletion, then removed within 30 days except where law requires longer.
- Purchase and consent records: 10 years (Slovenian tax/accounting law).
- Logs: up to 12 months.
- Backups: deleted content may persist in encrypted backups for up to 30 days.
7. Children's Data — Our Approach and Safeguards
Kliqa is often used at events where children participate, including children's birthday parties. Under ZVOP-2, the age of digital consent in Slovenia is 15. We take a risk-based, proportionate approach to children's data, in line with the EDPB's guidance on age assurance.
Our model. Guests do not create accounts. Every event is created and controlled by an adult Host — typically the parent or guardian organizing the event. Children participate only through a link the Host chooses to share, under the Host's supervision. The Host is the person who decides to use Kliqa and is responsible for the event.
Account age. You must be at least 15 to create a Host account. We expect Hosts of children's events to be adults with parental responsibility for, or organizational authority over, the event.
Consent and notice. The Host is responsible for informing the parents or guardians of attending children that the event uses Kliqa and that photos and other content their children create will be processed as described in this policy. We support this by providing Hosts with a ready-made notice they can include on the event invitation, and by displaying a clear notice to Guests before they create content at events the Host has marked as a children's event.
Why we do not require formal age verification. Collecting identity documents or using face-based age estimation to verify each child or parent would require gathering more personal data about children, which the EDPB cautions against. Given that event content is private to the event (not public), kept to a minimum, and automatically deleted on our retention schedule, we consider notice plus easy deletion to be the proportionate safeguard rather than upfront verification.
Easy deletion. A parent or guardian — or the Host on their behalf — can have a specific child's photos and content removed at any time, quickly and free of charge, by using the in-app controls or contacting privacy@kliqa.ai (see Section 8). We treat such requests as a priority.
AI transformation. Because Glow Up applies AI transformation to photos that may include children, we label outputs as AI-generated (Section 4), do not use children's images for profiling or advertising, and do not use them to train AI models.
If you believe a child's data has been processed without appropriate authorization, contact privacy@kliqa.ai and we will act promptly.
8. Your Rights
You have the right to access, rectify, erase, and receive a copy of your data, to restrict or object to processing based on legitimate interests, and to withdraw consent at any time. Guests without accounts can exercise rights by contacting privacy@kliqa.ai and identifying the event and display name, or by asking the event Host to delete their content directly.
Complaints: you may contact the Slovenian supervisory authority — Informacijski pooblaščenec, Dunajska cesta 22, 1000 Ljubljana, gp.ip@ip-rs.si — or your local EU supervisory authority.
9. Security
Data is encrypted in transit (TLS) and at rest. Access to production data is restricted and logged. Events are accessible only via their unique link/QR code. Despite safeguards, no system is perfectly secure; we will notify you and the supervisory authority of personal data breaches as required by GDPR Art. 33–34.
10. Automated Decision-Making
We do not make decisions with legal or similarly significant effects based solely on automated processing. AI photo transformation is a creative feature, not an evaluation of you.
11. Changes
We will post updates here and notify Hosts by email of material changes.