MyEvents360

Privacy policy

Last updated: 20 juin 2026

This policy describes how MyEvents360 collects, uses and protects its users' personal data, in accordance with the General Data Protection Regulation (GDPR).

1. Data controller

MyEvents360 — personal project in the process of being incorporated.
Contact: contact@myevents360.com

2. Data we collect

Account data

  • Email address (required, used for authentication)
  • Password (stored hashed, never in plain text)
  • Name or nickname
  • Profile picture (optional)
  • Favorite city (optional)

Event data

  • Title, description, date, location, category
  • Cover image
  • Invited members list
  • Shared photos and videos
  • Group chat messages
  • Questionnaire answers (where applicable)

Technical data

  • Device identifier (for push notifications)
  • Application error logs (anonymized)
  • IP address for API calls (kept temporarily for security)
  • Advertising identifier (IDFA on iOS / Google Advertising ID on Android) — collected only when advertising is enabled and with your consent(see §4 ter).

No precise geolocation data is collected without an explicit user action (via the "Use my location" button when creating an event).

3. Purposes and legal bases

  • Providing the service (authentication, event management, messaging, media sharing) — legal basis: performance of the contract.
  • Sending push notifications about events — legitimate interest + system-level consent.
  • Content moderation (automatic detection of inappropriate content) — legitimate interest to ensure a safe environment.
  • Sending transactional emails (verification, password reset) — performance of the contract.
  • Service improvement (anonymized usage analysis) — legitimate interest.
  • Displaying advertising in the mobile app (via Google AdMob) — legal basis: consent for personalized advertising and tracking, legitimate interest for non-personalized advertising (see §4 ter).

4. Recipients and sub-processors

Data is shared only with the following technical providers, strictly as needed to run the service:

  • Supabase (database) — EU-based servers.
  • Cloudflare R2 (photo and video storage) — global CDN.
  • Cloudflare Pages (web hosting) — United States / global CDN.
  • Railway (API hosting) — United States.
  • Resend (transactional emails) — United States.
  • OpenAI, L.L.C. (automatic content moderation via the Moderation API — omni-moderation-latest model; and AI cover-image generation via the Images API — gpt-image-1-mini model) — United States (see §4 bis and §4 quater).
  • Anthropic, PBC (conversational AI assistant and AI-assisted event creation via the Claude API — Claude Haiku model) — United States (see §4 quater).
  • Expo Push / Apple APNs / Google FCM (push notifications).
  • Google AdMob (advertising in the mobile app — Google Ireland Limited) — see §4 ter.

For transfers outside the EU, MyEvents360 relies on the EU Commission's standard contractual clauses and, where applicable, adequacy decisions (Data Privacy Framework for the United States).

We never sell or rent your personal data to third parties.

4 bis. Automated content moderation

To keep our community safe and detect prohibited content (hate, harassment, threats, violence, self-harm, sexual content, child exploitation, illicit activities), we use the OpenAI Moderation API automated moderation service.

Data sent to OpenAI:

  • The text of messages you post in an event chat, sent at the moment the message is published.
  • The URL of photos you upload to an event (OpenAI downloads the image from our storage and analyses it visually). Analysis runs in the background, shortly after upload.

Purpose: automatic detection of prohibited content. Messages and photos flagged as problematic are automatically hidden and their author is notified. Automated decisions have no legal effect on the user; a human moderator can be contacted for disputed cases.

OpenAI API policy: in accordance with OpenAI's API usage policy effective since March 2023, data sent through the Moderation APIis not retained beyond the time strictly required to process the request and is not used to train OpenAI's models.

Legal basis (GDPR): legitimate interest in protecting users and the community from unlawful content (Article 6.1.f).

Sub-processor: OpenAI, L.L.C., 3180 18th Street, San Francisco CA 94110, USA. Transfers outside the European Union are framed by the EU Commission's Standard Contractual Clauses and the EU-US Data Privacy Framework.

4 ter. Advertising (Google AdMob)

Starting with version 1.3.0, the MyEvents360 mobile app may display advertising served by Google AdMob (Google Ireland Limited). When advertising is enabled, the Google Mobile Ads SDK may access your advertising identifier (IDFA on iOS, Google Advertising ID on Android) to display ads and measure their performance.

Consent: on first launch, a consent screen (Google UMP, GDPR- compliant) collects your choice; on iOS, an App Tracking Transparency prompt is also shown. If you decline, the ads displayed remain non-personalized and no cross-app advertising tracking is performed.

Data involved: advertising identifier, ad-interaction data, and approximate technical information (device type, language). This data is processed by Google under its own policy — see Google's privacy policy and how Google uses data.

Legal basis (GDPR): consent (Article 6.1.a) for personalized advertising and tracking; legitimate interest (Article 6.1.f) for displaying non-personalized advertising. You can withdraw your consent at any time by resetting the advertising identifier in your device settings, or by declining via the consent screen / iOS tracking prompt.

Sub-processor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Transfers outside the European Union are framed by the EU Commission's Standard Contractual Clauses and the EU-US Data Privacy Framework.

4 quater. Artificial-intelligence features (assistant and generation)

The app offers generative-AI features that you trigger yourself: the conversational AI assistant, AI-assisted event creation (you describe the event and the AI prepares a draft) and cover-image generation from a text prompt. These features rely on third-party AI providers and are only active when you use them.

Data sent:

  • Assistant and event creation — the text you enter (your question or the event description) together with limited context needed for the response (for example your role in the relevant event) is sent to Anthropic (Claude API) to generate the answer or draft.
  • Cover-image generation — the text (prompt) you provide is sent to OpenAI (Images API, gpt-image-1-mini model) to produce the proposed images.

Purpose: to perform the feature you requested (answer a question, draft an event, generate an image).

Model training: under these providers' commercial terms, data sent through their APIs is not used to train their models and is retained only transiently, for service delivery and safety, in accordance with their respective policies.

Reliability: AI-generated content may contain errors, inaccuracies or outdated information. It is provided as assistance; it is your responsibility to check and correct it before using or publishing it. You remain responsible for the content you share.

Legal basis (GDPR): performance of the service at your request (article 6.1.b) for the processing needed to run the feature, and legitimate interest (article 6.1.f) for security and abuse prevention.

Sub-processors: Anthropic, PBC, San Francisco, United States — see Anthropic's privacy policy; OpenAI, L.L.C., 3180 18th Street, San Francisco CA 94110, United States. Transfers outside the European Union are covered by the European Commission's Standard Contractual Clauses and the EU-US Data Privacy Framework.

5. Retention period

  • User account: until deleted by the user or after 3 years of inactivity.
  • Events and content: as long as the event exists, until deleted by the creator or the user concerned.
  • Technical logs: 60 days max.
  • Transactional emails: 12 months for traceability.

6. Your rights

Under the GDPR, you have the following rights over your data:

  • Right of access: obtain a copy of your personal data.
  • Right of rectification: correct inaccurate data.
  • Right of erasure: request deletion of your account and data ("right to be forgotten").
  • Right of portability: retrieve your data in a structured, readable format.
  • Right to object: object to certain legitimate-interest-based processing.
  • Right to withdraw consent: at any time, without affecting the lawfulness of prior processing.

To exercise these rights, contact us at contact@myevents360.com. We respond within one month.

You also have the right to lodge a complaint with a supervisory authority (in France, the CNIL).

7. Security

Data is protected by technical and organizational measures: HTTPS for all communications, hashed passwords (bcrypt), short-lived JWT tokens, at-rest encryption at storage providers, restricted access to production data.

8. User-generated content

Photos, videos and messages posted in an event are visible only to members of that event, according to the access settings chosen by the creator. MyEvents360 does not review this content except for reports or automated moderation.

8 bis. Local on-device storage — automatic download of chat media

Starting with version 1.1.0, MyEvents360 automatically downloads to your device the photos, videos, voice messages and documents received in your conversations (direct messages, groups, event chats). These media are stored only on your device, in a dedicated MyEvent360 folder visible in your system's Photos / Files app, and are never sent to third parties or kept elsewhere than the Cloudflare R2 storage where they were already hosted at the time their author shared them.

You stay in control: from Profile → Storage & data, you can enable or disable auto-download per file type (photos / videos / voice messages / documents) and per network condition (Wi-Fi / mobile data / roaming). You can delete downloaded media at any time (Profile → Storage → Manage storage).

iOS / Android permission: on first activation, your operating system prompts for permission to access your photo library (iOS) or media storage (Android). If you decline, media are still downloaded inside the app (accessible via Profile → Storage → Manage storage) without appearing in your system Photos / Files app.

Legal basis (GDPR): performance of the contract — to enable offline access to media received in your conversations and sharing outside the app.

9. Minors

The service is not intended for children under 15. Minors aged 15 to 18 must obtain consent from a parent or legal guardian before creating an account.

10. Changes

This policy may be updated. Any material change will be notified by email or in the app. The last-updated date is shown at the top of the document.