Privacy Policy

Last updated: May 5, 2026

1. Data Controller

Q-eN Computer Tech ("Company", "we", "us"), operating under the brand itsbigday, is the data controller for the digital invitation service available at itsbigday.com.

This Privacy Policy explains how we collect, use and protect your personal data, and describes your rights under applicable law — including the Turkish Personal Data Protection Law (KVKK) for users in Turkey.

2. Data We Collect

2.1 Identity and Contact Data

  • Full name
  • Email address
  • Google profile information (name, email, Google ID) — only when you choose Google sign-in

2.2 Technical Data

  • IP address
  • Anonymous device identifier (browser localStorage)
  • Browser type, version and operating system
  • Access date, time and approximate geographic region (country/city level)
  • Session and authentication token data (HttpOnly cookie)

2.3 Usage Data

  • Invitations, drafts and their contents (text, photos, music)
  • RSVP responses, guestbook entries and survey answers
  • Page views and visit counts
  • Platform preferences (language, UI settings)

2.4 Payment and Billing Data

All payment transactions are processed by PCI DSS Level 1 certified Stripe, Inc. Card numbers, CVV codes and expiry dates are never stored on our servers. We only retain:

  • Stripe transaction reference ID
  • Billing name, email address and country
  • Purchased plan name and transaction date

2.5 Support Data

  • Support ticket subject and message content
  • Invitation data you choose to associate with a ticket

3. How We Use Your Data

  • Creating and managing your account, and verifying your identity
  • Delivering the invitation creation, management and sharing service
  • Sending email verification, password reset and service notifications
  • Processing payments and generating billing records
  • Providing customer support and resolving complaints
  • Detecting and preventing fraud, spam and platform abuse
  • Managing email deliverability (bounce and complaint tracking via AWS SNS)
  • Statistical analysis to improve the service
  • Complying with US federal and Connecticut state legal obligations
  • Sending marketing communications, with your explicit consent

4. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Performance of a contract: Account creation, invitation delivery, payment processing and support
  • Legitimate interests: Platform security, fraud detection and service performance monitoring
  • Legal obligation: US federal and Connecticut state record-keeping requirements
  • Consent: Marketing communications and optional analytics features (you may withdraw consent at any time)

For users in Turkey, these bases correspond to KVKK Article 5(2)(c), 5(2)(f), 5(2)(a) and 5(1) respectively.

5. Third-Party Service Providers

We share your data only with the following processors and only for the stated purposes:

Natro (Email Delivery)

Your email address is processed through Natro mail hosting to deliver verification emails, service notifications and support replies.

Stripe, Inc. (Payment Processor)

Stripe serves the payment interface for paid plans. Stripe is PCI DSS Level 1 certified. Card data never leaves Stripe's infrastructure. See stripe.com/privacy.

Google LLC (Authentication)

If you choose to sign in with Google, you are redirected to Google's OAuth 2.0 service. We receive only your name, email address and Google account ID. If you prefer email/password sign-in, no data is shared with Google. See policies.google.com/privacy.

We do not sell your personal data. We may disclose data to competent authorities when required by US law (court order, regulatory demand, etc.).

6. International Data Transfers

The Company is based in the United States (Connecticut). Your data is processed across the following infrastructure:

  • Database and application server: Private server infrastructure hosted in Germany (account information, invitation content, payment records, etc.)
  • Amazon Web Services S3 (File Storage): File-based content such as photos and other media is stored in AWS S3 cloud storage.

For users in Turkey, data is transferred from Turkey to the US. We safeguard this transfer by:

  • Relying on Standard Contractual Clauses (SCCs) or equivalent safeguards with our processors (AWS, Stripe, Google).
  • The transfer being necessary to perform the service contract (KVKK Art. 9/2-b, c).
  • Your consent, given when you register or purchase a plan.

7. Data Retention

  • Account and identity data: 7 years after account closure (US federal tax law)
  • Payment and billing records: 7 years from transaction date
  • Email delivery logs: 1 year
  • Bounce/complaint records: Indefinitely, until the block is lifted
  • Visit and usage analytics: 2 years
  • Support tickets: 3 years after closure
  • Invitation content: Permanently deleted 90 days after account closure

8. Cookies and Similar Technologies

We use cookies and local storage (localStorage) technologies to improve your experience, ensure security, and analyze usage statistics.

8.1 Essential Cookies and Technologies

These are necessary for the basic functions of the system and cannot be disabled:

  • refreshToken (HttpOnly, Secure cookie): Required for secure session management. It cannot be read by browser-side JavaScript, protecting against XSS attacks.
  • NEXT_LOCALE (cookie): Used to remember your language preference (TR/EN).
  • inv_device_id (localStorage): An anonymous identifier assigned to your device. This data is essential for two primary purposes: (1) Remembering your RSVP responses on your device and allowing you to update them, (2) Providing completely anonymous and aggregate statistics (total views and unique visitor counts) to the invitation host. No personal data is collected or used for profiling via this identifier.
  • cookieConsent (localStorage): Used to remember your cookie preferences (accept/reject). This data is stored in your browser for 180 days.

8.2 Optional Analytics and Marketing Technologies

These are only activated if you give explicit consent (via the cookie banner):

  • Analytics Information: Data such as page views, time spent on the platform, and interaction rates may be analyzed anonymously to improve service quality.
  • Marketing: May be used to deliver personalised campaigns and announcements in the future.

8.3 Third-Party Technologies

The following third-party providers may use their own cookies as part of our service:

  • Stripe: Cookies used by Stripe for payment security and fraud prevention.
  • Google: When using the "Sign in with Google" feature, Google uses its own session management cookies.
  • lucide-react / Material Symbols: These are icon libraries and may load from external CDNs, but they do not typically set tracking cookies.

You can change your cookie preferences at any time through your browser settings or the "Cookie Settings" panel on the platform. Blocking essential cookies may restrict your access to core platform features.

9. Data Security

  • All data in transit is encrypted with TLS/HTTPS.
  • Passwords are stored using one-way hashing (bcrypt).
  • Authentication uses short-lived JWT access tokens and a secure HttpOnly refresh token cookie.
  • IP-based rate limiting and bounce/complaint monitoring prevent email abuse.
  • Access to production infrastructure is restricted to authorised personnel.

10. Your Privacy Rights

All users may contact us at any time to:

  • Access a copy of their personal data
  • Correct inaccurate or incomplete data
  • Request deletion of their account and associated data
  • Opt out of marketing communications (unsubscribe link in every email)
  • Object to data processing based on legitimate interests

Users in Turkey additionally hold all rights under KVKK Article 11, including the right to lodge a complaint with the Personal Data Protection Authority (kvkk.gov.tr) if their request is not addressed.

To exercise any right, email support@itsbigday.com with identity verification. We will respond within 30 days.

11. Children's Privacy

The Service is not directed at children under 13 (US COPPA) or under 18. We do not knowingly collect personal data from minors. If we become aware of such data, it will be deleted immediately. Please contact support@itsbigday.com with any concerns.

12. Policy Changes

We may update this policy from time to time. Material changes will be communicated at least 30 days before taking effect via email or in-app notification.

13. Contact