vioworks
Attended an event? Enter your event code and take a selfie — our AI finds your photos instantly using face recognition.
Let your clients browse and pick their favourite shots. Share a link, they select — you get notified instantly.
Easily send large photo sets to agencies, clients, or collaborators — up to 5 GB, with a shareable download link.
Agencies, brands & event teams — set up an event, share a code, and deliver everyone’s photos automatically.
Free while we figure out pricing 🎉

Privacy Policy

Last updated: 3 June 2026

⚠️ This document was prepared for informational purposes and should be reviewed by a qualified legal professional before publication.

1. Introduction

Welcome to Vioworks ("Vioworks", "we", "us", or "our"), accessible at vio.works and operated by Company Legal Name, located at Registered Address (City, Turkey). This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit our website, create an account, or use any of our services.

Our platform provides three core services, each involving different data processing: Send Photos (file transfer), Find Your Photos (AI-powered face recognition), and Photo Selection (client photo selection workflow). By using our services, you acknowledge that you have read and understood this Policy.

This Policy should be read together with our Terms of Use.

2. Who We Are

The data controller responsible for your personal data is Company Legal Name, located at Registered Address. For any privacy-related question or to exercise your rights, you can contact us at emre@emretopdemir.com.

For certain services, you may act as a data controller yourself. For example, when a photographer uploads event photos to Find Your Photos or Photo Selection, the photographer is the controller of those photos and Vioworks acts as a data processor on their behalf.

3. Data We Collect

3.1 Account Data

When you register, we collect your name, email address, and password (stored only as a secure cryptographic hash, never in plain text). We may also store your account preferences and subscription/plan details.

3.2 Send Photos — File Transfer

When you use Send Photos, we collect and temporarily store the image and media files you upload, together with optional metadata such as transfer title, folder name, message, sender email, and recipient email addresses. Files are stored on Amazon S3 and are automatically deleted after the transfer expiry period.

3.3 Find Your Photos — Face Recognition (Biometric Data)

This service involves the processing of biometric data, which is a special category of personal data:

  • Event photos uploaded by photographers are indexed via Amazon Rekognition. Facial feature vectors (mathematical embeddings — not the images themselves) are stored in a Rekognition Collection associated with the specific event.
  • Selfie photos taken by attendees to find themselves are used only for matching. The selfie image is never stored on our servers — a temporary facial vector is generated, compared against the event collection, and discarded immediately after the search.
  • Facial embeddings and event photos are deleted when the event is deleted by the photographer or when the storage period for that event expires.

ℹ️ Biometric data is processed under GDPR Article 9 and KVKK Article 6, on the basis of the explicit consent obtained from the attendee at the moment of selfie capture. You may withdraw consent at any time.

3.4 Photo Selection

When the Photo Selection service is used, we collect:

  • The name entered by the client reviewing the gallery
  • The photos selected and any notes or comments left on individual photos
  • The photographer's email address, used to send selection notifications
  • Compressed / resized preview versions of the uploaded photos (original full-resolution files are not retained)

3.5 Technical & Usage Data

For security, fraud prevention, and performance, we may automatically collect your IP address, browser type, device type, operating system, referring pages, and pages visited within our platform.

3.6 Cookies

We use only essential cookies required for authentication and session management. We do not use advertising, analytics-profiling, or third-party tracking cookies. See Section 10 for details.

4. How We Use Your Data

We process your personal data for the following purposes:

  • To provide, operate, maintain, and improve our services
  • To authenticate users and manage accounts and subscriptions
  • To perform face recognition matching within the Find Your Photos service
  • To deliver email notifications (transfer alerts, selection submissions, account messages)
  • To process payments and manage billing, where applicable
  • To enforce our Terms of Use, prevent fraud, and protect the security of the platform
  • To comply with applicable legal obligations

We do not sell your personal data. We do not use your photos or facial data for advertising, for training artificial intelligence models, or for any purpose beyond delivering the service you requested.

5. Legal Bases for Processing (GDPR / KVKK)

Account & service deliveryPerformance of a contract
Find Your Photos (biometric data)Explicit consent (GDPR Art. 9 / KVKK Art. 6)
Send Photos & Photo SelectionContract + legitimate interests
Security, fraud prevention, logsLegitimate interests
Email notificationsContract / legitimate interests
Legal & tax complianceLegal obligation

6. Third-Party Services (Processors)

We rely on the following trusted sub-processors, each bound by a Data Processing Agreement (DPA):

Amazon Web Services (AWS)

File storage (S3) and face recognition (Rekognition). Data may be processed in the EU (Frankfurt) and US East regions.

https://aws.amazon.com/privacy

Supabase

Database and authentication. Hosted on EU infrastructure.

https://supabase.com/privacy

Resend

Transactional email delivery.

https://resend.com/legal/privacy-policy

Vercel

Application hosting and serverless functions.

https://vercel.com/legal/privacy-policy

7. Data Retention

Account dataUntil account deletion
Transfer files (Send Photos)Deleted automatically after transfer expiry
Event photos & face embeddingsDeleted when event is deleted or storage period expires
Selfie photos (Find Your Photos)Never stored — discarded immediately after matching
Selection preview photosDeleted after client access period + 30-day buffer
Selection notes & picksDeleted when the session is deleted
Usage & security logsRetention period — e.g. 90 days

8. Your Rights

Depending on your location, under the GDPR (EU/EEA), the KVKK (Turkey), or other applicable law, you have the right to:

  • Access — request a copy of the data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Restriction — request that we restrict processing of your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw Consent — withdraw your consent for biometric processing at any time, without affecting prior lawful processing

To exercise any of these rights, contact us at emre@emretopdemir.com. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority (see Section 14).

9. Biometric Data — Additional Information

The Find Your Photos feature processes biometric data (facial recognition vectors), which constitutes "special category personal data" under GDPR Article 9 and KVKK Article 6.

We process this data solely on the basis of explicit consent obtained from attendees at the time of selfie capture. Consent may be withdrawn at any time by contacting emre@emretopdemir.com.

Facial embeddings are computed and matched by Amazon Rekognition under a Data Processing Agreement with AWS. The original selfie image used for searching is never persisted to our storage.

10. Cookies

We use only essential cookies for authentication and session management — these are strictly necessary for the platform to function. We do not use advertising or behavioural-tracking cookies. Because the cookies we use are essential, disabling them in your browser may prevent you from logging in or using core features.

11. Security

  • Encrypted data transmission everywhere (TLS / HTTPS)
  • Private S3 bucket access only through short-lived signed URLs
  • Authentication and access controls on all API endpoints
  • No plain-text password storage (passwords are hashed)
  • Automated deletion of expired files, galleries, and embeddings

In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours and inform affected users without undue delay where required by law.

12. International Data Transfers

Your data may be transferred to and processed in the United States, where parts of the AWS and Vercel infrastructure operate. Such transfers are safeguarded by Standard Contractual Clauses (SCCs), the AWS Data Processing Addendum, and the Vercel Data Processing Agreement.

13. Children's Privacy

Our services are not directed to children under 16, and we do not knowingly collect personal data from children under 16. If a photographer captures event photos that may include minors, the photographer is responsible for obtaining the appropriate consent. If you believe a child has provided us with personal data, please contact emre@emretopdemir.com and we will delete it.

14. Contact & Supervisory Authority

Data Controller: Company Legal Name

Address: Registered Address

Email: emre@emretopdemir.com

Jurisdiction: City, Turkey

Residents of Turkey may file a complaint with the Personal Data Protection Authority (KVKK) at kvkk.gov.tr. Residents of the EU/EEA may lodge a complaint with their local data protection authority.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email and reflected by the "Last updated" date above. Your continued use of our services after an update constitutes acceptance of the revised Policy.