Privacy Policy

1. Data controller

Kalfa RSVP (“we”, “us”) is the data controller for personal data processed in connection with the kalfa.me event management platform. For privacy inquiries:

2. Information we collect

2.1 You provide directly

• Name and email (registration)
• Phone number (OTP verification and voice services)
• Organization name and contact details
• Event details: name, date, location, guest information
• Payment method data (processed via a secure payment gateway — we do not store full card numbers)

2.2 Collected automatically

• IP address and server access data
• Browser type and operating system
• Usage data (pages viewed, actions taken)
• Cookies and session identifiers

2.3 From event guests

• Guest name, phone, RSVP responses
• Responses to event questionnaires
• Number of companions

2.4 From Instagram / Facebook Login

When you connect an Instagram Business account via Facebook Login, we receive and store the following data from Meta's platform:

• Instagram user ID and Facebook user ID
• Instagram username and display name
• Profile picture URL
• Follower count (at time of connection)
• OAuth access token (used to publish content on your behalf)

Permissions we request: instagram_basic, instagram_content_publish, pages_show_list, business_management.

This data is used solely to enable Instagram content publishing features within the platform. We do not sell, transfer, or use this data for advertising purposes. To delete your Instagram data, see Instagram Data Deletion.

3. Purposes of processing

4. Legal bases (GDPR-style framing)

• Consent: optional marketing or newsletters where applicable
• Contract: delivering the service, payments, invitations
• Legal obligation: accounting, anti-fraud requirements
• Legitimate interests: security, fraud prevention, service improvement

5. Retention

• Account data: while the account is active, plus 30 days after deletion
• Event and guest data: up to 3 years from the event date (customer support)
• Payment records: 7 years where required by applicable law
• System logs: 90 days
• Cookies: as described in section 9

6. Third parties

We do not sell your personal data. We share data only with processors needed to run the service:

• SUMIT / payment partners: billing and transactions
• Telnyx / Voximplant: SMS and voice telephony
• Google (AI): Gemini Live for processing voice RSVP calls where enabled
• Meta (Facebook / Instagram): OAuth authentication and Instagram Business API for content publishing. Data received from Meta is governed by Meta Platform Terms and is not sold or used for advertising.
• Cloud hosting: secure infrastructure
• Authorities: when required by lawful request

7. Your rights

Depending on your jurisdiction, you may have rights to access, rectify, delete, restrict or object to processing, data portability, and to withdraw consent. Contact us to exercise these rights.

Email: privacy@kalfa.me — we aim to respond within 30 days.

8. Security

• TLS/HTTPS for data in transit
• Encryption and access controls for stored data
• Role-based access (RBAC)
• Strong authentication options (OTP / passkeys)
• Monitoring and security reviews

9. Cookies

You can block cookies in your browser; blocking session cookies may prevent sign-in.

10. International transfers

Some subprocessors (e.g. Telnyx / Voximplant, Google) may process data outside your country. We use appropriate safeguards such as standard contractual clauses and, where applicable, recognized frameworks (e.g. EU-US Data Privacy Framework for US transfers).

11. Children

The service is not directed at children under 18. We do not knowingly collect data from children. If we learn we have done so unlawfully, we will delete it promptly.

12. Contact

Questions or requests: