Privacy Policy

This Privacy Policy explains how W3 Culture S.R.L. ("we", "us", or "our") collects, uses, and protects your personal data when you use Easy360 (accessible at easy360.net and app.easy360.net). We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable Romanian data protection law.

1. Who We Are

Data Controller:

• Company: W3 Culture S.R.L.
• Registered office: Timișoara, Romania
• Email: support@easy360.net
• Platform: Easy360 — a 360° video/photo booth management platform

For questions about this Privacy Policy or your personal data, contact us at support@easy360.net.

2. Personal Data We Collect

We collect the following categories of personal data:

Account Registration Data

• Full name
• Email address
• Password (stored as a bcrypt hash — never in plaintext)
• Date and time of account creation
• Date and time of Terms & Conditions acceptance, and version accepted

Payment Data

• Billing country and VAT details (where applicable)
• Payment transaction identifiers provided by Stripe
• Note: We do not store payment card numbers. All card data is processed and stored exclusively by Stripe, Inc., our payment processor.

Mobile In-App Subscription Data

• When you subscribe to Easy360 Premium from inside the iOS or Android app, the purchase is processed by Apple In-App Purchase or Google Play Billing.
• We do not receive your payment card details, Apple ID, or Google account credentials. These are handled exclusively by Apple Inc. or Google LLC.
• We do receive, via our subscription management provider RevenueCat, Inc.: your Easy360 user ID (so the purchase is linked to your account), an anonymous Apple/Google transaction identifier, the product purchased, the renewal date, and subscription lifecycle events (renewal, cancellation, billing failure, refund).

Usage and Technical Data

• Device type and operating system
• App version
• IP address (collected transiently for security and abuse prevention)
• Feature usage logs (e.g., events created, recordings initiated)

Event Media Data

• Videos and photos captured during 360° booth sessions ("Event Content")
• Only the most recently recorded video per account is retained on our servers. All other recordings are the User's responsibility to save locally.
• Event Content is deleted from our servers when the User deletes the Event or requests removal.

3. Legal Basis for Processing (GDPR Art. 6)

• Contract performance (Art. 6(1)(b)): Processing your account and payment data is necessary to provide the Easy360 service you have subscribed to.
• Legal obligation (Art. 6(1)(c)): Retaining payment records for 82 months in compliance with Romanian accounting regulations (Legea nr. 82/1991).
• Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, abuse detection, and platform improvement — where our interests do not override your fundamental rights.
• Consent (Art. 6(1)(a)): Where we send marketing communications, we rely on your explicit opt-in consent, which you may withdraw at any time.

4. How We Use Your Data

• To create and manage your account
• To process payments and manage subscriptions via Stripe
• To provide and operate the Easy360 platform and 360° booth features
• To send transactional emails (account confirmation, password reset, subscription receipts)
• To detect and prevent fraud, abuse, and security incidents
• To comply with legal obligations (accounting, tax, regulatory)
• To respond to support requests
• To improve the platform based on aggregated, anonymised usage analytics

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

5. Data Sharing and Third Parties

We share personal data only with the following trusted service providers, under strict data processing agreements:

• Stripe, Inc. — Payment processing. Stripe acts as an independent data controller for payment card data. See stripe.com/privacy.
• Hetzner Online GmbH — Cloud infrastructure (servers located in Germany and Finland, within the EU/EEA). All application data and databases are hosted on Hetzner infrastructure.
• RevenueCat, Inc. — Mobile in-app subscription management. RevenueCat validates Apple/Google purchase receipts on our behalf, sends us subscription lifecycle webhooks, and stores the data described under "Mobile In-App Subscription Data" above. See revenuecat.com/privacy.
• Apple Inc. / Google LLC — Where you purchase a subscription inside the iOS or Android app, Apple or Google acts as merchant of record and independent data controller for your payment information. See apple.com/legal/privacy and policies.google.com/privacy.

We may also disclose personal data where required by law, court order, or lawful request from a public authority.

6. Data Retention

• Account data: Retained for the duration of your account. Deleted within 30 days of account deletion upon request.
• Payment records: Retained for 82 months after the end of the contractual relationship, as required by Romanian accounting law.
• Event media (videos/photos): Only the most recent video per account is retained on our servers temporarily. Deleted when the Event is deleted or upon request.
• Support correspondence: Retained for up to 3 years for legal and quality assurance purposes.
• Technical logs: Retained for up to 90 days.

7. International Data Transfers

Your personal data is stored on servers within the European Union (Hetzner Cloud, Germany/Finland). We do not transfer your personal data outside the EEA, except where required by law or where Stripe processes payment data (Stripe is certified under EU Standard Contractual Clauses). Any such transfers are safeguarded by appropriate legal mechanisms under GDPR Chapter V.

8. Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
• Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another controller.
• Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at support@easy360.net. We will respond within 30 days. You also have the right to lodge a complaint with the Romanian supervisory authority: ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) at dataprotection.ro.

9. Cookies and Analytics

The Easy360 mobile app (app.easy360.net) does not use tracking cookies. The marketing website (easy360.net) may use:

• Essential cookies: Required for authentication and session management. These cannot be disabled.
• Analytics cookies: Used to understand how visitors use the website (e.g., page views, session duration). These are only set with your consent.

You can manage cookie preferences at any time through your browser settings or our cookie consent banner on the website.

10. Children and Age Requirements

Easy360 is a business-to-business (B2B) platform intended exclusively for use by companies, event operators, and adult professionals (18 years of age or older). We do not knowingly collect personal data from children under the age of 16. If we become aware that a minor has created an account, we will delete the account and associated data promptly.

Users of the Easy360 platform are responsible for ensuring that attendees of their 360° booth events provide appropriate consent for recording, including where those attendees may be minors.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include:

• TLS encryption for all data in transit
• Passwords stored using bcrypt hashing
• Access controls limiting data access to authorised personnel only
• Infrastructure hosted on ISO 27001-certified data centres (Hetzner)

Despite these measures, no system is completely secure. If you believe your account has been compromised, contact us immediately at support@easy360.net.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email or via a notice in the platform. The updated policy will be effective from the date shown at the top of this document. Continued use of Easy360 after changes are published constitutes acceptance of the revised policy.