Privacy Policy

Last updated: 2026-05-05

eventist (the "Service") is a small platform that lets people create private events, share photos with the people they invite, and — at the user's explicit request — publish selected photos to their own Instagram account. This page explains what we collect, why, where it lives, and how to delete it.

1. Who runs this service

eventist is operated as a small project by an individual developer for MVP / demo purposes. For any privacy question, including data deletion requests, contact loftcustomweb@gmail.com.

2. What we collect

• Account identity (from Google, via Dex): the OpenID Connect sub identifier, your email address, your display name, and your Google profile picture URL. We never receive or store your Google password.
• Linked Instagram account (only if you connect one): your Instagram user id, your Instagram username, the OAuth access token Meta issues to us, and that token's expiry. Tokens are stored so we can publish content on your behalf when you ask us to.
• Content you create: events, photos, captions, comments, likes, and reports you submit through the app.
• Session cookie: a signed cookie used to keep you logged in for up to 7 days. It contains only the identity claims above; no third-party tracking IDs.

We do not use analytics, advertising trackers, or third-party fingerprinting scripts. We do not buy or sell user data.

3. How we use it

• To authenticate you and keep your session.
• To show your name, photo, and content to other people you've granted access to (event members you've approved).
• To publish a photo to your Instagram account when you click the publish action — never automatically.
• To respond to abuse reports and keep the service usable.

4. Who we share it with

• Google — handles the sign-in flow. Google only sees that you signed in to eventist; we never send Google your event or photo data.
• Meta / Instagram — only when you explicitly publish a photo. At that moment we send Meta the image URL and your caption. Meta then fetches the image from our storage. If you have not linked Instagram, we never contact Meta.
• Google Cloud — our Postgres database and photo blob storage are hosted on Google Cloud (Compute Engine + Cloud Storage, EU region). Google acts as a sub-processor under their standard terms.

We do not share your data with anyone else. We do not transfer it outside of Google Cloud's EU region as part of normal operation.

5. How long we keep it

• Account record: as long as your account exists.
• Photos and event content: until you delete them, or you delete the account.
• Instagram tokens: until you click Disconnect on /me, the token expires, or you delete the account.
• Server logs: short-lived; rotated within 30 days.

6. Your rights

You can see everything we hold about you on /me and your event pages. You can delete photos and unlink Instagram from those pages directly. To delete your entire account and everything linked to it, follow the steps on /data-deletion or email loftcustomweb@gmail.com.

7. Security

Traffic to eventist is served over HTTPS (LetsEncrypt). Sessions are signed with a server-side secret. Third-party access tokens (Instagram) are stored in our database — they're not encrypted at rest, which is why this service is positioned as MVP / demo and not for high-stakes accounts.

8. Children

eventist is not directed at children under 13. If you believe a child has signed up, contact us and we'll delete the account.

9. Changes

We may update this policy as the product changes. The "Last updated" date at the top of this page reflects the most recent change.