1. Who we are
Smileys Community ("Smileys", "we", "us", "our") is a company incorporated in New Jersey, United States. We operate a curated social platform that organises events, interest-based clubs, and community experiences for expats and global professionals in cities around the world. We currently operate in Istanbul, Turkey, with plans to expand to additional cities.
Our members come from over 45 countries, including European Union member states. Because we actively serve EU residents, we are subject to the EU General Data Protection Regulation (GDPR) in addition to applicable US law.
You can reach us through our contact page.
2. What data we collect
We collect information you provide directly when you apply to join, create an account, or use our platform:
- Identity: Full name, nationality, languages spoken
- Contact: Email address, phone number
- Profile: Profile photo, bio, neighborhood, interests, Instagram handle (optional), gender (optional)
- Application data: Date of birth, profession, LinkedIn profile (optional), time living in Istanbul, and your reasons for joining, collected as part of the membership review process
- Activity: Events you join, clubs you're a member of, RSVPs, attendance history, reviews you leave
- Payments: Payment status and transaction records for paid events (we do not store full card details)
- Communications: Messages you send through our contact form
We also collect limited technical data automatically:
- IP address (used for rate limiting and security)
- Browser type and device information (from standard HTTP headers)
- Session tokens stored as secure, httpOnly cookies
We do not use tracking pixels, advertising cookies, or third-party analytics scripts. We operate an internal analytics dashboard for operational purposes (e.g. event attendance trends); this data is never shared externally.
3. How we use your data
We use the data we collect to:
- Review and process your membership application
- Create and manage your account
- Match you with relevant events, clubs, and members
- Send you event confirmations, reminders, and community updates
- Enable hosts to manage events and guest lists
- Maintain the safety and quality of the community (moderation)
- Respond to your support requests and messages
- Comply with legal obligations
We do not use your data for targeted advertising, profiling for commercial purposes, or automated decision-making that has legal or significant effects on you.
4. Legal framework
Smileys Community is subject to the laws of the State of New Jersey and the United States. Because we actively serve EU residents, we are also bound by the EU General Data Protection Regulation (GDPR). Where GDPR applies, we process your personal data on the following legal bases:
- Contract: Processing necessary to provide membership, event access, and club participation
- Legitimate interests: Community safety, moderation, fraud prevention, and platform improvement
- Consent: Marketing communications and optional features; you may withdraw consent at any time
- Legal obligation: Where required by applicable law
If you are a resident of California, you may have additional rights under the California Consumer Privacy Act (CCPA). At our current scale we fall below the thresholds that trigger full CCPA obligations, but we honour those rights, including the right to know what data we hold and to request its deletion, for all members regardless of location.
5. International data transfers
Our platform serves members from over 45 countries across multiple cities. Your personal data may be transferred to and processed in countries other than your own, including the United States where we are incorporated and the countries in which we operate. We take steps to ensure that any such transfers are subject to appropriate safeguards, consistent with GDPR requirements and applicable US law.
If you are located in the European Union, data transfers to third countries are carried out in accordance with Chapter V of the GDPR.
6. Sharing your data
We do not sell, rent, or trade your personal data. We share it only in the following limited circumstances:
- Other members: Your name and profile photo are visible to approved Smileys members. Your phone number and email are never publicly visible.
- Event hosts: When you RSVP to an event, the host sees your name and profile photo for guest list management.
- Service providers: We use Resend to deliver transactional emails. They process your email address solely to deliver messages on our behalf and are bound by data processing agreements.
- Legal requirements: If required by law, court order, or to protect the rights and safety of our community.
7. Data retention
We retain your personal data for as long as your account is active. If you request account deletion, we will permanently delete your data within 30 days, except where we are required by law to retain certain records.
Application data from rejected or withdrawn applications is deleted after 12 months.
Server logs containing IP addresses are retained for a maximum of 90 days for security purposes.
8. Your rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a portable format
- Objection: Object to processing based on legitimate interests
- Restriction: Request that we restrict processing of your data
- Withdrawal of consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, use our contact form. We will respond within 30 days.
9. Cookies
We use one essential cookie: a secure, httpOnly session cookie (smileys_session) that keeps you logged in for up to 30 days. This cookie is strictly necessary for the platform to function and does not track you across other websites.
We do not use advertising cookies, social media tracking cookies, or third-party analytics cookies.
10. Security
We take reasonable technical and organisational measures to protect your data, including:
- Passwords stored as salted bcrypt hashes; we cannot see your password
- Session tokens signed with HS256 JWT and stored in httpOnly cookies
- HTTPS enforced across all pages
- Rate limiting on authentication and upload endpoints
- Application access restricted to approved members only
No system is completely secure. If you discover a security vulnerability, please report it privately through our contact form.
11. Children's privacy
Smileys Community is intended for adults aged 18 and over. By applying to join or creating an account, you confirm that you are at least 18 years old. If we become aware that a minor has submitted their data, we will delete it promptly. If you believe this has occurred, please contact us and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify members by email or through an in-app notice. The date at the top of this page always reflects when the policy was last updated.
Continued use of Smileys after changes take effect constitutes acceptance of the revised policy.
13. Governing law
This Privacy Policy is governed by and construed in accordance with the laws of the State of New Jersey, United States, without regard to conflict of law principles. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts of New Jersey.
If you are located in the European Union or another jurisdiction with a data protection supervisory authority and believe your rights have been infringed, you have the right to lodge a complaint with your local authority.
14. Contact us
If you have any questions about this Privacy Policy or how we handle your data, please contact us: