GDPR COMPLIANCE POLICY
Last Updated: 13 April, 2026
Introduction
Eventech Systems Limited (company number 15953654, registered office at 24 Devonshire Buildings, Bath, BA2 3PE, United Kingdom) operates the eventcloud platform (the "Platform"). This GDPR Compliance Policy (the "Policy") sets out how we comply with the General Data Protection Regulation (EU) 2016/679 ("EU GDPR") and the UK GDPR (together, "GDPR").
This Policy is intended for our Customers (event organisers) who use the Platform to collect and process attendee data, as well as for regulatory authorities and the public. It supplements our Privacy Policy and Terms and Conditions, which remain in full force and effect.
Our Role as Data Processor
For all attendee data collected via the Platform, eventcloud acts exclusively as a Data Processor. Our Customers act as Data Controllers. This means:
- Customers determine the purposes and means of processing attendee data.
- We process attendee data only on documented instructions from the Customer.
- We do not use attendee data for our own purposes, including marketing or commercial gain.
- We do not sell attendee data.
Our Privacy Policy (available at www.eventcloud.io/privacy-policy) and Terms and Conditions (available at www.eventcloud.io/terms) contain the binding Data Processing Agreement (DPA) between eventcloud and each Customer, as referenced in Article 28(3) of the GDPR.
Lawful Bases for Processing
As a Data Processor, we rely on our Customers to establish and document their own lawful bases for processing attendee data. However, for the processing activities we perform on behalf of Customers, the relevant lawful basis is typically Legitimate Interests (specifically, the provision of a ticketing and registration service as requested by the Customer and consented to by the attendee when purchasing a ticket or registering for an event).
For our direct processing of Customer account data (names, email addresses, company information), our lawful basis is Performance of a Contract.
Data Protection Officer (DPO)
Under Article 37 of the GDPR, a Data Protection Officer is not required for Eventech Systems Limited because:
- We are not a public authority.
- We do not carry out large-scale systematic monitoring of individuals.
- We do not process large-scale special categories of data (health, biometric, political opinions, etc.) as part of our core business.
All data protection inquiries should be directed to [email protected]. For security-specific matters, contact [email protected].
Data Subject Rights (Attendees)
When an attendee (ticket buyer) wishes to exercise their GDPR rights (access, rectification, erasure, restriction, portability, or objection), we follow this procedure:
Step 1: The attendee contacts the event organiser (Customer) directly. The Customer is the Data Controller and is best placed to respond.
Step 2: If the attendee contacts us instead, we will forward the request to the relevant Customer within 72 hours and assist the Customer in responding where possible.
Step 3: The Customer can delete or modify attendee data with a single button within the eventcloud dashboard.
Step 4: If a Customer fails to respond to a valid data subject request, we reserve the right to escalate the matter or, in exceptional circumstances, to delete the data after reasonable attempts to contact the Customer.
For Customers (event organisers) exercising their own rights regarding their account data, they should contact [email protected]. Customers can also update their own first and last names directly within the app. Email address changes require account re-invitation.
Data Breach Response
In the event of a personal data breach (as defined in Article 4(12) of the GDPR), we will adhere to the following timeline and procedure:
Within 72 hours of becoming aware of the breach:
- We will notify the affected Customer(s) via email.
- We will notify the UK Information Commissioner's Office (ICO) where required by law.
- For breaches involving EU attendee data, we will also notify the lead supervisory authority in the EU where required.
Breach notifications will include:
- A description of the nature of the breach.
- The categories and approximate number of individuals affected.
- The categories and approximate number of data records concerned.
- The name and contact details of our breach response contact ([email protected]).
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach.
The [email protected] mailbox is monitored by our internal compliance team. Any employee who becomes aware of a potential breach must report it immediately to [email protected].
Data Protection Impact Assessments (DPIAs)
Under Article 35 of the GDPR, a DPIA is required when processing is likely to result in a high risk to the rights and freedoms of individuals.
We conduct DPIAs in the following circumstances:
- Before introducing any new high-risk processing activity (e.g., new third-party integrations, new forms of data collection, new uses of attendee data).
- When required by a supervisory authority.
- When requested by a Customer for a high-risk event (e.g., large-scale processing of special category data).
DPIAs are conducted by a third-party contracted data protection specialist whom we appoint on a case-by-case basis. The results of any DPIA will be documented and retained for a minimum of three years.
Record of Processing Activities (ROPA)
Under Article 30 of the GDPR, we maintain an internal Record of Processing Activities. This record includes:
- The name and contact details of Eventech Systems Limited.
- The purposes of processing (provision of the eventcloud Platform).
- The categories of data subjects (Customers and Attendees).
- The categories of personal data (as listed in our Privacy Policy).
- The categories of recipients (sub-processors listed in Section 9 below).
- International transfer details (see Section 10).
- Retention schedules (30 days post-cancellation).
- A general description of our technical and organisational security measures.
The ROPA is maintained by [email protected] and is reviewed and updated at least annually or whenever a material change occurs. The ROPA is not publicly available but is provided to supervisory authorities upon request.
Sub-processors
We engage the following sub-processors to provide the Platform. As required by Article 28(3) of the GDPR, each sub-processor is bound by a written contract (a Data Processing Agreement or equivalent) that imposes the same data protection obligations as those set out in our agreement with our Customers.
Current list of sub-processors:
- Stripe (payment processing) â Privacy policy: https://stripe.com/privacy
- Resend.com (transactional emails) â Privacy policy: https://resend.com/privacy
- fly.io (hosting, app and databases) â Privacy policy: https://fly.io/legal/privacy-policy/
- Google (SSO authentication) â Privacy policy: https://policies.google.com/privacy
- Microsoft (SSO authentication) â Privacy policy: https://privacy.microsoft.com/en-us/privacystatement
- Apple (SSO authentication) â Privacy policy: https://www.apple.com/legal/privacy/
We do not maintain a public list of sub-processors beyond this policy, as the list changes infrequently. If we intend to add a new sub-processor, we will notify affected Customers via email at least 14 days in advance where required by our agreement with the Customer. Customers may object to a new sub-processor on reasonable data protection grounds.
All sub-processors are prohibited from using personal data for any purpose other than providing the specific service to eventcloud. Sub-processors are not permitted to sell or market to data subjects using data obtained through the Platform.
International Data Transfers
The eventcloud Platform stores data in region-specific locations based on the Customer's location, using fly.io's infrastructure:
- UK Customers: Data stored in the United Kingdom.
- EU Customers: Data stored within the European Union.
- US Customers: Data stored in the United States.
- Rest of World: Data stored at the nearest available node.
For EU attendee data that is transferred to the United States (when the Customer is based in the US), this constitutes an international transfer under Chapter V of the EU GDPR. For such transfers, we rely on the following safeguards:
- fly.io implements Standard Contractual Clauses (SCCs) approved by the European Commission.
- fly.io is SOC2 compliant.
- Where applicable, we rely on the EU-US Data Privacy Framework for transfers to certified entities.
For UK attendee data transferred outside the UK, we rely on the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as implemented by fly.io.
For EU attendee data that remains within the EU (EU Customers), no international transfer occurs. For UK attendee data that remains within the UK (UK Customers), no international transfer occurs.
Authentication services (Google, Microsoft, Apple) and email services (Resend.com) may process data globally. Where these services transfer data outside the UK or EEA, they each maintain their own SCCs or equivalent safeguards as documented in their respective privacy policies.
Data Retention and Deletion
We retain all personal data (Customer and Attendee) for the duration of the Customer's paid subscription.
After a Customer cancels their subscription:
- All data is retained for exactly 30 days.
- During this 30-day period, the Customer may request data recovery (though data export is not available).
- After 30 days, all data is permanently and irrecoverably deleted from our active systems, backups, and archives.
- No data is retained beyond the 30-day period for any reason except where required by law (e.g., tax records, ongoing legal proceedings). In such exceptional cases, only the minimum required data is retained and is isolated from operational systems.
Data minimisation reviews are conducted annually by [email protected] to ensure we are not retaining data beyond the stated retention period.
Data Protection Training
All Eventech Systems Limited employees and contractors who have access to personal data (including attendee data) must complete annual data protection training. Training covers:
- The principles of the GDPR.
- Data subject rights and how to handle requests.
- Data breach identification and reporting.
- Security best practices.
- The specific data flows of the eventcloud Platform.
Training completion is tracked by [email protected]. New hires must complete training within 30 days of starting employment or contracting.
Security Measures
We implement the following technical and organisational security measures, as required by Article 32 of the GDPR:
- Encryption of data in transit using TLS 1.2 or higher (HTTPS).
- Encryption of data at rest using industry-standard AES-256 encryption on fly.io infrastructure.
- Regular security assessments and penetration testing (conducted at least annually).
- Access controls restricted to named individuals on a need-to-know basis.
- Multi-factor authentication for administrative access to infrastructure.
- Logging and monitoring of access to personal data.
- Secure backup procedures with the same 30-day retention schedule.
- Formal security incident response plan.
While no system is completely secure, these measures are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Automated Decision-Making and Profiling
eventcloud does not use any automated decision-making or profiling that has legal or significant effects on individuals. Specifically:
- No automated decisions are made about ticket approvals or rejections.
- No credit scoring, risk assessment, or behavioural profiling is performed.
- No algorithmic decisions are made that affect an individual's rights.
All decisions about ticket purchases and event access are made by the Customer (event organiser) or by the attendee themselves through normal transaction processes.
Compliance Monitoring
Compliance with this GDPR Policy is overseen by [email protected]. The compliance function includes:
- Annual review and update of this Policy.
- Annual review of the Record of Processing Activities.
- Coordination of data breach response.
- Oversight of data protection training.
- Liaison with supervisory authorities when required.
- Management of data subject requests escalated to eventcloud.
Reporting Concerns and Supervisory Authorities
If you have a concern about how we handle personal data, please contact us first at [email protected]. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority:
- United Kingdom: Information Commissioner's Office (ICO) â www.ico.org.uk
- European Union (any member state): Your local data protection authority. A list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en
- Ireland (our EU lead authority, should one be required): Data Protection Commission â www.dataprotection.ie
Changes to This GDPR Policy
We may update this GDPR Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify Customers via email at least 30 days prior to the change taking effect. The current version is always available at www.eventcloud.io/gdpr-policy.
By using the eventcloud Platform as a Customer, you acknowledge that you have read, understood, and agree to comply with your own obligations as a Data Controller under the GDPR. This Policy does not create any additional liability for eventcloud beyond that already set out in our Terms and Conditions and Privacy Policy.