1. Data controller
The controller of personal data for the EventApp platform is:
[DE COMPLETAT ÎNAINTE DE PUBLICARE]
Registered office: [DE COMPLETAT ÎNAINTE DE PUBLICARE]
Tax ID: [DE COMPLETAT ÎNAINTE DE PUBLICARE] · Trade Registry No.: [DE COMPLETAT ÎNAINTE DE PUBLICARE]
2. Contact for data protection
For questions or requests about your personal data, write to [DE COMPLETAT ÎNAINTE DE PUBLICARE].
This draft does not name a DPO, since a formal designation and their contact details have not been confirmed. Before publication it must be decided whether a DPO is required, and a real, monitored address for personal data requests must be added.
3. EventApp and organizer roles
EventApp's status as controller, joint controller, or processor must be assessed separately for each data flow, depending on who determines the purposes and means of processing.
The exact relationship between EventApp and organizers for the data of attendees at a specific event (independent controllers, joint controllers, or EventApp as the organizer's processor) depends on the features actually enabled for that organizer and is a classification that must be confirmed by an attorney for each data flow. We do not assert a single uniform classification without this confirmation.
4. Categories of data subjects
- ›Users with an account (buyers, sellers on the resale market)
- ›Guest buyers (guest checkout)
- ›Organizers and their validation staff (scanning staff)
- ›Platform visitors, without an account and without a purchase
5. Actual data categories
| Category | Data processed |
|---|---|
| Account | Email, hashed password, name and optional phone number |
| Guest purchase | Email and phone provided for the order |
| Orders | Order amount and status, payment information, and technical data required for security |
| Tickets | Ticket identifier, status, and validation history |
| Payments | Stripe payment and transaction identifiers; not the full card number |
| Billing | Name, company, tax ID, and billing address, if provided |
| Organizers and staff | Identification and contact data, roles, and payment account identifiers |
| Transfer and resale | Transaction data and information required to pay the seller |
| Support | Content of correspondence with the support team, if you write to us |
| Consents | Preferences regarding marketing communications and notifications |
| Technical and security data | IP address, device information, and security events |
| Data received from third parties | Delivery/error confirmations from email and payment providers |
6. Data sources
Data comes directly from you (registration, order, and billing forms), is generated automatically by the platform (technical logs, ticket status), or is received from our providers (Stripe for payment confirmation, the email provider for delivery status).
7. Purposes and legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and managing the account | Art. 6(1)(b) — performance of a contract |
| Processing the order and delivering the ticket | Art. 6(1)(b) — performance of a contract |
| Validating the ticket at entry | Art. 6(1)(b) + Art. 6(1)(f) — contract and legitimate interest (fraud prevention) |
| Issuing the fiscal document | Art. 6(1)(c) — legal obligation |
| Platform security and abuse prevention | Art. 6(1)(f) — legitimate interest |
| Marketing communications by email/SMS | Art. 6(1)(a) — consent, revocable at any time |
8. Legitimate interests
We rely on legitimate interest for: preventing fraud in purchasing and resale, account and infrastructure security, diagnosing technical errors, and maintaining service quality. We do not use legitimate interest as a basis for direct marketing.
9. Mandatory and optional data
Email is required to deliver the ticket, whether or not you have an account. Phone number and full name for billing are optional, except when you request an invoice for a legal entity, in which case billing data becomes necessary to issue the fiscal document. Not providing the mandatory data makes it impossible to complete the order.
10–11. Recipients and providers
Data may be shared with providers necessary to deliver the service. The final list must be completed exclusively with providers active in production and their legal names from the company’s contracts.
Stripe
Payment processing
Data shared: Data required to authorize and manage the transaction
Billing provider — to be confirmed
Issuing fiscal documents, if the integration is active
Data shared: Billing data and order amount
Email provider — to be confirmed
Sending transactional emails
Data shared: Email address, name, and content of the communication
Storage provider — to be confirmed
Storing files and data exports
Data shared: Files and exports generated on request
Monitoring provider — to be confirmed
Error diagnostics and performance monitoring, if active
Data shared: Technical data associated with errors, subject to configured filters
Hosting provider — to be confirmed
Hosting and operating the service
Data shared: Data required to provide the hosting service
The full legal names and registered offices of these providers, required in a final document, must be filled in from the company’s actual contracts/accounts with each provider.
12. Transfers outside the EEA
Some providers may involve transfers outside the European Economic Area. The providers, countries, transfer basis, and applicable safeguards must be filled in from the contracts and documentation of active providers before publication. the actual transfer mechanisms for each provider.
13. Data retention
| Category | Period |
|---|---|
| Account deletion request (grace period) | 30 days from the request, during which you can change your mind |
| Financial/accounting documents | The period required by Romanian accounting law — confirm the exact value with the company’s accountant |
| Technical and security data | [TO BE COMPLETED BEFORE PUBLICATION — the period must be set and implemented] |
| Marketing consents | Until consent is withdrawn |
After the 30-day grace period for a deletion request expires, the account’s identifying data is anonymized, and financial data required for legal obligations is kept separately, no longer associated with your current identity.
14. Your rights
You have the following rights, detailed in full at /gdpr:
Access
Request a copy of your data
Rectification
Correct inaccurate data
Erasure
Request deletion of your data
Restriction
Limit the processing of your data
Portability
Receive your data in a structured format
Objection
Object to processing based on legitimate interest
15. Withdrawing consent
You can withdraw your consent for email/SMS marketing at any time, from your account settings or by writing to [DE COMPLETAT ÎNAINTE DE PUBLICARE]. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
16. Objection to marketing
You can object at any time to the processing of your data for direct marketing purposes. Upon receiving such an objection, we stop sending marketing communications to you.
17. Questions and resolution of requests
For any question, ambiguity, or request regarding personal data, please use the contact indicated in section 2. We will review the situation and try to provide a direct explanation or solution, within the timelines provided by law.
Without affecting the possibility of a direct resolution, data subjects also have the legal right to contact the competent supervisory authority. In Romania, this is ANSPDCP, available at dataprotection.ro.
18. Automated decisions
The ticket validation system may automatically flag a scan as suspicious (for example, an already-used ticket), but the platform does not currently describe an automated decision with significant legal effects taken without human intervention. If such processing is introduced, this section will be updated with a concrete description.
19. Minors’ data
The platform does not technically verify users’ age at registration. Conditions regarding platform use by minors are described in the Terms & Conditions, section “Rules for minors” — this is a contractual condition, not an existing technical control.
20. Security measures
- Passwords are protected by cryptographic measures and are not stored in plain text.
- Sensitive data is protected by appropriate technical measures and access controls.
- Connections to the platform are protected by encryption.
- EventApp does not receive or store the full card number.
- Access to systems that process data is limited to authorized personnel and services.
These measures reduce the risk of unauthorized access, but no platform can guarantee absolute security. We do not claim that data is invulnerable or “impossible to compromise.”
21. Security breaches
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify ANSPDCP within the timelines set by GDPR (Art. 33) and, if the risk is high, we will inform you directly (Art. 34).
22. Changes to the policy
We may update this policy to reflect legal or operational changes. Significant changes will be communicated by email or through a visible notice on the platform.
23. Effective date and document version
Version: draft v0.1 — unpublished · Effective date: [DE COMPLETAT ÎNAINTE DE PUBLICARE — data publicării reale].
draft v0.1 — unpublished — technical legal draft prepared for attorney review, not an approved or final document.