Privacy Policy

Last updated: 2 June 2026

This Privacy Policy explains how Eventrelic ("we," "us," "our") collects, uses, stores, and protects your personal data when you use our website and service at event-relic.com. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is Eventrelic, reachable at [email protected].

2. What Data We Collect

Category	Data collected	When
Account data	Email address, hashed password, account role, registration date	When you register
Usage data	Pages visited, filters applied, features used (via Google Analytics — anonymised)	While using the Service
Technical data	IP address, browser type, device type, referrer URL	Automatically on each request
Preferences	Sector filters, notification preferences stored in your account	When you configure settings
Communications	Email address and content of any messages you send us	When you contact support
Payment data	We do not store card data. Payments are handled by Stripe; see Stripe's Privacy Policy	When you subscribe

3. Legal Basis for Processing (GDPR Article 6)

• Contract performance — processing your account data is necessary to provide the Service you signed up for.
• Legitimate interests — we use anonymised analytics to understand how the Service is used and improve it. This does not override your rights.
• Legal obligation — we may retain certain data to comply with applicable laws (e.g. accounting regulations).
• Consent — where we rely on consent (e.g. marketing emails), you may withdraw it at any time.

4. How We Use Your Data

• To create and manage your account and provide access to the Service.
• To send transactional emails (account verification, password reset, subscription receipts).
• To improve the Service through anonymised usage analytics.
• To detect and prevent fraud, abuse, and security incidents.
• To comply with legal obligations.

We do not sell your personal data to third parties. We do not use your data for automated decision-making that produces legal or similarly significant effects.

5. Data Sharing and Third Parties

Provider	Purpose	Location
Supabase / fly.io	Database and API hosting	EU (Frankfurt)
Cloudflare	CDN, DDoS protection, CAPTCHA (Turnstile)	Global (EU adequacy)
Google Analytics	Anonymised usage analytics	US (Standard Contractual Clauses)
Stripe	Payment processing	US/EU (Standard Contractual Clauses)
Anthropic	AI content classification (news summaries — no personal data sent)	US

All third-party processors are subject to data processing agreements and/or Standard Contractual Clauses where required by GDPR.

6. Data Retention

• Account data: retained while your account is active, then deleted within 30 days of account closure.
• Usage logs: retained for up to 90 days for security and debugging purposes.
• Analytics data: retained by Google Analytics per their standard retention settings (default 14 months).
• Backups: database backups may be retained for up to 30 days after deletion.

7. Your Rights Under GDPR

If you are located in the EEA or UK, you have the following rights:

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate data.
• Erasure: request deletion of your personal data ("right to be forgotten"). You can delete your account directly in the app settings.
• Restriction: request that we restrict processing of your data in certain circumstances.
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

8. Cookies

We use the following cookies and similar technologies:

• st_token: a secure, httpOnly session cookie used for authentication. Expires after 7 days.
• Google Analytics (_ga, _gid): anonymised analytics cookies. You can opt out via Google's opt-out tool.
• Cloudflare: security and bot-detection cookies set by Cloudflare's infrastructure.

We do not use advertising tracking cookies or sell cookie data.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (HTTPS/TLS), hashed password storage (bcrypt), httpOnly session cookies, and regular security audits. No system is completely secure; in the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority as required by law.

10. Children

The Service is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has registered, please contact us and we will delete the account.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date above and, where required, by notifying registered users by email.

12. Contact and Complaints

For privacy questions or to exercise your rights: [email protected]

If you are unsatisfied with our response, you have the right to lodge a complaint with your national supervisory authority. In the EU, find your authority at edpb.europa.eu. In the UK: ico.org.uk.