1. INTRODUCTION AND SCOPE
Eventably, LLC (“Eventably,” “we,” “our,” or “us”) values User privacy and is committed to protecting User personal data. This Privacy & Data Protection Policy (“Policy”) outlines how we collect, use, disclose, process, and safeguard User information when Users use our platform, websites, mobile applications, and related services (collectively, the “Platform”), in accordance with applicable privacy laws including the General Data Protection Regulation (“EU GDPR”), the UK GDPR, and the California Consumer Privacy Act (“CCPA”).
This Policy applies to all users of the Eventably Platform, including event organizers (“Organizers,” “Customers”) and event attendees (“Consumers” or “Attendees”), and covers all interactions via our Platform, websites, Application Programming Interface (“API”), and related services. By using our Platform, each User acknowledges that such User has read and understood this Policy and consents to the collection, processing, and use of such User’s personal data as described herein.
2. ROLES AND RESPONSIBILITIES IN DATA PROCESSING
Eventably as Data Controller and Processor.
Eventably acts in different capacities depending on the type of data processing involved. For our own business operations, marketing communications, and Platform functionality, we act as a data controller. When processing personal data on behalf of Organizers, such as attendee information for specific events, we may act as a data processor.
Joint Controller Arrangements.
In certain circumstances, such as marketing communications to attendees or Platform analytics, Eventably may act as a joint controller with Organizers. In such cases, both parties share responsibility for ensuring compliance with applicable data protection laws.
Organizer Responsibilities.
Each Organizer is solely responsible for their own data protection practices, including publishing and enforcing their own privacy policies for event attendees. Organizers must ensure compliance with applicable data protection laws when collecting and processing attendee information through their events. Eventably disclaims any responsibility for the legality, accuracy, or adequacy of privacy policies created or implemented by Organizers.
API User Responsibilities.
Third-party developers and organizations using our API (“API Users”) are responsible for their own data protection practices and compliance with applicable privacy laws. API Users must implement appropriate privacy policies, obtain necessary consents from their users, and ensure lawful processing of personal data accessed through our API. Eventably is not responsible for API Users’ data protection practices or compliance failures.
Three-Party Data Relationships.
Our Platform facilitates data processing relationships between multiple parties: Eventably, Organizers, API Users, and Consumers. Personal data may flow between these parties as necessary to facilitate event organization, ticket sales, API integrations, and event management services.
3. PERSONAL DATA WE COLLECT
Contact and Identity Information.
This includes User names, email addresses, phone numbers, postal addresses, usernames, and other contact details Users provide when creating accounts or purchasing tickets. We may also collect government-issued identification information when required for age verification or compliance purposes.
Payment and Transaction Data.
We collect payment information including credit card details, billing address, and transaction history. Payment processing is handled by third-party providers such as Stripe, and we do not store complete payment card information on our servers.
Event and Attendance Information.
This includes User event attendance history, ticket purchases, event preferences, seating selections, special accommodation requests, and communications with Organizers regarding specific events.
Technical and Usage Data.
We automatically collect IP addresses, device information, browser type, operating system, Platform usage patterns, page views, click-through rates, and other technical data through cookies and similar tracking technologies. For API Users, we collect API usage patterns, request volumes, authentication data, and integration performance metrics.
Communication and Marketing Data.
This includes User marketing preferences, communication history with our support team, feedback and reviews Users provide, and User responses to surveys or promotional campaigns.
User-Generated Content.
We collect any content Users voluntarily submit through the Platform, including profile information, event reviews, forum posts, and communications with other Users or Organizers.
API Integration Data.
We collect data related to API usage including authentication credentials, API keys, integration configurations, data access patterns, and technical logs necessary for API functionality, security, and support.
4. HOW WE COLLECT YOUR DATA
Direct Collection.
We collect personal data directly from Users when they create accounts, purchase tickets, contact customer support, subscribe to newsletters, complete surveys, register for API access, or otherwise voluntarily provide information through the Platform.
Automatic Collection.
We automatically collect certain information through cookies, web beacons, log files, and similar tracking technologies when Users use our Platform. This includes usage patterns, device information, and technical data necessary for Platform functionality.
Third-Party Sources.
We may receive personal data from third-party sources including payment processors, analytics providers, marketing platforms, social media platforms, API integration partners, and other integrated services that Users choose to connect with their accounts.
Organizer Sharing.
When Users purchase tickets for events, Organizers may share additional information about such Users with us, such as special accommodation requests, dietary preferences, or other event-specific data necessary for event management.
API Data Access.
We collect personal data through our API when API Users access Platform functionality on behalf of their users. This data is processed in accordance with API agreements and applicable data protection laws.
5. PURPOSES OF DATA PROCESSING AND LEGAL BASES
Account Management and Platform Services.
We process User data to create and manage User accounts, facilitate ticket purchases, provide customer support, enable API access, and deliver Platform functionality. The legal basis for this processing is contractual necessity and our legitimate interests in providing requested services.
Payment Processing and Transaction Management.
We process payment and billing information to complete ticket purchases, process refunds (when applicable), and maintain transaction records. This processing is based on contractual necessity and legal obligations for financial record-keeping.
Event Facilitation and Communication.
We share relevant attendee information with Organizers to facilitate event management, enable direct communication between Organizers and attendees, and support event delivery. This processing is based on contractual necessity and our legitimate interests in facilitating the event marketplace.
API Services and Integration Support.
We process data to provide API functionality, authenticate API Users, monitor API usage, provide technical support, and ensure API security and performance. This processing is based on contractual necessity and our legitimate interests in providing API services.
Platform Security and Fraud Prevention.
We process data to detect and prevent fraudulent transactions, protect against security threats, investigate policy violations, and maintain Platform integrity. This processing is based on our legitimate interests in protecting our business and Users, and legal obligations for security and fraud prevention.
Analytics and Platform Improvement.
We analyze usage patterns, User behavior, and Platform performance to improve our services, develop new features, and optimize User experience. This processing is based on our legitimate interests in business development and service improvement.
Marketing and Communications.
We send transactional communications related to User accounts and purchases based on contractual necessity. Marketing communications are sent based on User consent, which Users may withdraw at any time through their account settings or unsubscribe links.
Legal Compliance and Protection.
We process data as necessary to comply with applicable laws, respond to legal requests, enforce our terms and policies, and protect our rights and the rights of others. This processing is based on legal obligations and our legitimate interests in legal protection.
6. DATA SHARING AND THIRD-PARTY PROCESSORS
Payment Processors.
We share payment and billing information with Stripe and other approved payment processors to facilitate ticket purchases and financial transactions. These processors are contractually obligated to protect User data and use it only for payment processing purposes.
Cloud Hosting and Infrastructure.
We use Amazon Web Services (“AWS”) for cloud hosting and data storage. AWS provides industry-leading security measures and is contractually bound to protect User data in accordance with our instructions and applicable data protection laws.
Analytics and Marketing Services.
We share limited data with Google Analytics for Platform usage analysis and with HubSpot for customer relationship management and marketing communications. These services are configured to respect User privacy preferences and comply with applicable data protection requirements.
Organizers and Event Management.
We share relevant attendee information with Organizers for events Users register for or purchase tickets to attend. This includes contact information, ticket details, and any special requirements Users specify. Organizers are responsible for their own data protection practices and compliance with applicable privacy laws.
API Users and Integration Partners.
We share data with authorized API Users and integration partners as necessary to provide requested API functionality and services. All API Users are contractually obligated to protect User data and comply with applicable data protection laws.
Legal and Compliance Sharing.
We may share data when required by law, legal process, or governmental request, or when necessary to protect our rights, safety, or property, or that of our Users or the public.
All third-party processors are carefully vetted and contractually obligated to implement appropriate security measures, process data only for specified purposes, and comply with applicable data protection laws. We maintain data processing agreements with all processors that handle personal data on our behalf.
7. INTERNATIONAL DATA TRANSFERS
Cross-Border Processing.
If any User is located outside the United States, such User’s personal data may be transferred to and processed in the United States where our servers and primary business operations are located. The United States may not provide the same level of data protection as the User’s home country.
Transfer Safeguards.
For data transfers from the European Economic Area (“EEA”) and the United Kingdom, we implement appropriate safeguards including Standard Contractual Clauses (“SCCs”) approved by the European Commission and the UK International Data Transfer Addendum (“IDTA”). These instruments provide contractual protections for User personal data during international transfers.
Adequacy Decisions and Frameworks.
Where available, we rely on adequacy decisions and approved international frameworks to facilitate lawful data transfers. We regularly review and update our transfer mechanisms to ensure ongoing compliance with evolving international data protection requirements.
Processor Transfers.
Our third-party processors may also process User data internationally. We ensure that all such processors implement appropriate safeguards for international transfers and comply with applicable data protection laws in all jurisdictions where they operate.
8. DATA RETENTION AND DELETION
General Retention Principles.
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary based on the type of data and the purposes for which it is processed.
Account Data Retention.
We retain account information and User profiles for as long as User accounts remain active. When Users close their accounts, we may retain certain information for a reasonable period to comply with legal obligations, resolve disputes, and prevent fraud.
Transaction and Financial Data.
We retain payment and transaction information for the periods required by applicable financial regulations and tax laws, typically seven (7) years from the date of the transaction. This retention is necessary for legal compliance, tax reporting, and dispute resolution.
API Usage Data.
We retain API usage logs, authentication records, and technical data for periods necessary to ensure API security, provide technical support, and comply with legal obligations. API access credentials may be retained for reasonable periods after account closure for security and audit purposes.
User-Generated Content.
Content Users submit through the Platform, such as event reviews and communications, may be retained indefinitely unless Users specifically request deletion. This supports the ongoing value of the Platform community and event information for future Users.
Marketing and Communication Data.
We retain marketing preferences and communication history until Users withdraw consent or close their accounts. Transactional communications may be retained longer for legal compliance and dispute resolution purposes.
Deletion Procedures.
When personal data is deleted, we use secure deletion methods to ensure it cannot be recovered. Some information may persist in backup systems for limited periods or may be retained in anonymized form for analytical purposes.
9. YOUR PRIVACY RIGHTS
Subject to applicable laws in their jurisdictions, Users may have the following rights regarding their personal data:
Access Rights.
Users have the right to request access to the personal data we hold about them, including information about how it is processed, shared, and retained. We will provide this information in a clear and understandable format within thirty (30) days of the request.
Rectification Rights.
Users may request correction of inaccurate or incomplete personal data. We will promptly update User information when Users demonstrate that corrections are necessary and provide adequate verification of the correct information.
Erasure Rights (“Right to be Forgotten”).
Users may request deletion of their personal data in certain circumstances, such as when it is no longer necessary for the original purposes, when Users withdraw consent, or when it has been unlawfully processed. We may retain certain data when required by law or for legitimate business purposes.
Restriction and Objection Rights.
Users may request restriction of processing or object to certain types of data processing, particularly for marketing purposes or processing based on legitimate interests. We will honor such requests unless we have compelling legitimate grounds to continue processing.
Data Portability Rights.
Users have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit this data to another service provider. This right applies to data processed based on consent or contractual necessity.
API Data Rights.
API Users have additional rights regarding data accessed through our API, including the right to audit their API usage, review data access logs, and ensure compliance with their own privacy obligations to their users.
California Consumer Privacy Rights.
If any User is a California resident, such User has additional rights under the CCPA including the right to know what personal information is collected, the right to delete personal information, the right to opt-out of the sale of personal information, and the right to non-discrimination for exercising these rights.
10. SECURITY MEASURES AND DATA PROTECTION
Technical Security Measures.
We implement industry-standard security practices to protect User personal data, including SSL encryption for all data transmissions, encryption at rest for stored data, secure access controls with multi-factor authentication, API rate limiting and authentication, and regular security monitoring and intrusion detection systems.
Organizational Security Measures.
Our security program includes comprehensive access control policies limiting data access to authorized personnel only, regular security training for all employees, incident response procedures for potential data breaches, and regular security audits and vulnerability assessments.
Third-Party Security.
We require all third-party processors to implement appropriate technical and organizational security measures to protect personal data. We regularly review and audit our processors’ security practices to ensure ongoing compliance with our security standards.
API Security.
We implement comprehensive API security measures including authentication protocols, authorization controls, rate limiting, encryption in transit and at rest, and continuous monitoring for unauthorized access or unusual activity patterns.
Data Breach Response.
In the event of a data breach that poses a risk to User rights and freedoms, we will notify affected Users and applicable regulatory authorities within the timeframes required by applicable law. We maintain detailed incident response procedures to minimize the impact of any security incidents.
Security Limitations.
While we implement robust security measures, no system is completely secure. Users play an important role in protecting their data by maintaining strong passwords, keeping their account information current, and promptly reporting any suspicious activity.
11. COOKIES AND TRACKING TECHNOLOGIES
Cookie Usage.
We use cookies and similar tracking technologies to enhance Users’ Platform experience, analyze usage patterns, and provide personalized content. Cookies are small text files stored on Users’ devices that help us recognize Users and remember their preferences.
Types of Cookies.
We use several categories of cookies: Essential cookies required for Platform functionality and security; Preference cookies that remember User settings and choices; Analytics cookies that help us understand how Users use the Platform; and Marketing cookies that enable personalized advertising and marketing communications.
Third-Party Cookies.
We use third-party cookies from services including Google Analytics for website analytics, Google AdWords for advertising, HubSpot for customer relationship management, LinkedIn and Facebook for social media integration, and Microsoft Clarity for User behavior analysis. These services may collect information about Users’ browsing activity across different websites.
Cookie Management.
When Users first visit our Platform, they will see a cookie banner requesting their consent for non-essential cookies. Users can manage their cookie preferences at any time by clicking the “Cookie Preferences” link in our website footer. Essential cookies cannot be disabled as they are required for Platform functionality.
Consent and Withdrawal.
Users may withdraw their consent for non-essential cookies at any time through their browser settings or our cookie preference center. Disabling certain cookies may limit Users’ ability to use some Platform features.
Cookie Retention.
Session cookies expire when Users close their browsers, while persistent cookies remain on Users’ devices until they expire or are manually deleted. Cookie retention periods vary based on their purpose and are specified in our detailed cookie settings.
12. DATA PROCESSING AGREEMENTS AND COMPLIANCE
Processor Relationships.
When Eventably processes personal data on behalf of Organizers, we act as a data processor and maintain appropriate data processing agreements that specify the purposes and scope of processing, duration of processing, categories of personal data and data subjects, and obligations and rights of both parties.
API Data Processing.
For API Users, we maintain specific API agreements that govern data processing, specify permitted uses of accessed data, establish security requirements, and ensure compliance with applicable data protection laws.
Subprocessor Management.
We maintain a list of approved subprocessors including Stripe for payment processing, Amazon Web Services for hosting, Google Analytics for analytics, and HubSpot for customer relationship management. We may update this list as business needs require, and significant changes will be communicated to affected Organizers and API Users.
International Transfer Mechanisms.
Our data processing agreements incorporate appropriate international transfer mechanisms including European Commission SCCs and the UK IDTA to ensure lawful transfers of personal data across borders.
Data Subject Rights Support.
We assist Organizers and API Users in responding to data subject requests by providing technical and organizational measures that enable compliance with access, rectification, erasure, and portability requests. Organizers and API Users remain primarily responsible for responding to data subject requests related to their events and services.
Security and Breach Notification.
We maintain appropriate technical and organizational security measures and notify Organizers and API Users of any personal data breaches that may affect their event or integration data within seventy-two (72) hours of becoming aware of the breach.
13. COMPLIANCE WITH INTERNATIONAL PRIVACY LAWS
GDPR Compliance.
For Users in the European Economic Area and the United Kingdom, we comply with the GDPR and UK GDPR respectively. This includes implementing appropriate lawful bases for processing, providing required transparency information, respecting individual rights, and maintaining appropriate security measures.
CCPA Compliance.
For California residents, we comply with the CCPA including providing required disclosures about personal information collection and sharing, respecting opt-out rights, and ensuring non-discrimination for exercising privacy rights. We do not sell personal information as defined by the CCPA.
Other Jurisdictional Requirements.
We monitor and comply with evolving privacy laws in other jurisdictions where we operate or have Users, including Canada’s Personal Information Protection and Electronic Documents Act and similar privacy frameworks worldwide.
Cross-Border Cooperation.
We cooperate with privacy regulators and data protection authorities worldwide and respond promptly to lawful requests for information or assistance in privacy investigations and enforcement actions.
14. POLICY UPDATES AND CHANGES
Modification Rights.
We may update this Privacy & Data Protection Policy from time to time to reflect changes in our practices, legal requirements, or business operations. The most recent version will always be available on our Platform with the effective date clearly indicated.
Notification of Changes.
For material changes that significantly affect how we collect, use, or share User personal data, we will provide prominent notice through email notification, Platform announcements, or other appropriate communication methods at least thirty (30) days before the changes take effect.
Continued Use Consent.
A User’s continued use of the Platform after any policy changes constitutes acceptance of the updated policy. If any User does not agree to any changes, such User should stop using the Platform and may exercise their data deletion rights if desired.
Version Control.
We maintain records of previous policy versions and can provide information about specific changes upon request. This helps ensure transparency about how our privacy practices evolve over time.
15. CONTACT INFORMATION AND DATA PROTECTION OFFICER
For questions, concerns, or requests regarding this Privacy & Data Protection Policy or our data protection practices, please contact us:
Eventably, LLC
3601 Patuxent River Road
Davidsonville, MD 21035, USA
Email: talktous@eventably.com
Privacy Inquiries.
For specific privacy-related inquiries, you may also contact us at: [Insert Privacy Contact Email]
Data Protection Officer.
[If applicable, include DPO contact information or state that a DPO has not been appointed if not required under applicable law]
Regulatory Complaints.
If any User believes we have not adequately addressed their privacy concerns, such User has the right to lodge a complaint with the appropriate data protection authority in their jurisdiction. For EU residents, Users may contact their local supervisory authority. For UK residents, Users may contact the Information Commissioner’s Office.
Note:
This Privacy & Data Protection Policy is part of Eventably’s comprehensive legal framework and works in conjunction with our Terms of Use, Cookie Policy, API Terms of Service, and Data Processing Agreements to govern the collection, use, and protection of personal data on our Platform.
Last Updated:
June 24, 2025