Privacy Policy
Last updated: 1 May 2026
Eventium processes your personal data with the utmost respect for your privacy and in compliance with Regulation (EU) 2016/679 (GDPR) and the Spanish Data Protection Act (LOPDGDD), the UK General Data Protection Regulation for users in the United Kingdom, the Privacy Act 1988 and the Australian Privacy Principles (APP), and the California Consumer Privacy Act (CCPA) for California residents.
This policy explains what we collect, why, who we share it with, and what rights you have. If you have questions, write to legal@eventium.app.
1. Data controller
Eventium operates the technology platform that lets promoters sell tickets and attendees buy them. We are the controller for the data we collect directly through the platform (user accounts, purchases, organizer profiles, etc.).
When you buy a ticket, the event organizer is the independent controller of the data they receive to manage entry and communicate with you. Eventium acts as processor for that portion.
2. Data we collect
Account data: email, hashed password, first name, last name, gender, date of birth, phone number, and profile picture if you choose to upload one.
Organizer data: brand name, public bio, logos, social links, tax and bank details for payouts.
Purchase data: tickets bought, amounts, payment method (handled by Stripe — we never store full card numbers), events attended.
Technical data: IP address, device type, browser, strictly necessary cookies, and aggregated usage metrics.
3. Purposes and legal bases
Contract performance (Art. 6(1)(b) GDPR): process purchases, issue tickets, manage your account, and grant access to events.
Legal obligations (Art. 6(1)(c) GDPR): invoicing, tax duties, fraud prevention, and responding to lawful requests from authorities.
Legitimate interest (Art. 6(1)(f) GDPR): platform security, aggregated analytics to improve the service, abuse prevention.
Consent (Art. 6(1)(a) GDPR): marketing communications, non-essential cookies, and personalized advertising. You can withdraw consent at any time.
4. Who we share data with
Event organizers: they receive the minimum necessary (name, email, ticket type) to manage entry and communications.
Payment processors (Stripe): to execute transactions securely. Stripe acts as an independent processor.
Infrastructure providers: Supabase (EU-hosted database), Vercel (hosting), Resend (transactional email).
Competent authorities when a legal obligation or court order applies.
We never sell or rent your personal data to third parties for advertising.
5. International transfers
Our primary database is hosted in the European Union. Some providers operate in the US and Australia; in those cases we rely on the EU Standard Contractual Clauses and additional safeguards required post-Schrems II.
6. Your rights (GDPR / UK GDPR)
Access: obtain a copy of the data we hold about you.
Rectification: correct inaccurate data.
Erasure ("right to be forgotten"): delete your data when no longer needed or when you withdraw consent.
Portability: receive your data in a structured, machine-readable format.
Objection and restriction of processing in the cases set out in the GDPR.
To exercise any right, email legal@eventium.app attaching a copy of a valid ID. We respond within one month.
You can lodge a complaint with the Spanish DPA (aepd.es) or the UK ICO (ico.org.uk).
7. Users in Australia (Privacy Act 1988)
We handle your data in accordance with the Australian Privacy Principles (APPs). You can request access and correction by emailing legal@eventium.app. If you believe we have breached the APPs you can file a complaint with the Office of the Australian Information Commissioner (OAIC).
8. California residents (CCPA)
If you are a California resident, the California Consumer Privacy Act grants additional rights: to know what personal information we collect, to access it, to request its deletion, and to opt out of the "sale" of personal information. Eventium does not sell personal information within the meaning of the CCPA.
To exercise these rights, email legal@eventium.app with "CCPA Request" in the subject line. We will verify your identity before processing the request.
9. Retention
We keep your data while your account is active and for the legal retention periods applicable to tax and accounting obligations. After that, data is deleted or irreversibly anonymized.
10. Security
We apply technical and organizational measures proportional to the risk: encryption in transit (TLS) and at rest, role-based access control, backups, and change auditing. No system is perfectly secure; we will notify material breaches within the deadlines mandated by applicable law.
11. Changes to this policy
We may update this policy to reflect legal or operational changes. The new version will be published on this page with the updated date. Material changes will be communicated by email or a prominent notice in the platform.