Privacy and Data Protection Policy

Last Updated: November 11, 2025

Data protection is a top priority for us. This privacy policy provides a detailed overview of how we collect, use, store, and protect your personal information, your rights as a user, and how we ensure the security of your data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

1. Data Controller

• Name: Bálint István Berente
• Address: 1111 Budapest, Fraknó utca 16/B
• Email: [email protected]
• Phone: +36 20 945 9429

For questions regarding data protection, please contact us at: [email protected]

2. What Data Do We Collect?

2.1. Data Provided During Registration and Account Management

When you create an account, we collect and store:

• Email address (required, used for account identification and communication)
• First name (optional)
• Last name (optional)
• Password (stored in encrypted format using industry-standard hashing algorithms)
• Locale preference (default: "hu", used for language settings)
• Email verification status (to ensure account security)

2.2. Data Collected During Service Usage

Event and Experience Management:

• Event/experience information (title, organizer, location, dates, description, theme colors)
• Event logos and banners (uploaded images)
• Event locations and maps
• Session information (titles, descriptions, dates, locations)
• Speaker information (names, titles, email addresses, profile images)
• Session tags and categorization
• Announcements and notifications
• Form definitions and configurations

Order and Payment Information:

• Order details (billing name, email, country, city, postal code, address)
• Ticket purchases and assignments
• Ticket serial numbers and usage history
• Payment status and transaction records
• Billing addresses (stored for future purchases)

User Participation Data:

• User roles and permissions for events (attendee, editor, admin)
• Phone numbers (optional, when provided for event participation)
• Notes and additional information (optional, when provided by event organizers)
• Favorite sessions
• Session questions submitted (may be anonymous or attributed)
• Form responses (including text, numbers, dates, file uploads, and other submitted data)
• Feedback submissions (text, location, timestamp)

Communication and Collaboration:

• Chat conversations with AI agent (titles, messages, timestamps)
• AI-generated responses and tool usage
• Notification preferences and subscriptions
• Push notification tokens (for mobile/web push notifications)
• Email invitations sent and received

Task Management:

• Task assignments and status
• Task deadlines and updates

2.3. Automatically Collected Data

Analytics and Usage Data:

• Website visit statistics and page views
• Feature usage and interaction patterns
• Error logs and performance metrics
• Device and browser information (collected anonymously through PostHog)

Technical Data:

• IP addresses (processed for security and analytics purposes)
• Session identifiers
• Cookies and similar tracking technologies (see Cookie Policy section)

2.4. AI Services Data

When using the PlanMate AI Agent:

• User questions and prompts are temporarily processed through the OpenAI API
• AI conversations (chat history) are stored in our database to maintain conversation context
• Chat messages include both user inputs and AI-generated responses
• AI quota usage is tracked per experience
• Important: AI conversations are associated with your user account and experience, but are not used for user identification or profiling purposes outside of the service context

3. Legal Basis and Purpose of Data Processing

We process your personal data based on the following legal grounds:

3.1. Contract Performance

• Creating and managing user accounts
• Facilitating event creation and management
• Processing ticket purchases and orders
• Providing access to event content and features
• Delivering notifications and communications related to your events

3.2. Legitimate Interests

• Improving and optimizing our services
• Analyzing usage patterns to enhance user experience
• Ensuring platform security and preventing fraud
• Providing customer support
• Sending important service updates

3.3. Consent

• Analytics and usage tracking (via PostHog)
• Optional features and data collection

3.4. Legal Obligations

• Compliance with tax and accounting requirements
• Responding to legal requests and court orders

4. How Do We Protect Your Data?

4.1. Technical Security Measures

• Encryption: All sensitive data, including passwords, is stored using industry-standard encryption. Data transmission occurs over encrypted channels (HTTPS/TLS).
• Database Security: Data is stored in a PostgreSQL database hosted on Railway. Railway implements robust security measures including network isolation, access controls, and regular security updates. For more information, see Railway's Privacy Policy.
• Access Controls: We implement role-based access controls and authentication mechanisms to ensure only authorized personnel can access personal data.
• Regular Updates: We maintain and update our systems regularly to address security vulnerabilities.

4.2. Organizational Security Measures

• Limited access to personal data on a need-to-know basis
• Regular security training for personnel
• Incident response procedures

4.3. Data Retention

• Account Data: Retained while your account is active and for a reasonable period after account deletion to comply with legal obligations.
• Event Data: Retained for the duration of the event and as necessary for historical records and legal compliance.
• Chat/AI Data: Stored as long as your account is active. You can delete individual chats or request deletion of all chat data.
• Analytics Data: Aggregated and anonymized data may be retained for longer periods for statistical purposes.

5. Data Sharing and Third-Party Services

We work with the following third-party service providers to deliver our services:

5.1. Payment Processing - Stripe

Purpose: Processing payments for ticket purchases and subscriptions.

Data Shared:

• Payment method information (processed directly by Stripe, not stored by us)
• Billing information (name, email, address) for transaction processing
• Order metadata (order ID, experience ID)

Important: We do not store credit card numbers or full payment card details. All payment data is handled directly by Stripe in compliance with PCI DSS standards.

Privacy Policy: Stripe Privacy Policy

5.2. AI Services - OpenAI

Purpose: Providing AI-powered assistance through the PlanMate AI Agent.

Data Shared:

• User prompts and questions
• Conversation context and history
• Experience and event data necessary for AI responses

Processing: Data is sent to OpenAI's API over encrypted channels. OpenAI processes this data to generate responses but does not use it to train their models without explicit consent (based on OpenAI's current policies).

Privacy Policy: OpenAI Privacy Policy

Data Location: OpenAI may process data in various regions. Please review their privacy policy for current data processing locations.

5.3. Analytics - PostHog

Purpose: Understanding how users interact with our platform to improve services.

Data Shared:

• Anonymized usage statistics
• Feature usage patterns
• Error logs and performance metrics
• Device and browser information (anonymized)

Privacy Policy: PostHog Privacy Policy

Data Location: PostHog data is stored on EU servers as configured in our implementation.

Cookies: PostHog uses cookies and similar technologies. See our Cookie Policy section below.

5.4. Hosting - Railway

Purpose: Hosting our database and application services.

Data Stored: All application data, including personal information, is stored on Railway's infrastructure.

Privacy Policy: Railway Privacy Policy

5.5. Data Transfers

• We do not sell your personal data to third parties.
• Data is only shared with the service providers listed above as necessary to provide our services.
• All third-party service providers are contractually obligated to protect your data and comply with applicable data protection laws.
• We ensure appropriate safeguards are in place for any international data transfers.

6. Cookies and Tracking Technologies

6.1. What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us provide, protect, and improve our services.

6.2. Types of Cookies We Use

Essential Cookies:

• Required for the website to function properly
• Include authentication and session management cookies
• Cannot be disabled without affecting website functionality

Analytics Cookies (PostHog):

• Used to collect anonymous usage statistics
• Help us understand how users interact with our platform
• Can be managed through your browser settings or PostHog's opt-out mechanisms

6.3. Managing Cookies

You can control cookies through:

• Your browser settings (most browsers allow you to refuse or delete cookies)
• PostHog opt-out: Contact us or use PostHog's privacy controls
• Note: Disabling certain cookies may limit website functionality

7. Your Rights Under GDPR

As a data subject, you have the following rights:

7.1. Right of Access

You can request access to all personal data we hold about you, including:

• Account information
• Event participation data
• Order history
• Chat/AI conversation history
• Form responses
• Any other personal data we process

How to exercise: Contact us at [email protected] with your request.

7.2. Right to Rectification

You can request correction of inaccurate or incomplete personal data.

How to exercise: Update your information through your profile settings, or contact us for assistance.

7.3. Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data, subject to legal retention requirements.

How to exercise: Contact us at [email protected]. We will delete your data unless we have a legal obligation to retain it.

Note: Deletion may affect your ability to access past events, orders, or other service features.

7.4. Right to Restrict Processing

You can request that we limit how we process your personal data in certain circumstances.

7.5. Right to Data Portability

You can request a copy of your data in a structured, commonly used, and machine-readable format.

7.6. Right to Object

You can object to processing of your personal data based on legitimate interests, including:

• Analytics and usage tracking
• Direct marketing (if applicable)

7.7. Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time.

7.8. Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have violated data protection laws.

Hungarian Authority: National Authority for Data Protection and Freedom of Information (NAIH)

7.9. Response Time

We will respond to your requests within one week, or inform you if we need additional time.

8. Children's Privacy

Our services are not intended for children under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

9. International Data Transfers

Your data may be processed and stored in different countries:

• Primary Storage: Railway hosting infrastructure (location may vary)
• Analytics: PostHog EU servers
• AI Processing: OpenAI infrastructure (may include international locations)
• Payment Processing: Stripe infrastructure (global)

We ensure appropriate safeguards are in place for international transfers, including:

• Standard contractual clauses
• Adequacy decisions by the European Commission
• Compliance with GDPR requirements

10. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours
• Notify affected users without undue delay
• Provide clear information about the nature of the breach and recommended actions

11. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will:

• Update the "Last Updated" date at the top of this policy
• Notify users of material changes via email or prominent website notice
• Provide a reasonable period for review before changes take effect

We encourage you to review this policy periodically to stay informed about how we protect your data.

12. Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:

Email: [email protected]

We are committed to addressing your concerns and will respond to your inquiries promptly.

13. Additional Information for Event Participants

If you are participating in an event organized through our platform:

• Data Access: You can request access to your personal data (name, email, ticket information) from the event organizer.
• Data Sharing: Your information may be visible to event organizers and administrators for event management purposes.
• Event-Specific Data: Form responses, questions, and other event participation data are accessible to event organizers. Your data is only associated with the specific event and will be deleted alongside the event.
• Privacy Settings: Some events may allow you to submit questions or feedback anonymously.

This privacy policy is effective as of the date listed above and applies to all users of our services.