Privacy Policy
EventCorner Privacy Policy
How EventCorner processes data across the mobile app, organizer app, waitlist, and websites.
Document version: 2026-06-10. Effective June 10, 2026.
Controller and roles
Controller: NO-CODE POLAND SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
Address: ul. Na Zaspę 45/2, 80-547 Gdańsk
Registry/tax identifier: KRS: 0001151051, REGON: 540702741
Privacy contact: hello@eventcorner.app
NO-CODE POLAND SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ is the controller for accounts, waitlist, service security, and its own product communication as the operator of EventCorner. For participant data of a specific event, the event organizer is the controller and NO-CODE POLAND SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ acts as a processor for the organizer app and backend.
Data categories
- account and session: email, OTP codes, session tokens, sign-in state;
- profile: name, headline, bio, tags, LinkedIn, profile photo;
- events: memberships, roles, visibility, invite codes, active event;
- activity: agenda likes, attendee favorites, survey responses, feedback;
- organizers: invites, roles, event settings, audit logs;
- technical: rate limiting, push tokens, errors, security metadata;
- waitlist: email, optional name, source, and consent records.
Purposes and legal bases
- service delivery, sign-in, and event participation: GDPR Art. 6(1)(b);
- security, anti-abuse, rate limiting, and audit logs: GDPR Art. 6(1)(f);
- legal obligations and GDPR request handling: GDPR Art. 6(1)(c);
- marketing and newsletter: GDPR Art. 6(1)(a), only after separate consent;
- event operation by an organizer: the legal basis defined by that organizer.
Visibility and sharing
Attendee profiles stay private unless the user chooses event visibility. Organizers see data needed to run the event. Attendees see only profile data shared through event visibility.
We use the providers listed in the Subprocessors section below. Where providers process data outside the EEA, we rely on their available transfer safeguards, including standard contractual clauses where required.
Retention
- OTP codes: removed after expiry/use, no later than 24h;
- sessions: valid for 30 days, expired sessions cleaned after 7 days;
- rate limits: 30 days;
- push devices: inactive entries after 90 days;
- event participant and survey data: default 90 days after event end;
- organizer invites: anonymized 90 days after expiry/revocation;
- audit logs: 12 months, then actor and metadata anonymization;
- waitlist: until consent withdrawal, conversion, or completion of the waitlist purpose.
Subprocessors
Subprocessor list version: 2026-06-10
| Provider | Purpose | Location |
|---|---|---|
| Vercel | web application hosting, edge/network security, and deployments | USA / global |
| Convex | application backend, database, server-side functions, and storage | USA / global |
| Resend | transactional email delivery, including OTP codes | USA / global |
| Expo / EAS | builds, distribution, and mobile/push services required by the Expo app | USA / global |
| Apple / Google | mobile app distribution and operating-system push services | USA / global |
Changes to this list are published in this section. Questions can be sent to hello@eventcorner.app.
DPA and organizer data processing
DPA version: 2026-06-10
Party roles
NO-CODE POLAND SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, as the operator of EventCorner, is the processor and processes data only to provide the organizer app, mobile app, and backend. The organizer is the controller for participant data of a specific event.
Instructions and scope
- accounts, invites, roles, and event access;
- profiles, attendee visibility, and networking;
- agenda, map, partners, surveys, feedback, and notifications;
- security, audit, backups, and retention.
Security
The EventCorner operator applies access control, rate limiting, signed webhooks, retention, audit-log anonymization, and minimization of data returned by APIs.
Deletion and return
After an event ends, participant data is deleted or anonymized under the configured retention settings, by default after 90 days, unless a shorter period is agreed or a legal hold applies.
Incidents and subprocessors
The EventCorner operator notifies the organizer of a relevant incident without undue delay and uses subprocessors listed publicly.
Your rights
You may request access, export, rectification, deletion, restriction, objection, or portability. Marketing consent can be withdrawn at any time. The mobile app includes data export and account deletion, and requests can also be sent to hello@eventcorner.app.
Age
EventCorner is intended for adult B2B event participants, 18+.