PRIVACY POLICY

Effective Date: February 15, 2026

Last Updated: February 15, 2026

Eventified (“we,” “us,” or “our”) operates the website located at eventified.ai and the web application located at app.eventified.ai (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you access or use the Service.

By creating an account, accessing the Service, or submitting any information to us, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must not use the Service.

This Privacy Policy applies to all users of the Service, including visitors to our marketing website, registered account holders, and any individuals whose contact information is extracted from badge images uploaded to the Service.

1. Definitions

For the purposes of this Privacy Policy, the following terms have the meanings set forth below:

  • “Personal Information” means any information that identifies, relates to, describes, or could reasonably be linked to you or another identifiable individual, directly or indirectly.

  • “User” means any individual who creates an account or uses the Service.

  • “Extracted Contact Data” means the structured personal information (such as name, job title, company, email address, and phone number) derived from badge images through our AI-powered extraction process.

  • “Badge Image” means any photograph, screenshot, or digital image of an event badge, name tag, or similar identification material uploaded to the Service by a User.

  • “Connected CRM” means any third-party customer relationship management platform that a User authorizes Eventified to integrate with, including but not limited to HubSpot, Salesforce, and Marketo.

  • “Service Providers” means third-party companies and individuals that perform services on our behalf, such as hosting, authentication, payment processing, AI processing, error monitoring, and analytics.

2. Information We Collect

2.1 Information You Provide Directly

(a) Account Registration Information. When you create an account, we collect your full name, email address, and authentication credentials. If you register using a third-party single sign-on provider (such as Google), we receive the profile information you authorize that provider to share with us, which typically includes your name, email address, and profile photo.

(b) Badge Images. When you use the scanning feature, you upload Badge Images containing the personal information of individuals you have met at events. These images are transmitted to our AI processing infrastructure for data extraction.

(c) Payment Information. When you subscribe to a paid plan, your payment card details (card number, expiration date, CVV, and billing address) are collected and processed directly by our PCI DSS Level 1 compliant payment processor. We do not receive, store, or have access to your full payment card number or CVV. Our payment processor provides us with limited information, including the last four digits of your card number, card brand, expiration date, billing address, and transaction history, solely for account management and receipt purposes.

(d) Communications. When you contact us via email or through in-app support channels, we collect the content of your messages, your email address, and any attachments you provide.

(e) CRM Authorization Credentials. When you connect a third-party CRM, we collect and store OAuth access tokens and refresh tokens necessary to maintain the integration on your behalf. We do not collect or store your CRM login credentials (username and password).

2.2 Information Collected Automatically

(a) Usage Data. We automatically collect information about your interactions with the Service, including: pages and features accessed, scan counts and timestamps, actions taken within the dashboard, session duration and frequency, and referral source (the URL that directed you to our Service).

(b) Device and Technical Data. We collect technical information about the device and software you use to access the Service, including: IP address, browser type and version, operating system, device type and screen resolution, language preferences, and time zone.

(c) Error and Performance Data. We use error monitoring services that automatically collect technical diagnostic data when errors occur, including stack traces, the sequence of actions leading to an error, browser and device information, and performance metrics. This data is used solely for debugging and improving Service reliability.

(d) Cookies and Similar Technologies. We use the following categories of cookies and similar tracking technologies:

  • Strictly Necessary Cookies: Required for authentication, session management, and security. These cannot be disabled without breaking core Service functionality.

  • Functional Cookies: Used to remember your preferences and settings (such as theme selection and dashboard layout).

  • Analytics Cookies: Used to understand how Users interact with the Service in aggregate, to inform product improvements. These cookies do not identify you personally.

We do not use advertising cookies, retargeting pixels, or any tracking technologies for the purpose of serving or targeting advertisements.

You may control cookie settings through your browser preferences. Disabling strictly necessary cookies may impair Service functionality.

3. How We Use Your Information

We process your information for the following specific purposes:

(a) Providing and Operating the Service. Processing Badge Images through AI-powered extraction to generate Extracted Contact Data; storing Extracted Contact Data in your account; syncing Extracted Contact Data to your Connected CRM upon your instruction; generating CSV exports upon your request; and maintaining your account, authentication, and session management.

(b) Billing and Payment Processing. Processing subscription payments, generating receipts, managing plan upgrades and downgrades, and handling billing inquiries.

(c) Service Improvement and Development. Analyzing aggregate usage patterns to improve existing features and develop new ones; monitoring Service performance, reliability, and uptime; identifying and resolving bugs, errors, and technical issues.

(d) Security and Fraud Prevention. Detecting, investigating, and preventing unauthorized access, abuse, fraud, and other harmful activities; enforcing our Terms of Use and other policies; protecting the rights, property, and safety of Eventified, our Users, and the public.

(e) Communications. Sending transactional communications, including account confirmations, payment receipts, subscription notifications, security alerts, and Service updates. With your explicit consent, sending promotional communications about new features, product updates, and offers. You may opt out of promotional communications at any time by clicking the unsubscribe link in any email or by contacting us at privacy@eventified.ai.

(f) Legal Compliance. Complying with applicable laws, regulations, and legal processes; responding to lawful requests from governmental authorities; establishing, exercising, or defending legal claims.

4. How We Share Your Information

We do not sell, rent, lease, or trade your Personal Information to any third party for their own marketing purposes. We do not and will not sell your Personal Information as defined under the California Consumer Privacy Act (CCPA) or any similar legislation.

We share your information only in the following limited circumstances:

4.1 Service Providers

We engage third-party service providers who process data on our behalf under contractual obligations that require them to protect your information and use it only for the purposes we specify. These providers fall into the following categories:

  • AI Processing Provider: Badge Images are transmitted to our AI processing provider’s API for contact data extraction. The AI provider processes the image and returns structured data. Under our contractual agreement with this provider, Badge Image data submitted via API is not used to train, improve, or develop their AI models, and is not retained beyond the processing session.

  • Cloud Infrastructure and Hosting Providers: Our application and database are hosted on cloud infrastructure providers that maintain industry-standard security certifications. All data at rest is encrypted.

  • Authentication Provider: User authentication and session management are handled by a dedicated identity management provider. This provider processes your login credentials, profile data, and session tokens.

  • Payment Processor: All payment card processing is handled by a PCI DSS Level 1 compliant payment processor. This processor collects and stores payment card data directly; we never receive or store your full card number.

  • Error Monitoring Provider: Technical error data is transmitted to our error monitoring provider for debugging and Service reliability purposes. This provider receives technical diagnostic data only and does not receive your contact data or Badge Images.

  • Communication Providers: We use email delivery and internal notification services to send transactional emails and receive internal operational alerts (such as new account notifications). These providers process only the minimum data necessary for message delivery.

4.2 Connected CRM Providers

When you explicitly authorize a CRM integration, we transmit Extracted Contact Data to the Connected CRM you have designated. This data transfer occurs only upon your affirmative instruction (clicking “Sync” or enabling automatic sync) and is governed by your separate agreement with the CRM provider. We transmit only the contact data fields necessary for creating or updating contact records. We do not access, retrieve, or store data from your CRM beyond what is necessary to confirm successful synchronization.

4.3 Legal and Regulatory Disclosure

We may disclose your information if we have a good-faith belief that disclosure is reasonably necessary to: comply with applicable law, regulation, legal process, or enforceable governmental request; enforce our Terms of Use, including investigation of potential violations; detect, prevent, or address fraud, security issues, or technical problems; or protect the rights, property, or safety of Eventified, our Users, or the public as required or permitted by law.

Where legally permissible, we will make reasonable efforts to notify you before disclosing your information in response to legal process.

4.4 Business Transfers

In the event that Eventified is involved in a merger, acquisition, reorganization, bankruptcy, dissolution, sale of all or a portion of its assets, or similar transaction, your information may be transferred as part of that transaction. We will provide notice via email and/or a prominent notice on our website before your information is transferred and becomes subject to a different privacy policy. In any such event, the acquirer will be required to honor the commitments made in this Privacy Policy until it is amended in accordance with Section 14.

4.5 With Your Consent

We may share your information with third parties when you have given us your explicit, informed consent to do so.

4.6 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you with third parties for analytics, research, or business purposes. This data does not constitute Personal Information under applicable law.

5. Badge Image Processing and Data Lifecycle

Due to the sensitive nature of Badge Images and Extracted Contact Data, we provide this additional transparency about how badge data is handled:

(a) Upload and Transmission. When you upload a Badge Image, it is transmitted over an encrypted connection (TLS 1.2 or higher) to our servers.

(b) AI Processing. The Badge Image is passed to our AI processing API via an encrypted connection for contact data extraction.

(c) Temporary Storage Only. Badge Images are held in temporary memory during processing and are not permanently stored on Eventified’s servers or databases. Once extraction is complete and the Extracted Contact Data has been returned to your dashboard, the Badge Image is discarded.

(d) AI Provider Data Handling. Under our data processing agreement with our AI provider, Badge Images submitted through our API are not used to train, fine-tune, or improve their models; are not stored beyond the immediate processing session; and are not accessible to the AI provider’s employees except as necessary to resolve technical issues, and only with our authorization.

(e) Extracted Contact Data Storage. The structured Extracted Contact Data (name, job title, company, email, phone) is stored in your account in our encrypted database for as long as your account is active or until you delete it.

(f) User Responsibility. You are responsible for ensuring that you have an appropriate legal basis (such as legitimate interest or consent) for uploading and processing Badge Images containing other individuals’ personal information. See Section 10 for more on your obligations.

6. Data Retention

We retain your information for the following periods:

  • Badge Images: Not permanently stored. Processed in temporary memory and discarded upon completion of extraction. No Badge Images are retained in our database or file storage systems.

  • Extracted Contact Data: Retained for the duration of your active account. You may delete individual contacts or all Extracted Contact Data at any time through the Service dashboard. Deletion is permanent and irreversible.

  • Account Information: Retained for the duration of your active account. Upon account deletion or termination, we will delete your Personal Information within thirty (30) calendar days, except where retention is required by applicable law.

  • Billing and Transaction Records: Retained for seven (7) years from the date of the transaction to comply with tax, accounting, and financial reporting obligations.

  • Usage Logs and Analytics Data: Retained for twelve (12) months for Service improvement and security purposes, after which they are anonymized or permanently deleted.

  • Error Monitoring Data: Retained for ninety (90) days, after which it is automatically purged.

  • Communication Records: Retained for twenty-four (24) months from the date of the communication, or longer if related to an unresolved support issue or legal matter.

7. Data Security

We implement comprehensive technical, administrative, and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

7.1 Technical Safeguards

  • All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS) 1.2 or higher

  • All data stored in our database is encrypted at rest using AES-256 encryption

  • OAuth tokens for CRM integrations are stored in encrypted form and are never exposed to client-side code or browser storage

  • API keys and secrets are managed through environment-level configuration and are never committed to source code repositories

  • Regular automated vulnerability scanning and dependency auditing

7.2 Authentication and Access Controls

  • User authentication is managed by a dedicated, enterprise-grade identity management platform with support for multi-factor authentication (MFA)

  • Access to production systems, databases, and infrastructure is restricted to authorized personnel through role-based access control (RBAC) with mandatory MFA

  • All access to production systems is logged and auditable

  • Principle of least privilege is enforced across all internal systems

7.3 Organizational Safeguards

  • Security incident response procedures with defined escalation paths

  • Regular security reviews of third-party Service Providers and their certifications

  • Data processing agreements with all Service Providers that mandate equivalent or greater security standards

While we implement robust security measures designed to protect your information, no electronic transmission or storage method is completely secure. We cannot guarantee absolute security. In the event of a security breach affecting your Personal Information, we will notify you and applicable regulatory authorities in accordance with applicable law.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights with respect to your Personal Information:

  • Right of Access: You may request a copy of the Personal Information we hold about you in a structured, commonly used, machine-readable format.

  • Right to Rectification: You may request that we correct any inaccurate or incomplete Personal Information.

  • Right to Erasure (Right to Be Forgotten): You may request the deletion of your Personal Information, subject to our legal retention obligations. You may also delete your Extracted Contact Data directly through the Service dashboard at any time.

  • Right to Data Portability: You may request a copy of your data in a portable, machine-readable format (JSON or CSV).

  • Right to Restrict Processing: You may request that we restrict the processing of your Personal Information in certain circumstances.

  • Right to Object: You may object to the processing of your Personal Information for certain purposes, including direct marketing.

  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing that occurred prior to withdrawal.

  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact us at privacy@eventified.ai. We will verify your identity before processing your request and will respond within thirty (30) calendar days. If we require additional time (up to an additional sixty days), we will inform you of the reason for the extension.

We will not discriminate against you for exercising any of these rights.

9. International Data Transfers

9.1 Transfer Mechanisms

Eventified operates from Canada. Your Personal Information may be transferred to, stored in, and processed in countries other than your country of residence, including Canada and the United States, where our Service Providers maintain infrastructure. These countries may have data protection laws that differ from those in your jurisdiction.

Where we transfer Personal Information outside of the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we ensure that appropriate safeguards are in place, including: Standard Contractual Clauses (SCCs) approved by the European Commission; data processing agreements with all Service Providers that include commitments to protect Personal Information in accordance with this Privacy Policy; and selection of Service Providers that maintain recognized security certifications and compliance frameworks.

9.2 Legal Bases for Processing (EEA/UK Users)

If you are located in the EEA or UK, our legal bases for processing your Personal Information under the General Data Protection Regulation (GDPR) are:

  • Performance of a Contract: Processing necessary to provide the Service you have requested (account management, badge scanning, CRM syncing, billing).

  • Legitimate Interests: Processing necessary for our legitimate business interests, including Service security, fraud prevention, analytics, and product improvement, where those interests are not overridden by your fundamental rights and freedoms.

  • Consent: Processing based on your freely given, specific, informed consent, such as marketing communications. You may withdraw consent at any time.

  • Legal Obligation: Processing necessary to comply with applicable laws and regulations.

10. Your Obligations as a Data Controller

When you upload Badge Images containing other individuals’ personal information and direct us to extract, store, and sync that data, you act as the data controller for that Extracted Contact Data. Eventified acts as a data processor on your behalf.

As a data controller, you are responsible for:

  • Ensuring you have a valid legal basis (such as legitimate interest, consent, or contractual necessity) for collecting and processing the personal information contained in the Badge Images you upload

  • Complying with all applicable data protection laws in your jurisdiction, including the GDPR, CCPA, PIPEDA, or other applicable regulations

  • Responding to data subject access requests, deletion requests, or other rights requests from individuals whose data you have processed through the Service

  • Ensuring that your use of the CRM sync and CSV export features complies with the terms of service and privacy policies of the receiving platforms

Eventified is not responsible for your compliance with data protection laws in your capacity as a data controller. If an individual whose data has been extracted contacts us directly, we will refer them to you unless deletion of the data from our systems is requested and legally required.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”):

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of Personal Information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collection, and the categories of third parties with whom it was shared.

  • Right to Delete: You have the right to request deletion of your Personal Information, subject to certain exceptions permitted by law.

  • Right to Correct: You have the right to request correction of inaccurate Personal Information.

  • Right to Opt-Out of Sale or Sharing: We do not sell or share (as those terms are defined under the CCPA) your Personal Information. Therefore, no opt-out mechanism is required.

  • Right to Limit Use of Sensitive Personal Information: We do not process sensitive personal information for purposes beyond those permitted under the CCPA.

  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your CCPA rights, contact us at privacy@eventified.ai or use the account deletion tools in your Service dashboard. We will verify your identity before processing your request.

In the twelve (12) months preceding the effective date of this Privacy Policy, we have not sold any consumer’s Personal Information.

12. Canadian Privacy Rights (PIPEDA)

For Users located in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

Under PIPEDA, you have the right to: access the Personal Information we hold about you; request correction of inaccurate information; withdraw consent for the collection, use, or disclosure of your Personal Information (subject to legal or contractual restrictions); and lodge a complaint with the Office of the Privacy Commissioner of Canada.

We collect, use, and disclose your Personal Information only for the purposes identified in this Privacy Policy and with your knowledge and consent, except where otherwise permitted or required by law.

13. Children’s Privacy

The Service is not directed to individuals under the age of sixteen (16). We do not knowingly collect Personal Information from children under 16. If we become aware that we have inadvertently collected Personal Information from a child under 16, we will take prompt steps to delete such information. If you believe a child under 16 has provided us with Personal Information, please contact us immediately at privacy@eventified.ai.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

  • Minor Changes: We will update the “Last Updated” date at the top of this Privacy Policy and post the revised version on our website.

  • Material Changes: We will provide you with prominent notice at least thirty (30) calendar days before the changes take effect. Notice will be provided via email to the address associated with your account and/or via a conspicuous notice within the Service.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with the changes, you must stop using the Service and delete your account.

15. Third-Party Websites and Services

The Service may contain links to third-party websites, services, or resources that are not operated by us. We are not responsible for the privacy practices, content, or security of any third-party websites or services. We encourage you to review the privacy policies of any third-party services you access through or in connection with our Service.

16. Do Not Track Signals

Some web browsers transmit “Do Not Track” (DNT) signals. Because there is no universally accepted standard for how to respond to DNT signals, the Service does not currently respond to DNT signals. However, as stated in Section 2.2(d), we do not use advertising or retargeting cookies.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us at:

Eventified

Email: privacy@eventified.ai

Website: eventified.ai

For data protection inquiries from the European Union or United Kingdom, you may also contact your local supervisory authority.

For privacy inquiries from Canada, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.