Privacy Policy

1. Introduction

Welcome to [TODO: Company Name] ("we," "us," or "our"). We are committed to protecting your personal data and your privacy rights. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our event management, booking, and electronic signing platform (the "Service").

By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

[TODO: Company Information]
Company Name: [TODO]
Registered Address: [TODO]
Organization Number: [TODO]
Data Protection Officer: [TODO: Email]

2. Information We Collect

2.1 Personal Information You Provide

We collect information that you voluntarily provide to us, including:

• Account Information: Name, email address, password, profile picture
• Event Registration: First name, last name, email, phone number, and any custom form data requested by event organizers
• Booking Information: Contact details, preferences, payment information (if applicable)
• Electronic Signatures: Typed names, drawn signatures, identity verification data (e.g., BankID), IP address, geolocation data (for audit trail)
• Communications: Messages you send us, support inquiries, feedback
• Payment Information: [TODO: Payment processor] processes payments on our behalf. We do not store full credit card numbers.

2.2 Information Collected Automatically

When you use our Service, we automatically collect:

• Usage Data: Pages viewed, time spent, features used, actions taken
• Device Information: Browser type, operating system, device identifiers, screen resolution
• Log Data: IP address, timestamps, referring URLs, error logs
• Cookies and Tracking: See our Cookie Policy for details

2.3 Information from Third Parties

• OAuth Providers: When you sign in with Google or GitHub, we receive your name, email, and profile picture from these services
• Identity Verification: When using electronic signatures, we may receive verification data from identity providers (e.g., BankID, SMS verification)
• [TODO: List other third-party sources]

3. How We Use Your Information

We use your personal information for the following purposes:

3.1 Service Provision

• Create and manage your account
• Process event registrations and bookings
• Facilitate electronic signature workflows
• Send transactional emails (confirmations, reminders, receipts)
• Provide customer support

3.2 Legal Compliance and Security

• Maintain audit logs for electronic signatures (legal requirement)
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations and enforce our Terms of Service
• Resolve disputes and protect our rights

3.3 Service Improvement

• Analyze usage patterns to improve features and user experience
• Conduct research and development
• Perform A/B testing and analytics

3.4 Communications

• Send administrative messages (service updates, security alerts)
• Send marketing communications (with your consent - you can opt out anytime)
• Respond to your inquiries and requests

Legal Basis for Processing (GDPR):

• Contract: Processing necessary to provide the Service you requested
• Consent: For marketing communications, cookies, and optional features
• Legal Obligation: To comply with laws (e.g., maintaining signature audit trails)
• Legitimate Interest: To improve our Service, detect fraud, and ensure security

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

4.1 Service Providers (Processors)

We share data with trusted third-party service providers who assist us in operating the Service:

• Cloud Hosting: Google Cloud Platform (data stored in [TODO: Region])
• Email Service: MailerSend (for transactional and marketing emails)
• Payment Processing: [TODO: Stripe, PayPal, etc.]
• Analytics: [TODO: Google Analytics, Plausible, etc.]
• Error Tracking: [TODO: Sentry, if implemented]
• [TODO: List all subprocessors]

These service providers are bound by data processing agreements (DPAs) and are only authorized to use your information as necessary to provide services to us.

4.2 Event Organizers and Tenant Owners

When you register for an event or book a resource, your information is shared with the event organizer (tenant owner) who created the event. They are the data controller for this information and are responsible for their own privacy practices.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to:

• Comply with legal process
• Enforce our Terms of Service
• Respond to claims that content violates rights of third parties
• Protect the rights, property, or safety of our company, users, or the public

4.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

4.5 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

5. Data Security

We implement technical and organizational security measures to protect your information:

• Encryption: Data encrypted in transit (TLS/HTTPS) and at rest (database encryption)
• Access Controls: Role-based access control (RBAC) and principle of least privilege
• Authentication: Password hashing (bcrypt), multi-factor authentication [TODO: When implemented]
• Audit Logging: All access to sensitive data is logged and monitored
• Security Testing: Regular vulnerability assessments and penetration testing
• Incident Response: Documented procedures for security incidents

While we strive to protect your information, no security system is impenetrable. We cannot guarantee the absolute security of your data.

6. Data Retention

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention Periods:

• Account Data: Until you delete your account, plus [TODO: 30 days] for recovery
• Event Registrations: [TODO: 3 years] after event completion
• Signature Audit Logs: [TODO: 7 years] (legal requirement for e-signatures)
• Analytics Data: [TODO: 90 days]
• Application Logs: [TODO: 90 days]
• Backup Data: [TODO: 30 days] in encrypted backups

After the retention period expires, we will delete or anonymize your information in accordance with our data retention policy.

7. Your Privacy Rights

7.1 Rights Under GDPR (EU Users)

If you are in the European Economic Area (EEA), you have the following rights:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for processing based on consent
• Right to Lodge a Complaint: File a complaint with your local data protection authority

7.2 How to Exercise Your Rights

To exercise any of these rights:

• Account Settings: Update your profile information in your account settings
• Data Export: [TODO: When implemented] Click "Export My Data" in Settings → Privacy
• Account Deletion: [TODO: When implemented] Click "Delete My Account" in Settings → Privacy
• Email Opt-Out: Click "Unsubscribe" in any marketing email
• Contact Us: Email [TODO: privacy@yourcompany.com] with your request

We will respond to your request within 30 days. For verification purposes, we may request additional information to confirm your identity.

7.3 California Privacy Rights (CCPA)

California residents have additional rights:

• Right to know what personal information is collected
• Right to know whether personal information is sold or disclosed
• Right to opt-out of sale of personal information (we do not sell data)
• Right to deletion of personal information
• Right to non-discrimination for exercising privacy rights

8. Children's Privacy

Our Service is not intended for children under the age of [TODO: 13 or 16 depending on jurisdiction]. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [TODO: privacy email]. We will delete such information from our records.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from your jurisdiction.

[TODO: Specify data locations]
Primary Data Storage: [TODO: EU, US, etc.]
Subprocessors' Locations: [TODO: List countries]

For EU users, we ensure adequate protection through:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission
• Other appropriate safeguards under GDPR

10. Third-Party Links

Our Service may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top indicates when this policy was last revised. We will notify you of material changes by:

• Posting a notice on our Service
• Sending an email to your registered email address
• [TODO: Other notification methods]

Your continued use of the Service after changes take effect constitutes your acceptance of the revised Privacy Policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

EU Representative: [TODO: If required under GDPR Article 27]

Supervisory Authority:
[TODO: For EU users] You have the right to lodge a complaint with your local data protection authority. In Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten): https://www.imy.se

13. Special Provisions for E-Signatures

Our electronic signature feature collects additional information required for legal validity and audit purposes:

13.1 Signature Audit Trail

For each signature, we record:

• Signer's name and email address
• Timestamp (UTC)
• IP address
• Geolocation (if available)
• Device information (user agent)
• Identity verification method and result (e.g., BankID)
• Document hash (to detect tampering)
• All actions (viewed, signed, declined)

13.2 Legal Retention

Signature audit logs are retained for [TODO: 7 years] as required by law for evidentiary purposes. These logs cannot be deleted, even upon account deletion request, to maintain the legal validity of signed documents.

13.3 Identity Verification Data

When using identity verification services (e.g., BankID, SMS verification), we receive and store verification results. We do not receive or store national ID numbers or other highly sensitive identity data beyond what is necessary for verification.