Privacy Policy

Summary of Key Points

• What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us, the choices you make, and the features you use.
• Do we process any sensitive personal information? We do not process sensitive personal information.
• Do we collect any information from third parties? We do not collect any information from third parties.
• How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.
• With which parties do we share personal information? We may share information in specific situations and with specific third parties.
• How do we keep your information safe? We have appropriate organisational and technical processes in place to protect your personal information. However, no electronic transmission over the internet can be guaranteed to be 100% secure.
• What are your rights? Depending on where you are located, the applicable privacy law may mean you have certain rights regarding your personal information.
• How do you exercise your rights? By contacting us at ask.kulsa@gmail.com.

1. What Information Do We Collect?

Personal information you disclose to us

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our Services, participate in activities on the Services, or otherwise contact us.

Personal Information Provided by You may include:

• Names
• Email addresses
• Institution / university
• Job titles and positions
• Usernames
• Passwords
• Profile photos (optional)

Sensitive Information. We do not process sensitive information.

Payment Data. We may collect data necessary to process your payment if you choose to make purchases. All payment data is handled and stored by Stripe. We store only a payment intent reference — we do not store your card details. You may find Stripe’s privacy notice at stripe.com/gb/privacy.

Social Media Login Data. We may provide you with the option to register using your existing social media account details. If you choose to do so, we will receive certain profile information about you from the social media provider, such as your name and email address.

Information automatically collected

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, and other technical information.

We also collect information through cookies and similar technologies.

Log and Usage Data. Service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services, including your IP address, device information, browser type, and information about your activity in the Services.

2. How Do We Process Your Information?

We process your personal information for the following reasons:

• To facilitate account creation and authentication and otherwise manage user accounts.
• To deliver and facilitate delivery of services to the user.
• To respond to user enquiries and offer support.
• To fulfil and manage your orders, including event registrations, ticket orders, payments, and refunds.
• To send you transactional and operational communications, such as order confirmations, rejections, cancellations, and refund notifications.
• To protect our Services, including fraud monitoring and prevention.
• To identify usage trends so we can improve our Services.
• To save or protect an individual’s vital interest, such as to prevent harm.

3. What Legal Bases Do We Rely On to Process Your Information?

The UK GDPR requires us to explain the valid legal bases we rely on:

• Consent. We may process your information if you have given us permission for a specific purpose. You can withdraw your consent at any time.
• Performance of a Contract. We may process your information when necessary to fulfil our contractual obligations to you.
• Legitimate Interests. We may process your information when reasonably necessary to achieve our legitimate business interests, provided those interests do not outweigh your fundamental rights and freedoms.
• Legal Obligations. We may process your information where necessary for compliance with our legal obligations.
• Vital Interests. We may process your information where necessary to protect vital interests.

In legal terms, we are generally the ‘data controller’ under UK data protection law.

4. When and With Whom Do We Share Your Personal Information?

We share your personal data only with the following service providers acting as data processors on our behalf:

• Supabase — database and authentication provider (servers located in the EU/EEA)
• Stripe — payment processing (PCI-DSS compliant; see stripe.com/gb/privacy)
• Google (Gmail / Nodemailer) — transactional email delivery
• Vercel — website hosting and deployment infrastructure

Business Transfers. We may share or transfer your information in connection with any merger, sale of assets, financing, or acquisition.

We do not sell your personal data. We do not share your data with advertisers or third-party marketing platforms.

5. Do We Use Cookies and Other Tracking Technologies?

We use session cookies to maintain your login state and keep your account secure. These cookies are strictly necessary for the Services to function and do not require your consent under UK law.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not serve advertisements on our platform.

If you disable cookies in your browser, you will not be able to log in to the Services.

6. How Do We Handle Your Social Logins?

Our Services may offer you the ability to register and log in using your third-party social media account details. Where you choose to do this, we will receive certain profile information about you from your social media provider, such as your name and email address.

We will use the information we receive only for the purposes described in this Privacy Notice. We recommend that you review your social media provider’s privacy notice.

7. How Long Do We Keep Your Information?

• Account data is retained while your account is active.
• Order and payment records are retained for a minimum of 6 years from the date of the transaction, in accordance with UK financial record-keeping requirements.
• Audit logs of order status changes are retained for 2 years.
• Profile data not required for legal compliance will be deleted or anonymised within 3 months of account termination upon your request.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it, or securely store and isolate it from further processing until deletion is possible.

8. How Do We Keep Your Information Safe?

We have implemented appropriate and reasonable technical and organisational security measures, including:

• Encrypted data storage and transmission (HTTPS/TLS)
• Row-level security on our database ensuring users can only access their own data
• Stripe’s PCI-compliant infrastructure for all payment handling
• JWT-based authentication with secure session management

However, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. You should only access the Services within a secure environment.

9. Do We Collect Information From Minors?

We do not knowingly collect, solicit data from, or market to children under 18 years of age. By using the Services, you represent that you are at least 18. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to delete such data.

If you become aware of any data we may have collected from children under age 18, please contact us at ask.kulsa@gmail.com.

10. What Are Your Privacy Rights?

Under the UK GDPR, you have the following rights:

• Right to access — request a copy of the personal information we hold about you
• Right to rectification — ask us to correct inaccurate or incomplete data
• Right to erasure — request deletion of your personal data (subject to legal retention obligations)
• Right to restriction — ask us to limit how we process your data in certain circumstances
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right not to be subject to automated decision-making — we do not make solely automated decisions that significantly affect you

To exercise any of these rights, contact us at ask.kulsa@gmail.com. We will respond within 30 days.

If you believe we are unlawfully processing your personal information, you have the right to complain to the UK Information Commissioner’s Office (ICO).

Withdrawing your consent

If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us at ask.kulsa@gmail.com. This will not affect the lawfulness of processing before its withdrawal.

Account information

If you would like to review or change the information in your account or terminate your account, you can log in to your account settings and update your user profile, or contact us. Upon account termination, we will deactivate or delete your account from our active databases but may retain some information as required by law.

11. Controls for Do-Not-Track Features

At this stage, no uniform technology standard for recognising and implementing DNT signals has been finalised. As such, we do not currently respond to DNT browser signals. If a standard is adopted that we must follow, we will inform you in a revised version of this Privacy Notice.

12. Do We Make Updates to This Notice?

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated ‘Last updated’ date at the top. If we make material changes, we may notify you by prominently posting a notice or directly sending you a notification.

13. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may email us at ask.kulsa@gmail.com or contact us by post at:

14. How Can You Review, Update, or Delete the Data We Collect From You?

Based on applicable laws, you may have the right to request access to the personal information we collect, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent.

To request to review, update, or delete your personal information, please contact us at ask.kulsa@gmail.com. We will respond within 30 days.