Eventfull
Join Waitlist

DRAFT — review with legal counsel before launch. This document is a working draft prepared by the Eventfull team and has not yet been reviewed or signed off by qualified legal counsel. It is published for transparency and feedback only. Final terms may differ.

Legal

Privacy Policy

How we handle the personal data you share with Eventfull — covering Hong Kong, Singapore, and EU/UK visitors.

Last updated: 28 April 2026
Effective: On launch

1. Overview

This Privacy Policy explains how Eventfull (“Eventfull,” “we,” “us”) collects, uses, discloses, and safeguards personal data when you visit our website at eventfull.me, join our waitlist, partner with us as a community organizer, or use the Eventfull mobile application (collectively, the “Service”). It applies to data subjects in Hong Kong, Singapore, the European Economic Area, the United Kingdom, and other jurisdictions where the Service is offered.

Eventfull is operated from Hong Kong with planned operations in Singapore. We comply with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), the Singapore Personal Data Protection Act 2012 (“PDPA”), and — where applicable — the EU/UK General Data Protection Regulation (“GDPR”).

2. Data we collect

2.1 Information you provide

  • Waitlist sign-up: email address, optional name, market preference (HK / SG), and the community or interest you indicate.
  • Community / partner applications: contact name, email, community name, market, approximate community size, optional notes.
  • App account (post-launch): name, email, phone number (optional), profile photo (optional), authentication identifiers from Apple / Google sign-in.
  • Event content: events you create, RSVPs, guest lists, dietary notes, payment splits, group chat messages.
  • Payments: we do not store full card numbers. Payments are processed by Stripe, PayMe (HKMA-licensed), and PayNow (MAS-licensed) — see §5.
  • Support correspondence: emails to admin@eventfull.me and any attachments you choose to send.

2.2 Information collected automatically

  • Analytics: page views, referrers, device type, browser, approximate location (city-level, derived from IP), session duration. We use GA4, PostHog, and a cookieless fallback (Plausible) for visitors who do not consent to cookies.
  • Cookies & similar technologies: strictly necessary cookies for session and locale; optional analytics cookies subject to your consent (see §8).
  • Server logs: IP address, user-agent, request metadata for security and abuse prevention, retained 30 days.

2.3 Sensitive data

We do not intentionally collect special-category data (health, race, political views, biometric, etc.). Dietary notes you add to an event are processed only to share with the organizer and host venue, and are not used for profiling.

3. How we use your data

  • To operate, secure, and improve the Service.
  • To send you launch updates, waitlist confirmations, and partner onboarding messages — only on the legal basis you selected (consent or legitimate interest).
  • To facilitate event RSVPs, payments, reminders, and organizer-to-guest communication.
  • To analyse aggregate usage and improve product design (we never sell personal data).
  • To comply with legal, regulatory, and tax obligations.
  • To detect, prevent, and respond to fraud, abuse, or violations of our Terms.

5. Who we share data with

  • Service providers (processors): Vercel (hosting), Resend or SendGrid (email), Stripe / PayMe / PayNow (payments), Apple / Google (sign-in & push), GA4 / PostHog (analytics). Each is bound by data-processing terms.
  • Event organizers and co-attendees: when you RSVP to an event, the organizer can see your RSVP, dietary note (if provided), and any messages you post in the event chat.
  • Authorities: where required by law, court order, or to protect the rights, property, or safety of users or the public.
  • Corporate transactions: in the event of a merger, acquisition, or asset sale, with continuity of these commitments.

6. Cross-border transfers

Our infrastructure is hosted on Vercel (regions in Asia-Pacific and the US). Data may therefore be transferred outside Hong Kong, Singapore, the EEA, or the UK. We rely on the European Commission’s Standard Contractual Clauses, the UK’s International Data Transfer Addendum, and equivalent safeguards for transfers to jurisdictions without an adequacy decision.

7. Data retention

  • Waitlist email: retained until launch in your market plus 12 months, or until you unsubscribe.
  • Partner applications: 24 months from the last interaction.
  • App account & event data: for the life of your account; deleted within 30 days of account closure except where statute requires longer (e.g. payment records, 7 years in HK / 5 years in SG).
  • Analytics: aggregated indefinitely; identifiable session data 14 months max.
  • Server logs: 30 days.

8. Cookies

On first visit you are presented with a cookie banner offering three options: accept all, accept strictly necessary only, or customise. Strictly necessary cookies (session, locale, CSRF) require no consent. Analytics and preference cookies are loaded only after explicit opt-in. You can change your choice anytime via the “Cookie settings” link in the footer.

9. Your rights

9.1 Hong Kong (PDPO)

You have the right to (a) request access to your personal data, (b) request correction, and (c) ascertain our policies and practices in relation to personal data. Requests are handled within 40 days, free of charge for the first request in a 12-month period.

9.2 Singapore (PDPA)

You may (a) withdraw consent at any time, (b) request access to and correction of your personal data, and (c) request deletion where the data is no longer necessary for a legal or business purpose. We respond within 30 days.

9.3 EU / UK (GDPR)

You have the right to access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, objection to processing (including direct marketing), and the right not to be subject to automated decision-making. You may lodge a complaint with your supervisory authority (e.g. Ireland’s DPC, the UK ICO, or your local DPA).

9.4 How to exercise your rights

Email privacy@eventfull.me with sufficient information for us to verify your identity. We will not charge a fee except where requests are manifestly unfounded or excessive.

10. Security

We use TLS in transit, encryption at rest for production databases, scoped access controls, and regular dependency scanning. No system is perfectly secure; if a breach occurs that is likely to result in a high risk to your rights, we will notify you and the relevant authority without undue delay (within 72 hours under GDPR, and per PDPA / PDPO breach notification standards).

11. Children

The Service is not intended for children under 16. We do not knowingly collect data from children. If you believe a minor has provided personal data, please contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced on this page and, where appropriate, via email. The “Last updated” date above always reflects the current version.

13. Contact

Data controller: Eventfull Limited (Hong Kong, company registration pending)
General privacy enquiries: privacy@eventfull.me
General contact: admin@eventfull.me

See also our Terms of Service and Acceptable Use Policy.