Last updated: 13 February 2026
1. Controller and Contracting Entity (IT/CH/UK/USA)
This Privacy Policy explains how personal data is processed in connection with the Eventboost website(s) (the “Site”) and the Eventboost platform and related services (the “Services”).
For processing performed for Eventboost’s own purposes (account, contract management, billing, security, marketing), the data controller is the relevant Eventboost group entity that contracts with you (the “Contracting Entity”), as identified in the Order Form / order / accepted proposal and the applicable contractual documents.
Eventboost operates through entities in Italy, Switzerland, the United Kingdom and the United States (each an “Eventboost Entity”). Operational activities (support, IT, security, admin) may be performed by other Eventboost Entities acting as processors/sub-processors with appropriate safeguards.
Eventboost Entities:
- Switzerland (CH): Eventboost SA – Corso San Gottardo 46E, 6830 Chiasso TI – VAT Code: CHE 177.500.574
- Italy (IT): Eventboost SRL – Via Carloforte 6, 09123 Cagliari (CA) – VAT Code: IT03858700929
- United Kingdom (UK): Eduversal LTD – 49 Effra Rd, The Link, Unit BB26 London SW21BZ
- United States (US): Eventboost INC – c/o 230 park Avenue, 3rd Floor West, New York, NY 10169
Privacy contact:
privacy@eventboost.com2. Roles: Controller vs Processor (DPA)
Eventboost may process personal data as:
(A) Controller
For Organizer account/contract data and Site/Service technical and security data.
(B) Processor on Organizer’s behalf
For event-related data uploaded/managed by an Organizer (attendees, invitees, speakers, sponsors, staff). Such processing is governed by the DPA (Article 28 GDPR), which forms part of the contractual framework (Master Terms/Terms & Conditions + Order Form + DPA).
Eventboost does not use Organizer event data for its own purposes (e.g., Eventboost marketing).
3. Categories of personal data
3.1 Controller data
Account identifiers, authentication data, billing/payment-related data (as needed), technical/security logs, communication preferences.
3.2 Processor data (Organizer event data)
Registration and attendance management data, event communications, and special categories only if provided by the Organizer and lawfully processed.
4. Purposes and legal bases (Controller processing)
We process Controller data for:
- service delivery and account administration (Art. 6(1)(b))
- billing/accounting and legal obligations (Art. 6(1)(b)/(c))
- security and fraud prevention (Art. 6(1)(f))
- legal claims/defence (Art. 6(1)(f))
- service communications (Art. 6(1)(b)/(f))
- B2B marketing (consent where required; otherwise Art. 6(1)(f) with opt-out)
5. “Purposes, legal basis and further details” table
Legend: C = Controller / P = Processor (DPA)
Purpose | Role | Legal basis | Data (examples) | Details | Retention (indicative) |
|---|---|---|---|---|---|
Account creation, authentication, access management | C | 6(1)(b); 6(1)(f) security | Account, access logs | Role-based access & logging | Contract term + up to 6 months |
Service delivery and support | C / P* | C: 6(1)(b); P: DPA | C: account; P: event data | *Depends on support scope | C: as above; P: per DPA |
Billing, accounting, tax compliance | C | 6(1)(b); 6(1)(c) | Billing, transactions | Payment providers as processors | Up to 10 years (or legal period) |
Security, anti-abuse, audits | C | 6(1)(f); sometimes 6(1)(c) | Logs, IP, security events | See Security & Safety page | Based on security need |
Service communications | C | 6(1)(b); 6(1)(f) | Email/in-app | Not marketing | Relationship term |
B2B marketing | C | Consent or 6(1)(f) | Contact data | Opt-out always | Until opt-out or ~24 months |
Event operations (registrations/check-in/badges) | P | Attendee data | Organizer instructions | Per DPA | |
Organizer-sent emails/SMS/notifications | P | Attendee contacts | Organizer determines lawful basis/content | Per DPA | |
Strictly necessary cookies | C | exemption/legitimate interest | Cookie IDs | See Cookies Policy | Cookie duration |
Non-essential cookies | C | consent where required | Cookie IDs | See Cookies Policy | Cookie duration |
Privacy requests handling | C / P | 6(1)(c)/(f); P: DPA assistance | Request data | Organizer is primary for event data | As needed |
6. Recipients
We may share data within the Eventboost group and with service providers strictly as needed to deliver the Services, under appropriate contractual/security measures. Eventboost does not sell personal data.
7. International transfers (EU/CH/UK/US)
Where transfers are required, we apply appropriate safeguards (e.g., adequacy decisions, SCCs, UK mechanisms, Swiss adaptations, technical measures). Processor transfers/sub-processors are governed by the DPA.
8. Retention
- account/contract data: contract term + typically up to 6 months post-termination (including trial), unless legal claims/obligations require longer;
- accounting: up to 10 years or statutory period;
- marketing: until opt-out or typically 24 months since last contact.
Processor data retention is governed by the DPA and Organizer instructions.
9. Data subject rights
You may exercise applicable rights (access, rectification, erasure, restriction, portability, objection, consent withdrawal) and lodge a complaint with the competent authority.
Contact: privacy@eventboost.com.
If your data was submitted by an Organizer for an event, please contact the Organizer first; Eventboost will assist under the DPA.
10. UK/CH/US best efforts
We use best efforts to align with applicable privacy laws in the UK, Switzerland and the US depending on context and applicability, maintaining transparency, minimization, security and accountability principles.
11. Changes
We may update this Policy; changes are effective upon publication.
