Evnyo Privacy Policy

Learn how Evnyo protects your personal data in compliance with GDPR and European regulations.

Last updated: 06/01/2025

1. Geographical and regulatory scope

This privacy policy applies to all users of the Evnyo platform located in the European Union, European Economic Area and the United Kingdom. It is designed to ensure compliance with:

  • Regulation (EU) 2016/679 (GDPR) and its national implementations
  • The UK GDPR and the Data Protection Act 2018 (United Kingdom)
  • National data protection laws of all relevant Member States, including:
      • France: Loi Informatique et Libertés (amended)
      • Germany: Bundesdatenschutzgesetz (BDSG) and Länder laws
      • Spain: Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD)
      • Italy: Codice in materia di protezione dei dati personali
      • Portugal: Lei n.º 58/2019
      • Poland: Ustawa o ochronie danych osobowych
      • Romania: Legea nr. 190/2018
      • Netherlands: Algemene Verordening Gegevensbescherming (AVG) and Uitvoeringswet AVG
      • Belgium: Loi du 30 juillet 2018 relative à la protection des personnes physiques
      • Austria: Datenschutz-Grundverordnung (DSGVO) and Datenschutzgesetz (DSG)

This policy complies with the strictest requirements among all these jurisdictions to ensure optimal protection of your personal data.

2. Introduction

Welcome to the Evnyo platform, a pay-per-event SaaS solution designed for European SMEs to manage their events. The protection of your personal data is our absolute priority. This privacy policy explains transparently how Evnyo processes your data, in full compliance with Regulation (EU) 2016/679 (GDPR) and applicable national laws. Drafted to the highest legal standards, this policy reflects our commitment to privacy and security. We detail the purposes of data processing, our legal bases, the sub-processors we use, the security measures implemented, your rights and how to exercise them.

Evnyo is committed to respecting the principles of lawfulness, fairness, transparency, data minimisation and purpose limitation provided for by the GDPR. We also ensure accountability by rigorously documenting our compliance. By using our platform, you remain in control of your data: we only use it for the explicit purposes described below and we never commercialise it.

3. Data controller & Data Protection Referent

The data controller for data collected via the Evnyo platform is MACK, a French limited liability company with share capital of €246,389.00, with its registered office at APPARTEMENT 6 2 ALL SAINT MICHEL 59890 QUESNOY SUR DEULE, registered with the Lille Métropole Trade and Companies Register under number 852 895 747, SIRET 85289574700032 (hereinafter "Evnyo" or "we"). As data controller, we determine the purposes and means of processing relating to the management of the site and customer accounts. Furthermore, when we process participant data on behalf of our customers (event organisers), we act as a processor in accordance with Article 28 of the GDPR (see "Sub-processing" section below).

Appointment of a Data Protection Referent: As an SME, Evnyo does not have the legal obligation to appoint a DPO within the meaning of Article 37 of the GDPR and equivalent national legislation, as our core activity does not consist of large-scale processing requiring regular and systematic monitoring of data subjects, nor large-scale processing of special categories of data. This assessment has been carried out in accordance with the guidelines of the European Data Protection Board (EDPB) and national authorities. However, for transparency and continuous improvement of our practices, we have chosen to appoint a data protection referent. This referent does not have DPO status within the meaning of Article 37 GDPR.

Competent supervisory authorities: Depending on your place of residence, the competent supervisory authority is:

  • France: Commission Nationale de l'Informatique et des Libertés (CNIL)
  • United Kingdom: Information Commissioner's Office (ICO)
  • Germany: Länder data protection authorities and Bundesbeauftragte für den Datenschutz
  • Spain: Agencia Española de Protección de Datos (AEPD)
  • Italy: Garante per la protezione dei dati personali
  • Portugal: Comissão Nacional de Proteção de Dados (CNPD)
  • Poland: Urząd Ochrony Danych Osobowych (UODO)
  • Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
  • Netherlands: Autoriteit Persoonsgegevens (AP)
  • Belgium: Autorité de protection des données (APD/GBA)
  • Austria: Datenschutzbehörde (DSB)

For any questions relating to this policy or to exercise your rights (detailed below), you may contact our data protection referent:

  • Dominique PRASIVORAVONG – Evnyo Data Protection Referent
  • Contact: privacy@evnyo.com (or by post to our registered office address, for the attention of the data protection referent)

4. Purposes of processing and legal bases

We collect and process personal data only for specific, explicit and legitimate purposes. Below you will find the detailed list of our processing purposes, as well as the corresponding legal basis for each of them, in accordance with Article 6 of the GDPR:

  • Sending invitations and reminders for events: Evnyo enables organisers to send invitations by email (via Postmark) and SMS (via Twilio) to participants, to follow up with people who have not responded or to send them reminders before the event. This processing is necessary for the performance of the contract that binds us to our organiser customers (Article 6(1)(b) GDPR) – we act on the instructions of our customers to contact guests as part of event organisation. The organiser, as the person responsible for invitations, ensures that they have an adequate legal basis (for example their legitimate interest in inviting their professional contacts).
  • Participation tracking and check-in management: Our platform processes guest responses (confirmed participation, refusal, etc.), tracks registrations and manages event access. This data allows the organiser to track attendance in real time and manage participant presence on the day. Processing is carried out as part of the service provided (event management), on a contractual basis (Article 6(1)(b)).
  • Contact import: Evnyo offers a contact import feature to help our customers easily integrate their guest lists (for example from an address book). This operation, triggered at the user's request, involves processing contact details (e.g. names, emails, numbers) of your contacts in order to add them as guests. The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements. The legal basis is contract performance and the organiser's legitimate interest in simplifying the addition of participants (Article 6(1)(b) or (f) depending on the case). The customer undertakes to only import contacts that they are authorised to use and to have informed these people if necessary.
  • Data correction and AI image generation: To improve the user experience, we offer AI-assisted features. Specifically, Evnyo may send to OpenAI excerpts of data provided by the customer (for example a poorly structured CSV file or a copy-pasted list of participants) in order to correct the format or automatically generate an image (event visual) on request. These processing activities are intended to facilitate event preparation (standardised data, attractive visuals). The legal basis is contract performance, as these features are activated only at your request, to serve you. Note: Data transmitted to OpenAI is limited to what is strictly necessary (minimisation principle) and subject to automated processing. In accordance with OpenAI's terms of use, data submitted via their API is not used to train their models (unless we explicitly opt in, which we do not do) and is automatically deleted from their systems within a maximum of 30 days after processing. Important: Google Workspace contact data is used exclusively for event invitations. No AI/ML models use Google Workspace API data. Our AI features operate independently from Google data sources.
  • Anonymised statistics: Evnyo may develop global and anonymised statistics from event data (e.g. average response rate, total number of participants, etc.) in order to provide organisers with indicators of the success of their events and to improve our services. No personal data appears in these statistics (results are irreversibly aggregated). As the production of such statistics has no impact on privacy (non-identifying data), it may be carried out on the basis of our legitimate interest in evaluating and improving our services (Article 6(1)(f) GDPR).
  • Payment processing and billing: Evnyo uses Stripe to process payments from our organiser clients for using our pay-per-event platform, as well as for managing recurring billing and subscriptions. This function includes secure processing of banking details, payment validation, billing schedule management and transaction tracking. The legal basis for this processing is the performance of the contract that binds us to our clients (Article 6(1)(b) GDPR) – this payment data is essential to provide our paid service and meet our contractual billing obligations.
  • Cookies and consent management: On our website, we use cookies and trackers in accordance with the requirements of the ePrivacy Directive (2002/58/EC) and its national transpositions, particularly the strict German and French cookie regulations. Non-essential cookies (for example for audience measurement or personalisation features) are only placed after obtaining your prior, free, specific, informed and unambiguous consent via our consent banner managed by CookieYes. This consent is recorded and documented in accordance with the strictest standards. The legal basis for the use of non-essential cookies is your explicit consent (Article 6(1)(a) GDPR). Regarding cookies strictly necessary for the operation of the service (e.g. to remain logged into your account), they are based on our legitimate interest or the technical necessity linked to the execution of the requested service (Article 6(1)(b) or (f)). You can manage your cookie preferences at any time using the consent tool (CMP) and withdraw your consent as easily as you gave it. (See "Cookies" section below.)
  • Documentation of consent and legal obligations: In order to demonstrate our regulatory compliance in all countries where we operate, we keep proof of any consent you may have given (for example your consent to cookies via CookieYes, or to receiving communications if applicable). Under the GDPR and equivalent national laws, the data controller must be able to provide proof at any time that the person has consented under valid conditions. We therefore document the conditions for collecting consent and maintain a register of consent in accordance with the recommendations of European data protection authorities. This processing is necessary to comply with a legal obligation incumbent upon us (Article 6(1)(c) GDPR, Art. 7(1) GDPR – ability to prove consent). For example, the log of consent collected via CookieYes (including the history of each user's choices, an identifier, date/time and anonymised IP address) is stored securely in order to constitute proof in case of control or challenge.

In all circumstances, Evnyo only processes your personal data for the aforementioned purposes and will never carry out subsequent processing incompatible with these purposes without informing you and, where appropriate, obtaining your consent again. Furthermore, no automated decision-making or profiling within the meaning of Article 22 GDPR is implemented through our services.

5. Categories of data collected

As part of the above purposes, Evnyo may collect different categories of personal data:

  • Identification and contact data: name, first name, email address, telephone number of participants invited to an event (provided by the organiser or by the participant themselves during registration). For customer users (organisers), we collect names, first names, professional contact details, function/title, as well as information relating to the company (company name, address, VAT where applicable) when creating the account and billing.
  • Event-related data: information linked to the invitation and participation of people – e.g. invitation status (sent/opened), response (yes/no/pending), number of companions, preferences expressed (e.g. time slot choice or dietary requirements, if the organiser requests it), actual presence during check-in. This data enables event logistics tracking.
  • Imported data: if the organiser uses the contact import function, Evnyo will process data from their third-party address book (e.g. Gmail, Outlook contacts) that they have selected – typically name, email, company, telephone of contacts to be invited. Important: this import is only carried out at the user's initiative and with their explicit authorisation to access these contacts via the third-party service (which may request the corresponding OAuth authorisation). Evnyo does not use this data beyond constituting the guest list.
  • Content provided: any free content that you might enter on the platform, for example the personalised invitation message, the event logo or visual (which may contain an image, potentially someone's face if you upload it, etc.), or files that you attach (e.g. event programme PDF). This content is only used as part of the event (invitation distribution, making available to participants, etc.). When Evnyo uses OpenAI to generate an image or reformat provided text, the prompt and/or data sent to the AI may include certain elements of this provided content (e.g. raw text containing names). However, we ensure that we do not send superfluous or highly sensitive information to these external services.
  • Technical and browsing data: when you use the platform or visit the site, we may collect certain technical data: IP address (anonymised for audience measurement), device and browser information, language preferences, connection logs (dates/times) and cookies (see dedicated section). This data is mainly used for security, service provision (e.g. keeping your session open) and aggregated statistics. It can also be used to detect and prevent abusive use of the platform.

All data is collected directly from you (organiser user or guest) or comes from your use of the services (e.g. participation status). In the rare cases where data is transmitted to us by an authorised third party (e.g. a colleague registers you for an event via Evnyo), the organiser undertakes to have obtained the necessary authorisations. We ask our organiser-customers to ensure that they properly inform participants of the use of the Evnyo platform to manage invitations, in accordance with Article 14 GDPR where applicable.

6. Data recipients – Communication to third parties

Your personal data is accessible to authorised Evnyo personnel to the strict extent necessary (principle of limited access – for example, our support team may access information from your account to assist you). Apart from these internal accesses protected by confidentiality commitments, Evnyo does not communicate your data to third parties, except to its duly authorised technical service providers, listed below. These service providers act on our behalf and for our account as sub-processors, according to our instructions and in compliance with this policy.

We select our sub-processors with the greatest care, ensuring that they present sufficient guarantees in terms of data protection (expertise, security measures, GDPR compliance). Important: As an SME, Evnyo relies on standard contracts and DPAs (Data Processing Addendums) offered by its service providers. We do not have the contractual weight to negotiate personalised clauses with technology giants, but we ensure that their standard conditions meet the requirements of Article 28 of the GDPR. These standard DPAs define the subject matter and duration of processing, the nature of operations performed, the types of data and data subjects concerned, as well as the confidentiality, security and assistance obligations incumbent upon them. Our sub-processors will never use your data for purposes other than those we have specified to them according to their general terms of use. Here is the complete list of our service providers and their exact role:

  • CookieYes – Consent Management Platform (CMP): cookie consent management tool. CookieYes deploys the cookie banner on our site and records each user's choices regarding cookies. Role: ensure that non-essential trackers are only activated with consent, and keep proof of the user's consent or refusal. Location: CookieYes Limited is a company registered in the United Kingdom. Consent preferences may be stored locally (via a technical cookie on your browser) and/or on CookieYes servers. This data (anonymous consent identifier, date, type of consent) is purely technical and used to prove compliance with your choices.
  • OpenAI – Artificial Intelligence (AI): advanced AI service that we use via API for specific features (e.g. correcting poorly formatted data, generating images on demand). Role: algorithmic processing of content we submit to produce a result (corrected file or generated image) returned to Evnyo. Location: United States (OpenAI, Inc.). Data transmitted: text excerpts or instructions that you provide us for AI use (which may contain personal data if you have included it). Guarantees: In accordance with OpenAI's API terms of use (OpenAI API Data Processing Terms), the data we transmit is not used by OpenAI to train their AI models (except explicit opt-in on our part, which we do not do) and is automatically deleted from their systems within a maximum of 30 days after processing. OpenAI is contractually committed not to use this data for purposes other than providing the requested service.
  • Supabase – Database & File hosting: Supabase is our application infrastructure provider. Role: hosting the PostgreSQL database containing Evnyo data (accounts, events, invitations, responses, etc.), and storage of associated files (e.g. images of your events) in a dedicated space (bucket). Location: European Union. We use Supabase's European servers (EU region) so that all data and files are hosted exclusively in Europe. Note that Supabase relies on certified data centres (they notably use GDPR-compliant regional Cloud infrastructures). Data stored in the database or bucket is encrypted at rest (see Security section) and is only accessible to Evnyo applications and our authorised administrators. Supabase does not access data in plain text and does not use it other than for the technical needs of storage.
  • Vercel – Front-end hosting: Vercel is the hosting platform for our application front-end (Evnyo website and user interface). Role: distribution of the web application and static content to end users, via a global content delivery network (CDN) for optimal performance. Location: mainly in the United States (Vercel Inc.), with a CDN around the world (including servers in Europe) to bring content closer to the user. Transfer guarantees: Vercel is certified to the EU-US Data Privacy Framework and offers a standard Data Processing Addendum compliant with GDPR. Data concerned: essentially technical browsing data. When you use Evnyo, your browser connects to Vercel servers to load the interface; Vercel may log technical data (e.g. IP address, date, requested resource) for logging and caching needs, but does not process any stored application personal data (the database remains with Supabase). Vercel logs are only used for troubleshooting purposes and are purged regularly.
  • Postmark – Transactional email sending: emailing service (offered by Wildbit/ActiveCampaign) used to route emails generated by Evnyo. Role: reliable sending of transactional emails related to events (e.g. invitations, registration confirmations, reminders, post-event follow-ups) on behalf of the organiser. Location: mainly in the United States (Postmark sending servers), with redundant infrastructures. Transfer guarantees: Postmark offers a standard Data Processing Addendum (DPA) compliant with GDPR requirements and contractual guarantees for international transfers. Data transmitted: recipient's email address, invitation or message content (possibly including the guest's name, event details, etc.). Postmark acts as a simple sending vector and temporarily stores sending information (email log, delivery status) for tracking and proof of sending purposes. These logs are kept for a limited time then deleted according to their retention policy. Postmark is contractually bound to respect the confidentiality of transmitted data.
  • Twilio – Transactional SMS sending: platform used for sending SMS (for example invitations or SMS reminders, or verification messages) to participants who have provided a telephone number. Role: route SMS to your contacts' telephone operators. Location: Twilio Inc. is an American company, but has points of presence in the EU. By default, SMS requests from Evnyo are routed via servers located in the EU. However, in case of overload or need for international routing, the message may be processed by a server outside the EU (e.g. in the United States) to guarantee deliverability – this is the international "fallback". Transfer guarantees: Twilio has Binding Corporate Rules (BCR) approved by European data protection authorities and offers a Data Processing Addendum compliant with GDPR. Data transmitted: recipient's telephone number, SMS text content (possibly including the event name or a confirmation link). Twilio only retains this data for logging and billing (message details) and deletes it according to deadlines compliant with telecom regulations.
  • Stripe – Payment processing: payment platform used to process payments from our event organiser clients and billing for our services. Role: secure processing of credit card payments, bank transfers, and other payment methods, as well as billing and subscription management. Location: Stripe Europe, Ltd. (Ireland) for European clients, with infrastructure distributed across Europe and SEPA compliance. Transfer guarantees: Stripe has comprehensive GDPR certifications and applies Standard Contractual Clauses (SCCs) for any transfers outside the EU. Data transmitted: organiser billing details (name, address, email, payment information), transaction amounts, billing history. Stripe acts as a data controller for payment-related aspects and as a processor for data we transmit to them as part of our service. Payment data is encrypted and secured according to PCI DSS standards. Stripe retains transaction data according to its own retention policies and financial regulatory obligations.
  • OVH – Domain name & DNS management: OVHcloud is our registrar and DNS host for the evnyo.com domain. Role: technical management of the domain name, DNS records (notably those linked to email sending, such as SPF/DKIM), and hosting of certain ancillary functions (e.g. site redirection to Vercel). Location: France (OVH, French company). Personal data: very little data in reality – OVH essentially processes technical data (DNS queries from visitors, which do not contain personally identifiable data per se except possibly the IP of the person making the query). For transparency, we mention OVH because it is a service provider in our technical chain, but it does not exploit any end user data.

Each aforementioned service provider only acts on Evnyo's instructions and never for its own account. We maintain control of your data. If in the future we were to use new service providers or change one of them, we would update this list and, where appropriate, inform you beforehand if this impacts your data. You of course retain your rights (see "Your Rights" section) including on data processed through these sub-processors: Evnyo remains your single point of contact.

7. Sub-processing and compliance (Article 28 GDPR)

Evnyo ensures that all its sub-processors offer robust contractual guarantees in terms of data protection, in accordance with Article 28 of the GDPR. This means in particular that:

  • We only authorise our sub-processors to process data for specific and documented purposes, in connection with our instructions. A sub-processor cannot under any circumstances reuse your data for its own use (e.g. marketing) or transmit it to third parties without authorisation.
  • Each sub-processor is bound by a strict confidentiality clause concerning the data to which they may have access. The personnel of our service providers authorised to handle your data are subject to a legal or contractual duty of confidentiality.
  • Our contracts require these service providers to implement all security measures required by Article 32 of the GDPR (see details in the Security section below), and to assist us in enabling the exercise of your rights (e.g. if you requested deletion of your data, the sub-processor must cooperate to delete them from their systems).
  • No further sub-processor (called "second-level sub-processor") may be engaged without our prior written authorisation. If one of our service providers wishes to engage another to execute part of the processing, they must inform us beforehand and impose identical obligations on them by contract. In any case, the initial service provider remains fully responsible to Evnyo for any fault of their further sub-processor (principle of cascading responsibility, Art. 28(4) GDPR).
  • At the end of the service, our contracts stipulate that sub-processors must, at Evnyo's choice, delete all personal data or return it to us and destroy any existing copy (unless a legal obligation requires otherwise). For example, if you delete an event and request deletion of participant data, we will ensure that this information is also deleted from our service providers' systems (Supabase, backups, etc.).
  • Finally, our sub-processors must provide us with all information necessary to demonstrate compliance with GDPR requirements and allow any audits to be carried out. Evnyo carries out regular due diligence (review of certifications, third-party audits, security reports) to ensure continued compliance with these obligations.

By working with an ecosystem of compliant and contractually committed service providers, Evnyo guarantees that the sub-processing of certain operations does not weaken the level of protection applied to your data.

8. European Hosting – Data Sovereignty

Evnyo places particular importance on data sovereignty and localization. All your files and data are hosted exclusively within the European Union through our technology partner Supabase, whose European infrastructure ensures strict data localization on EU territory. This European approach allows us to maintain optimal legal control over your information, with the documents you import and participant lists remaining physically on European servers, subject to European regulation. The benefits are twofold: reduced latencies thanks to geographical proximity with your European participants, and better legal control, with your data not exposed to the extraterritorial legislation of third countries. In summary, Evnyo prioritizes European hosting compliant with digital sovereignty requirements, guaranteeing enhanced security and reinforced GDPR compliance.

9. International data transfers

Evnyo aims as far as possible to avoid data transfers outside the European Economic Area (EEA). The general rule is that data is processed and stored within the EU. However, because some of our sub-processors or tools are based outside the EU, international data transfers may occur in a limited manner. We detail below these cases and the guarantees put in place:

  • No unregulated transfer: No transfer of personal data is carried out to a non-EEA member country without protection. All our international flows are subject to safeguards that ensure a level of data protection essentially equivalent to that of the EU. In practice, this means that if your data is to leave European soil, Evnyo relies on one of the mechanisms provided for by the GDPR: for example, the existence of an adequacy decision by the European Commission for the destination country, or the signing of Standard Contractual Clauses (SCCs) when it is a transfer to a service provider located in a country without adequacy.
  • Service providers located outside the EU: Among our listed sub-processors, some are established in the United States (e.g. OpenAI, Postmark, Twilio, Vercel) or in Ireland (Stripe). As such, data transmitted to them as part of their mission constitutes transfers outside the EU mainland. Important: Evnyo ensures that all its non-EU subcontractors have validated transfer mechanisms (BCR, SCCs, adequacy decision). The standard DPAs used comply with Article 28 GDPR requirements. Specifically:
      • Stripe: based in Ireland (EU) for European clients, has comprehensive GDPR certifications and applies Standard Contractual Clauses (SCCs) for any transfers outside the EU
      • Twilio: has Binding Corporate Rules (BCR) approved by European authorities and adheres to the conditions of their standard Data Processing Addendum
      • Postmark: offers a standard Data Processing Addendum (DPA) compliant with GDPR requirements
      • Vercel: certified to the EU-US Data Privacy Framework and offers a standard DPA
      • OpenAI: applies the standard OpenAI API Data Processing Terms (retention ≤ 30 days, no training without opt-in)

These mechanisms, although not individually negotiated by Evnyo, offer legal guarantees equivalent to SCCs to protect your data during international transfers.

  • United Kingdom: As the service provider CookieYes is based in the United Kingdom, it should be noted that the United Kingdom has benefited from an adequacy decision by the European Commission since 28 June 2021, allowing data transfers under the same conditions as to the EEA (in accordance with Article 45 GDPR). However, the United Kingdom now applies the UK GDPR and the Data Protection Act 2018, which may present divergences from the European GDPR. Evnyo monitors the evolution of this adequacy decision and British regulations, and will take the necessary measures if the situation changes (e.g. conclusion of a UK Addendum to SCCs, etc.).
  • Special case of Twilio (SMS): As mentioned, Twilio has legally approved mechanisms. Twilio has notably implemented internal Binding Corporate Rules (BCR) validated by European authorities, which constitute its main transfer instrument. In addition, Twilio adheres to SCCs for third countries not covered by its BCR. Thus, the use of Twilio to send SMS (including if they are routed outside the EU) remains compliant with European requirements.
  • Proportionality: We ensure that data sent outside the EU is minimised with regard to the purpose. For example, when OpenAI is requested to correct text, we only transmit the necessary text, without additional metadata. Similarly, for an SMS via Twilio, only essential information (SMS content, number) is concerned. None of your Evnyo data is hosted outside the EU on a massive or systematic basis; any transfers are occasional and limited in scope.
  • Transfer risk assessment: Before using any service provider located outside the EU, Evnyo assesses the risks linked to the transfer of personal data taking into account:
      • The nature and sensitivity of the data transferred (minimisation to what is strictly necessary)
      • The purpose and duration of processing
      • The contractual guarantees offered by the service provider (DPA, BCR, Data Privacy Framework certification)
      • The legislation of the destination country and risks of government access
      • Additional technical security measures (encryption, pseudonymisation)

This assessment allows us to ensure that each transfer benefits from an adequate level of protection, even without negotiating personalised SCCs.

In summary, no transfer of your data outside the EEA takes place without a strict framework. Evnyo remains attentive to case law developments (Schrems II judgment, etc.) and authority recommendations, and adjusts its international transfer mechanisms where necessary. Our objective is for your data, wherever it is located, to benefit from a level of confidentiality and security compliant with European standards.

10. Data retention periods

Evnyo only retains your personal data for limited periods, proportionate to the purposes for which it was collected, and in compliance with legal requirements. Here are our main retention policies:

  • Event and participant related data: Personal data of guests/participants (names, contacts, status, etc.) is retained during the lifetime of the event and its active management, then deleted or anonymised 90 days after the end of the event or termination of the contract, whichever comes first. In practice, as soon as an event has ended and been closed by the organiser, a retention counter starts. After 90 days, we purge from our database all identifying details relating to this event (list of participants with their information). This 3-month period after the event allows the organiser to still access reports and statistics, carry out post-event follow-ups (anonymous thanks, reports) and manage any claims (e.g. request for certificate of attendance) before deletion. After this deadline, the organiser no longer has access to participants' personal data on Evnyo, which is either permanently deleted or kept in aggregated/anonymised form for global statistics. (Example: an 80% participation rate may be retained without any mention of who participated or not.)
  • Customer account data (organiser): Information relating to your Evnyo account (user profile, client company information, billing history) is retained as long as you use our services and are an active customer. If you decide to close your account or in case of contract termination, we will delete or anonymise your profile data and past events no later than 30 days after the end of the contract, except for data we must keep longer to comply with our legal obligations or to establish proof of a right. For example, billing data (invoices issued, payment information) will be retained in accordance with accounting and tax obligations for the legal duration (in France, 10 years for accounting documents). It will then be deleted. Similarly, contractual exchanges that may have legal value may be archived for the duration of the applicable limitation periods.
  • Technical logs and browsing data: System activity logs (connections, actions performed) are retained for security and traceability for a period of 12 rolling months, unless a different legal requirement applies. More sensitive logs (e.g. administrator access logs) may be kept for up to 2 years. IP addresses collected for security or logging purposes are generally retained for 3 months (except IPs associated with administration logs, retained for 2 years). Browsing data collected for statistical purposes (via analytical cookies) is aggregated and anonymised immediately, but raw data associated with cookies (e.g. cookie identifier) may be retained for a maximum of 13 months in accordance with recommendations from European data protection authorities, particularly the strict requirements of the French CNIL and German authorities.
  • Consent: Consent records (e.g. CMP logs from CookieYes, opt-in proof) will be retained for the time necessary to be able to prove compliance in all countries where we operate. Thus, cookie consent logs are archived for 6 months to 13 months (depending on whether the user maintains their choices or renews them), in line with the strictest national cookie regulations. Proof of consent to receive communications (if Evnyo offers a newsletter or other) would be retained until sending ceases, plus 3 years (limitation period). Generally, we do not delete proof of consent as long as the relevant processing is ongoing and not disputed. In case of consent withdrawal, we may retain the information that you have objected (opposition list) for as long as necessary to avoid soliciting you unduly.
  • Backups: Our system performs regular encrypted database backups to ensure service continuity. These backups may contain personal data and are generally retained for 30 rolling days before being overwritten by new backups. Thus, even after deletion of data in the main database, a copy may remain in a backup until it expires. After 30 days, backups containing this obsolete data are automatically destroyed. Backups are only accessible for restoration purposes by our administrators and are subject to the same security and confidentiality measures.

At the end of the above durations, data is either securely deleted or made irreversibly anonymous. When data is anonymised, it falls outside the scope of GDPR (no person is identifiable anymore) and may be retained longer without particular limit, for example to feed our global statistics or internal analyses.

Special exceptions: It may happen that we must retain certain data longer in case of litigation or investigation (e.g. data freeze at the request of an authority, or retention until resolution of a dispute). In this case, we will block access to the relevant data and retain it for the time necessary for judicial or administrative action. Your data may also be retained longer if the law requires it (e.g. as part of a legal obligation of retention or public archiving).

We regularly reassess our retention policies to avoid storing personal data longer than necessary. If you believe that one of your data items is unduly retained, do not hesitate to exercise your right to erasure (see below "Your Rights"); we will analyse your request carefully in compliance with GDPR.

11. Data security

Evnyo implements rigorous technical and organisational security measures to protect your data against risks of loss, alteration, disclosure or unauthorised access, in accordance with Article 32 of the GDPR. Our security approach is based on industry best practices and continuous risk assessment. Among the measures in place:

  • Exchange encryption (TLS): All communications between your browser/device and the Evnyo platform are protected by end-to-end TLS 1.3 encryption (https). This guarantees that the data you transmit or consult on Evnyo cannot be intercepted or read by a third party during transit. You can verify the presence of the security padlock in your browser when using the service.
  • Data encryption at rest: Personal data stored in our database as well as files imported into the Supabase bucket are encrypted at rest using state-of-the-art algorithms (AES-256 for example). Encryption at rest means that even in case of physical access or theft of storage media, data remains unreadable without the appropriate decryption keys. These encryption keys are kept secret and protected on secure modules.
  • Access control and enhanced authentication: Internally, access to personal data is strictly reserved for people who need it for their functions (need-to-know principle). We use fine-grained role-based access management (RBAC – Role-Based Access Control) to segment permissions within our team. For example, a support technician can see certain data from your account to help you, but will not have access to financial data or guest lists of other customers. In addition, all our administrator and sensitive accounts are protected by mandatory multi-factor authentication (MFA), reducing the risk of intrusion via password theft. Customer user authentication also supports security standards (salted hashed passwords, complexity requirements, possibility of 2FA if you wish, etc.).
  • Testing, audits and security maintenance: We regularly carry out penetration testing and vulnerability analysis on our platform to identify potential flaws. Any software component or dependency is updated promptly when a security patch is available. We follow OWASP Top 10 recommendations to prevent common application vulnerabilities (injections, XSS, CSRF, etc.). Furthermore, our critical sub-processors (e.g. Supabase, Vercel) are certified or audited (ISO 27001, SOC 2 Type II certifications, etc.), ensuring a high level of infrastructure security.
  • Integrity and resilience: Our systems integrate mechanisms guaranteeing the confidentiality, integrity, availability and resilience of your data. For example, we duplicate data on several redundant servers to prevent loss in case of failure (with regular backups as mentioned). Access to production data is logged and monitored continuously. Any anomaly (unjustified access attempt, suspicious traffic spike, etc.) triggers real-time security alerts. We also have emergency restoration procedures tested regularly to quickly restore service and data access in case of major incident (business continuity plan/disaster recovery plan).
  • Development security: Our teams integrate security from the design of new features (privacy by design & by default, Art. 25 GDPR). Test environments are isolated from real data (we use fictitious datasets for development so as not to expose real data). Any code modification is subject to reviews (code review) and unit/functional tests including on security aspects.
  • Staff confidentiality and training: Each Evnyo employee with access to personal data is contractually subject to a confidentiality obligation. In addition, we regularly raise awareness among all staff of good data protection practices (GDPR training, IT security, procedures to follow in case of incident, etc.).
  • Physical and environmental measures: Although Evnyo is a cloud solution, we ensure that our hosts have robust physical protection measures (24/7 monitored data centres, biometric or badge physical access control, electrical redundancy, fire detection, etc.).

In the event of a personal data breach despite all these precautions (e.g. proven intrusion, loss or unauthorised disclosure of data), we undertake to follow the legal procedure: notification to the CNIL within 72 hours if required (Article 33 GDPR) and communication to data subjects when the breach is likely to result in a high risk for them (Article 34 GDPR). We have an internal security incident register and an incident response plan to effectively manage this type of situation. Our objective is to be proactive and transparent: if you are affected by a serious incident, you will be informed as soon as possible, with all information about the nature of the incident and measures taken.

12. Your rights as a data subject

In accordance with GDPR, you have a set of rights relating to your personal data. Evnyo is committed to guaranteeing effective respect for these rights and offering you simple ways to exercise them. Here is a summary of your fundamental rights:

  • Right to be informed: you have the right to be clearly informed about the processing of your data (this is precisely the purpose of this privacy policy). We strive to provide you with all information required by Articles 13 and 14 GDPR (controller identity, purposes, legal bases, recipients, retention periods, etc.).
  • Right of access: you may ask us to confirm that we hold personal data concerning you, and if so, obtain a copy as well as information about the processing methods (purposes, data categories, recipients, etc.). Concretely, this allows you to know what data we have about you. We will provide this information in an understandable form and by the communication means of your choice (electronic or paper). Note: for event guests, insofar as Evnyo acts as a processor for the organiser, it is often more relevant to first approach the organiser (data controller) for access to your registration data. However, you may also contact us directly; we will then coordinate with our customer to provide you with a complete response.
  • Right to rectification: if you find that data concerning you is inaccurate or incomplete, you may request its correction or update. For example, if your name is misspelled or if you change email address, we will make the modification as soon as possible. In practice, organiser users can rectify certain information in their account themselves via profile settings. For participants, a request may be addressed to the organiser or to us, and we will rectify on instruction from the organiser.
  • Right to erasure ("right to be forgotten"): you may obtain deletion of your personal data from our files, particularly if it is no longer necessary in relation to the purposes for which it was collected, or if you withdraw your consent (when processing was based on consent). This right is not absolute: we may have to retain certain data if a legal obligation requires us to do so or if it is still necessary to establish/exercise/defend a right in court. Concretely, for a guest who no longer wishes to appear in the participant list, the organiser or ourselves can delete their data (which will be carried out unless there is a legitimate impediment). If Evnyo intervenes as a processor, we will inform the organiser of your erasure request and, unless they give a legitimate instruction to the contrary, we will proceed with effective deletion of your data in our systems and confirm the operation.
  • Right to restriction of processing: in certain situations, you may request restriction (temporary freeze) of the processing of your data. For example, if you contest the accuracy of data or the lawfulness of processing, while we verify or find an agreement, you may request that the data no longer be used (but simply retained). When restriction is granted, we no longer process the data except to retain it or for imperative legal reasons. We will inform you beforehand if restriction must be lifted.
  • Right to object: you have the right to object, for reasons relating to your particular situation, to any processing of your data based on Evnyo's legitimate interest (Article 6(1)(f)). If you exercise this right, we will cease the contested processing, unless there are legitimate and compelling reasons to continue (for example, the need to retain certain data for the defence of rights in court) or if processing is required by law. You may also object at any time to the processing of your data for prospecting purposes (e.g. if Evnyo sent newsletters or marketing communications – which we only do with consent). In this latter case, the objection is absolute: we will stop sending solicitations without condition. Regarding cookies, your right to object translates into the possibility of refusing any non-essential cookie via the CMP (which is a form of objection to advertising profiling processing for example).
  • Right to data portability: you have the right to receive your personal data that you have provided to us, in a structured, commonly used and machine-readable format, and to transmit it to another data controller if you wish. This right only applies to data that you have actively provided (e.g. your profile information, imported guest lists) or generated by your activity, and only for automated processing based on your consent or a contract. In practice, organisers can export much of their data themselves via our interface (e.g. export the list of event participants in CSV). If you want Evnyo to facilitate transfer to another service, we will do our best (e.g. provide a file containing your events and invited contacts). For participants, portability may be exercised with the organiser (who is responsible for processing their invitation data) or with Evnyo, who will relay the request.
  • Right not to be subject to automated decision-making: Evnyo does not make any decisions having legal or significant effects on you in an automated way (without human intervention). This right, provided for in Article 22 GDPR, targets cases like automatic profiling leading to service refusal, etc., which does not occur here. In any case, you would have the right to request human intervention, express your point of view and contest the decision.

In addition to these rights, we remind you that if the processing of your data is based on your consent, you may withdraw this consent at any time (as easily as you gave it). Withdrawal of consent terminates the relevant processing for the future, without retroactive effect (this does not affect the lawfulness of past processing). For example, you can unsubscribe from a newsletter or refuse optional cookies; we will respect this choice immediately.

Exercising your rights: These rights may be exercised free of charge (except in cases of repeated abuse) by contacting us at the contact details indicated in the Data Controller section. To facilitate your procedures, you can send an email to privacy@evnyo.com specifying the purpose of your request and confirming your identity (to prevent a third party from fraudulently exercising your rights in your place, we might ask you for proof or verification). You may also send a postal letter to our legal address (mentioned on our site) for the attention of the data protection referent. We will acknowledge receipt of your request and respond as soon as possible.

Response time: We undertake to respond to you within 1 month from receipt of the request. If your request is complex or we receive many requests, this deadline may be extended by 2 additional months, but you will then be informed of the need for extension within the first month. In case of exceptional refusal to grant your request (for example if it is manifestly unfounded or excessive, Art. 12(5) GDPR), we will explain the reasons and you will have the possibility to challenge this decision.

Evnyo will always strive to facilitate the exercise of your rights. No reasonable request will be ignored. If you believe that we have not satisfied you in exercising your rights, or more generally that we do not respect our data protection obligations, you have the right to lodge a complaint with the competent supervisory authority of your country of residence:

  • France: Commission Nationale de l'Informatique et des Libertés (CNIL) - Website: cnil.fr, "Complaints" section. Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
  • United Kingdom: Information Commissioner's Office (ICO) - Website: ico.org.uk
  • Germany: Depending on your Land of residence, contact the competent authority via bfdi.bund.de
  • Spain: Agencia Española de Protección de Datos (AEPD) - Website: aepd.es
  • Italy: Garante per la protezione dei dati personali - Website: garanteprivacy.it
  • Portugal: Comissão Nacional de Proteção de Dados (CNPD) - Website: cnpd.pt
  • Poland: Urząd Ochrony Danych Osobowych (UODO) - Website: uodo.gov.pl
  • Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) - Website: dataprotection.ro
  • Netherlands: Autoriteit Persoonsgegevens (AP) - Website: autoriteitpersoonsgegevens.nl
  • Belgium: Autorité de protection des données (APD/GBA) - Website: dataprotectionauthority.be
  • Austria: Datenschutzbehörde (DSB) - Website: dsb.gv.at

If you reside in another EU/EEA country, you may contact the data protection authority of your country, which will, where appropriate, forward your complaint to the lead authority (the French CNIL for Evnyo) or handle it in cooperation with that authority under the GDPR one-stop-shop mechanism.

However, we invite you to contact us first: we are open to dialogue and will do everything possible to directly resolve any problem you bring to our attention.

(Note: For participants invited via Evnyo, remember that the event organiser is generally the main "data controller" for your invitation data. Evnyo then acts as a processor. Thus, you may address your requests either directly to the organiser (who will relay them to us if necessary), or to Evnyo via our data protection referent – we will cooperate closely with the organiser to respond to you.)

13. Cookies and trackers

The Evnyo site and platform use cookies and similar technologies for various purposes, in accordance with the requirements of the ePrivacy Directive (2002/58/EC) and its national transpositions, particularly:

  • France: Articles 82 et seq. of the amended Loi Informatique et Libertés
  • Germany: Telemediengesetz (TMG) and strict BGH requirements
  • Spain: Ley de Servicios de la Sociedad de la Información (LSSI)
  • Italy: Codice Privacy and Garante guidelines
  • United Kingdom: Privacy and Electronic Communications Regulations (PECR)
  • Netherlands: Telecommunicatiewet and strict Autoriteit Persoonsgegevens guidelines
  • Belgium: Loi du 13 juin 2005 relative aux communications électroniques
  • Austria: Telekommunikationsgesetz (TKG) and strict DSB standards
  • Other countries: Equivalent national regulations

Enhanced consent: During your first visit, a consent banner (provided by CookieYes) allows you to accept or refuse non-essential cookies in a granular manner by category. In accordance with the strictest European standards, we obtain your prior, free, specific, informed and unambiguous consent for each purpose. You can modify your choices at any time by clicking on the "Cookies" link or dedicated icon available on the site, and withdraw your consent as easily as you gave it.

The cookies we use are classified into the following categories:

  • Strictly necessary cookies: essential for the operation of the site or provision of the service you request. For example, session cookies to keep you logged in, or those used to remember consent choices. These cookies do not require prior consent according to the exception in Article 5(3) of the ePrivacy Directive. You cannot disable them without impairing the service, but they do not process personal data other than purely technical data.
  • Performance and statistics cookies: these cookies (Google Analytics or equivalent, configured in compliance with regulations with IP anonymisation and limited retention duration) help us understand how the site is used, which pages are most visited, etc. We have configured these tools to anonymise your IP and avoid any individual tracking. They are only placed with your explicit consent. The data collected is aggregated to improve our services and site ergonomics.
  • Functionality cookies: improve your experience (e.g. remembering your display preferences, language, etc.). They are optional and subject to prior consent.
  • Communication cookies: if Evnyo integrates live chat modules, video conferencing or other third-party services (e.g. for webinars) in the future, these services might place their own cookies. They will also be subject to consent and clearly identified in the CMP.

Retention duration: Each cookie has a predefined lifespan proportionate to its purpose (e.g. session, 1 month, 13 months maximum for analytical cookies). You will find details of each cookie, its purpose, issuer and duration in our Cookie Policy accessible via the CMP.

Consent traceability: Evnyo maintains a detailed register of cookie consent via CookieYes, which allows us to keep proof of your agreement or refusal for each cookie category on our site. This traceability guarantees that we respect your preferences continuously and allows us to demonstrate our compliance in the event of an inspection.

No data monetisation: We do not sell browsing data to advertisers or other third parties. If third-party cookies (e.g. embedded YouTube, Google Maps) were used, they would also be subject to your prior consent and clearly identified.

For more information about our use of cookies, and how to configure them, consult our dedicated "Cookie Management Policy" page or contact us.

14. Photo uploads and user responsibility

Evnyo allows event participants to upload photos to event albums when this feature is enabled by the organiser. When uploading photos to an event, users must provide explicit consent and acknowledge the following responsibilities:

User consent and responsibilities: Before uploading any photo, users must confirm that:

  • They have the right to share the uploaded content
  • All identifiable people in the photos have given their consent to be photographed and for the photos to be shared in the event context
  • The event organiser may use these photos within the scope of the event
  • They accept full responsibility for the content they upload

Responsibility allocation: To ensure clear accountability:

  • The uploader is solely responsible for the content they upload, including obtaining necessary permissions from people appearing in photos
  • The event organiser is responsible for moderating content if they have enabled moderation, and for the use they make of uploaded photos
  • Evnyo acts as a technical intermediary and is not responsible for user-uploaded content, but will cooperate with legitimate removal requests

Image rights and privacy: Users uploading photos must respect:

  • The image rights of all people appearing in photos
  • Privacy laws applicable in their jurisdiction
  • The event's specific context and any restrictions communicated by the organiser

Content removal: If you appear in a photo and wish to have it removed, you can:

  • Contact the event organiser directly
  • Use the report function available on each photo
  • Contact our data protection officer at privacy@evnyo.com

We will process removal requests in accordance with applicable laws and may require proof of identity to ensure the legitimacy of the request.

Technical measures: For transparency, we record:

  • Consent confirmation (timestamp and anonymised IP)
  • Upload metadata for accountability

In addition, all photos are processed to remove GPS location data for privacy.

15. Policy changes

This privacy policy may evolve, particularly to reflect changes in our practices or to comply with possible legal/regulatory modifications. In case of substantial modification (e.g. new purposes, new recipients, etc.), we will inform you beforehand, via a notice on the site or an email, and if required by law, we will seek your consent when the modification requires it. The updated version of the policy will always be accessible on our site in the "Privacy" section. We invite you to consult it periodically.

Effective date: This policy is in force from 06/01/2025.

By choosing Evnyo, you entrust your data to a platform that places privacy and security at the heart of its concerns. We hope this document has provided you with all the transparency expected about our practices. If you have any additional questions about your data or our compliance, please do not hesitate to contact us – our team and our data protection referent are here to provide you with expert and personalised responses.

Thank you for your trust, and successful events with Evnyo!