Welcome to our Privacy Policy

Effective Date: March 10, 2026  |  Last Updated: March 10, 2026

Eventic ("we", "us", or "our") is committed to protecting the privacy and personal data of every person who visits or uses the Eventic platform (the "Platform"), accessible at eventic.in. This Privacy Policy describes what personal data we collect, why we collect it, how we use and protect it, and the rights available to you — including rights under the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).

This Policy applies to all users worldwide, with additional provisions specifically for residents of the European Economic Area (EEA), the United Kingdom (UK), and the United States (California). By accessing or using the Platform you acknowledge that you have read and understood this Policy.

1. Who We Are & Data Controller

The data controller responsible for your personal data is:

• Company name: EventicHub Pvt. Ltd.
• Website: https://eventic.in
• Contact email: contact@eventic.in
• Data Protection / Privacy enquiries: privacy@eventic.in

For EEA/UK residents: if you require a local representative or wish to lodge a complaint with a lead supervisory authority, please contact us at the email above and we will direct you to the appropriate contact.

2. Information We Collect

2.1 Information You Provide Directly

When you register, create an invitation, make a purchase, or contact us, we may collect:

1. Identity data: Full name, username, profile photo
2. Contact data: Email address, phone number, billing address, country
3. Account credentials: Hashed passwords (we never store plain-text passwords)
4. Event & invitation data: Event name, date, venue, guest list details, RSVP responses, media uploads (photos, music files)
5. Payment data: Billing name, billing address, last four digits of card, and transaction identifiers. Full card numbers are processed exclusively by our PCI-DSS certified payment processors and are never stored on our servers.
6. Communications: Messages, support tickets, and feedback you send us
7. Preferences: Language, currency, notification settings

2.2 Information We Collect Automatically

When you use the Platform, we automatically collect:

1. Device & technical data: IP address, browser type and version, operating system, device identifiers, screen resolution
2. Usage data: Pages visited, features used, time spent, search queries, links clicked, referring URLs
3. Location data: Country/region inferred from IP address. Precise geolocation is only collected with your explicit consent.
4. Cookie & tracking data: See Section 8 (Cookies) for full details
5. Log data: Server logs recording access times, error rates, and API calls

2.3 Information We Receive From Third Parties

1. Social login providers (Google, etc.): If you sign in via a third-party account we receive your name, email, and profile photo as permitted by that provider's settings.
2. Payment processors (e.g., PayPal, Razorpay): Transaction status, fraud signals, and billing confirmations.
3. Analytics providers: Aggregated or pseudonymised user behaviour data.
4. Anti-fraud and security services: Risk scores and flagged signals.

3. Legal Basis for Processing Personal Data (EEA & UK Users)

Under GDPR, we process your personal data only where we have a valid legal basis. The bases we rely on are:

1. Contract (Art. 6(1)(b)): Processing is necessary to provide the services you have requested — creating invitations, managing RSVPs, processing payments, and delivering your account.
2. Legal obligation (Art. 6(1)(c)): We must retain certain financial and transactional data to comply with tax, accounting, and anti-money-laundering laws.
3. Legitimate interests (Art. 6(1)(f)): We process certain data for fraud prevention, platform security, service improvement, and internal analytics, where those interests are not overridden by your rights.
4. Consent (Art. 6(1)(a)): For marketing emails, non-essential cookies, and precise geolocation — collected only with your explicit, freely given, and withdrawable consent.
5. Vital interests / Public task: In rare emergency circumstances that require disclosing data to protect life or comply with law enforcement.

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. To withdraw consent, email privacy@eventic.in or use the account settings page.

4. How We Use Your Information

1. To create and manage your account and deliver the core invitation services
2. To process payments and issue receipts or refunds
3. To send transactional emails (booking confirmations, RSVP notifications, password resets)
4. To send marketing communications — only where you have provided explicit consent, and always with a clear unsubscribe link
5. To personalise your experience and show relevant templates or features
6. To detect, investigate, and prevent fraudulent transactions and abuse
7. To analyse usage patterns and improve Platform functionality and performance
8. To comply with applicable laws, regulations, legal processes, and lawful governmental requests
9. To enforce our Terms of Service and other policies
10. To respond to your enquiries and provide customer support

5. Data Sharing & Disclosure

We do not sell your personal data to third parties. We share your data only in the circumstances described below.

5.1 Service Providers (Data Processors)

We engage trusted third-party vendors to operate certain parts of the Platform. These processors act only on our instructions and are bound by data processing agreements in accordance with GDPR requirements:

• Cloud hosting & infrastructure: Amazon Web Services (AWS) / equivalent
• Payment processing: Razorpay, PayPal — subject to their own PCI-DSS and GDPR compliance programmes
• Email delivery: Transactional and marketing email providers
• Analytics: Google Analytics (with IP anonymisation enabled), Microsoft Clarity
• Customer support tools: Helpdesk software used to manage support tickets
• QR code generation & media storage: Secure object storage services
• Anti-fraud / security: Third-party risk and fraud detection services

5.2 Business Transfers

If Eventic is involved in a merger, acquisition, restructuring, or sale of all or a portion of its assets, your data may be transferred. We will notify you via email and/or a prominent notice on the Platform before your data is transferred and becomes subject to a different privacy policy.

5.3 Legal & Regulatory Disclosures

We may disclose your data when required by law, court order, regulatory authority, or to protect the rights, property, or safety of Eventic, our users, or the public. We will, where legally permitted, notify you of such a request.

5.4 With Your Consent

We may share data with third parties when you have given us explicit consent to do so.

6. International Data Transfers

Eventic operates globally. Your data may be transferred to, stored, and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home country.

For transfers from the EEA or UK to third countries not deemed adequate by the European Commission, we rely on one or more of the following safeguards:

1. European Commission Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs)
2. Adequacy decisions covering the destination country
3. Binding Corporate Rules (where applicable)
4. Derogations under Art. 49 GDPR for specific situations (e.g., explicit consent, performance of a contract)

To obtain a copy of the safeguards we have put in place for international transfers, contact us at privacy@eventic.in.

7. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy and to comply with our legal obligations. Our general retention schedule is:

• Account & profile data: Retained for the life of your account plus 30 days after account deletion (to allow for accidental deletion recovery). Thereafter, data is permanently deleted or anonymised.
• Invitation & event data: Retained for the life of your account. After account deletion, retained for up to 90 days then permanently purged.
• Payment & transaction records: Retained for 7 years to comply with financial and tax legislation.
• Server and security logs: Retained for up to 12 months and then deleted.
• Marketing consent records: Retained until you withdraw consent, plus 3 years as proof of consent.
• Support correspondence: Retained for 3 years after the case is closed.

When data is no longer required, it is securely deleted or anonymised so that it can no longer be associated with any individual.

8. Cookies & Tracking Technologies

We use cookies and similar tracking technologies (pixels, local storage, session tokens) to operate and improve the Platform. Cookies are small text files placed on your device.

8.1 Types of Cookies We Use

• Strictly Necessary Cookies: Essential for the Platform to function — session management, security tokens, CSRF protection, load balancing. These cannot be disabled without breaking core features.
• Functional Cookies: Remember your preferences such as language, currency, and logged-in state for a better experience.
• Analytics Cookies: Help us understand how users navigate the Platform (e.g., Google Analytics, Microsoft Clarity). We use IP anonymisation and do not store full IP addresses via these tools.
• Marketing / Targeting Cookies: Used to deliver relevant advertising and to measure the effectiveness of our campaigns. These are set only with your explicit consent.

8.2 Your Cookie Choices

On your first visit, we present a cookie consent banner. You can accept all, accept necessary only, or customise your preferences. You may also:

1. Change your cookie preferences at any time via the "Cookie Settings" link in the footer
2. Configure your browser to block or delete cookies (see your browser's help documentation)
3. Use browser extensions designed to block trackers

Disabling non-essential cookies may reduce the quality of your experience but will not prevent you from using the core features of the Platform.

8.3 Third-Party Tracking

Google Analytics data is subject to Google's Privacy Policy. Microsoft Clarity data is subject to Microsoft's Privacy Statement.

9. Payment Data & Financial Security

All payment transactions on the Platform are processed by PCI-DSS Level 1 certified third-party payment processors. We do not store, process, or transmit full credit or debit card numbers on our servers. The payment processors we work with — including Stripe and PayPal — employ industry-standard encryption and tokenisation.

We retain only non-sensitive payment metadata (transaction ID, amount, currency, payment status, last four digits of card) necessary for billing, refunds, and fraud prevention.

10. Data Security

We implement a comprehensive set of technical and organisational security measures, including:

1. Encryption in transit: All data exchanged between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
2. Encryption at rest: Sensitive data fields are encrypted in our database using industry-standard algorithms.
3. Password security: Passwords are hashed using a strong one-way algorithm (bcrypt / Argon2). We never store plain-text passwords.
4. Access controls: Strict role-based access control ensures only authorised personnel can access personal data, on a need-to-know basis.
5. Regular security audits: We perform periodic vulnerability assessments and penetration tests.
6. Incident response: We maintain a documented data breach response plan. In the event of a breach that poses a risk to your rights, we will notify relevant supervisory authorities within 72 hours and affected users without undue delay, as required by GDPR Art. 33–34.

Despite our best efforts, no method of transmission or electronic storage is 100% secure. If you suspect any unauthorised access to your account, please contact us immediately at security@eventic.in.

11. Your Rights Under GDPR (EEA & UK Residents)

If you are located in the EEA or UK, you have the following rights under the GDPR and UK GDPR:

1. Right of Access (Art. 15): Request a copy of the personal data we hold about you and information on how we process it.
2. Right to Rectification (Art. 16): Request that we correct inaccurate or incomplete personal data.
3. Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your personal data where it is no longer necessary, or you withdraw consent, or there is no overriding legitimate interest for us to retain it.
4. Right to Restriction of Processing (Art. 18): Ask us to halt certain processing activities in specific circumstances (e.g., while a rectification request is pending).
5. Right to Data Portability (Art. 20): Receive a machine-readable copy of data you provided to us, and request that we transmit it to another controller.
6. Right to Object (Art. 21): Object at any time to processing based on legitimate interests or for direct marketing purposes. We will cease such processing unless we can demonstrate compelling legitimate grounds.
7. Rights related to automated decision-making (Art. 22): We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing, including profiling.
8. Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without penalty.
9. Right to Lodge a Complaint: You have the right to lodge a complaint with your national data protection supervisory authority. For example:
   • EU: Find your national authority
   • UK: UK Information Commissioner's Office (ICO)

To exercise any of these rights, submit a request to privacy@eventic.in. We will respond within 30 days. We may need to verify your identity before processing your request. Requests are free, though we may charge a reasonable fee for manifestly unfounded or excessive requests.

12. Your Rights Under CCPA / CPRA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following rights:

12.1 Categories of Personal Information We Collect

In the preceding 12 months, we have collected the following CCPA categories of personal information:

• Identifiers (name, email, IP address, account username)
• Personal Records (billing address, payment information)
• Commercial information (purchase history, subscription details)
• Internet or electronic network activity (browsing history on the Platform, usage data)
• Geolocation data (country/region derived from IP)
• Inferences drawn to create a profile about your preferences

12.2 Your California Rights

1. Right to Know (§ 1798.100): You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purposes, and the categories of third parties with whom we share it.
2. Right to Delete (§ 1798.105): You may request deletion of personal information we have collected, subject to certain exceptions (e.g., data needed to complete a transaction, comply with a legal obligation, or for security purposes).
3. Right to Correct (§ 1798.106): You may request that we correct inaccurate personal information.
4. Right to Opt-Out of Sale or Sharing (§ 1798.120): We do not sell your personal information as defined under the CCPA. We do not share it for cross-context behavioural advertising. You may still submit an opt-out request at privacy@eventic.in.
5. Right to Limit Use of Sensitive Personal Information (§ 1798.121): We do not use sensitive personal information beyond purposes necessary to provide the requested service.
6. Right to Non-Discrimination (§ 1798.125): We will not discriminate against you for exercising any of your CCPA rights. We will not deny services, charge different prices, or provide a lesser quality of service because you exercised a privacy right.

12.3 How to Submit a CCPA Request

Submit verifiable consumer requests to privacy@eventic.in. We will acknowledge receipt within 10 business days and respond within 45 calendar days (extendable by a further 45 days where reasonably necessary with prior notice). You may submit up to two requests per 12-month period.

12.4 Authorised Agents

California residents may designate an authorised agent to make requests on their behalf. The agent must provide written permission signed by you, and we may require verification of your identity directly.

13. Children's Privacy

The Platform is not directed to children. We define "children" as:

• Under 13 in the United States (COPPA)
• Under 16 (or the applicable age of digital consent in your country) in the EEA and UK under GDPR

We do not knowingly collect personal data from children under these ages. If we become aware that we have inadvertently collected such data, we will take prompt steps to delete it. If you are a parent or guardian and believe your child has submitted personal data to us, please contact us at privacy@eventic.in.

14. Third-Party Links & Services

The Platform may contain links to third-party websites and services (e.g., social media sharing, map embeds, payment gateways). Once you leave our Platform, we have no control over the content or privacy practices of those third parties. We encourage you to read the privacy policies of any external services you use. This Policy does not apply to third-party websites or services.

15. Do Not Track Signals

Some browsers offer a "Do Not Track" (DNT) feature. Because there is currently no uniform standard for interpreting DNT signals, our Platform does not respond differently to DNT requests. We do, however, provide robust cookie controls as described in Section 8 to let you manage tracking directly.

16. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

1. Notify the relevant supervisory authority (e.g., applicable EU Data Protection Authority or the UK ICO) within 72 hours of becoming aware of the breach, where feasible.
2. Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms, with clear information about the nature of the breach and recommended protective steps.
3. Maintain an internal record of all data breaches regardless of whether notification is required.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

1. Update the "Last Updated" date at the top of this page
2. Post a prominent notice on the Platform homepage or within your account
3. Send you an email notification if the changes materially affect your rights (where we hold a valid email address for you)

Your continued use of the Platform after any changes take effect constitutes your acceptance of the updated Policy. If you do not accept the revised Policy, you should discontinue using the Platform and may request deletion of your account.

18. Contact Us & Exercising Your Rights

For general privacy enquiries or to exercise any of the rights described in this Policy:

• Privacy email: privacy@eventic.in
• General contact: contact@eventic.in
• Security disclosures: security@eventic.in
• Website: eventic.in/contact

We will acknowledge your request within 5 business days and aim to resolve all requests within the timeframes required by applicable law (30 days under GDPR; 45 days under CCPA).

If you are an EEA or UK resident and are not satisfied with our response, you have the right to escalate your complaint to your local data protection supervisory authority. You can find details of EU supervisory authorities at edpb.europa.eu, and the UK ICO at ico.org.uk.