Contents
- Data Controller & Contact
- Scope of This Policy
- Personal Data We Collect
- Third-Party Platform Data (OAuth)
- How We Use Your Data
- Legal Basis for Processing
- Legitimate Interests Assessment
- Special Category Data
- Children's Data
- Marketing Communications
- Automated Decision-Making & Profiling
- Sharing & Disclosure
- International Data Transfers
- Data Retention
- Security Measures
- Your Rights Under UK GDPR
- Cookies & Tracking
- Third-Party Links
- Data Breach Procedures
- Data Protection Officer
- Changes to This Policy
- Contact & Complaints
1 Data Controller & Contact Details
The data controller responsible for your personal data is:
Registered in England and Wales
Company Number: 17045265
Registered Office: [Registered Address]
Email: [email protected]
Website: wemarketevents.ai
As data controller, WEMARKETEVENTS.AI LTD determines the purposes and means of processing personal data in connection with the EventPulse platform. Where we process personal data on behalf of our clients (for example, data belonging to their end users or campaign contacts), we act as a data processor and the client is the data controller. In those cases, processing is governed by a separate Data Processing Agreement.
2 Scope of This Policy
This privacy policy applies to:
- Visitors to our marketing website at wemarketevents.ai
- Subscribers to and users of the EventPulse platform at app.wemarketevents.ai
- Individuals who contact us by email, telephone, or through web forms
- Prospective clients, partners, and press contacts
- Any individual whose personal data is processed by us in the course of delivering our services
This policy is written in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). Where we serve users in the European Economic Area (EEA), we also comply with the EU GDPR.
This policy does not apply to third-party websites or services that we link to. We encourage you to read the privacy policies of any third-party services you use.
3 Personal Data We Collect
We collect personal data in the following categories depending on how you interact with us:
3.1 — Account & Identity Data
- Full name and email address (collected at registration or via Stripe checkout)
- Organisation name and job title (provided during onboarding)
- Password (stored only as a one-way hash via Supabase Auth — we cannot read your password)
- Profile preferences set within the EventPulse platform
3.2 — Billing & Transaction Data
- Subscription plan and billing interval
- Invoice history and payment status
- Country of billing (used for VAT purposes)
- We do not store card numbers, CVVs, or full payment details. All payment processing is handled directly by Stripe, Inc. under their own privacy policy and PCI-DSS compliance framework.
3.3 — Technical & Usage Data
- IP address and approximate geographic location (country/region level)
- Browser type, version, and operating system
- Device type (desktop, mobile, tablet)
- Pages visited within the EventPulse platform and time spent on each
- Features used, reports viewed, and actions taken within the platform
- Referring URL (how you arrived at our website)
- Session start and end times
- Error logs and crash reports
3.4 — Communication Data
- Email correspondence with our team
- Support requests and responses
- Feedback submitted through the platform or website
- Records of consent for marketing communications
3.5 — Event & Campaign Configuration Data
- Event name, dates, target registrations, and total campaign budget
- Conversion targets and custom goal definitions
- Campaign notes and annotations made within the platform
3.6 — Data We Do Not Collect
Unless you voluntarily provide it, we do not collect: racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sexual orientation, or criminal conviction data. See Section 8 for our Special Category Data policy.
4 Third-Party Platform Data (OAuth Connections)
EventPulse's core function is to aggregate and analyse marketing campaign data from third-party advertising and analytics platforms. To do this, we connect to those platforms via OAuth 2.0 — an industry-standard authorisation protocol that allows you to grant us read access to your data without sharing your passwords.
4.1 — Platforms We Connect To
| Platform | Data We Access | Access Level |
|---|---|---|
| Google Analytics 4 | Sessions, users, page views, events, registration funnel steps, landing page performance, traffic sources | Read-only |
| Google Ads | Campaign spend, impressions, clicks, CTR, conversions, cost-per-conversion, ad group performance, keyword data | Read-only |
| Meta Ads (Facebook & Instagram) | Campaign spend, reach, frequency, impressions, link clicks, lead gen form submissions, cost-per-result, audience insights | Read-only |
| LinkedIn Ads | Sponsored content performance, message ad metrics, lead gen form completions, company follower data, campaign spend and ROI | Read-only |
4.2 — How We Store OAuth Tokens
When you authorise a platform connection, the platform issues us an access token (and in some cases a refresh token). These tokens are sensitive credentials — they are equivalent to a temporary password granting access to your advertising data.
We protect these tokens as follows:
- All tokens are encrypted using AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode) before being written to our database. This is military-grade encryption.
- The encryption key is stored separately from the encrypted data — in Netlify's secure environment variable store, not in the database itself.
- Tokens are stored in a dedicated `oauth_tokens` table with row-level security policies. Application users cannot read raw token values — only our server-side functions can decrypt them.
- Refresh tokens are used automatically to renew access without requiring you to re-authorise, reducing friction.
4.3 — Data Minimisation
We request only the minimum OAuth scopes necessary to provide the EventPulse service. We do not request write access to any platform. We cannot create, modify, or delete campaigns, ads, or settings on any connected platform — access is strictly read-only.
4.4 — Revoking Access
You can revoke platform access at any time by:
- Disconnecting the platform from within EventPulse (Settings → Connected Platforms)
- Revoking app permissions directly within the platform (e.g. Google Account → Third-party apps, Meta Business → Connected Apps, LinkedIn → Permitted Services)
Upon revocation, we immediately delete the associated OAuth token from our database and cease all data pulls from that platform. Historical data already processed and displayed within EventPulse will remain available until account deletion.
4.5 — Account Manager Connections
For Premium plan subscribers, a WeMarketEvents.AI account manager may connect platforms on your behalf using our internal admin tools. In this case, the connection is made using the account manager's authorised credentials on behalf of your workspace. This is recorded in our system as connected_by: admin and is only performed with your explicit instruction or consent.
5 How We Use Your Personal Data
We use personal data for the following purposes:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing and operating the EventPulse platform | Account data, OAuth tokens, event configuration data | Contract |
| Processing subscription payments and issuing invoices | Billing data, account data | Contract / Legal Obligation |
| Sending transactional emails (account setup, welcome, alerts, weekly digests) | Email address, account data | Contract |
| Providing customer support | Account data, communication data | Contract / Legitimate Interests |
| Monitoring platform performance, uptime, and diagnosing errors | Technical data, error logs | Legitimate Interests |
| Improving and developing the EventPulse platform | Usage data, feature interaction data (anonymised where possible) | Legitimate Interests |
| Detecting and preventing fraud, abuse, or security incidents | Technical data, account data, usage data | Legitimate Interests / Legal Obligation |
| Complying with legal and regulatory obligations | Billing records, account data | Legal Obligation |
| Sending marketing communications (with consent) | Email address, communication preferences | Consent |
| Enforcing our Terms of Service | Account data, usage data | Legitimate Interests / Contract |
We will not use your personal data for any purpose that is incompatible with the purposes listed above without providing you with prior notice and, where required, obtaining your consent.
6 Legal Basis for Processing
Under UK GDPR Article 6, we rely on the following legal bases:
6.1 — Performance of a Contract (Article 6(1)(b))
The primary legal basis for processing your personal data is that it is necessary to perform our contract with you — i.e. to provide the EventPulse service you have subscribed to. This includes creating and managing your account, processing payments, connecting advertising platforms, and delivering analytics and reporting.
6.2 — Legitimate Interests (Article 6(1)(f))
We process certain data based on our legitimate interests as a business, where these interests are not overridden by your rights and freedoms. These include: improving our platform, ensuring security and fraud prevention, and providing customer support. See Section 7 for our Legitimate Interests Assessment.
6.3 — Legal Obligation (Article 6(1)(c))
We are required by law to retain certain records. Under UK tax law (HMRC requirements), we must retain financial records including invoices and transaction data for a minimum of 6 years. Under UK GDPR, we are required to maintain records of processing activities and, in certain circumstances, to notify the ICO of data breaches.
6.4 — Consent (Article 6(1)(a))
Where we send optional marketing communications, we rely on your freely given, specific, and informed consent. You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting us at [email protected]. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
7 Legitimate Interests Assessment
Where we rely on legitimate interests as our legal basis, we have conducted a balancing test to ensure our interests do not override yours. Our legitimate interests processing includes:
- Platform improvement: We analyse anonymised usage patterns to understand which features are used, identify bugs, and prioritise development. This is a reasonable business interest and uses data in a way users would expect. Individual users are not singled out.
- Security and fraud prevention: We monitor for unusual login patterns, API abuse, and potential security threats. This protects both our business and our clients' data. The processing is proportionate to the risk.
- Customer support: Maintaining records of support interactions allows us to provide consistent, informed support. Users benefit directly from this processing.
- Business analytics: Aggregated, anonymised data about platform usage helps us make informed business decisions. Individual users cannot be identified from this data.
In each case, we have assessed that the processing is necessary, proportionate, and that the impact on individuals is minimal or positive. If you wish to object to any processing based on legitimate interests, see Section 16 (Your Rights).
8 Special Category Data
We do not intentionally collect or process special category data as defined under UK GDPR Article 9. Special category data includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation data.
Our platform is designed for B2B marketing analytics. The data we process relates to advertising campaigns and event registrations — not to individuals' sensitive personal characteristics.
If you believe you have inadvertently shared special category data with us (for example, in a support email), please contact us at [email protected] and we will ensure it is deleted promptly.
9 Children's Data
EventPulse is a professional B2B SaaS platform intended solely for use by individuals aged 18 or over. We do not knowingly collect personal data from anyone under the age of 18.
If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately at [email protected]. We will investigate and, if confirmed, delete any such data without undue delay.
By using EventPulse, you represent and warrant that you are at least 18 years of age.
10 Marketing Communications
We may send you marketing communications about EventPulse products, features, event industry insights, or partner offers, but only where we have your explicit consent or (in limited circumstances permitted by PECR) where you are an existing customer and the communication relates to similar services.
10.1 — Transactional vs Marketing Emails
The following emails are transactional and are sent as part of the service contract. You cannot opt out of these while your account is active:
- Account creation and welcome emails
- Password reset and security notifications
- Weekly campaign digest reports
- Real-time performance alerts triggered by your configured thresholds
- Subscription billing notifications (invoices, payment failures, trial expiry)
10.2 — Opting Out of Marketing
Every marketing email we send includes an unsubscribe link. You may also opt out at any time by emailing [email protected] with the subject line "Unsubscribe". We will process your request within 5 business days.
Opting out of marketing does not affect your ability to use EventPulse or your receipt of transactional service emails.
10.3 — No Data Selling or Third-Party Marketing
We will never sell your personal data to third parties for marketing purposes. We will never share your data with third parties to enable them to market their products or services to you without your explicit consent.
11 Automated Decision-Making & Profiling
UK GDPR Article 22 gives you the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
EventPulse uses AI and machine learning to generate campaign insights, anomaly detection, and performance recommendations. However, these outputs are advisory only — they are presented to human users who make their own decisions. No automated decision with legal or similarly significant effect is made about any individual based on our processing.
We do not use your personal data for behavioural profiling, credit scoring, or any form of automated individual assessment. Our AI processes aggregated campaign performance data — not personal characteristics.
12 Sharing & Disclosure of Personal Data
We do not sell, rent, or trade your personal data. We share personal data only in the following circumstances:
12.1 — Service Providers (Data Processors)
We share data with trusted third-party service providers who process it strictly on our behalf, under our instruction, and bound by data processing agreements:
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, row-level security | EU / US (AWS) | DPA + SCCs |
| Netlify Inc. | Application hosting, serverless functions, CDN | US | DPA + SCCs |
| Stripe, Inc. | Payment processing, subscription management | US | DPA + SCCs + PCI-DSS |
| Twilio SendGrid | Transactional email delivery | US | DPA + SCCs |
| Anthropic, PBC | AI-generated insights and narrative (Lens engine) | US | DPA + SCCs |
12.2 — Legal Requirements
We may disclose personal data where required to do so by law, court order, or regulatory authority — including HMRC, the ICO, or law enforcement agencies. We will, where legally permitted, notify you before making such a disclosure.
12.3 — Business Transfers
In the event of a merger, acquisition, sale of assets, or insolvency, your personal data may be transferred to a successor entity. We will notify you by email and post a prominent notice on our website at least 30 days before any such transfer, and you will retain your rights under this policy.
12.4 — With Your Consent
We will share your data with third parties in any other circumstance only with your explicit prior consent.
13 International Data Transfers
Some of our service providers are based in the United States or other countries outside the UK. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place as required by UK GDPR Chapter V.
The safeguards we rely on include:
- UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs) approved under the UK GDPR framework, incorporated into our contracts with US-based processors.
- UK Adequacy Decisions: Where the ICO or UK Government has determined that a country provides an adequate level of protection, we rely on that adequacy finding.
- Certification frameworks: Where applicable, we work with providers certified under recognised frameworks (e.g. the UK-US Data Bridge).
You may request a copy of the specific transfer mechanism we rely on for any particular provider by contacting [email protected].
14 Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account & profile data | Duration of account + 30 days post-cancellation | Service delivery; grace period for re-subscription |
| OAuth tokens | Deleted immediately upon disconnection or account cancellation | Security; no ongoing purpose |
| Campaign analytics data | Duration of account + 30 days post-cancellation | Service delivery |
| Billing records & invoices | 7 years from transaction date | HMRC / UK tax law requirement |
| Support correspondence | 3 years from last interaction | Legitimate interests (dispute resolution) |
| Security & audit logs | 12 months | Security monitoring and incident response |
| Marketing consent records | 3 years from consent or until withdrawal | Legal compliance (PECR) |
| Website analytics (anonymised) | 26 months | Industry standard; ICO guidance |
When data reaches the end of its retention period, it is securely deleted or anonymised such that it can no longer be attributed to an individual. You may request earlier deletion by exercising your Right to Erasure (see Section 16).
15 Security Measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. Our measures include:
15.1 — Technical Controls
- Encryption at rest: OAuth tokens encrypted with AES-256-GCM. Database-level encryption provided by Supabase (AWS).
- Encryption in transit: All data transmitted over TLS 1.2 or higher (HTTPS enforced on all endpoints, HSTS headers deployed).
- Row-Level Security (RLS): Database policies ensure users can only query data belonging to their own workspace — cross-tenant data access is architecturally impossible at the database layer.
- Authentication: Secure session management via Supabase Auth (JWT tokens with expiry). Password hashing using bcrypt.
- Environment isolation: Production and development environments are strictly separated. No real client data is used in development or testing.
- Secrets management: API keys, OAuth credentials, and encryption keys are stored in Netlify's encrypted environment variable store — not in source code or version control.
- Security headers: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy, and Content Security Policy headers are deployed on all pages.
15.2 — Organisational Controls
- Access to production systems is restricted to authorised personnel on a need-to-know basis.
- Staff with access to personal data are bound by confidentiality obligations.
- Third-party service providers are assessed for security practices before engagement and bound by data processing agreements.
- Dependencies and software libraries are reviewed and updated regularly to address known vulnerabilities.
15.3 — Limitations
No method of electronic transmission or storage is 100% secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security. In the event of a breach, we will follow the procedures set out in Section 19.
16 Your Rights Under UK GDPR
UK GDPR grants you the following rights in relation to your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month of receiving your request (this may be extended by a further two months for complex requests, in which case we will inform you).
We do not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee.
- Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data, and to receive a copy of that data (a "Subject Access Request" or SAR), along with information about how it is used.
- Right to Rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete personal data completed without undue delay.
- Right to Erasure — "Right to be Forgotten" (Article 17): You have the right to request deletion of your personal data where: the data is no longer necessary; you withdraw consent; you object and there is no overriding legitimate interest; the data has been unlawfully processed; or deletion is required by law. This right is not absolute — we may need to retain certain data to comply with legal obligations.
- Right to Restrict Processing (Article 18): You have the right to request that we restrict processing of your data in certain circumstances — for example, while we verify a rectification request or consider an objection.
- Right to Data Portability (Article 20): Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format (e.g. JSON or CSV), and to transmit it to another controller.
- Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately. Where you object to other legitimate interests processing, we will assess whether our interests are overridden by your rights.
- Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to solely automated decisions with significant legal effect. As noted in Section 11, we do not make such decisions.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
17 Cookies & Tracking Technologies
We use cookies and similar tracking technologies on our website and platform in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR).
17.1 — What Are Cookies
Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work, improve performance, and provide information to website owners.
17.2 — Cookies We Use
| Cookie Name / Type | Purpose | Duration | Consent Required |
|---|---|---|---|
| sb-auth-token (Supabase) | Maintains your authenticated session within EventPulse. Strictly necessary. | Session | No — essential |
| sb-refresh-token (Supabase) | Allows your session to be refreshed without re-logging in. | 7 days | No — essential |
| Analytics cookies (marketing site) | Understanding visitor behaviour on wemarketevents.ai — pages visited, session duration, referral source. | Up to 26 months | Yes — consent banner |
| Preference cookies | Remembering your display preferences within EventPulse (e.g. date range, chart type). | 12 months | No — functional |
17.3 — Managing Cookies
You can control and delete cookies through your browser settings. Most browsers allow you to refuse some or all cookies. Refusing essential cookies may prevent you from logging in to EventPulse. For more information, visit aboutcookies.org or the ICO's cookie guidance.
18 Third-Party Links & Integrations
Our website and platform may contain links to third-party websites, or integrations with third-party services. Clicking on a third-party link will take you to that organisation's website. We have no control over and accept no responsibility for the privacy practices or content of third-party websites.
When you connect a third-party platform (Google, Meta, LinkedIn) to EventPulse via OAuth, you are also subject to that platform's terms of service and privacy policy. We encourage you to review those policies:
19 Data Breach Procedures
Despite our security measures, no system is completely immune to breach. We have procedures in place to respond promptly and responsibly in the event of a personal data breach.
19.1 — Detection & Containment
Upon detecting or suspecting a breach, we will immediately take steps to contain it, assess the scope and severity, and preserve evidence for investigation.
19.2 — Regulatory Notification
In accordance with UK GDPR Article 33, we will notify the Information Commissioner's Office (ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
19.3 — Individual Notification
Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, in accordance with UK GDPR Article 34. Our notification will include: a description of the breach; the categories and approximate number of individuals affected; the likely consequences; and the measures taken or proposed to address the breach.
19.4 — Records
We maintain an internal register of all data breaches, including those not reported to the ICO, as required by UK GDPR Article 33(5).
20 Data Protection Officer
UK GDPR requires certain organisations to appoint a Data Protection Officer (DPO). As a small business engaged primarily in B2B services, we are not currently required to appoint a mandatory DPO under Article 37. However, we have designated a data protection lead responsible for overseeing our compliance with data protection law.
Data protection enquiries should be directed to: [email protected]
We are in the process of registering with the ICO as a data controller under the Data Protection Act 2018, as required for all UK organisations that process personal data. Our ICO registration reference will be published here upon completion.
21 Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. All changes will be posted to this page with an updated effective date.
For material changes — changes that significantly affect how we use your data or your rights — we will notify active subscribers by email at least 30 days before the change takes effect. Continued use of EventPulse after that date constitutes acceptance of the updated policy.
For minor changes (corrections, clarifications, formatting), we will update the page without separate notification, but the effective date will be updated.
We encourage you to review this policy periodically. Previous versions are available upon request by emailing [email protected].
22 Contact Us & Raising Complaints
22.1 — Contact Us
If you have any questions, concerns, or requests in relation to this privacy policy or how we handle your personal data, please contact us:
Email: [email protected]
Response time: within 5 working days for general enquiries; within 1 calendar month for formal rights requests.
22.2 — Right to Complain to the ICO
If you are not satisfied with our response, or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's independent authority for data protection: