Privacy Policy

    Last updated: July 2026

    1. Introduction

    Welcome to Conferras. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use and safeguard your information when you use our event networking app and website.

    2. Data Controller

    Company: TenSeven UG (haftungsbeschränkt)
    Address: Tannenstr. 10a, 85764 Oberschleißheim, Germany
    Represented by: Tammo Elsner, Valentin Spörk
    Email: hello (at) go-spread.com
    For any data protection inquiries, please contact us at the email address above.

    3. Data We Collect

    Event organizers: account information (name, email, organization name), securely hashed password, subscription and payment status, event data (name, description, dates, locations, branding assets, agenda, speakers, sponsors) and aggregated usage statistics.

    Event attendees: profile information (name, role, company, interests, optional photo and social links), connections, chat messages, 1:1 meeting requests, bookmarks and event activity. Push notification tokens if you enable notifications.

    Website visitors: contact form submissions (name, email, message content) and standard server logs.

    4. Legal Basis for Processing (GDPR Art. 6)

    Contract fulfillment (Art. 6(1)(b)): Processing necessary to provide our service to organizers and attendees, including account management, event access and subscription handling.

    Consent (Art. 6(1)(a)): For optional features such as push notifications, contact form submissions and marketing communication. You can withdraw consent at any time.

    Legitimate interest (Art. 6(1)(f)): For aggregated analytics to improve our service, and to ensure security and prevent fraud.

    5. Third-Party Services

    Payment processing (Stripe): When you subscribe to a paid plan, your payment information is handled directly by Stripe. We do not store your credit card details. See Stripe's Privacy Policy.

    Hosting & infrastructure: Our service is hosted on infrastructure in the European Union. Some managed services may transfer data to the United States under Standard Contractual Clauses (SCCs) approved by the European Commission.

    Push notifications: If you enable push notifications, we use browser push services (Apple Push Notification Service, Firebase Cloud Messaging) to deliver messages to your device.

    6. Cookies & Local Storage

    We use browser storage (localStorage and sessionStorage) for essential functionality only: authentication tokens to keep you logged in, event session state, PWA install and notification prompt preferences, and your cookie consent choice.

    These items are strictly necessary for the service to function and are not used for tracking or advertising purposes. Analytics cookies, if any, are only loaded after you give consent via our cookie banner.

    7. Data Retention

    • Organizer accounts: retained until you delete your account.
    • Event data: retained until you delete the event or your account.
    • Attendee profiles: retained for the duration of the event and for up to 12 months afterwards, unless you delete your profile earlier.
    • Contact messages: retained for up to 2 years, then deleted.
    • Push notification tokens: deleted when you disable notifications or uninstall the app.

    8. Your Rights (GDPR)

    • Right to Access (Art. 15) — request a copy of the data we hold about you.
    • Right to Rectification (Art. 16) — update your personal information in your account settings.
    • Right to Erasure (Art. 17) — delete your account and all associated data.
    • Right to Data Portability (Art. 20) — export your data in a machine-readable format.
    • Right to Object (Art. 21) — object to processing based on legitimate interest.
    • Right to Withdraw Consent (Art. 7) — withdraw any previously granted consent at any time.

    9. Data Security

    • All data is transmitted over encrypted HTTPS connections.
    • Passwords are securely hashed using industry-standard algorithms.
    • Database access is protected by row-level security policies.
    • Regular security reviews and dependency updates.

    10. International Data Transfers

    Your data is stored on servers located in the European Union. Some third-party services (e.g. Stripe, push notification providers) may transfer data to the United States. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.

    11. Right to Lodge a Complaint

    If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. As we are based in Bavaria, Germany, the competent authority is the Bavarian State Office for Data Protection Supervision.

    12. Changes to This Policy

    We may update this Privacy Policy from time to time. The updated version will be indicated by an updated “Last updated” date at the top of this page. We encourage you to review this Privacy Policy periodically.

    13. Contact Us

    For any questions about this Privacy Policy, contact us at hello (at) go-spread.com.