PRIVACY POLICY

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect includes the following:

• names
• email addresses
• job titles
• contact or authentication data
• billing addresses

Social Media Login Data. You may register or sign in using Google, Microsoft Entra ID, or Apple. If you choose to do so, we receive certain profile information from the provider, as described in HOW DO WE HANDLE YOUR SOCIAL LOGINS? below.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Google API

Our use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We will also process your information for other purposes with your consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

• Account and authentication. Create and manage organizer accounts, teams, and organizations.
• Events and ticketing. Operate event setup, attendee lists, free and paid registration, QR tickets, and check-in/check-out.
• Payments. Process platform subscriptions and ticket payments via Stripe (including Stripe Connect for organizers).
• Communications. Send transactional emails (tickets, invitations, OTP, support, deletion requests).
• Security and compliance. Fraud prevention, abuse prevention, terms acceptance logs, and legal obligations.
• Event analytics for organizers. Attendance and registration statistics computed from data in our database (not third-party web tracking).

Organizers and attendees. If you are an event organizer (platform account holder), we are generally the controller for your account data. If you are an attendee or ticket buyer, the event organizer is generally the controller for event-related data; we process that data as processor on the organizer's instructions—see our Data Processing Agreement and Terms of Service.

3. WHERE IS YOUR DATA STORED?

Primary application and database data are hosted in the EU where configured (Cloudflare, Supabase/PostgreSQL, Upstash). OAuth identity providers (Google, Microsoft, Apple) and Stripe operate globally and may process data outside the EEA. See our Subprocessor List for details and transfer safeguards.

4. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we rely on the following legal bases to process your personal information:

• Performance of a contract. Providing the Services you sign up for (accounts, events, ticketing, check-in, support).
• Legitimate interests. Securing and improving the Services and fraud prevention (balanced against your rights).
• Consent. Where required (e.g. ticket registration consent, marketing if ever offered). You may withdraw consent where applicable. Learn more about withdrawing your consent.
• Legal obligations. Compliance with law, regulators, and courts.

In legal terms, we are generally the "data controller" under European data protection laws of the personal information described in this Privacy Notice, since we determine the means and/or purposes of the data processing we perform. This Privacy Notice does not apply to the personal information we process as a "data processor" on behalf of our customers. In those situations, the customer that we provide services to and with whom we have entered into a data processing agreement is the "data controller" responsible for your personal information, and we merely process your information on their behalf in accordance with your instructions. If you want to know more about our customers' privacy practices, you should read their privacy policies and direct any questions you have to them.

5. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We share information in specific situations described in this section and/or with the following third parties.

We share personal information with service providers that help us deliver the Services, including:

• Hosting and infrastructure: Cloudflare, Supabase, Upstash
• Email: Resend (primary transactional email)
• Payments: Stripe — platform subscriptions to CheckInOS; ticket payments via Stripe Connect direct charges to the Organizer's connected account (Organizer is merchant for ticket sales; CheckInOS may receive a platform fee)
• Authentication: Google, Microsoft, Apple (when you choose OAuth)

The current list with roles, dates, and status is at /subprocessors.

• Business transfers. In connection with merger, acquisition, or sale of assets.
• Legal requirements. Where required by law, court order, or to protect rights and safety.

6. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We use cookies and other tracking technologies to collect and store your information.

We use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.

Authentication cookies (session and CSRF) are strictly necessary to sign in and secure the Services. Under applicable ePrivacy rules, we do not require a separate cookie banner for those cookies alone. See our Cookie Policy.

We do not use third-party web analytics, advertising, retargeting, or cart-abandonment cookies on the Services. Organizer-facing event analytics are generated from data stored in our platform.

7. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: If you choose to register or log in to our Services using a social media account, we will have access to certain information about you.

Our Services offer you the ability to register and log in using your third-party social media account details (such as Google, Microsoft, or Apple). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive typically includes your name, email address, and sometimes a profile image or provider user ID, depending on the provider and your settings. We do not request your contacts or friends list.

We will use the information we receive only for the purposes that are described in this Privacy Notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information, and how you can set your privacy preferences on their sites and apps.

8. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.

Platform accounts (organizers): We retain account data while your account is active and as needed for billing, security, legal compliance, and dispute resolution. Verified deletion requests are processed within a reasonable period (typically within 30 days) via /data-deletion or events@checkinos.com — not via instant in-app deletion.

Attendee and ticket data (processor role): Organizers control retention. Our target is to remove or anonymize traceable attendee fields one year after the event end date, keeping anonymized IDs for analytics. Organizer "delete" in the dashboard is a soft-delete (record marked deleted; PII may remain until manual erasure or the planned retention job). Contact the organizer or us for full erasure.

Backup copies may persist until rotated. Terms acceptance logs may be retained for audit purposes even after account deletion where permitted by law.

9. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

Measures include password hashing, secure sessions (including logout-all-devices), OAuth options, team-scoped event access, signed QR tokens, Stripe webhook verification, and EU-oriented hosting where configured. Details for processor processing are in our DPA.

No method of transmission or storage is 100% secure. Use the Services in a secure environment and protect your credentials.

10. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly collect data from children under 18, consistent with our Terms of Service. By using the Services, you represent that you are at least 18. If we learn that data from a user under 18 was collected, we will take reasonable steps to delete it. Contact us at events@checkinos.com.

11. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: In some regions, such as the European Economic Area (EEA), United Kingdom (UK), and Switzerland, you have rights that allow you greater access to and control over your personal information. You can review, change, or terminate your account at any time, depending on your country, province, or state of residence.

In some regions (like the EEA, UK, and Switzerland), you have certain rights under applicable data protection laws. These rights include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; (iv) if applicable, to data portability; and (v) not to be subject to automated decision-making. In certain circumstances, you also have the right to object to the processing of your personal information. You can make such a request by contacting us by using the contact details provided in the section HOW CAN YOU CONTACT US ABOUT THIS NOTICE? below.

We will consider and act upon any request in accordance with applicable data protection laws.

CheckInOS is established in the Netherlands and does not currently have a UK establishment. We have not appointed a UK representative under UK GDPR Article 27; if that becomes required, we will update this notice. UK residents may contact us at events@checkinos.com or complain to the ICO.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority.

If you are located in Switzerland, you can contact the Federal Data Protection and Information Commissioner.

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can:

• Contact us using the contact information provided.

Upon a verified request to terminate your account, we will process deletion within a reasonable period (see Section 8). Some information may be retained where required for fraud prevention, legal compliance, billing records, or terms acceptance audit logs.

Cookies and similar technologies: Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services.

If you have questions or comments about your privacy rights, you can email us at events@checkinos.com.

12. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice.

13. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We will update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this page. If we make material changes to this Privacy Notice, we will notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you can email us at events@checkinos.com or contact us by post at:

If you are a resident in the European Economic Area, we are the "data controller" of your personal information. You can contact us directly regarding our processing of your information, by email at events@checkinos.com, or by post to:

15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

You have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You also have the right to withdraw your consent to our processing of your personal information where applicable. These rights can be limited in some circumstances by applicable law. To request to review, update, or delete your personal information, use /data-deletion or email events@checkinos.com. Attendees should also contact the event organizer for event-specific data.