
Privacy Policy

Last updated: 11 March 2026

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection provisions is:

Ing. Philipp Zöchner
Sackstraße 26
8010 Graz, Österreich
phil@konvio.app
https://zoechner.com

2. General Information on Data Processing

We only process your personal data to the extent necessary to provide a functional website and our content and services (SaaS application). Konvio Staging is an event management platform that enables organizers (organizations) to plan and run trade fairs, career fairs, and other events.

For event-related data (e.g. attendee registrations, exhibitor data, CRM contacts, form submissions), the respective organizer acts as the data controller. Konvio Staging processes this data as a data processor pursuant to Art. 28 GDPR, solely on the organizer's instructions.

3. Data Collection and Processing

a) Website Visits (Server Log Files)

When you access our website, the browser on your device automatically sends information to our web server. This information is temporarily stored in a log file:

  • IP address of the requesting device
  • Date and time of access
  • Name and URL of the accessed file
  • Browser used and, where applicable, operating system

Legal basis
Art. 6(1)(f) GDPR (Legitimate interest in technical stability and system security).

b) Registration and Use of the SaaS Application

When you register for our service, we process the data you provide to fulfill the user agreement and provide the service to you.

Data categories
Name, email address, password (hashed), language preference, timezone, timestamp and IP address of last login.

Legal basis
Art. 6(1)(b) GDPR (Performance of a contract or pre-contractual measures).

c) Sign-in via Google (Social Login)

If you sign in using your Google account, we receive your name, email address, and a unique Google ID from Google. We store an access token for authentication.

Legal basis
Art. 6(1)(b) GDPR (Performance of a contract). Signing in via Google is voluntary and offered as an alternative to standard registration.

d) Contact Requests

When you contact us (e.g. via contact form or email), your information is processed to handle and respond to your inquiry.

Legal basis
Art. 6(1)(b) GDPR (Contract) or Art. 6(1)(f) GDPR (Legitimate interest in responding).

e) Event Registration and Check-in

When you register for an event or attend one, we process the data collected during registration as well as check-in and scan data.

Data categories
Name, email address, company affiliation, registration status, IP address at registration, check-in timestamps, visitor codes, location and scan data when using scan points.

Legal basis
Art. 6(1)(b) GDPR (Performance of a contract with the organizer) or Art. 6(1)(f) GDPR (Legitimate interest of the organizer in event execution).

f) Exhibitor Registration and Event Participation

Exhibitors participating in an event (including exhibitor applications) provide us with company and personal data.

Data categories
Company name, contact email, website, booth number, participation status, package orders with order details.

Legal basis
Art. 6(1)(b) GDPR (Performance of a contract or pre-contractual measures).

g) CRM Contact Management

Organizers can create and manage business contacts through the platform. The responsibility for this processing lies with the respective organizer.

Data categories
First name, last name, email address, position/role, photo, tags, activity logs, notes.

Legal basis
Art. 6(1)(f) GDPR (Legitimate interest of the organizer in maintaining business contacts) or Art. 6(1)(b) GDPR (Pre-contractual measures).

h) In-App Messaging

Organizers and exhibitors can exchange messages through the platform. Messages may also be delivered and replied to via email.

Data categories
Message content, sender information, timestamps.

Legal basis
Art. 6(1)(b) GDPR (Performance of a contract).

i) Form Submissions

Organizers can create custom forms and request attendees or exhibitors to provide information. The type and scope of data collected are determined by the respective organizer.

Data categories
Name, email address, phone number of the submitter, and custom form field responses (depending on the organizer's configuration).

Legal basis
Art. 6(1)(b) GDPR (Contract) or Art. 6(1)(a) GDPR (Consent, where configured by the organizer).

j) Usage Statistics and Analytics

We collect anonymized and pseudonymized usage data to improve the platform and provide event statistics to organizers. No external analytics services are used.

Data categories
Page views, route name, access timestamp, pseudonymized visitor hash, browser used.

Legal basis
Art. 6(1)(f) GDPR (Legitimate interest in improving and analyzing the platform).

k) Push Notifications

If you enable push notifications for an event, we store the technical data required for delivery.

Data categories
Browser push endpoint, device identifier, subscribed topics, timestamps.

Legal basis
Art. 6(1)(a) GDPR (Consent). You may withdraw consent at any time through your browser settings.

l) Feedback and Support Requests

When submitting feedback or support requests through the platform, we process the information you provide.

Data categories
Email address (optional), name, message content, rating, category.

Legal basis
Art. 6(1)(f) GDPR (Legitimate interest in improving the service).

m) Billing and Payment Data

For subscription and event license billing, we process invoicing data. Credit card details or other payment instrument data are processed exclusively by the external payment service provider and are not stored on our systems.

Data categories
Billing name, billing address, subscription plan, billing period, order details.

Legal basis
Art. 6(1)(b) GDPR (Performance of a contract).

n) Email Delivery and Logging

We log the sending of system emails (e.g. invitations, confirmations, notifications) to ensure delivery and resolve technical issues.

Data categories
Recipient email address, send timestamp, delivery status, error messages.

Legal basis
Art. 6(1)(f) GDPR (Legitimate interest in ensuring email delivery).

o) Internal Activity Log (Audit Log)

To ensure the security and integrity of the platform, we log certain user actions in an internal activity log. This serves to detect misuse, analyze errors, and maintain traceability of security-relevant operations.

Data categories
Type of action (e.g. login, data modification), affected object (e.g. event, contact), IP address, browser used (user agent), timestamp, associated user.

Legal basis
Art. 6(1)(f) GDPR (Legitimate interest in the security, integrity, and traceability of platform usage).

Retention
Activity logs are deleted after 90 days, unless a statutory retention obligation or an ongoing security investigation requires longer storage.

4. Recipients and Disclosure of Data

We do not transfer your personal data to third parties for purposes other than those listed below. We only share your personal data with third parties where this is permitted by law or where we use service providers (data processors).

We use the following categories of service providers:

  • Hosting and server infrastructure: Hetzner Online GmbH (Location: Germany)
  • Email delivery (transactional): Scaleway SAS (Location: France)
  • Data backup and file storage: Scaleway SAS (Location: France)

Additionally, the following recipients may have access to personal data:

  • Organizers (Organizations): Have access to the data of their event attendees, exhibitors, and CRM contacts within their scope of responsibility.
  • Exhibitors: May view limited attendee data within an event (e.g. during contact exchange or via scan data).
  • Google Ireland Limited: When using sign-in via Google (OAuth). Location: Ireland (EU).

Konvio Staging exclusively uses service providers and recipients based in the European Union or the European Economic Area (EEA).

5. International Data Transfers

No personal data is transferred to countries outside the European Economic Area (EEA). All service providers and data processors we use are based in the EU.

6. Cookies and Web Analytics

We only use technically necessary cookies. No tracking or marketing cookies are used.

  • Technically necessary cookies: These are required for the operation of the website (e.g. session cookies for login, CSRF protection).
    Legal basis
    Section 165(3) TKG 2021 (exemption from consent requirement) and Art. 6(1)(f) GDPR.

7. Data Retention

We only store personal data for as long as it is necessary for the purposes for which it is processed, or as long as a statutory retention obligation exists. Specifically:

  • User accounts: Duration of the user relationship, then deleted within 30 days
  • Server log files: 30 days
  • Event data (registrations, check-in): Duration of the event plus applicable statutory retention periods
  • CRM contacts: Until deletion by the organizer or termination of the user relationship
  • Billing data: 7 years pursuant to Section 132 BAO
  • Email delivery logs: 90 days
  • Push notification subscriptions: Until withdrawal or expiry
  • Activity logs (audit log): 90 days
  • Feedback and inquiries: 1 year

8. Your Rights (Data Subject Rights)

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification or erasure (Art. 16 & 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)

To exercise your rights, please contact us at the address provided in Section 1.

You also have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data. In Austria, this is the:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Wien
https://dsb.gv.at/

9. Automated Decision-Making

No automated decision-making, including profiling, within the meaning of Art. 22 GDPR takes place.

10. Requirement to Provide Personal Data

Providing your personal data (name, email address) is contractually required for registration and use of our service. Without this data, we cannot provide the service. For event-related data, the respective organizer determines which information is required.

11. Data Security

We use the widely adopted SSL/TLS (Secure Sockets Layer / Transport Layer Security) method in conjunction with the highest level of encryption supported by your browser when you visit our website. Additionally, we implement appropriate technical and organizational measures pursuant to Art. 32 GDPR to protect your data, including encrypted data transmission, hashed passwords, and regular data backups.

12. Changes to This Privacy Policy

We may update this privacy policy as needed to comply with new laws, regulations, or changes to our data processing practices. The current version is always available on our website.