Privacy Policy

Last updated: 09 June 2026  ·  Evnto, Walthamstow, London

We are committed to protecting your personal data and being transparent about how we use it. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this policy carefully. By using the Evnto platform, you acknowledge that you have read and understood it.

1 Who we are and how to contact us

Evnto ("we", "us", "our") operates the platform at evnto.co.uk and app.evnto.co.uk. We are the data controller for personal data collected when you use our Service, except where noted in section 5 below (where an Organiser is the controller for Trader data).

You can contact us about any privacy matter at:

Evnto — Privacy enquiries

📧 support@evnto.co.uk

Walthamstow, London

2 What personal data we collect

We collect the following categories of personal data depending on how you use the Service:

Account and identity data

  • Full name
  • Email address
  • Password (stored in hashed form — we never store your plain-text password)

Business and profile data

  • Business or trading name
  • Business address and contact details (phone number, business email)
  • Profile photo or logo
  • Business description and product/service categories

Compliance documents (Traders)

  • Public liability insurance certificates
  • Food hygiene certificates
  • Any other compliance documentation uploaded at the request of an Organiser

Financial data

  • Bank account details provided by Organisers for invoice generation purposes (stored within the platform)
  • Payment card data for Organiser subscriptions — this is collected and processed directly by Stripe and is never stored by Evnto

Usage and technical data

  • IP address
  • Browser type and version
  • Actions taken within the platform — for example, signing in, viewing an event, submitting or withdrawing an application, uploading a document. These are recorded in an internal activity log associated with your account and are used for security monitoring, fraud prevention, dispute resolution and platform improvement.
  • Error and diagnostic logs (used internally to identify and fix technical issues)
  • Session data (see our Cookie Policy)

Communications

  • Messages sent to us via email or the contact form
  • Transactional emails (sent via Brevo on our behalf)

3 How we collect your data

We collect data in the following ways:

  • Directly from you — when you register, complete your profile, submit an application, upload documents or contact us.
  • Automatically — when you use the Service, we collect technical and usage data such as your IP address and session information.
  • From Organisers — if an Organiser has sent you an invitation to the platform or an application link, we may receive your email address from them for that purpose.

4 Why we use your data (legal bases)

We only process your personal data where we have a lawful basis to do so. The table below explains our purposes and the corresponding legal basis under UK GDPR.

Purpose Legal basis
Creating and managing your account Contract (Art. 6(1)(b))
Processing Organiser subscriptions and billing Contract (Art. 6(1)(b))
Providing the platform features (event management, applications, invoicing) Contract (Art. 6(1)(b))
Sending transactional and service emails (e.g. application updates, account notifications) Contract (Art. 6(1)(b))
Internal error logging and platform security Legitimate interests (Art. 6(1)(f)) — keeping the platform secure and functional
Complying with legal obligations (e.g. data subject requests, law enforcement) Legal obligation (Art. 6(1)(c))
Resolving disputes and enforcing our Terms Legitimate interests (Art. 6(1)(f))
Sending a one-time onboarding reminder to users who have registered and signed in but not yet completed account setup. This email is sent once per user and contains a clear unsubscribe link. Legitimate interests (Art. 6(1)(f)) — helping users complete a process they chose to start, with minimal privacy impact given the single send and easy opt-out
Sending a one-time deadline reminder when an event a user has saved to their favourites is closing for applications within 3 days and the user has not yet applied. This email is sent once per favourited event and contains a clear unsubscribe link. Legitimate interests (Art. 6(1)(f)) — reminding users of time-sensitive activity directly related to a specific action they took on the platform (saving an event), with minimal privacy impact given the single send and easy opt-out

We do not use your personal data for unsolicited marketing purposes, and we do not use your data for automated decision-making or profiling that produces legal or similarly significant effects. Where we rely on legitimate interests, you have the right to object at any time — see section 9.

5 How we share your data

We do not sell your personal data. We share your data only in the following limited circumstances:

Trader data visible to Organisers

Evnto is the data controller for all personal data held on the platform. When a Trader applies to an Event, certain profile and compliance data (such as business name, contact details and uploaded documents) is made visible to the Organiser of that specific Event through their dashboard. This is a feature of the Service, not a transfer of data — the data remains under Evnto's control at all times. It is not made visible to any other Organiser on the platform.

Organisers are granted a limited, purpose-specific right of access to this data to enable them to manage their events. They do not own or control it. Our Organiser Data Access Policy explains what Organisers can see, how they may use it, and their obligations when doing so.

Organiser data displayed publicly

Certain business information provided by Organisers — including business name, description, logo and event details — is displayed publicly on event listing pages as part of the normal operation of the Service. This allows Traders to find and apply to events. Organisers should only enter information in public-facing fields that they are comfortable displaying publicly.

Service providers (sub-processors)

We share data with trusted third-party providers who help us operate the Service:

  • Brevo (Sendinblue SAS) — transactional email delivery. Brevo processes email address and message content to deliver notifications on our behalf.
  • Stripe Inc. — payment processing for Organiser subscriptions. Stripe is an independent data controller for payment card data and processes it in accordance with their own privacy policy and PCI-DSS standards.

We require all sub-processors to process data only on our documented instructions and in accordance with UK GDPR.

Legal and regulatory disclosure

We may disclose your data to law enforcement, regulatory authorities or courts where we are required to do so by law, or where necessary to protect the safety, rights or property of Evnto or others.

Business transfers

If Evnto is acquired by or merges with another entity, your data may be transferred as part of that transaction. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.

6 International transfers

Our platform and primary data storage are hosted on servers located in the UK and/or the European Economic Area (EEA). We take care to ensure that any international transfer of personal data to countries outside the UK/EEA is subject to appropriate safeguards as required by UK GDPR, such as the UK International Data Transfer Agreement (IDTA) or equivalent adequacy mechanisms.

Brevo is headquartered in the EU and processes data within the EEA. Stripe is headquartered in the United States and relies on Standard Contractual Clauses and the UK IDTA for transfers of personal data. Further details are available in their respective privacy policies.

7 How long we keep your data

We retain your personal data only for as long as necessary for the purposes set out in this policy, or as required by law.

  • Active accounts: We retain your data for as long as your account is active.
  • Inactive accounts: If your account has had no activity for 12 months, we will email you at the address registered to your account to let you know that your account will be closed in 30 days unless you log in. If no login is recorded within that 30-day period, your account will be closed and treated as a closed account for the purposes of retention below.
  • Closed or terminated accounts: Where your account is closed (whether by you, by inactivity, or by us under the Terms of Service), we will retain your personal data for 12 months following the date of closure. After that period, your personal data will be anonymised. This window allows for dispute resolution, potential legal claims and compliance with financial record-keeping obligations. Anonymised records may be retained indefinitely.
  • Error and diagnostic logs: Retained for up to 90 days and then deleted.
  • Activity logs (records of actions taken within the platform such as logins, event views and application events): Retained for 12 months and then deleted or anonymised.
  • Communications (e.g. support emails): Retained for up to 3 years for dispute resolution purposes.
  • Legal retention obligations: Where we are required by law to retain identifiable data for longer (for example, financial records), we will do so and anonymise or delete it as soon as the legal obligation expires.
When we refer to "deleting" your account or data, this means anonymising your personal information so that you can no longer be identified. Regardless of how an account is closed, we retain personal data for 12 months before anonymising — meaning the maximum time we hold identifiable data from last activity is approximately 24 months (12 months to inactivity closure, plus 12 months retention). Structural records (such as booking history and event applications) are retained in anonymised form and are not removed.

8 Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or alteration. These include:

  • Encrypted HTTPS connections for all data in transit
  • Hashed password storage (plain-text passwords are never stored)
  • Access controls limiting who within Evnto can access personal data
  • Internal error logging to detect and respond to anomalies

No transmission over the internet is completely secure. While we take data security seriously and work to protect your information, we cannot guarantee the absolute security of data transmitted to or from the Service.

If you believe your account has been compromised, please contact us immediately at support@evnto.co.uk.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (the ICO) within 72 hours of becoming aware of it, and will notify you without undue delay where required.

9 Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can ask us to correct inaccurate or incomplete data.
  • Right to erasure — you can ask us to delete your personal data in certain circumstances (for example, where it is no longer necessary for the purpose it was collected). You can request account deletion directly within the platform or by contacting us.
  • Right to restriction of processing — you can ask us to pause processing of your data in certain circumstances.
  • Right to data portability — you can ask us to provide your data in a structured, machine-readable format where processing is based on your consent or a contract.
  • Right to object — you can object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds to continue.
  • Rights related to automated decision-making — we do not use your data for solely automated decision-making that has legal or significant effects on you.

To exercise any of these rights, please contact us at support@evnto.co.uk. We will respond within one month. We may need to verify your identity before processing your request.

These rights do not apply in all circumstances. Where we are unable to fulfil a request, we will explain why.

10 Children

The Service is not directed at, and is not intended to be used by, anyone under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at support@evnto.co.uk and we will delete it promptly.

11 Third-party links

The Service may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party sites, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party sites you visit.

12 Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the Service. We will notify you of material changes by email and by displaying a notice within the platform before the changes take effect.

The date at the top of this page shows when the policy was last updated.

13 How to contact us or complain

If you have any questions, concerns or complaints about how we handle your personal data, please contact us first — we will do our best to resolve any issue promptly.

Evnto — Privacy

📧 support@evnto.co.uk

Walthamstow, London

If you are not satisfied with our response, or believe we are processing your data unlawfully, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)

🌐 ico.org.uk

📞 0303 123 1113