CE corporateevents.at

Privacy Policy

Last updated: · Effective: · Version 1.0

This Privacy Policy explains how corporateevents.at ("we", "us", "our") collects, uses, shares, and protects personal information when you visit the Site or use our services.

For California residents, see the CCPA / CPRA Notice. For EU/UK/EEA residents, see the GDPR / UK Notice.

1. Information we collect

1a. Information you provide directly

  • Lead form submissions: name, email, phone, event type, event date, expected guest count, budget band, optional message, and TCPA consent record (timestamp, IP hash, user agent, form URL, exact consent text).
  • Reviews you submit: name (or display name), email (for verification, never published), rating, review text.
  • Venue claim requests: claimant name, email, business affiliation evidence (e.g., business email matching the venue's domain).
  • Privacy requests (DSRs): identity verification information you submit to exercise rights.
  • Voluntary correspondence: any information you send to book@corporateevents.at.

1b. Information collected automatically

  • Server logs: IP address, user-agent, referrer, request URL, response status, timestamps.
  • Privacy-preserving analytics: Cloudflare Web Analytics (cookieless) and Google Analytics 4 (with consent — see Cookie Preferences).
  • Cookies: minimal essential cookies (consent record, session). Optional analytics + advertising cookies set only with your explicit consent.

1c. Information from third parties

  • Public business listings: venue names, addresses, phone numbers, hours, photos, and aggregated ratings from public sources (e.g., Google Maps via BrightData / Outscraper).
  • Phone validation: phone number type (mobile, landline, VOIP) via Twilio Lookup, used solely to detect fraudulent submissions.

2. How we use information

  • To provide the Site and services (rendering venue listings, processing lead submissions, hosting reviews).
  • To match planners' lead submissions with eligible venue advertisers in the requested category and city.
  • To verify identity for review submissions, claim requests, and DSRs (via magic-link email).
  • To detect and prevent fraud, spam, abuse (Cloudflare Turnstile, rate limiting, phone validation).
  • To comply with legal obligations (TCPA consent retention, tax reporting, lawful requests).
  • To improve the Site (aggregated analytics, A/B testing — never tied to identifiable individuals without consent).
  • To communicate with you about lead submissions, reviews, claims, account changes, or important Site updates.

3. Legal bases for processing (GDPR)

For EU/UK/EEA visitors:

  • Contract: processing necessary to provide the requested service (e.g., delivering your lead inquiry to selected venues).
  • Legitimate interests: spam prevention, security, aggregated analytics — balanced against your rights.
  • Consent: non-essential cookies, marketing communications, TCPA (phone outreach).
  • Legal obligation: tax records, retention required by law.

You may withdraw consent at any time without affecting the lawfulness of prior processing. See GDPR / UK Notice for full details.

4. How we share information

We do not sell personal information to third parties for their own marketing.

We share limited information with:

  • Venue advertisers who purchase your lead inquiry — receive your name, email, phone, event type, event date, guest count band, budget band, and message. They receive this only because you submitted a quote request and explicitly consented (TCPA checkbox). Up to three venues may receive the same lead at standard tier (shared model).
  • Service providers acting on our behalf under contractual confidentiality:
    • Cloudflare (hosting, CDN, security, analytics, email routing)
    • Resend (transactional email delivery)
    • Twilio (phone-number validation only — no calls or texts initiated by us)
    • Stripe (advertiser billing — never used for planner data)
    • Google Analytics 4 (with consent — cookieless analytics where possible)
  • Legal compliance: in response to lawful requests (subpoenas, court orders) or to protect our rights and the safety of others.
  • Business transfers: in the event of a merger, acquisition, or sale of assets, with notice to affected users.

5. Your rights

You have rights to access, correct, delete, port, and object to processing of your personal information. EU/UK/EEA residents have additional rights under GDPR; California residents have rights under CCPA/CPRA; Colorado/Connecticut/Virginia/Utah/etc. residents have rights under their respective state privacy laws.

Submit any request via the Privacy Requests portal or by emailing book@corporateevents.at. We acknowledge requests within 10 days and fulfill within 45 days (CCPA); 30 days (GDPR), with a possible 60-day extension when needed (we'll notify you).

6. Data retention

  • Lead submissions: 24 months from submission, then deleted, unless retention is required by law (e.g., TCPA evidence — 4 years).
  • TCPA consent records: 4 years from last contact (TCPA SOL + buffer).
  • User-submitted reviews: indefinitely (you can request deletion at any time via DSR).
  • Server logs: 90 days, then aggregated or deleted.
  • Analytics data: aggregated only, indefinite retention with no ability to re-identify.
  • Account data (for advertisers + reviewers): until account deletion + 30-day soft-delete grace period.

7. Data security

We use industry-standard safeguards: TLS encryption in transit, encryption at rest (Cloudflare R2 + D1), restricted access controls (Cloudflare Zero Trust + Google SSO for admin), Turnstile + rate-limiting for forms, regular security review of dependencies. No system is perfectly secure; we will notify affected users of any breach involving personal information as required by law.

8. Children's privacy

The Site is intended for adults using it in a professional capacity (event planning). We do not knowingly collect personal information from children under 13 (or under 16 in the EU/UK). If you believe we have inadvertently collected such information, contact us and we'll delete it promptly.

9. International transfers

Our infrastructure (Cloudflare) may process data in regions outside your own. For EU/UK/EEA residents, transfers to the US rely on Standard Contractual Clauses or other approved mechanisms. See GDPR / UK Notice.

10. Changes to this policy

We may update this policy. The "Last updated" and "Version" metadata at the top of this page reflect the most recent change. Material changes will be notified via banner on the Site for at least 30 days.

11. Contact

Privacy questions: book@corporateevents.at (subject "Privacy"). Formal data subject requests: /privacy-requests/.

Our network

We value your privacy

We use cookies to make this site work, measure performance, and (with your consent) personalize content and ads. You can choose what you're comfortable with. See our Privacy Policy.