Privacy Policy of into.events

1. Data Controller

The controller of personal data processed in connection with the use of the into.events website (hereinafter: "Service") is:

(hereinafter: "Controller").

Contact for data protection matters: [email protected]

Data Protection Officer (DPO): The Controller has not appointed a DPO. All data protection questions and requests should be directed to: [email protected].

2. Scope of this Policy

This Policy sets out the rules for processing the personal data of:

• Users accessing the Service without creating an Account,
• Users with an Account in the Service,
• persons contacting the Controller electronically.

This Policy fulfils the information obligation under Articles 13 and 14 of the GDPR. The rules for the use of cookies are described in a separate Cookie Policy.

3. Purposes and Legal Bases for Processing

3.1. Account Service

• Purpose: creating and maintaining a User Account, authentication, features available after login.
• Legal basis: Article 6(1)(b) GDPR — performance of a contract.
• Data categories: email, password (hashed), first name, date of birth (for age 16+ verification), athlete profile data.
• Retention period: duration of Account + 30-day soft-delete, then anonymisation.

3.2. Email Marketing Newsletter

• Purpose: sending a newsletter with information about new Events, promotions, editorial content.
• Legal basis: Article 6(1)(a) GDPR (consent); additionally Article 10(2) of the Polish Act on the provision of electronic services.
• Data categories: email, first name, preferences (discipline, region).
• Retention period: until consent is withdrawn; consent log — 3 years after withdrawal (burden of proof, Article 7(1) GDPR).

3.3. SMS Marketing Notifications

• Purpose: sending SMS notifications about Event registrations, promotions.
• Legal basis: Article 6(1)(a) GDPR; additionally Article 172 of the Polish Telecommunications Law (separate consent for telephone marketing).
• Data categories: phone number.
• Retention period: until consent is withdrawn; log — 3 years.

3.4. Profiling for Targeted Advertising

• Purpose: tailoring Service advertisements presented to the User on third-party services (Meta, Google, TikTok) based on activity in the Service.
• Legal basis: Article 6(1)(a) GDPR — consent.
• Data categories: cookie/pixel identifiers, IP addresses, analytics events, and upon conversion — hashed contact data (email/phone) transmitted via Meta Conversions API / Google Enhanced Conversions / TikTok Events API.
• Retention period: until consent is withdrawn; events — in accordance with sub-processor policies (typically 14–24 months).

3.5. Service Analytics

• Purpose: traffic analysis, product optimisation, measuring marketing campaign effectiveness.
• Legal basis: Article 6(1)(a) GDPR (consent); when consent is refused, analytics operates in anonymised mode (Consent Mode v2 "denied" with statistical modelling).
• Data categories: GA4 identifiers, IP addresses (anonymised), analytics events.
• Retention period: GA4: 14 months; server logs: 30 days.

3.6. Transactional Communication

• Purpose: service messages (confirmations, password resets, notifications of changes to Terms or Policy).
• Legal basis: Article 6(1)(b) GDPR; Article 6(1)(c) GDPR.
• Retention period: email logs — 3 years.

3.7. Handling Complaints and Enquiries

• Purpose: processing complaints, responding to enquiries.
• Legal basis: Article 6(1)(b) GDPR; Article 6(1)(f) GDPR.
• Retention period: 3 years from the last correspondence.

3.8. Fulfilling Legal Obligations

• Legal basis: Article 6(1)(c) GDPR.
• Retention period: in accordance with applicable regulations (typically 3–5 years).

4. Recipients of Data (Sub-processors)

The Controller uses the services of trusted processors under data processing agreements (Article 28 GDPR):

Full up-to-date list of sub-processors available on request at [email protected].

Data may also be shared with:

• public authorities — exclusively on the basis of applicable law,
• the Controller's legal and accounting advisors — to the extent necessary, under processing agreements or professional secrecy.

5. Transfers Outside the EEA

To the extent that sub-processors process data outside the EEA, the Controller ensures an adequate level of protection through Standard Contractual Clauses (SCC), the EU-US Data Privacy Framework (DPF) and European Commission adequacy decisions. Copies of safeguards are available on request at [email protected].

6. User Rights

Users have the following rights:

1. Right of access to data (Article 15 GDPR).
2. Right to rectification of data (Article 16 GDPR).
3. Right to erasure — "right to be forgotten" (Article 17 GDPR).
4. Right to restriction of processing (Article 18 GDPR).
5. Right to data portability (Article 20 GDPR).
6. Right to object (Article 21 GDPR).
7. Right to withdraw consent (Article 7(3) GDPR) — at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal.
8. Right to lodge a complaint (Article 77 GDPR) — with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl).

To exercise the above rights, please contact [email protected]. The Controller processes requests within 30 days; in particularly complex cases, the period may be extended by a further two months.

7. Automated Decision-Making and Profiling

1. The Controller uses profiling to display targeted Service advertisements on third-party services — exclusively after obtaining separate User consent (Section 3.4).
2. Profiling does not produce legal effects for the User or similarly significantly affect them (Article 22(1) GDPR).
3. The User may withdraw consent to profiling at any time in Account settings or at [email protected].

8. Data Security

The Controller applies appropriate technical and organisational measures (Article 32 GDPR):

• connection encryption (TLS/SSL — HTTPS),
• password encryption (one-way hash functions with salt),
• regular backups,
• access control (RBAC + 2FA for administrators),
• infrastructure security updates,
• data processing agreements with sub-processors containing security guarantees.

In the event of a personal data breach, the Controller notifies the supervisory authority within 72 hours (Articles 33–34 GDPR).

9. Cookies and Similar Technologies

The rules for the use of cookies, the full list of cookies, sub-processors using cookie technologies, and the way to withdraw or change consent are described in the separate Cookie Policy.

10. Data of Persons Under 16

The Service is not directed at persons under 16. The Controller does not knowingly collect personal data from children below this age. If the Controller learns that a person under 16 has created an Account, it will promptly take steps to delete such Account and related data.

If you suspect that a person under 16 has provided their data without the consent of a legal guardian, please contact: [email protected].

11. Changes to the Privacy Policy

The Controller reserves the right to make changes to this Policy in the event of a change in applicable law, the scope of Services, sub-processors or Service features. The Controller notifies Users with an Account of material changes at least 14 days before they take effect (email + publication in the Service).

12. Contact

All data protection questions, requests and notifications: