Privacy

Privacy Policy

Last updated: January 2025

1. Privacy at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit our website or use our SaaS platform. Personal data is any data by which you can be personally identified.

This Privacy Policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done. We treat your personal data confidentially and in accordance with applicable data protection laws and this Privacy Policy.

Data Collection on Our Website

Data processing on this website is carried out by the website operator. You can find their contact details in the "Data Controller" section of this Privacy Policy.

Your data is collected partly because you provide it to us — for example, data you enter in a registration form, contact form, or sign-up. Other data is collected automatically or with your consent when you visit the website by our IT systems.

2. Data Controller

The data controller for data processing on this website is:

Quick-Event — a brand of ThePlus UG (haftungsbeschränkt)
Hüchtingstraße 5
28816 Stuhr
Germany

Email: info@quick-event.com

The data controller is the natural or legal person who, alone or jointly with others, decides on the purposes and means of processing personal data (e.g., names, email addresses, etc.).

3. Your Rights

You have the right to receive free information at any time about the origin, recipients, and purpose of your stored personal data. You also have the right to request the correction or deletion of this data.

Your rights at a glance:

  • Right of access (Art. 15 GDPR)
  • Right to rectification of inaccurate data (Art. 16 GDPR)
  • Right to erasure ("right to be forgotten", Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

If you have given consent to data processing, you may withdraw it at any time with effect for the future. Data processing that has already taken place is not affected by this.

4. Hosting, Content Delivery, and Email Dispatch

Cloudflare Workers

We host our website and SaaS platform on Cloudflare Workers. The provider is:

Cloudflare, Inc.
101 Townsend St.
San Francisco, CA 94107
USA

Cloudflare Workers provides us with a secure hosting infrastructure with global availability. For EU users, processing is automatically handled via EU locations, as Cloudflare operates a distributed network with over 300 locations worldwide and processes requests via the geographically nearest location.

EU Data Processing

Cloudflare operates a global network with numerous EU locations, including Frankfurt, Amsterdam, Paris, Munich, Madrid, and others. EU users are automatically served via these EU locations, ensuring GDPR-compliant data processing within the EU.

Amazon SES Frankfurt (Email Dispatch)

For sending emails, we use Amazon Simple Email Service (SES) via the EU region Frankfurt. The provider is:

Amazon Web Services, Inc.
410 Terry Avenue North
Seattle, WA 98109
USA

Our email dispatch takes place exclusively via Amazon SES in the Frankfurt Region (eu-central-1):

  • Region: EU (Frankfurt) — eu-central-1
  • API Endpoint: ses.eu-central-1.amazonaws.com
  • SMTP Server: email-smtp.eu-central-1.amazonaws.com
  • Data Processing: Exclusively within the EU

The use of Amazon SES in the Frankfurt Region ensures that all email-related data processing takes place within the EU and complies with GDPR requirements. AWS holds comprehensive data protection certifications (ISO 27017, ISO 27701, ISO 27018) and standard contractual clauses for international data transfers.

Email processing covers: dispatch of transactional emails, event invitations, confirmations, reminders, and system notifications. Processing is based on Art. 6(1)(b) GDPR for contract performance and Art. 6(1)(f) GDPR based on our legitimate interest in communicating with users.

Details on AWS data processing can be found in the AWS Privacy Notice: https://aws.amazon.com/privacy/ and GDPR-specific information: https://aws.amazon.com/compliance/gdpr-center/

Security Features

Cloudflare provides various security services that are processed automatically:

  • Web Application Firewall (WAF): Protection against malicious requests and attacks
  • DDoS Protection: Automatic detection and mitigation of DDoS attacks
  • Bot Management: Detection and filtering of automated traffic
  • SSL/TLS Encryption: Automatic end-to-end encryption of all connections

When using these security services, IP addresses, request timestamps, and metadata are processed. This processing is necessary to protect our website and is based on Art. 6(1)(f) GDPR.

Details on Cloudflare data processing can be found in the Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/

5. Database and Storage

NEON Database

For persistent storage of your data, we use NEON Database. The provider is:

Neon, Inc.
425 1st Street
San Francisco, CA 94105
USA

Our database servers are located in Frankfurt, Germany (EU region). The database connection is made via Cloudflare Hyperdrive, a service provided by Cloudflare that ensures a secure, encrypted connection to regional databases.

Cloudflare Hyperdrive

Hyperdrive is a Cloudflare service for secure database connections. Hyperdrive provides:

  • SSL/TLS Encryption: End-to-end encryption of all database connections
  • Secure Connection Management: Controlled and authenticated database access
  • Regional Security: Connections are managed in secure EU data centers

Security Measures

  • EU Location: Data processing takes place exclusively within the EU (Frankfurt)
  • Encrypted Transmission: All connections between Workers and database are SSL/TLS-encrypted
  • Access Control: Strict authentication and authorization
  • Regular Backups: Automatic, encrypted data backups
  • Security Infrastructure: Additional security layer through Cloudflare's security architecture

Data processing is based on Art. 6(1)(b) GDPR for contract performance and Art. 6(1)(f) GDPR based on our legitimate interest in secure data storage.

6. Analytics Tools and Tracking

Google Analytics (via Cloudflare Zaraz)

This website uses Google Analytics to analyze user behavior. Google Analytics is integrated exclusively via Cloudflare Zaraz and is only activated if you have explicitly consented via the cookie banner.

The provider of Google Analytics is:

Google Ireland Limited
Gordon House, Barrow Street
Dublin 4
Ireland

Cloudflare Zaraz

We use Cloudflare Zaraz as a consent management platform and for GDPR-compliant integration of tracking tools. Zaraz provides the following privacy and security benefits:

  • Consent Management: Tracking is only activated after explicit consent
  • Data Minimization: Only necessary data is transmitted
  • EU Processing: Processing takes place via EU servers
  • Secure Data Transmission: Encrypted transmission of all analytics data

Processing only takes place with your explicit consent pursuant to Art. 6(1)(a) GDPR. You can withdraw your consent at any time by adjusting the cookie settings.

Data Collected

Google Analytics collects the following data (only with consent):

  • Pages visited and time spent
  • Technical information (browser, operating system, screen resolution)
  • Anonymized IP addresses
  • Referrer URLs
  • Usage statistics (anonymized and aggregated)

IP anonymization is activated, so your IP address is truncated within EU member states. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there.

7. SSL/TLS Encryption

This website uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content. You can recognize an encrypted connection by the fact that the address bar in your browser changes from "http://" to "https://" and by the padlock symbol in your browser bar.

When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties. Our entire infrastructure (website, API, database connections) exclusively uses encrypted connections.

8. Customer Accounts and Event Registration

We distinguish between two types of users of our platform, which result in different data processing:

Customer Registration (Event Organizers)

Event organizers can register on our website to gain access to our SaaS platform and create and manage events. This constitutes a contract for the use of our services.

The following mandatory information is collected during customer registration:

  • Email address (as username and for communication)
  • Name (first and last name of the contact person)
  • Company name/organization (optional)
  • Password (stored in encrypted form)

Additional information may be provided optionally to complete the profile. Processing is based on Art. 6(1)(b) GDPR for contract performance.

Event Participants (Guests without a Customer Account)

Event participants register directly for specific events without creating a customer account with us. They interact exclusively with the event pages of our customers. In this case, we act as a data processor for the respective event organizer.

The following data may be collected during event registration (depending on configuration by the event organizer):

  • Name and contact details
  • Event-specific information (e.g., dietary requirements, hotel rooms)
  • Attendance confirmations and check-in status
  • Payment information (processed via Stripe)

Important Note: The respective event organizer (our customer) is legally responsible for event participant data. Please address questions about your participant data directly to the organizer.

Data Deletion

Customer Account Data: Data collected during customer registration is stored for as long as the customer account exists. Upon account deletion, data is deleted unless statutory retention periods apply.

Event Participant Data: This is managed in accordance with the requirements of the respective event organizer and applicable retention periods.

9. Data Processing for Event Organizers

As a SaaS platform for event management, we process participant data on behalf of our customers (event organizers) for their events. In this relationship, we act as a data processor within the meaning of Art. 28 GDPR.

Different Data Processing Roles

For our customers (event organizers): We are the controller for their customer account data and the provision of our SaaS services.

For event participants: We are the data processor and process their data exclusively on behalf of and in accordance with the instructions of the respective event organizer.

Participant Data Processed

Depending on the event configuration by our customers, the following participant data may be processed:

  • Name and contact details of event participants
  • Event-specific registration data and preferences
  • Selection of options (e.g., workshops, meals, accommodation)
  • Check-in status and attendance confirmations
  • Payment data (processed via Stripe as payment service provider)

Legal Basis and Responsibility

Controller for Participant Data: The respective event organizer (our customer) is the data controller for all participant data of their event and determines the purposes and means of data processing.

Our Role: We process participant data exclusively in accordance with the instructions of the event organizer and on the basis of a data processing agreement pursuant to Art. 28 GDPR.

Your Rights as Event Participant: For questions about your participant data, or requests for access, correction, or deletion, please contact the respective event organizer directly, as they are the data controller.

10. Retention Periods

The retention period depends on the role in which we process your data:

Customer Account Data (Event Organizers)

For data for which we are the controller:

  • Customer Account Data: Until deletion of the customer account
  • Billing Data: 10 years (statutory tax retention obligation)
  • Contract Data: 6 years after contract end (§ 257 HGB)
  • Support Communications: 3 years after last contact

Event Participant Data (Data Processing)

For participant data for which we are the data processor:

  • Event Participant Data: As required by the event organizer, maximum 7 years after the event
  • Check-in Data: In accordance with the deletion requirements of the event organizer
  • Payment Data: In accordance with payment service provider requirements (Stripe)

Technical Data

System-related data independent of user role:

  • Server Logs: Maximum 30 days
  • Analytics Data: 26 months (Google Analytics standard, only with consent)
  • Security Logs: 12 months for security purposes

Deletion Requests: Customers may request the deletion of their customer account data at any time. Event participants should contact the respective event organizer for deletion requests.

11. International Data Transfers

Parts of our data processing take place with service providers based outside the European Union. This particularly concerns:

  • Cloudflare (USA): EU-US Data Privacy Framework and standard contractual clauses
  • Amazon Web Services/SES (USA): EU-US Data Privacy Framework and standard contractual clauses — however, data processing takes place exclusively via EU infrastructure (Frankfurt Region eu-central-1)
  • Google Analytics (USA): EU-US Data Privacy Framework and standard contractual clauses

All transfers are based on adequacy decisions by the EU Commission or using appropriate safeguards pursuant to Art. 46 GDPR (in particular, standard contractual clauses).

Special safeguards for email dispatch: Although Amazon Web Services is a US company, all email processing for our EU customers takes place exclusively via the Frankfurt Region (eu-central-1) of Amazon SES, ensuring GDPR-compliant data processing within the EU.

12. Contact and Complaints

For questions about the collection, processing, or use of your personal data, or for requests for information, correction, blocking, or deletion of data, and revocation of granted consents, please contact:

Quick-Event — a brand of ThePlus UG (haftungsbeschränkt)
Hüchtingstraße 5
28816 Stuhr
Germany

Email: info@quick-event.com

Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of personal data. The competent authority is the supervisory authority of your habitual residence, your place of work, or our company's registered office.

The competent authority for our company is:
The State Commissioner for Data Protection Lower Saxony
Prinzenstraße 5
30159 Hanover
Website: https://lfd.niedersachsen.de