Last Updated: 08/01/2026
Effective Date: 08/01/2026
Welcome to EventLyst ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and services (collectively, the "Service").
By using EventLyst, you agree to the collection and use of information in accordance with this Privacy Policy.
Age Requirement: EventLyst is intended for users aged 16 and older. Users under 16 are not permitted to use our Service.
Controller Information: EventLyst
University of Huddersfield
Queensgate, Huddersfield
HD1 3DH, United Kingdom
Email: eventlyst.app@gmail.com
Account Information:
Email address
Full name
University affiliation
Society memberships
Profile information (optional: profile picture, bio)
Event Information:
Events you create (title, description, date, time, location)
RSVPs and attendance confirmations
Poll responses
Comments and interactions within events
Communications:
Messages sent through the app
Support requests and correspondence
Feedback and survey responses
Device Information:
Device type and model
Operating system and version
Unique device identifiers
Mobile network information
Usage Information:
App features used
Time and duration of app usage
Interaction with events, societies, and other users
Push notification interactions
Location Information (if enabled):
Approximate location based on IP address
Precise location (only if you grant permission for location-based features)
Authentication Providers: If you sign up using a third-party service (e.g., Google, Apple), we receive basic profile information from that service as permitted by your privacy settings.
University Systems: With your consent, we may verify your university affiliation through official university systems.
We use your information for the following purposes:
Create and manage your account
Enable you to create and participate in events
Facilitate RSVP tracking and attendance management
Deliver push notifications about events and updates
Process poll responses and voting
Enable communication between society members
Analyze usage patterns and user preferences
Develop new features and functionality
Conduct research and analytics
Test and troubleshoot new features
Monitor and analyze trends and usage
Send event notifications and reminders
Provide customer support
Send administrative messages and updates
Respond to your inquiries and requests
Send marketing communications (with your consent)
Detect, prevent, and address fraud and abuse
Enforce our Terms of Service
Comply with legal obligations
Protect our rights and property
Ensure user safety and platform integrity
Under the General Data Protection Regulation (GDPR) and UK GDPR, we process your personal data under the following legal bases:
Consent: When you provide explicit consent (e.g., marketing communications, location access)
Contract: To perform our contract with you (providing the Service)
Legitimate Interests: For our legitimate business interests, such as:
Improving our Service
Ensuring security and preventing fraud
Analyzing usage and performance
Direct marketing (where permitted)
Legal Obligation: To comply with legal requirements
You have the right to withdraw consent at any time where we rely on consent as the legal basis.
Society Members: Information you share within societies (events, RSVPs, poll responses, comments) is visible to other members of that society.
Event Attendees: Your RSVP status and attendance may be visible to event organizers and other attendees, depending on event settings.
Society Administrators: Society admins can view member lists, event attendance, and engagement metrics for their societies.
We share information with trusted third-party service providers who help us operate our Service:
Authentication & Database:
Supabase (authentication and database services)
Location: EU servers (GDPR compliant)
Push Notifications:
Firebase Cloud Messaging (Google)
Used to send event notifications and updates
Cloud Infrastructure:
Railway.app (backend API hosting)
PostgreSQL database hosting
Analytics (if implemented):
[Analytics provider name]
Used to understand app usage and improve user experience
All service providers are contractually obligated to protect your data and use it only for the purposes we specify.
We may disclose your information if required to do so by law or in response to:
Court orders or legal processes
Government or regulatory requests
Law enforcement investigations
Protection of our rights, property, or safety
Protection of users or the public
If EventLyst is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
We may share your information for any other purpose with your explicit consent.
We retain your personal information for as long as necessary to:
Provide our Service to you
Comply with legal obligations
Resolve disputes
Enforce our agreements
Specific Retention Periods:
Account Data: Retained while your account is active and for 30 days after account deletion
Event Data: Retained for 2 years after event date for historical purposes, then anonymized or deleted
Communications: Retained for 1 year for support purposes
Analytics Data: Retained in aggregated, anonymized form indefinitely
Backup Data: Retained for 90 days in encrypted backups
You can request deletion of your data at any time by contacting us or deleting your account through the app.
We implement appropriate technical and organizational measures to protect your personal information:
Technical Measures:
Encryption in transit (TLS/SSL)
Encryption at rest for sensitive data
Secure authentication protocols
Regular security audits and updates
Access controls and authentication
Secure API endpoints
Organizational Measures:
Limited access to personal data (need-to-know basis)
Staff training on data protection
Data protection policies and procedures
Incident response procedures
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.
Under data protection law, you have the following rights:
You have the right to request a copy of the personal information we hold about you.
You have the right to correct inaccurate or incomplete personal information.
You have the right to request deletion of your personal information in certain circumstances.
You have the right to request that we limit how we use your personal information.
You have the right to receive your personal information in a structured, commonly used format and transfer it to another service.
You have the right to object to our processing of your personal information in certain circumstances (e.g., direct marketing, legitimate interests).
You have the right not to be subject to decisions based solely on automated processing that significantly affect you.
Where we rely on consent, you have the right to withdraw it at any time.
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: https://ico.org.uk/
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
To exercise any of these rights, please contact us at eventlyst.app@gmail.com
We will respond to your request within 30 days.
You can update your account information at any time through the app settings.
You can opt out of marketing emails by:
Clicking "unsubscribe" in any marketing email
Updating your preferences in app settings
Contacting us directly
You cannot opt out of service-related communications (e.g., account verification, event RSVPs you've made).
You can disable push notifications through:
App settings
Your device settings
You can disable location access through your device settings. This may limit certain features.
Our app may use cookies or similar tracking technologies. You can manage these through your device settings.
You can delete your account at any time through:
App settings → Account → Delete Account
Contacting us at eventlyst.app@gmail.com
Note: Account deletion is permanent and cannot be undone. All your data will be deleted within 30 days, except where we must retain it for legal obligations.
EventLyst is intended for users aged 16 and older.
We do not knowingly collect personal information from users under 16. If we discover that we have collected information from a user under 16, we will delete that information immediately.
If you are a parent or guardian and believe your child under 16 has provided us with personal information, please contact us at eventlyst.app@gmail.com
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from those in your country.
For users in the UK/EU:
We primarily use EU-based service providers (Supabase EU servers)
Where we transfer data outside the EU/UK, we ensure appropriate safeguards are in place:
Standard Contractual Clauses (SCCs)
Adequacy decisions by the European Commission
Privacy Shield frameworks (where applicable)
Our Service may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices of these third parties.
We encourage you to review the privacy policies of any third-party services you access through our app.
Multi-Tenant Architecture: EventLyst operates across multiple universities. Your data is logically separated by university and society. Users from other universities cannot access your information unless you are part of a shared society or event.
University Verification: We may verify your university affiliation using your university email address or official university systems. This verification information is used solely to confirm eligibility and is not shared with third parties.
Society Data: Society administrators have access to member lists, event data, and engagement metrics for their specific societies. This is necessary for society management purposes.
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.
We will notify you of material changes by:
Posting the updated policy in the app
Sending an email notification (for significant changes)
Displaying an in-app notification
Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
Right to Know: You have the right to request information about the personal information we collect, use, and disclose.
Right to Delete: You have the right to request deletion of your personal information.
Right to Opt-Out: You have the right to opt out of the "sale" of your personal information. Note: We do not sell personal information.
Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA rights.
To exercise these rights, contact us at eventlyst.app@gmail.com
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: eventlyst.app@gmail.com
Address:
EventLyst
University of Huddersfield
Queensgate, Huddersfield
HD1 3DH, United Kingdom
Response Time: We aim to respond to all inquiries within 30 days.
For questions specifically related to data protection and privacy, you may contact our Data Protection Officer:
Email: [INSERT DPO EMAIL]
Personal Information/Personal Data: Information that identifies or could reasonably be used to identify you.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Controller: The entity that determines the purposes and means of processing personal data (EventLyst).
Processor: An entity that processes personal data on behalf of the controller (e.g., our service providers).
GDPR: General Data Protection Regulation - EU data protection law.
UK GDPR: UK's version of GDPR post-Brexit.
CCPA: California Consumer Privacy Act - California's data protection law.
Data Category
Examples
Purpose
Legal Basis
Account Data
Email, name, university
Account creation & management
Contract
Event Data
Events created, RSVPs, attendance
Service functionality
Contract
Poll Data
Poll responses, votes
Engagement features
Contract
Usage Data
Features used, time in app
Service improvement
Legitimate Interest
Device Data
Device type, OS version
Technical support, compatibility
Legitimate Interest
Location Data
Approximate/precise location
Event location features
Consent
Communication Data
Support messages, feedback
Customer support
Legitimate Interest
Analytics Data
Aggregated usage patterns
Service improvement
Legitimate Interest
Document Version: 1.0
Last Reviewed: 08/01/2026
Next Review Date: 08/01/2027
This Privacy Policy is compliant with GDPR, UK GDPR, and CCPA requirements as of the effective date. We recommend periodic review by legal counsel to ensure ongoing compliance.