Data Processing Notes for Organisers
When you run an event on Cloomba, attendees give you their personal data — name, email, RSVP, sometimes answers to registration questions. Under GDPR, that makes you an independent data controller for that data, regardless of the fact that Cloomba stores it for you.
This page is a plain-language summary of the implications. It is not a substitute for legal advice for high-volume / corporate organisers.
Roles
| Data | Controller | Processor |
|---|---|---|
| Cloomba account data (yours and your guests') | Cloomba | — |
| Guest lists, RSVP answers, check-in records on your events | You (organiser) | Cloomba (we store and serve it on your behalf) |
| Payments | Stripe (their own role) | — |
What this means for you as organiser
- Be lawful: have a clear basis for collecting attendee data. For a free public event, "performance of a contract" (the RSVP) usually covers name and email. Anything beyond that — dietary requirements, t-shirt sizes, accessibility needs — should be optional and asked for a clear reason.
- Be honest: tell attendees what you'll do with what they enter, especially with custom registration questions. A line in the event description is usually enough.
- Be minimal: don't ask for more than you need. Every required field is data you become responsible for.
- Respond to requests: if an attendee asks you to delete their RSVP or correct something, do it.
- Don't reuse data: a Cloomba guest list is for running that event. Adding attendees to an external newsletter or contacting them about unrelated events requires their separate consent.
- Handle exports carefully: the CSV export is personal data. Store it securely and delete it when you no longer need it.
What Cloomba does
- Stores the data in the EU (Railway, Amsterdam).
- Uses sub-processors limited to those needed to run the service (Stripe, Cloudflare, Firebase / Google for auth + push). See Privacy Policy.
- Notifies you and the supervisory authority promptly in the event of a personal-data breach affecting your data.
- Lets you delete an event (which removes the guest list) at any time.
Children
If your event is aimed at under-16s, you have additional consent obligations. Cloomba does not enable accounts for under-16s (Terms of Service §1).
Need a formal DPA?
For organisations whose internal policies or contracts require a formal Data Processing Agreement, contact us — we'll provide one signed by WhiteTown s.r.o.
Contact
WhiteTown s.r.o.
Narcisova 38, 821 01 Bratislava, Slovak Republic
[email protected]