Data Processing Notes for Organisers

Bijgewerkt 11 Jun 2026

When you run an event on Cloomba, attendees give you their personal data — name, email, RSVP, sometimes answers to registration questions. Under GDPR, that makes you an independent data controller for that data, regardless of the fact that Cloomba stores it for you.

This page is a plain-language summary of the implications. It is not a substitute for legal advice for high-volume / corporate organisers.


Roles

DataControllerProcessor
Cloomba account data (yours and your guests')Cloomba
Guest lists, RSVP answers, check-in records on your eventsYou (organiser)Cloomba (we store and serve it on your behalf)
PaymentsStripe (their own role)

What this means for you as organiser

  • Be lawful: have a clear basis for collecting attendee data. For a free public event, "performance of a contract" (the RSVP) usually covers name and email. Anything beyond that — dietary requirements, t-shirt sizes, accessibility needs — should be optional and asked for a clear reason.
  • Be honest: tell attendees what you'll do with what they enter, especially with custom registration questions. A line in the event description is usually enough.
  • Be minimal: don't ask for more than you need. Every required field is data you become responsible for.
  • Respond to requests: if an attendee asks you to delete their RSVP or correct something, do it.
  • Don't reuse data: a Cloomba guest list is for running that event. Adding attendees to an external newsletter or contacting them about unrelated events requires their separate consent.
  • Handle exports carefully: the CSV export is personal data. Store it securely and delete it when you no longer need it.

What Cloomba does

  • Stores the data in the EU (Railway, Amsterdam).
  • Uses sub-processors limited to those needed to run the service (Stripe, Cloudflare, Firebase / Google for auth + push). See Privacy Policy.
  • Notifies you and the supervisory authority promptly in the event of a personal-data breach affecting your data.
  • Lets you delete an event (which removes the guest list) at any time.

Children

If your event is aimed at under-16s, you have additional consent obligations. Cloomba does not enable accounts for under-16s (Terms of Service §1).


Need a formal DPA?

For organisations whose internal policies or contracts require a formal Data Processing Agreement, contact us — we'll provide one signed by WhiteTown s.r.o.


Contact

WhiteTown s.r.o.
Narcisova 38, 821 01 Bratislava, Slovak Republic
[email protected]