Privacy Policy

Atualizado a 14 Jul 2026

This policy explains what personal data Cloomba collects, why we collect it, how we use it, and what rights you have. It applies to everyone who uses Cloomba — organisers, attendees, and visitors.

Cloomba is operated by WhiteTown s.r.o., Narcisova 38, 821 01 Bratislava, Slovak Republic (IČO: 47878606). We are the data controller for the personal data described in this policy.


1. Data we collect

Account data — when you sign in we collect your email address or phone number and, if you use Google or Apple sign-in, your display name and profile photo as provided by those services.

Profile data — your chosen username, bio, and any links you add to your public profile.

Event data — event titles, descriptions, locations, dates, cover images, and other details you enter when creating or editing an event.

Attendance data — RSVP status, ticket type, check-in records, and any answers you provide to organiser registration questions.

Media — photos and videos you upload to event media walls, together with any captions you add.

Communications — messages sent via event updates, and your notification preferences.

Technical data — IP address, browser type, device type, and usage logs collected automatically when you use the platform. We use this data to operate the service securely and to fix bugs.

Payment data — if you purchase a ticket, payment is processed by Stripe. Cloomba does not store your card details. We receive confirmation of payment and payout-related data from Stripe.


2. Why we collect it and our legal basis

PurposeLegal basis
Creating and managing your accountContract (Art. 6(1)(b) GDPR)
Letting you create, publish, and manage eventsContract
Processing ticket purchases and payoutsContract
Sending transactional emails (RSVP confirmations, reminders)Contract
Sending push notifications you have enabledConsent (Art. 6(1)(a))
Sending notifications to a Telegram account you connectConsent (Art. 6(1)(a))
Operating the platform securely and preventing abuseLegitimate interests (Art. 6(1)(f))
Complying with legal obligations (VAT, accounting)Legal obligation (Art. 6(1)(c))

We do not use your data for advertising or sell it to third parties.


3. Who we share data with

We share data only where necessary to operate the service:

  • Stripe — payment processing and organiser payouts. Stripe is a data processor acting on our instructions. See Stripe's privacy policy.
  • Firebase (Google) — authentication and push notification delivery. See Google's privacy policy.
  • Cloudflare — content delivery and DDoS protection for media files.
  • Railway — our server infrastructure, hosted in EU West (Amsterdam, Netherlands).
  • Telegram (optional) — only if you connect your Telegram account in Settings → Preferences. We then share your Telegram chat ID and the content of the notifications you have enabled for Telegram with Telegram FZ-LLC, which operates outside the EU. This is optional, based on your consent, and you can disconnect at any time.

All processors are contractually bound to handle your data in accordance with GDPR.

We do not transfer personal data outside the European Economic Area except where a valid transfer mechanism applies (e.g. Standard Contractual Clauses with Stripe and Google), or where you have explicitly chosen to receive notifications via Telegram, which we rely on your consent to do (Art. 49(1)(a) GDPR).


4. Organiser access to attendee data

When you RSVP to an event, the organiser can see your name, profile photo, RSVP status, and any answers you gave to their registration questions. This is necessary to run the event. Organisers are independent data controllers for this data and must handle it in accordance with GDPR.

Your email address and phone number. An organiser may switch on email or phone collection for their event. When they have, the RSVP form asks you for it and tells you, at that moment, that the organiser will receive it. If you provide it, it appears in that event’s guest list and CSV export.

This is separate from the email address or phone number on your Cloomba account, which we do not give to organisers. We may email you on an organiser’s behalf — an invitation, or an announcement about an event you are attending — without disclosing your address to them. Every such email carries an unsubscribe link.

Other attendees. An organiser can choose to make the guest list visible to the people attending. Other attendees then see your name and profile photo — never your email address, phone number, registration answers, or what you paid.


5. How long we keep your data

DataRetention
Account and profile dataUntil you delete your account
Event and attendance records3 years after the event date
Payment and payout records10 years (legal accounting obligation)
Technical logs90 days
Deleted contentRemoved within 30 days of deletion

6. Your rights

Under GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data where we no longer have a lawful basis to hold it.
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent (e.g. push notifications), you can withdraw it at any time in your account settings.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Slovak data protection authority: Úrad na ochranu osobných údajov SR (dataprotection.gov.sk).


7. Cookies

We use a small number of essential cookies to keep you signed in and remember your language preference. We do not use advertising or tracking cookies. See our Cookie Policy for details.


8. Security

We use industry-standard measures to protect your data: encrypted connections (HTTPS), access controls, and regular security reviews. In the event of a data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority as required by GDPR.


9. Children

Cloomba is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with their data, contact us and we will delete it promptly.


10. Changes to this policy

We will notify you of material changes by email at least 14 days before they take effect. The current version is always available at cloomba.com/legal/privacy.


11. Contact

WhiteTown s.r.o.
Narcisova 38, 821 01 Bratislava, Slovak Republic
[email protected]