Last updated: March 14, 2026
Eventually (“we”, “us”, or “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our event management platform at eventually.one and any associated services (collectively, the “Service”). Please read this policy carefully. If you do not agree with the terms of this policy, please do not access or use the Service.
Eventually is the data controller for personal data collected through the platform. For the purposes of the General Data Protection Regulation (GDPR) and UK GDPR, we are responsible for deciding how and why your personal data is processed. If you have questions about this policy or our data practices, you may contact us at hello@eventually.one.
We collect personal data in the following categories:
When you create an Eventually account, we collect your name, email address, and a hashed password. We do not store plain-text passwords. If you sign in via a third-party OAuth provider (e.g. Google), we receive your name and email from that provider.
Event organizers provide event details including title, description, date, location, and images. Attendees who register for events provide their name, email address, and any additional fields required by the organizer (such as dietary preferences, company name, or ticket tier selection). We store registration status, check-in timestamps, and QR code tokens.
We do not store raw payment card data. Payment processing is handled by Stripe. When you purchase a ticket, Stripe collects and processes your card details directly. We receive a payment confirmation and a Stripe customer/payment-intent ID. If you are an organizer using Stripe Connect, we also collect your Stripe Connect account ID for payout purposes.
We store the content of emails and notifications sent through the platform (event confirmations, reminders, blast emails) as well as delivery status. We also store phone numbers if organizers enable SMS or WhatsApp reminders for their events.
If you consent to analytics cookies, we collect information about how you interact with the platform, including pages visited, features used, and session duration. We also collect technical data such as your IP address, browser type, operating system, and referring URL for security and platform stability purposes.
Eventually includes an AI writing assistant powered by third-party AI providers (currently MiniMax AI). When you use the AI assistant to generate event descriptions or other content, your input text is sent to MiniMax AI for processing. Please do not include sensitive personal data in AI assistant prompts. See Section 7 for more information about AI processing.
We use your personal data for the following purposes:
For users in the European Economic Area, United Kingdom, and Switzerland, we rely on the following legal bases under the GDPR:
We use the following categories of cookies:
Essential cookies are required for the platform to function. They include your authentication session token, CSRF protection tokens, and your cookie consent preferences. These cookies cannot be disabled without preventing you from using the Service.
With your consent, we use analytics tools to understand how the platform is used. Analytics data is aggregated and does not identify you individually. You may opt out at any time via our cookie consent banner or by contacting us.
We do not currently use marketing or advertising cookies. If we introduce them in the future, we will update this policy and request your consent before setting them.
Your consent preferences are stored in your browser's local storage under the key cookie_consent. You may clear this at any time to reset your preferences.
We share your data with the following sub-processors to deliver the Service:
| Processor | Purpose | Data transferred |
|---|---|---|
| Supabase | Database hosting, authentication, file storage | All personal data stored in the platform |
| Stripe | Payment processing, Stripe Connect payouts | Name, email, payment details, payout information |
| Resend | Transactional and blast email delivery | Name, email address, email content |
| MiniMax AI | AI writing assistant for event content generation | Text input provided to the AI assistant |
| Vercel | Web hosting and serverless function execution | Request data, IP addresses (for security) |
| Twilio (optional) | SMS and WhatsApp reminders (when enabled by organizer) | Phone number, reminder message content |
Each processor is bound by a Data Processing Agreement and must handle your data in accordance with GDPR requirements. We do not sell your personal data to third parties.
Eventually's AI writing assistant is powered by MiniMax AI. When you use the assistant to generate event descriptions, email templates, or other content:
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we use appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms. Supabase, Stripe, Resend, and Vercel are all covered by appropriate transfer mechanisms under GDPR Article 46.
We retain personal data for as long as necessary to provide the Service and comply with legal obligations:
We implement appropriate technical and organizational security measures to protect your personal data, including:
Despite these measures, no system is 100% secure. If you become aware of a security vulnerability, please report it responsibly to hello@eventually.one.
If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR:
You have the right to request a copy of all personal data we hold about you, the purposes for which we process it, and the categories of data involved. We will provide this within 30 days of a verified request.
You have the right to request correction of inaccurate or incomplete personal data. You may update most account information directly in your profile settings. For other corrections, contact us at hello@eventually.one.
You may request deletion of your personal data where it is no longer necessary for the purposes collected, you have withdrawn consent, or you object to processing. Deletion requests are processed within 30 days. Note that some data may be retained where required by law (e.g., financial records for tax compliance) or to exercise or defend legal claims.
You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV). You may request a data export from your account settings dashboard. All data exports are logged in our audit log.
You have the right to object to processing based on legitimate interests, including profiling. You may also object to direct marketing at any time. To object, contact us at hello@eventually.one.
You may request that we restrict processing of your data (i.e., store it but not use it) in certain circumstances, such as while we verify a rectification request or following an objection while we assess whether our legitimate grounds override yours.
We do not make solely automated decisions that produce legal or similarly significant effects about individuals. Our AI assistant generates content suggestions only - all decisions remain with you.
To exercise any of the rights above:
We may need to verify your identity before processing your request. We will respond within 30 days. If we cannot comply, we will explain why and inform you of your right to complain to a supervisory authority.
If you are in the EU/EEA and believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us at hello@eventually.one and we will promptly delete the data.
Where we process your data based on consent (analytics cookies, marketing emails), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent:
cookie_consent key in browser local storage and reload the page.When registering for an event, attendees are presented with a GDPR consent checkbox. This checkbox confirms that the attendee consents to the event organizer processing their registration data for the purposes of event management, check-in, and communications related to the event. The timestamp of consent is stored alongside the registration record. Organizers are responsible for handling attendee data in compliance with applicable data protection laws.
When you register for an event, your registration data (name, email, registration status, check-in status, and any custom form field responses) is accessible to the event organizer and their authorized team members. Organizers are independent data controllers for this data and are responsible for their own compliance with applicable privacy laws. Eventually acts as a data processor on behalf of organizers for event registration data.
If you are an event organizer using Eventually, you are a data controller for the personal data of your event attendees. You are responsible for:
Event pages may contain links to external websites (e.g., venue websites, sponsor pages). We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policy of any third-party site you visit.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and update the “Last updated” date at the top of this page. We encourage you to review this policy periodically. Continued use of the Service after changes constitutes acceptance of the revised policy.
For any privacy-related questions, requests, or concerns, please contact:
Eventually Privacy TeamWe aim to respond to all privacy inquiries within 5 business days and to all formal GDPR requests within 30 calendar days.