Privacy policy
Last updated: 15 April 2026
JustOneEvent is committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR — Regulation EU 2016/679) and the amended French Data Protection Act.
1 Data controller
2 Data collected
2.1 Event registrations (public attendees)
| Data | Required | Purpose |
|---|---|---|
| Full name | Yes | Attendee identification, QR code |
| Email address | Yes | Sending the confirmation QR code, communications related to the event |
| Phone number | No | Optional contact by the organiser |
2.2 Organiser accounts
| Data | Required | Purpose |
|---|---|---|
| Full name | Yes | Account identification, display in the dashboard |
| Email address | Yes | Authentication, system notifications |
| Password (hashed) | Yes | Account access security (Argon2 algorithm) |
| Organisation name | No | Display on event pages |
2.3 Technical data
Connection data (server logs including IP address, timestamp, user-agent) may be collected automatically for security and technical diagnostic purposes. This data is not shared and is retained for a maximum of 12 months. A 2-letter ISO country code derived from your IP by our edge provider (Cloudflare or equivalent) or from your Stripe billing address may be stored in the user profile (`country_code` field) for internal product analytics (geographic distribution view in the admin panel). No precise coordinates or address are derived from the IP.
2.4 Answers to custom fields (collected by the organiser)
An event organiser can add extra questions to the registration form (label + type: free text, integer, single choice, multiple choices, checkbox). Your answers are visible in their dashboard and CSV export. The nature of these data depends on the questions the organiser asks; the organiser is the sole controller (see our Terms). JustOneEvent applies the same minimisation and retention principles to these answers as to the standard fields. Free-text answers are automatically erased 36 months after the event (GDPR anonymisation); structured answers (numbers, checkboxes, chosen options) are kept as non-identifying aggregates. For group registrations (several people registered in a single submission), the organiser configures each field as either "for the group" (a single answer given by the leader, stored only on their registration) or "for each person" (each participant answers separately, with their answer stored on their own registration and anonymised independently after 36 months).
2.5 Free-text note in the confirmation email (written by the organiser)
The organiser can add a free-text note (500 characters max) to their event; it is included in the confirmation email sent to registrants, between the QR code and the cancellation link. This note is written and controlled by the organiser, who is solely responsible for it. To limit phishing risk, JustOneEvent automatically rejects any note containing links (URLs, email addresses, domain names) — useful links for the event (map, programme, payment) must be placed in the event's public description, which registrants can verify before signing up. This note follows the event's retention duration (see § 4).
3 Legal bases for processing
Contract performance (art. 6.1.b GDPR) — processing registrations and managing organiser accounts.
Consent (art. 6.1.a GDPR) — analytics cookies and optional marketing communications.
Legitimate interest (art. 6.1.f GDPR) — security logs, fraud prevention.
4 Retention periods
| Category | Duration |
|---|---|
| Event registration data | 3 years after the event date |
| Custom field answers | 36 months after the event (free text erased, structured data kept as aggregates) |
| Active organiser account | Duration of the contractual relationship |
| Inactive organiser account (no login) | 3 years after the last login (email warning 30 days before deletion) |
| Deleted account (archives) | 3 years (legal accounting obligations) |
| Technical logs | 12 months |
| Analytics cookies | 13 months maximum |
5 Recipients and subprocessors
Your data is processed by:
- JustOneEvent — internal team, restricted access limited to strictly necessary data.
- Microsoft Azure — application + database hosting (France Central region, data centres in Paris, France). GDPR data processor. Any transfer outside the EU is covered by the European Commission's Standard Contractual Clauses.
- SMTP provider — transactional sending of confirmation, reminder and QR-receipt emails. Headers (To, From) and email body transit via SMTP. No marketing email is delegated to it.
- Stripe Payments Europe Ltd. (Ireland) — payment processing for paid plans (Premium, Pro, Business). Fields sent on subscription: email, name, internal user id, chosen plan. Card numbers never transit through our servers (entered via Stripe Checkout). Stripe is data controller for banking operations (anti-fraud, PSP duties) and processor for the “subscription management” purpose. Stripe DPA: stripe.com/legal/dpa. Retention on Stripe side: 7 years (accounting).
- Microsoft Application Insights (Azure) — anonymous audience measurement, loaded only after consent via the cookie banner. Data collected: visited URL, duration, performance, JS errors. Anonymous per-session id, no third-party cookies. EU hosting, 90-day retention.
- db-ip.com (Belgium) — approximate IP geolocation (city, region, country) for the internal BZH Consulting administrator login alert. Sub-processor established in the European Union; HTTPS call. **No participant or Client IP address is ever sent** — only the IPs of administrators at login time.
No personal data is sold to third parties or shared for advertising purposes. Sub-processors operate within the EU; any residual transfer outside the EU performed by Microsoft is covered by the European Commission's Standard Contractual Clauses (Decision EU 2021/914).
6 Cookies
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
| token | Strictly necessary | Session | JWT authentication (httpOnly, secure) |
| cookie_consent | Functional | 12 months | Remembers your consent choice |
You can change your preferences at any time via the link at the bottom of the page.
7 Your rights
Under the GDPR, you have the following rights:
- Right of access: obtain a copy of your data
- Right of rectification: correct inaccurate data
- Right to erasure: request deletion of your data
- Right to object: object to certain processing
- Right to restriction: temporarily restrict processing
- Right to portability: export your data in JSON
Exercise your rights
Send your request to . We will respond within 30 days. If you consider that your rights are not being respected, you can contact the CNIL.
Organisers also have direct access via Settings → My personal data.
⚠ Protection of minors
JustOneEvent is not intended for people under 16. Organiser accounts are reserved for individuals with the legal capacity to enter into a contract.
For event registrations, organisers are responsible for collecting parental consent when the participant is under 16 (GDPR article 8). JustOneEvent does not collect age or birth date by default; if an organiser adds an optional “birth year” field, they alone bear responsibility for the lawfulness of that collection.
8 Data security
JustOneEvent implements the following technical and organisational measures:
- HTTPS (TLS) encryption of all communications
- Password hashing with Argon2 (algorithm resistant to brute-force attacks)
- JWT token authentication stored in httpOnly cookie (inaccessible from JavaScript)
- Hosted in France (Microsoft Azure, France Central region — Paris), restricted access to databases
9 Contact and DPO
For any question about the protection of your personal data or to exercise your rights, contact our Data Protection Officer (DPO):