Privacy Policy

1. Data Controller

The data controller responsible for your personal data is SpinUp, contactable at privacy@spinup.events. If you have any questions about this policy or how we handle your data, please contact us at that address.

2. Personal Data We Collect

We collect personal data in the following ways:

2.1 Account Registration

When you create an account we collect your name, email address, and (if you choose to provide one) a profile picture. Authentication is handled by our third-party identity provider, Clerk. We do not store passwords directly.

2.2 Organiser Profiles

If you create an organiser profile we additionally collect your organisation name, biography, logo, website URL, contact email address, and social media links. This information is displayed publicly on your organiser profile page and on event pages you create.

2.3 Event Registration & Ticketing

When you register for or purchase tickets to an event we collect your name, email address, and transaction details. Payment processing is handled by Stripe. We receive confirmation of payment but do not store full card numbers, CVVs, or other sensitive payment credentials on our servers.

2.4 Sponsorship & Support Purchases

If you purchase a support tier for an event we collect the same transaction data as ticketing, plus your chosen display preference (personal name, business name, or anonymous).

2.5 Slot Applications

If you apply for an open slot (e.g. speaker, performer, volunteer) we collect your name, email address, a short biography, and your application pitch. This information is shared with the event organiser for review purposes.

2.6 Uploaded Content

Images you upload (event headers, organiser logos, profile pictures) are stored in our cloud storage infrastructure. Files are associated with your account and the relevant event or profile.

2.7 Automatically Collected Data

When you use the Service we automatically collect technical data including your IP address, browser type, operating system, referring URL, pages visited, and timestamps. We use this data for security, analytics, and to improve the Service. We may use cookies or similar technologies — see Section 9 below.

3. Lawful Basis for Processing

We process your personal data under the following lawful bases:

• Contract: Processing necessary to perform our contract with you — for example, creating your account, processing ticket purchases, and delivering the Service.
• Legitimate interests: Processing necessary for our legitimate interests, including improving the Service, preventing fraud, ensuring security, and conducting analytics. We balance these interests against your rights and freedoms.
• Legal obligation: Processing necessary to comply with UK law, including tax and financial reporting requirements.
• Consent: Where we rely on your consent (for example, optional marketing communications), you may withdraw consent at any time by contacting us or using the unsubscribe mechanism provided.

4. How We Use Your Data

• To create and manage your account
• To process event registrations, ticket purchases, and sponsorship payments
• To display your organiser profile and event pages publicly
• To show your name or avatar in attendee lists (where the organiser has enabled this)
• To process and review slot applications on behalf of organisers
• To send transactional emails (booking confirmations, receipts, event updates)
• To detect, prevent, and address fraud, abuse, and technical issues
• To improve, personalise, and develop the Service
• To comply with legal obligations

5. Data Sharing & Third Parties

We share personal data with the following categories of recipients:

5.1 Event Organisers

When you register for an event, purchase a ticket, or apply for a slot, your name and email address are shared with the event organiser so they can manage their event. Your display preference for sponsorship purchases is respected — if you choose "anonymous", your identity is not disclosed to other attendees.

5.2 Service Providers

We use the following third-party processors to deliver the Service:

• Clerk — authentication and identity management
• Stripe — payment processing (Stripe is PCI DSS Level 1 compliant)
• Cloudflare — CDN, DDoS protection, and image storage (R2)
• Railway — application hosting and database infrastructure
• Sentry — error monitoring (may receive anonymised technical data)

Each processor is bound by a data processing agreement and processes data only on our instructions.

5.3 Legal Requirements

We may disclose your data if required to do so by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.

6. International Transfers

Some of our service providers are based outside the United Kingdom. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including UK International Data Transfer Agreements (IDTAs), EU Standard Contractual Clauses, or reliance on adequacy decisions by the UK Secretary of State. You may contact us for details of the specific safeguards applied to any particular transfer.

7. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes described in this policy:

• Account data: Retained for the lifetime of your account. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.
• Transaction records: Retained for a minimum of 6 years after the transaction date to comply with UK tax and accounting obligations (HMRC requirements).
• Event data: Event pages and associated registration data are retained for the lifetime of the organiser's account. Past events remain accessible as an archive.
• Technical logs: Automatically collected data is retained for up to 12 months and then deleted or aggregated.

8. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request correction of inaccurate or incomplete data. You can update most information directly in your account settings.
• Right to erasure: You may request deletion of your personal data, subject to our legal retention obligations.
• Right to restriction: You may request that we restrict processing of your data in certain circumstances.
• Right to data portability: You may request a machine-readable copy of the personal data you provided to us.
• Right to object: You may object to processing based on legitimate interests, including profiling. You may also object to direct marketing at any time.
• Rights related to automated decision-making: We do not currently make decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, contact us at privacy@spinup.events. We will respond within one month. If your request is complex, we may extend this by a further two months and will inform you accordingly.

9. Cookies & Similar Technologies

We use the following categories of cookies:

• Strictly necessary cookies: Required for the Service to function, including authentication session cookies and CSRF protection tokens. These cannot be disabled.
• Functional cookies: Used to remember your preferences (e.g. view settings). These improve your experience but are not essential.
• Analytics cookies: Used to understand how visitors use the Service so we can improve it. We use privacy-respecting analytics and do not sell data to advertisers.

You can control cookies through your browser settings. Blocking strictly necessary cookies may affect the functionality of the Service. We do not use third-party advertising cookies or trackers.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of sensitive data at rest
• Access controls limiting data access to authorised personnel only
• Regular security reviews and dependency updates
• Secure authentication via our identity provider (Clerk)
• PCI DSS-compliant payment processing via Stripe

No method of transmission or storage is 100% secure. If you become aware of any security incident affecting your account, please contact us immediately.

11. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13 without appropriate parental consent, we will delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@spinup.events.

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Where changes are significant, we may also notify you by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

We encourage you to contact us first so we can try to resolve your concern directly.

14. Contact Us

For any questions, requests, or concerns regarding this privacy policy or our data practices, please contact us: