Privacy Policy & GDPR Compliance

Last updated: March 2026

Quick Navigation

About This Policy
Data We Collect
How We Use Your Data
Legal Basis for Processing
Cookies & Tracking
Third Party Services
Data Retention
Your GDPR Rights
Security & Protection
Contact Us

1. About This Policy

This Privacy Policy describes how we collect, use, process, and protect your personal data through our event management platform. We are committed to transparency and compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

Controller Roles: Hrknz Ltd is the data controller for platform-level processing (for example: account creation, authentication, platform security, billing records, and support operations). Individual event organisers using this platform are independent data controllers for event-specific processing (for example: event forms, selection/shortlisting decisions, participant communications, and event operations).

Important: Where an organiser determines the purpose and means of processing your event data, that organiser is responsible for GDPR compliance for that processing, including their legal basis, retention, and responses to data-subject requests.

2. Data We Collect

2.1 Account Registration Data

When you create an account, we collect:

Full name (first name, last name)
Email address
Password (hashed and encrypted)

2.2 Profile Information

Depending on your role(s), we may collect:

Competitor Profiles: Date of birth, emergency contact name and phone number
Volunteer Profiles: Date of birth, emergency contact name and phone number
Vendor Profiles: Business name, business type, business phone, website, and business description
Organiser Profiles: Organisation name, organisation description, and banking details (for payment processing)

2.3 Event Entry Data

When registering for events, we collect:

Event signup form responses (dynamic fields defined and controlled by the relevant event organiser)
Entry status (pending, confirmed, reserved, withdrawn)
Dietary requirements and accessibility needs
Payment information (processed securely via Stripe)

2.4 Payment Data

Payment processing is handled by Stripe. We collect:

Transaction amounts and status
Payment method type (card last 4 digits only)
Refund history

We do not store full credit card details. See Third Party Services for Stripe's privacy practices.

2.5 Communications & Notifications

We collect:

Email preferences and subscription status
Communication history with event organisers and support team
Support inquiries and responses

2.6 Technical Data

We automatically collect:

IP address and browser type
Session identifiers and activity logs
Pages visited and features used
Error reports and debugging information

3. How We Use Your Data

Account Management: Creating and maintaining your account, identity verification
Event Operations: Processing registrations, managing capacity and waitlists, coordinating with organisers
Payments: Processing fees, refunds, and financial reporting
Communications: Sending confirmations, updates, reminders, and important notices
Customer Support: Responding to inquiries and resolving issues
Legal Compliance: Fulfilling legal and regulatory obligations
Service Improvement: Analysing usage patterns to improve our platform (anonymised)
Fraud Prevention: Detecting and preventing unauthorised access

4. Legal Basis for Processing (GDPR)

We process your data based on the following GDPR legal bases:

Contract Fulfilment: Processing necessary to perform event registration services
Legitimate Interests: Platform security, fraud prevention, service improvement
Legal Obligation: Tax reporting, payment records, harmful content detection
Explicit Consent: Marketing communications, non-essential notifications (you can opt-out anytime)
Vital Interests: Health/safety information when necessary for event coordination

5. Cookies & Tracking Technologies

5.1 Essential Cookies

These cookies are necessary for the platform to function:

Cookie Name	Purpose	Duration
Session ID	User authentication and session management	2 hours of inactivity
CSRF Token	Security (cross-site request forgery prevention)	Session duration
Theme Preference	Remembering your light/dark mode preference	12 months

5.2 Optional Analytics Cookies

Currently not used. Any future analytics implementation will require separate consent.

5.3 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent login and core functionality.

6. Third Party Services & Data Sharing

6.1 Stripe Payments

Data Shared: Payment details, transaction amounts, account information

Purpose: Processing event registration fees and refunds

Privacy Policy: stripe.com/privacy

Stripe is certified under Privacy Shield and complies with GDPR.

6.2 Email Service Providers

Data Shared: Email addresses, event information, notification preferences

Purpose: Sending transactional emails (confirmations, updates, password resets)

Our email providers are GDPR-compliant and only process data on our behalf.

6.3 Event Organisers

Data Shared: Your entry information, form responses, profile details (as required for the event)

Purpose: Managing your participation, communicating event details, coordinating logistics

Controller Status: Event organisers act as independent data controllers for event-specific personal data they collect and use through the platform.

Responsibility Boundary: Organisers are responsible for their own privacy notices, lawful basis, retention schedules, and handling data-subject requests for organiser-controlled processing. We are not responsible for an organiser's independent processing decisions outside our direct platform operations.

Your Action: Please review the relevant organiser's privacy notice and contact that organiser directly for event-specific privacy queries.

6.4 No Unauthorised Sharing

We do not sell, trade, or otherwise transfer your personal data to third parties without your explicit consent, except as required by law or as described above.

7. Data Retention Periods

Data Type	Retention Period	Reason
Active Account Data	For duration of account + 12 months after deletion	Account recovery, legal/tax compliance
Event Entry Records	For 7 years	Tax and financial reporting requirements
Payment Records	For 7 years	Accounting, tax compliance, refund handling
Deleted Accounts	30 days (soft delete), then permanently	Recovery option, then complete removal
Support Communications	3 years	Dispute resolution, service improvement
Activity Logs	90 days	Security monitoring, fraud detection

8. Your GDPR Rights

Under GDPR, you have the following rights:

8.1 Right to Access

You can request a copy of all personal data we hold about you. We will provide this within 30 days in a portable format.

8.2 Right to Rectification

You can correct inaccurate or incomplete personal data. Update your profile directly in account settings or contact us.

8.3 Right to Erasure (Right to be Forgotten)

You can request deletion of your data, except where legal obligations require retention (e.g., tax records). Financial data will be anonymised rather than deleted.

8.4 Right to Restrict Processing

You can request that we limit how we use your data, except for essential processing.

8.5 Right to Data Portability

You can request your data in a structured, machine-readable format to transfer to another service.

8.6 Right to Object

You can object to processing for marketing, profiling, or other specific purposes (except where needed for contract fulfilment).

8.7 Right to Withdraw Consent

Where we rely on consent, you can withdraw it at any time. This does not affect lawfulness of prior processing.

8.8 Exercising Your Rights

To exercise rights relating to platform-controlled processing, submit a written request to the contact address below with proof of identity. We will respond within applicable legal timeframes (typically within 30 days under GDPR).

For rights relating to organiser-controlled event processing, contact the relevant organiser directly as the independent controller for that processing.

9. Security & Data Protection Measures

We implement industry-standard security measures:

Encryption: Data in transit uses HTTPS/TLS encryption
Password Security: Passwords are hashed using strong algorithms
Session Management: Sessions timeout after 2 hours of inactivity
Access Controls: Only authorised personnel can access personal data
Vulnerability Testing: Regular security assessments and updates
Breach notification: We will notify affected individuals and authorities within 72 hours of detecting a data breach, as required by GDPR

Note: While we implement robust security measures, no system is 100% secure. Users are responsible for maintaining confidentiality of passwords and reporting suspicious activity immediately.

10. Contact Us

For privacy inquiries about platform-controlled processing, data subject requests, or GDPR rights related to our platform operations:

Data Protection Contact:

Hrknz Ltd
Email: loading...
Response time: Within 30 days

Event-specific requests: If your request concerns an organiser's event form, participant decisions, or organiser communications, contact the organiser directly as they are the independent controller for that processing.

Data Protection Authority

If you are unsatisfied with our handling of your data or have privacy concerns, you have the right to lodge a complaint with your national Data Protection Authority.

11. Policy Changes

We may update this policy to reflect changes in our practices, technology, or applicable laws. Material changes will be announced via email or notification on the platform. Your continued use of the service constitutes acceptance of updates.

This Privacy Policy was last updated in March 2026. If you have any questions, please contact us using the information provided above.