Eventually Docs

Privacy & GDPR

How Eventually handles data protection and GDPR compliance

GDPR Compliance

Eventually is designed with GDPR compliance built in:

  • Every registration form includes a mandatory GDPR consent checkbox
  • Consent timestamp is stored in the database
  • Guests cannot register without explicit consent

Data Minimization

  • Only necessary data is collected (name, email, optional phone)
  • Custom form fields are configured per event — no unnecessary data collection

Data Export

  • Export all guest data via CSV from the Guests tab
  • All exports are logged in the audit trail
  • Guests can request their data by contacting you

Data Deletion

  • Cancel a guest's registration to remove their event data
  • Guest records can be deleted from the guest profile page
  • Deletion cascades to registration answers and related records

Email Tracking

  • Open tracking uses a 1x1 pixel (disclosed in privacy policy)
  • No third-party tracking without explicit pixel configuration
  • Phone numbers are redacted in server logs

Security Measures

  • All data encrypted in transit (HTTPS/TLS)
  • Database access controlled via Row Level Security (RLS)
  • All tables scoped by organization — cross-org data access is impossible
  • API keys use HMAC-SHA256 signing for webhooks
  • Stripe webhook signatures validated on every request
  • HTML content sanitized before storage and rendering (XSS prevention)

Audit Logs

Sensitive actions are logged:

  • Guest data exports
  • Registration status changes
  • Payment transactions
  • Team member changes
