Privacy Policy
Last updated: April 2026
1. Introduction
Gatheris ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information when you use our event management platform and related services (the "Service"). It applies to organisers, attendees, and visitors.
This policy is written in accordance with the General Data Protection Regulation (GDPR) and applicable Greek and European Union data protection law.
2. Data Controller
Gatheris acts as the data controller for information collected through the platform. If you have questions about how your data is handled, you can contact us at hello@gatheris.io.
Where you use Gatheris to manage your own events, you act as a data controller in respect of your attendees' personal data, and Gatheris acts as your data processor.
3. Information We Collect
We collect the following categories of personal data:
- Account data — name, email address, and password when you register
- Organisation data — organisation name, billing address, and details of any one-off paid services purchased (Managed Setup, add-ons)
- Event data — event titles, descriptions, dates, locations, and settings you create
- Attendee data — names and email addresses of guests you invite or who register
- Usage data — pages visited, actions taken within the Service, and device/browser information collected automatically
- Communication data — records of emails sent through the Service (invitations, confirmations, reminders)
4. Legal Basis for Processing
We process your personal data on the following legal grounds:
- Contract performance — to provide the Service you have signed up for, including any paid Managed Setup work you have purchased
- Legitimate interests — to improve and secure the Service, prevent fraud, and communicate service updates
- Legal obligation — to comply with applicable law, including tax and financial regulations
- Consent — where we ask for your explicit agreement (e.g. marketing communications)
5. How We Use Your Data
We use the data we collect to:
- Create and manage your account and organisation
- Deliver the core features of the Service (event creation, invitations, RSVPs, check-in)
- Send transactional emails such as event invitations, confirmations, and reminders
- Process one-off payments for Managed Setup and add-ons
- Respond to support requests
- Monitor and improve the reliability and security of the Service
- Comply with legal obligations
We do not sell your personal data to third parties.
6. Cookies and Tracking
We use only technically necessary cookies to operate the Service — specifically, a session cookie to keep you logged in. We do not use advertising cookies, third-party tracking pixels, or analytics tools that send data to external services.
7. Data Sharing
We share personal data only with the following categories of recipients:
- Infrastructure providers — cloud hosting and database services (Vercel, Supabase) under data processing agreements
- Email delivery — transactional email providers (Resend) to deliver event communications
- Payment processors — where applicable, to handle subscription billing
- Legal authorities — when required by law or to protect our rights
All third-party processors are contractually bound to process data only on our instructions and in accordance with GDPR.
8. International Transfers
Our infrastructure providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
9. Data Retention
We retain different categories of personal data for different periods, following the principle of storage limitation:
- Guest data (names, emails, phone numbers, RSVP responses for an event) is deleted 12 months after the event end date.
- Sent-email records (operational copies of invitations, reminders, etc.) are deleted 12 months after sending.
- Notifications are deleted 90 days after they are read, or 180 days after creation if never read.
- Unsubscribe links (single-use tokens) expire 365 days after issuance; the underlying opt-out record is kept indefinitely so we never re-email a recipient who has unsubscribed.
- Soft-deleted Managed Setup jobs are permanently removed 12 months after deletion.
- Audit logs and admin action logs (records of who did what, for accountability and dispute resolution) are retained for 7 years, in line with Greek tax-record obligations.
- Account and organisation data is retained for as long as your account is active and deleted within 30 days of account closure, unless you request earlier deletion or a legal obligation requires us to keep it longer.
- Billing records may be retained for up to 7 years to comply with tax law.
Retention is enforced automatically by a daily process. You can ask for earlier deletion of your personal data at any time — see Section 10 (Your Rights).
10. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — ask us to limit how we use your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at hello@gatheris.io. We will respond within 30 days. You also have the right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr).
11. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS), encrypted storage, access controls, and regular security reviews. No system is completely secure, and we cannot guarantee absolute security.
12. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice within the Service. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. Contact
For any questions or requests relating to this Privacy Policy or your personal data, please contact us at hello@gatheris.io.