Event Match Privacy Notice

Last updated: 12 July 2026

As YANHAK LTD, a private limited company incorporated in England and Wales (company no. 17176952), registered office 41 Luke Street, London, England, EC2A 4DP ("Data Controller" or "Company"), we attach importance to the protection of the personal data of our users who use the Event Match platform ("Platform"), under the UK GDPR and the EU GDPR. For data subjects resident in Turkey, additional provisions under Law No. 6698 on the Protection of Personal Data ("KVKK") are set out in Appendix A.

This Privacy Notice has been prepared to inform our users who register for the Platform, log in with their account, attend events, obtain an Event Match+ premium membership or a panel add-on (Organizer / Speaker / Venue), or subscribe to the weekly newsletter, about the processing of their personal data.

1. Data Controller

Company TitleYANHAK LTD
Company Number17176952 (registered in England and Wales)
Registered Office41 Luke Street, London, England, EC2A 4DP, United Kingdom
Contactcontact page or hello@eventmatch.co
Websitewww.eventmatch.co

2. Categories of Personal Data Processed

2.1. All Users (Attendee, Premium Member, Panel Owner)

Data CategoryDescription
IdentityFull name, profile photo (optional)
ContactEmail address, phone (optional)
ProfileCity preference, sector, areas of interest (tags), biography, social media links
AccountPassword (bcrypt hash), session information, Google OAuth connection (if you use it)
Membership StatusWhether Event Match+ is active, which panel add-ons you hold, subscription start/end dates
Event DataEvents you registered for, additional fields on the registration form (LinkedIn, company, etc.), participation history
Professional Goal Data (intent/offer)The "what I am looking for" (e.g. investment, co-founder, mentor) and "what I can offer" selections you declare during registration or from the profile screen, along with optional free-text notes. This data is processed only to produce person and event suggestions suited to you; it is not shared with third parties on a per-profile basis without your explicit consent. Goal data not updated for 12 months is anonymized.
Payment MetadataStripe order number, amount paid, subscription status (card number is not stored)

2.2. Newsletter Subscribers

  • Email address
  • Cities / countries you selected (subscription preferences)
  • Subscription and unsubscription dates
  • For users at the anonymous "lead" stage: email + city selection + IP address + 1-hour temporary retention period (for the reminder email; if registration is not completed, deleted after 7 days)

2.3. Speaker Panel Owners

  • Professional biography (AI-generated or manually written)
  • Areas of expertise (tags)
  • Past talk records and file links
  • LinkedIn verification information

2.4. Venue Panel Owners

  • Venue name, address, coordinates (lat/lng)
  • Capacity, venue type, equipment information
  • Photos (4-10)
  • Price and reservation conditions

2.5. Organizer Panel Owners

  • Company name, tax number (if any, for invoicing)
  • Event records they created
  • The list of attendees who registered for their events (in intermediary position)

2.6. Technical / Automatically Collected

  • IP address (for rate limiting and security)
  • Browser information, device type (user agent)
  • Cookies (for session and preference management)
  • Event click history (anonymous analytics)

3. Purposes of Processing Personal Data

  • Creating and managing your Platform account
  • Event discovery, registration and participation management
  • Providing Event Match+ premium membership and panel add-ons
  • Payment collection through Stripe infrastructure, invoice management
  • Sending the weekly newsletter and the Insider Brief exclusive to premium members
  • Event organizer-attendee, speaker-organizer, venue-organizer matches
  • Providing user support services
  • Improving Platform performance and protecting its security (rate limiting, DDoS protection)
  • Fulfilling legal obligations (tax and accounting, data protection law)

4. Legal Basis

We process your personal data on the following legal bases under Article 6(1) of the UK GDPR and the EU GDPR:

  • Performance of a contract (Article 6(1)(b)): For account, membership, payment and event registrations
  • Consent (Article 6(1)(a)): For newsletter subscription, marketing emails and the profile being publicly visible; you may withdraw consent at any time
  • Legitimate interests (Article 6(1)(f)): For security (rate limiting), fraud prevention and anonymous analytics
  • Legal obligation (Article 6(1)(c)): For tax and invoice records and statutory retention periods

5. Third-Party Service Providers

Event Match carries out technical integration with the following service providers:

ProviderPurposeData Location
SupabaseDatabase, authentication, file storageAWS Frankfurt (EU)
StripePayment processing, subscription management, invoicingEU + USA (PCI-DSS Level 1)
ResendTransactional and marketing emailsEU / USA
VercelWeb hosting, CDNFrankfurt (EU)
Google OAuthSocial login (if you use it)Global
Anthropic ClaudeAI biography generation (for the Speaker Panel)USA

All of our providers operate under data processing agreements (DPAs). Where personal data is transferred outside the UK or the EEA, we rely on an appropriate transfer mechanism: an adequacy decision / adequacy regulations where available, or otherwise Standard Contractual Clauses (SCCs) supplemented, for transfers from the UK, by the UK International Data Transfer Agreement (IDTA) or the UK Addendum.

6. Card and Payment Information

All credit/debit card information is processed by Stripe and never reaches the Platform servers. Stripe is PCI-DSS Level 1 certified. We store only the following payment metadata: order number, subscription identifier, amount paid, payment status (succeeded/failed), payment time. Card number, CVC and expiry date are not kept in the system.

7. Cookies

The Platform uses the following cookies:

  • Mandatory cookies: Session management (Supabase auth token), CSRF protection, language preference (NEXT_LOCALE)
  • Functional cookies: Filter and view preferences
  • Analytics cookies: Anonymous page views and performance measurement (aggregated/anonymous only)

No third-party advertising or tracking cookies are used.

8. Retention Periods

Data TypePeriodReason
Account and profileAs long as the account is active + 30 days after the account is deletedRefund and complaint periods
Event and subscription payments10 yearsUK Companies Act + tax obligation
Newsletter subscriptionAs long as you are subscribedPerformance of the service
Newsletter leads (anonymous)Maximum 7 days (if registration is not completed)One-time reminder email
Session cookiesUntil the end of the session (cleared automatically)Technical necessity
Professional goal data (intent/offer)12 months from the last update; anonymized thereafterKeeping matching suggestions current; separating stale goal data from the profile
Anonymous analytics12 monthsPerformance trend analysis

9. Data Subject Rights

Under the UK GDPR and the EU GDPR (Articles 15-22), you have the following rights:

  • Right of access: to obtain confirmation of, and access to, your personal data (Account Settings → Download my data)
  • Right to rectification: to have incomplete or inaccurate data corrected (Account Settings)
  • Right to erasure ("right to be forgotten"): to have your data deleted (Account Settings → Delete Account)
  • Right to restriction of processing
  • Right to data portability: to receive your data or have it transferred to another controller
  • Right to object to processing (including processing based on legitimate interests and direct marketing)
  • Right to withdraw consent at any time, where processing is based on consent
  • Rights in relation to automated decision-making and profiling
  • Right to lodge a complaint with a supervisory authority (see section 14)

10. Marketing Communication

You can turn off the following types of communication at any time from Account Settings → Notification Preferences:

  • Weekly city newsletter
  • Monthly Insider Brief (for Event Match+ members)
  • New event notifications (favorite city / sector)
  • Event reminders

Transactional emails such as account confirmation, payment receipt, password reset and event cancellation are mandatory and cannot be turned off.

11. Data Security

Event Match applies the following security measures:

  • SSL/TLS encryption (all traffic over HTTPS)
  • Storing password hashes with bcrypt (never plain text)
  • Row Level Security (RLS) at the database level
  • Rate limiting and DDoS protection
  • Stripe PCI-DSS Level 1 (for card data)
  • Service access logging
  • 3D Secure requirement (for card payments)

12. Children's Data

The Platform is intended for users aged 18 and over. It does not knowingly serve those under 18, nor does it collect their personal data. If we realize that we have collected the data of a user under 18, it is deleted immediately.

13. Data Breach Notification

In the event of a personal data breach that meets the notification threshold, we notify the UK Information Commissioner's Office (ICO), and any other competent supervisory authority, without undue delay and, where feasible, within 72 hours of becoming aware of it. Affected users are informed by email as soon as possible where the breach is likely to result in a high risk to their rights and freedoms.

14. Contact and Complaints

For your questions about this Privacy Notice or your personal data:

  • Web: contact page
  • Email: hello@eventmatch.co
  • Postal: YANHAK LTD, 41 Luke Street, London, England, EC2A 4DP, United Kingdom

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO), ico.org.uk. If you are in the EU, you may complain to the supervisory authority in your country of residence. We would, however, appreciate the chance to address your concerns first.

15. Changes

The Company reserves the right to update this Privacy Notice as it deems necessary. Registered users are notified by email of significant changes.

Appendix A — Additional term for users and companies resident in Turkey (KVKK)

This Appendix applies in addition to, and does not override or replace, the UK GDPR / EU GDPR main body of this Privacy Notice. For data subjects resident in Turkey, the members-only people directory also constitutes personal data protected under Law No. 6698 on the Protection of Personal Data ("KVKK"). Any unauthorized copying, scraping or extraction of the directory is also a violation of KVKK and may be reported to the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu, kvkk.gov.tr). Requests to be removed from the directory may be made via the data removal form.