Event Match Privacy Notice
Last updated: 12 July 2026
As YANHAK LTD, a private limited company incorporated in England and Wales (company no. 17176952), registered office 41 Luke Street, London, England, EC2A 4DP ("Data Controller" or "Company"), we attach importance to the protection of the personal data of our users who use the Event Match platform ("Platform"), under the UK GDPR and the EU GDPR. For data subjects resident in Turkey, additional provisions under Law No. 6698 on the Protection of Personal Data ("KVKK") are set out in Appendix A.
This Privacy Notice has been prepared to inform our users who register for the Platform, log in with their account, attend events, obtain an Event Match+ premium membership or a panel add-on (Organizer / Speaker / Venue), or subscribe to the weekly newsletter, about the processing of their personal data.
1. Data Controller
| Company Title | YANHAK LTD |
| Company Number | 17176952 (registered in England and Wales) |
| Registered Office | 41 Luke Street, London, England, EC2A 4DP, United Kingdom |
| Contact | contact page or hello@eventmatch.co |
| Website | www.eventmatch.co |
2. Categories of Personal Data Processed
2.1. All Users (Attendee, Premium Member, Panel Owner)
| Data Category | Description |
|---|---|
| Identity | Full name, profile photo (optional) |
| Contact | Email address, phone (optional) |
| Profile | City preference, sector, areas of interest (tags), biography, social media links |
| Account | Password (bcrypt hash), session information, Google OAuth connection (if you use it) |
| Membership Status | Whether Event Match+ is active, which panel add-ons you hold, subscription start/end dates |
| Event Data | Events you registered for, additional fields on the registration form (LinkedIn, company, etc.), participation history |
| Professional Goal Data (intent/offer) | The "what I am looking for" (e.g. investment, co-founder, mentor) and "what I can offer" selections you declare during registration or from the profile screen, along with optional free-text notes. This data is processed only to produce person and event suggestions suited to you; it is not shared with third parties on a per-profile basis without your explicit consent. Goal data not updated for 12 months is anonymized. |
| Payment Metadata | Stripe order number, amount paid, subscription status (card number is not stored) |
2.2. Newsletter Subscribers
- Email address
- Cities / countries you selected (subscription preferences)
- Subscription and unsubscription dates
- For users at the anonymous "lead" stage: email + city selection + IP address + 1-hour temporary retention period (for the reminder email; if registration is not completed, deleted after 7 days)
2.3. Speaker Panel Owners
- Professional biography (AI-generated or manually written)
- Areas of expertise (tags)
- Past talk records and file links
- LinkedIn verification information
2.4. Venue Panel Owners
- Venue name, address, coordinates (lat/lng)
- Capacity, venue type, equipment information
- Photos (4-10)
- Price and reservation conditions
2.5. Organizer Panel Owners
- Company name, tax number (if any, for invoicing)
- Event records they created
- The list of attendees who registered for their events (in intermediary position)
2.6. Technical / Automatically Collected
- IP address (for rate limiting and security)
- Browser information, device type (user agent)
- Cookies (for session and preference management)
- Event click history (anonymous analytics)
3. Purposes of Processing Personal Data
- Creating and managing your Platform account
- Event discovery, registration and participation management
- Providing Event Match+ premium membership and panel add-ons
- Payment collection through Stripe infrastructure, invoice management
- Sending the weekly newsletter and the Insider Brief exclusive to premium members
- Event organizer-attendee, speaker-organizer, venue-organizer matches
- Providing user support services
- Improving Platform performance and protecting its security (rate limiting, DDoS protection)
- Fulfilling legal obligations (tax and accounting, data protection law)
4. Legal Basis
We process your personal data on the following legal bases under Article 6(1) of the UK GDPR and the EU GDPR:
- Performance of a contract (Article 6(1)(b)): For account, membership, payment and event registrations
- Consent (Article 6(1)(a)): For newsletter subscription, marketing emails and the profile being publicly visible; you may withdraw consent at any time
- Legitimate interests (Article 6(1)(f)): For security (rate limiting), fraud prevention and anonymous analytics
- Legal obligation (Article 6(1)(c)): For tax and invoice records and statutory retention periods
5. Third-Party Service Providers
Event Match carries out technical integration with the following service providers:
| Provider | Purpose | Data Location |
|---|---|---|
| Supabase | Database, authentication, file storage | AWS Frankfurt (EU) |
| Stripe | Payment processing, subscription management, invoicing | EU + USA (PCI-DSS Level 1) |
| Resend | Transactional and marketing emails | EU / USA |
| Vercel | Web hosting, CDN | Frankfurt (EU) |
| Google OAuth | Social login (if you use it) | Global |
| Anthropic Claude | AI biography generation (for the Speaker Panel) | USA |
All of our providers operate under data processing agreements (DPAs). Where personal data is transferred outside the UK or the EEA, we rely on an appropriate transfer mechanism: an adequacy decision / adequacy regulations where available, or otherwise Standard Contractual Clauses (SCCs) supplemented, for transfers from the UK, by the UK International Data Transfer Agreement (IDTA) or the UK Addendum.
6. Card and Payment Information
All credit/debit card information is processed by Stripe and never reaches the Platform servers. Stripe is PCI-DSS Level 1 certified. We store only the following payment metadata: order number, subscription identifier, amount paid, payment status (succeeded/failed), payment time. Card number, CVC and expiry date are not kept in the system.
7. Cookies
The Platform uses the following cookies:
- Mandatory cookies: Session management (Supabase auth token), CSRF protection, language preference (NEXT_LOCALE)
- Functional cookies: Filter and view preferences
- Analytics cookies: Anonymous page views and performance measurement (aggregated/anonymous only)
No third-party advertising or tracking cookies are used.
8. Retention Periods
| Data Type | Period | Reason |
|---|---|---|
| Account and profile | As long as the account is active + 30 days after the account is deleted | Refund and complaint periods |
| Event and subscription payments | 10 years | UK Companies Act + tax obligation |
| Newsletter subscription | As long as you are subscribed | Performance of the service |
| Newsletter leads (anonymous) | Maximum 7 days (if registration is not completed) | One-time reminder email |
| Session cookies | Until the end of the session (cleared automatically) | Technical necessity |
| Professional goal data (intent/offer) | 12 months from the last update; anonymized thereafter | Keeping matching suggestions current; separating stale goal data from the profile |
| Anonymous analytics | 12 months | Performance trend analysis |
9. Data Subject Rights
Under the UK GDPR and the EU GDPR (Articles 15-22), you have the following rights:
- Right of access: to obtain confirmation of, and access to, your personal data (Account Settings → Download my data)
- Right to rectification: to have incomplete or inaccurate data corrected (Account Settings)
- Right to erasure ("right to be forgotten"): to have your data deleted (Account Settings → Delete Account)
- Right to restriction of processing
- Right to data portability: to receive your data or have it transferred to another controller
- Right to object to processing (including processing based on legitimate interests and direct marketing)
- Right to withdraw consent at any time, where processing is based on consent
- Rights in relation to automated decision-making and profiling
- Right to lodge a complaint with a supervisory authority (see section 14)
10. Marketing Communication
You can turn off the following types of communication at any time from Account Settings → Notification Preferences:
- Weekly city newsletter
- Monthly Insider Brief (for Event Match+ members)
- New event notifications (favorite city / sector)
- Event reminders
Transactional emails such as account confirmation, payment receipt, password reset and event cancellation are mandatory and cannot be turned off.
11. Data Security
Event Match applies the following security measures:
- SSL/TLS encryption (all traffic over HTTPS)
- Storing password hashes with bcrypt (never plain text)
- Row Level Security (RLS) at the database level
- Rate limiting and DDoS protection
- Stripe PCI-DSS Level 1 (for card data)
- Service access logging
- 3D Secure requirement (for card payments)
12. Children's Data
The Platform is intended for users aged 18 and over. It does not knowingly serve those under 18, nor does it collect their personal data. If we realize that we have collected the data of a user under 18, it is deleted immediately.
13. Data Breach Notification
In the event of a personal data breach that meets the notification threshold, we notify the UK Information Commissioner's Office (ICO), and any other competent supervisory authority, without undue delay and, where feasible, within 72 hours of becoming aware of it. Affected users are informed by email as soon as possible where the breach is likely to result in a high risk to their rights and freedoms.
14. Contact and Complaints
For your questions about this Privacy Notice or your personal data:
- Web: contact page
- Email: hello@eventmatch.co
- Postal: YANHAK LTD, 41 Luke Street, London, England, EC2A 4DP, United Kingdom
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO), ico.org.uk. If you are in the EU, you may complain to the supervisory authority in your country of residence. We would, however, appreciate the chance to address your concerns first.
15. Changes
The Company reserves the right to update this Privacy Notice as it deems necessary. Registered users are notified by email of significant changes.
Appendix A — Additional term for users and companies resident in Turkey (KVKK)
This Appendix applies in addition to, and does not override or replace, the UK GDPR / EU GDPR main body of this Privacy Notice. For data subjects resident in Turkey, the members-only people directory also constitutes personal data protected under Law No. 6698 on the Protection of Personal Data ("KVKK"). Any unauthorized copying, scraping or extraction of the directory is also a violation of KVKK and may be reported to the Turkish Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu, kvkk.gov.tr). Requests to be removed from the directory may be made via the data removal form.