Privacy Policy and Personal Data Protection
Last updated: October 22, 2025
Scope: European Union and African continent
Introduction
Keevent SARLU ("the Company") respects the fundamental rights of its users regarding personal data protection. This privacy policy outlines the principles and methods by which the Company collects, processes, stores, and protects personal data of its users.
This policy complies with the General Data Protection Regulation (EU) 2016/679 (GDPR), Directive 2002/58/EC concerning the processing of electronic communications data, as well as the Protection of Personal Information Act (POPIA) in South Africa and similar regulations applicable in African countries.
1. Data Controller
Note: For any questions regarding the processing of your personal data or to exercise your rights, please contact the Data Protection Officer.
2. Personal Data Collected
The Company collects the following categories of personal data from its users:
Identity Data
- First and last name
- Email address
- Phone number
- Date of birth
- Profile photo
- Residential address (if provided)
Financial and Payment Data
- Banking information (processed by certified third-party providers)
- Transaction and payment history
- Billing and delivery addresses
- Important: Credit card numbers are never stored by the Company
Technical and Usage Data
- Internet Protocol (IP) address
- Web browser type and version
- Operating system
- Pages viewed and visit duration
- Geographic location data (with explicit consent)
- Cookies and session identifiers
Event-Related Data
- Events created, viewed, or favorited
- Reservations made
- Tickets purchased or viewed
- Reviews and comments provided
- Referral codes used or generated
Sensitive Data (Limited Processing)
In exceptional circumstances and only if you voluntarily provide it for event creation:
- Sexual orientation or gender identity
- Political or religious beliefs
- Health-related information
This data is processed exclusively for the specific needs of your event and will never be used for other purposes.
3. Legal Basis for Processing
In accordance with Article 6 of the GDPR, the Company processes your personal data on the following legal bases:
Contract Performance (Article 6(1)b GDPR)
Processing necessary for the creation and management of your user account, execution of your ticket orders, and processing of your payments.
Explicit Consent (Article 6(1)a GDPR)
Use of non-essential cookies, newsletter subscription, behavioral marketing, and access to geolocation on mobile devices.
Legal Obligations (Article 6(1)c GDPR)
Compliance with tax, accounting obligations, fraud prevention and anti-money laundering, and compliance with applicable financial regulations.
Legitimate Interests (Article 6(1)f GDPR)
Continuous service improvement, behavioral analysis, fraud detection and prevention, data security maintenance, and user experience enhancement.
4. Data Processing Purposes
Your personal data is processed for the following purposes:
User Account Management
Creation, authentication, maintenance, and securing of your account, including password reset.
Financial Transaction Processing
Processing of ticket reservations, invoicing, refund management, and accounting reconciliation.
Communications and Support
Sending reservation confirmations, event updates, responses to your customer support requests. You can unsubscribe from marketing communications at any time.
Service Analysis and Improvement
Analysis of platform usage to identify trends and optimize user experience.
Security and Compliance
Detection and prevention of fraudulent activities, compliance with legal and regulatory obligations.
Content Recommendations
Event suggestions based on your location and preferences (with consent).
No Data Sale Policy
- Your data is never sold to commercial third parties
- Your information is never rented or loaned
- Your activity histories are only shared with your explicit consent
5. Recipients and Data Sharing
Your personal data may be shared with the following categories of recipients:
Technical Service Providers
Payment processors (Stripe, Orange Money, Moov Africa), cloud infrastructure providers, email services. All providers are bound by GDPR-compliant data processing agreements.
Event Organizers
If you have booked a ticket for an event, the organizer will receive your essential contact details (name, email address, phone number) to manage your reservation.
Public and Judicial Authorities
Your data may be disclosed if the Company is legally required to do so (judicial investigations, tax authorities, police authorities, regulatory authorities).
International Data Transfers
Data may be transferred to third countries within the EU or to countries offering an adequate level of protection. When this is not possible, appropriate safeguards are put in place (Standard Contractual Clauses, European Commission Adequacy Decisions).
6. Data Retention Period
The Company retains personal data for as long as necessary to achieve the purposes listed above and in accordance with applicable legal obligations.
| Data Category | Retention Period |
|---|---|
| Profile and Identity Data | During account lifetime + 3 calendar years after deletion |
| Payment and Billing Data | 7 years (legal and tax obligation) |
| Cookies and Tracking Identifiers | Maximum 13 months |
| Access Logs and IP Addresses | 90 days |
| Marketing and Newsletter Data | Until explicit withdrawal of consent |
7. Security and Protection Measures
The Company implements robust technical and organizational measures to protect your data against unauthorized access, modification, disclosure, or destruction:
SSL/TLS Encryption
All data exchanges are encrypted in transit according to industry standards.
Encryption at Rest
Sensitive data stored in databases is encrypted according to best practices.
Multi-Factor Authentication
Optional support for multi-factor authentication to strengthen account security.
Access Control
Only authorized staff have access to data, on a need-to-know basis.
Security Audits
Regular security audits and penetration testing conducted by independent third parties.
Incident Procedure
Data breach response plan with notification to affected parties in accordance with GDPR.
💳 PCI-DSS Compliance
Keevent uses Stripe, a payment service provider certified PCI-DSS Level 1 (the highest certification level). No credit card data is stored on Keevent servers. All payments are securely processed by Stripe, in compliance with the European DSP2 directive (Strong Customer Authentication). Event organizers in Europe use Stripe Connect Express to receive payments directly to their account, ensuring separation of financial flows and regulatory compliance.
PCI-DSS Compliance
Credit card payments are processed by Stripe, certified PCI-DSS Level 1. Keevent never stores credit card data on its servers.
8. Cookies and Tracking Technologies
Types of Cookies Used
Essential Cookies (Required)
Session management, authentication, CSRF security. Necessary for platform operation and cannot be disabled.
Analytics Cookies
Google Analytics to understand platform usage. Requires your explicit consent.
Marketing and Advertising Cookies
Personalized advertising via Meta Platforms and Google Ads. Subject to prior consent.
Functionality Cookies
Language preferences, display theme, interface customization. Requires consent.
Cookie Preference Management
- Withdraw your consent at any time via the cookie banner
- Modify your web browser privacy settings
- Use Google Analytics opt-out tool
9. Your GDPR Rights and Similar Rights
In accordance with GDPR and applicable data protection laws, you have the following rights, exercisable free of charge:
Right of Access (Article 15 GDPR)
You have the right to access all personal data that the Company holds about you.
Right to Rectification (Article 16 GDPR)
You may request correction or update of your data if it is inaccurate or incomplete.
Right to Erasure (Right to be Forgotten - Article 17 GDPR)
You may request deletion of your data, except where a legal, contractual, or regulatory obligation prevents it.
Right to Restriction of Processing (Article 18 GDPR)
You may request restriction of processing of your data under specific circumstances.
Right to Data Portability (Article 20 GDPR)
You have the right to receive your data in a structured, machine-readable format and transfer it to another data controller.
Right to Object (Article 21 GDPR)
You may object to processing of your data for direct marketing purposes, behavioral analysis, or based on legitimate interests.
Rights Related to Automated Decisions (Article 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing (profiling, scoring) that would produce legal effects or significantly affect you.
Right to Legal Recourse
You have the right to lodge a complaint with the competent data protection authority in your jurisdiction.
How to Exercise Your Rights?
To exercise any of these rights, send a written request accompanied by proof of identity to:
Response time: 30 days from receipt of your request (extendable by two months for complex requests).
10. Contact and Complaint Procedure
Data Protection Officer
Email address: dpo@keevent.com
Customer Support
Email address: privacy@keevent.com
Complaint Procedure
If you believe that the Company violates your data protection rights, you have the right to lodge a complaint with:
- In Europe: The national data protection authority in your country of residence
- In Africa: The local data protection authority (e.g., National Commission for Data Protection in Senegal, Information Regulator in South Africa)
11. Revisions and Modifications
The Company reserves the right to modify this privacy policy at any time. Substantial changes will be notified by email or via a prominent notice on the platform. Continued use of the platform after such changes constitutes your acceptance of the revised terms.
Last updated: October 22, 2025
This privacy policy applies to all users of the Keevent platform, regardless of their geographic location.