Privacy Policy

Effective date: [DATE — TO BE INSERTED ON PUBLICATION]

Last updated: [DATE — TO BE INSERTED ON PUBLICATION]

This Privacy Policy explains how I Will Be There ("IWBT", "the service", "we", "our", "us") collects, uses, and protects your personal data when you use iwillbethere.app. We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the UK Data Protection Act 2018, and the UK Privacy and Electronic Communications Regulations (PECR).

1. Who is the data controller?

For the purposes of UK GDPR and EU GDPR, the data controller is:

Paul Barnard, trading as I Will Be There
Status: UK sole trader
Registered address: [REGISTERED ADDRESS — TO BE INSERTED]
ICO registration number: [ICO REGISTRATION — TO BE INSERTED AFTER REGISTRATION]
Data Subject Request contact: [email protected]

2. What personal data we collect

We collect only the data needed to operate the matchmaking and event-networking service.

Account data

Your name (display name)
Your email address
A hashed copy of your password (we never store passwords in plaintext)
Account creation date and last sign-in time

Per-event profile data

For each event you join, we collect what you choose to enter into your event profile:

Your name and company (for that event)
Your email (for that event — can differ from account email)
Your elevator pitch (up to 200 words)
Tags describing your interests and skills
Your availability — which days you'll attend the event, and which hours you're available for meetings each day
Your preferred meeting length

Meeting and request data

Meeting requests you send to others (recipient, message text, timestamp)
Meeting requests you receive (sender, message text, timestamp)
Confirmed meeting bookings (other attendee, date, time, length)
Meetings you've cancelled or replanned, with the reason you provided

Event data (organisers only)

If you create or manage corporate events, we additionally collect:

The event details you enter (name, code, dates, location, synopsis, tags)
The sponsor banner imagery you submit for review
Email allowance usage records

Technical data

Your IP address — temporarily logged by our hosting provider for security and abuse-prevention
Browser user agent — logged for the same purposes
Cookies and session storage — see our Cookie Policy for details

We do not collect: bank or payment card details directly (Stripe handles those if/when you make a purchase), government identifiers, or marketing-tracking pixels.

3. Why we collect it (lawful bases)

Under UK GDPR Article 6, every processing activity needs a lawful basis. Ours are:

Purpose	Lawful basis
Running your account (sign-in, profile, password reset)	Contract (Art. 6(1)(b))
Showing your profile to other attendees at events you've joined	Contract
Sending you transactional emails (meeting requests, confirmations, cancellations)	Contract
Logging IP addresses for security/abuse purposes	Legitimate interest (Art. 6(1)(f))
Retaining cancelled-meeting records for dispute resolution	Legitimate interest
Responding to subject access / deletion requests	Legal obligation (Art. 6(1)(c))

We do not currently process any data based on consent — meaning we don't run analytics, marketing tracking, or send marketing emails. If we ever introduce such processing, we will ask for your consent first.

4. Where your data is stored and processed

Primary data store — Cloudflare D1 (EU jurisdiction)

We use Cloudflare D1 (a serverless SQL database) for storing account, event, and meeting data. Our D1 database is configured with the eu jurisdiction setting at Cloudflare, which contractually guarantees that data is stored and processed within the European Union.

Cloudflare:

Is certified under the EU-US Data Privacy Framework for cross-border transfers
Maintains a Data Processing Agreement with us under their standard customer terms
Holds SOC 2 Type II and ISO 27001 certifications
Full privacy practices: cloudflare.com/privacypolicy

Transactional email — Resend (US, under DPF)

We use Resend (Resend Inc., USA) to deliver transactional emails (meeting requests, confirmations, cancellations). When we send you an email, your email address and the message content are processed by Resend.

Resend:

Is certified under the EU-US Data Privacy Framework and the UK Extension to the EU-US DPF
Includes Standard Contractual Clauses in their Data Processing Agreement (a second basis for lawful transfers)
Is SOC 2 compliant
Stores customer account data in the United States; emails sent to EU/UK recipients may be routed through their Ireland infrastructure but metadata and logs remain in the US
Privacy practices: resend.com/legal/privacy-policy

We have signed Resend's standard Data Processing Agreement.

Sub-processors — complete list

Processor	Purpose	Location	Transfer mechanism
Cloudflare, Inc.	Hosting, CDN, D1 database, Pages	EU jurisdiction	EU residency + DPF for any incidental transfers
Resend, Inc.	Transactional email delivery	United States	DPF + SCCs

We will update this list within 14 days of any change. Material changes will be reflected in a published version of this Privacy Policy with the "Last updated" date refreshed.

5. How long we keep your data (retention policy)

We retain data only as long as needed.

Data	Retention period
Active accounts	Until you delete the account
Inactive accounts (no sign-in for 36 months)	Automatically deleted
Cancelled meeting records	12 months from cancellation date, then deleted
Event records (organiser data)	24 months after the event end date, then deleted
Audit and security logs	24 months, then deleted
Database backups	30 days rolling — older backups overwritten
Email delivery logs (held by Resend)	Per Resend's retention — typically 30 days

When you delete your account, we erase your data from our primary database immediately. Backups continue to exist for up to 30 days before they roll off; we will not restore your data from backup once you've deleted it.

6. Your rights under UK GDPR / EU GDPR

You have the following rights regarding your personal data. To exercise any of them, email [email protected]. We respond within one calendar month.

Right to access (Article 15)

Request a copy of all personal data we hold about you. We provide this through the "Download my data" button on your account profile — instant download as a JSON file. No need to wait or pay.

Right to rectification (Article 16)

Correct any inaccurate data about you. Most data is editable directly in the app (your profile, your availability). For anything that isn't user-editable, email us.

Right to erasure / "right to be forgotten" (Article 17)

Delete your account through the "Delete my account" button on your account profile. The deletion is immediate from our primary database. Backups roll off within 30 days.

How erasure works in practice. When you delete your account, we hard-delete: your account row, sessions, authentication tokens, password reset tokens, notification view records, personal events you own with no other attendees, and personal event admin grants.

To preserve other users' record of meetings you participated in, your per-event attendee profile rows are anonymised in place (your name becomes "Deleted user", email and pitch are tombstoned) rather than deleted entirely. This is necessary because their booking records depend on yours; deleting them would silently corrupt the other party's history. Once anonymised, those rows no longer identify you and are no longer personal data under UK GDPR (Article 4 and Recital 26).

Bookings you participated in are marked as cancelled with reason "Account deleted by user" — the other party sees the cancellation rather than the meeting vanishing.

Right to restrict processing (Article 18)

Ask us to pause processing your data while we resolve a dispute about its accuracy or use. Email [email protected].

Right to data portability (Article 20)

The "Download my data" export is provided in JSON, a structured machine-readable format suitable for transferring to another service.

Right to object (Article 21)

Object to processing based on legitimate interest. Email [email protected]. We don't currently process any data for direct marketing.

Right not to be subject to automated decision-making (Article 22)

We don't make any automated decisions that have a legal or similarly significant effect on you. The "Find your synergies" feature ranks fellow attendees by compatibility for your information; it does not exclude anyone, restrict anyone's access, or make any decision about anyone.

Right to lodge a complaint

If you believe we have not handled your data correctly, complain to the supervisory authority in your country.

UK residents:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
ico.org.uk/make-a-complaint

EU residents: Complain to your local DPA. List at edpb.europa.eu.

7. Security

TLS encryption in transit (HTTPS everywhere)
Encryption at rest by Cloudflare and Resend
Password hashing (passwords never stored in plaintext)
Role-based access — organisers see attendees in their events; admins see system-wide data only for moderation purposes
Audit logging of all admin actions
Regular review of access permissions

If we ever experience a data breach that is likely to affect your rights and freedoms, we will:

Notify the ICO within 72 hours of becoming aware
Notify affected users without undue delay
Publish a notice on this page describing what happened, what data was affected, and what we're doing about it

8. Children

IWBT is not directed at children under 16. We do not knowingly collect data from children under 16. If you believe a child has signed up, email [email protected] and we will delete their data.

9. International users

If you are located outside the United Kingdom or the European Economic Area, you understand that your data will be transferred to and processed in the EU (Cloudflare D1 with eu jurisdiction) and to the United States (Resend sub-processing under DPF). By using the service, you consent to that transfer.

10. Changes to this policy

When we change this Privacy Policy:

We update the "Last updated" date at the top
We email all registered users to notify them of material changes at least 30 days before they take effect
We keep an archive of previous versions available on request

Minor non-material changes (typos, clarifying language) may be made without notice.

11. Contact

If anything in this policy is unclear, or you want to exercise a right, please email:

[email protected]

We aim to respond to all data subject requests within one calendar month, often sooner.