Privacy Policy

This Privacy Policy explains how Treffio ApS, CVR 42 02 16 79, Niels Ebbesens Vej 16, 1911 Frederiksberg C, Denmark (“Treffio”, “we”, “us” or “our”) processes Personal Data in connection with the Treffio platform — the website at treffio.com, the admin dashboard at admin.treffio.com, public event registration sites hosted on *.treffio.com, the mobile application at app.treffio.com and on iOS / Android, and any related services (together, the “Service”).

It applies to:

Visitors to our marketing website
Administrators who use the admin dashboard to create and manage events
Customers who subscribe to Treffio
Guests who register for or attend events that are managed in Treffio

1. Our roles

For some processing we are the controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (“GDPR”); for other processing we act as a processor for our Customers (Article 4(8) GDPR).

Processing	Controller	Processor
Marketing website analytics, contact-form submissions, demo requests	Treffio	—
Administrator account data (admin user identity, settings, billing)	Treffio	—
Guest data uploaded or generated by Customers in connection with their events	The Customer	Treffio
Operational metadata of the Service (logs, error reports, security events)	Treffio	—

Where we act as processor, our processing is governed by the Data Processing Agreement and the Customer is the controller. Guests should consult the privacy notice of the Customer running the event for information about that processing.

2. What we deliberately do not do

We want to be specific about practices we have deliberately chosen not to engage in, because they are widespread in our industry but, in our view, unnecessary for our Service:

No analytics. We do not use Google Analytics, Mixpanel, Amplitude, Posthog, Plausible, Fathom, Hotjar, Clarity, FullStory, or any other behavioral analytics or session-replay tool on the marketing website, the admin dashboard, registration pages, or the web app.
No marketing pixels. We do not run Meta Pixel, LinkedIn Insight Tag, Google Ads conversion pixels, or similar advertising tags.
No third-party chat widgets. We do not embed Intercom, Crisp, HubSpot, or similar.
No data sales. We do not sell, rent, or trade Personal Data.
No cross-context behavioral advertising. We do not build profiles of Users for advertising purposes.

If we ever change any of these practices, we will update this Privacy Policy first and provide notice in line with Section 14.

3. Personal Data we collect — Marketing website (treffio.com)

When you visit treffio.com, we collect:

Server logs: IP address, user-agent, requested URL, timestamp, response code, byte counts. Used to operate, secure, and troubleshoot the website. Retention: up to 90 days, then deleted.
Contact-form / demo-request data: name, company name, email address, phone number, and any free-text content you provide. Used to respond to your inquiry. Retention: up to 24 months from last contact, unless you become a Customer (in which case it is retained as part of the Customer relationship), or you ask us to delete it earlier.

The website itself does not set cookies. Fonts are currently loaded from fonts.googleapis.com and fonts.gstatic.com (Google), which transmits your IP address to Google in the United States. We are working on self-hosting fonts to remove this dependency.

4. Personal Data we collect — Admin dashboard (admin.treffio.com)

When you sign in as an Administrator, we collect:

Identity and account data: name, email address, optional phone number, profile avatar, language preference. Used for account creation, authentication, and basic personalization.
Authentication artifacts: one-time codes during login, session tokens issued on successful authentication. Tokens are stored in the browser’s localStorage (not in cookies); see the Cookie Policy.
Activity and audit data: actions you take in the admin dashboard, IP address, user-agent, timestamps, and the events / customers / records affected. Used for security, abuse prevention, and audit. Retention: up to 24 months.
Communications with us: support emails, in-app messages, and any free-text content you submit through support channels. Retention: up to 36 months from last contact.
Billing data (where applicable): invoicing details, VAT identifiers, billing contact, Order Form references, payment method tokens (we do not store full card numbers; those live with our payment processor). Retention: as required by Danish bookkeeping law (currently five years from the end of the financial year to which they relate).

Legal bases: contract performance (Article 6(1)(b) GDPR) for account creation, authentication, and provision of the Service; legitimate interests (Article 6(1)(f) GDPR) for security, abuse prevention, and product improvement; legal obligation (Article 6(1)(c) GDPR) for billing and bookkeeping records.

5. Personal Data we process — Guest data (when Treffio is processor)

When a Customer uses the admin dashboard to manage an event, that Customer is the controller of all guest-related Personal Data, and Treffio processes it solely on the Customer’s instructions under the Data Processing Agreement.

Categories typically include:

Identifiers: name, email address, phone number
Authentication / login material: one-time codes
Demographic and event-specific information: language preference, dietary restrictions, allergies, accessibility needs, transport preferences, role/title, organization
Registration responses: free-text and structured answers to questionnaires defined by the Customer
Communication metadata: delivery status, open / click events, bounce data
Attendance data: ticket scans, check-in times and locations
Financial data (for paid ticketing): transaction identifiers, amounts; payment-card details are processed directly by the payment processor and never reach our database
Photos or other content uploaded by the Customer or the Guest in connection with the event

Guests should consult the privacy notice of the Customer running their event for the purposes, lawful bases, and specific retention applicable to that processing.

5b. Optional AI-powered translation (OpenAI)

The admin dashboard offers an optional AI-powered text-translation feature backed by OpenAI. The feature is off by default and only sends data to OpenAI when an Administrator explicitly invokes it (for example, to translate an event title or description into another language).

When the feature is used:

only the free-text content the Administrator submits is transmitted (typically event configuration text — not, by design, identifiable guest data);
the integration is configured so that submitted text is not used to train OpenAI models, is not used for OpenAI’s analytics, and is not retained beyond what is necessary to return the translation;
OpenAI acts as a conditional sub-processor, engaged only on use of the feature, and is listed in the Subprocessor List accordingly.

If the feature is not used, no data is shared with OpenAI. Administrators should not paste identifiable guest data into translation prompts; the feature is intended for static event content.

6. Personal Data we process — Mobile application

The Treffio mobile applications (iOS, Android, and app.treffio.com) deliberately use a minimal SDK stack:

Push notifications are delivered via Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging (FCM) on Android and the web. Push tokens are stored on Treffio’s servers and used solely to deliver event notifications.
No crash reporting or telemetry SDKs are bundled. We do not currently use Firebase Crashlytics, Sentry, Bugsnag, or similar. If we add crash reporting in the future, we will update this Privacy Policy and the Subprocessor List before doing so.
No analytics or attribution SDKs are bundled. We do not use AppsFlyer, Adjust, Branch, Singular, Amplitude, Mixpanel, Posthog, Firebase Analytics, or similar.

7. Cookies and similar technologies

A complete description is in the Cookie Policy. In short:

The Service does not set tracking, analytics, or advertising cookies.
Authentication state in the admin dashboard and on registration pages is stored in localStorage rather than in cookies.
The Stripe payment SDK may set strictly-necessary cookies (__stripe_mid, __stripe_sid) to detect fraud during a payment session. These cookies are required to use the payment functionality and are not used for advertising.
We do not display a cookie consent banner because we do not use any consent-required cookies.

We share Personal Data with the following categories of recipients, only as necessary:

8.1 Subprocessors

We rely on a small set of trusted subprocessors to operate the Service. The current list is published in the Subprocessor List, with each entry’s name, purpose, location, and applicable transfer mechanism. Subprocessors are bound by data-protection terms no less protective than those that apply to us, and we remain responsible for their performance.

8.2 Customers

Where Treffio is a processor, the relevant data is accessible to the Customer (via the admin dashboard) and is shared at the Customer’s instruction.

8.3 Legal and safety

We may disclose Personal Data where required by law, court order, or a valid request from a competent authority, or where we believe disclosure is necessary to:

protect the safety of any person;
prevent or investigate suspected fraud, abuse, or illegal activity;
enforce our Terms and Conditions, License Terms, or AUP; or
defend Treffio against legal claims.

We push back on overbroad or unlawful requests where we have a reasonable basis to do so. Where lawful, we notify the affected Controller before disclosing data they have entrusted to us.

8.4 Business transitions

If Treffio is involved in a merger, acquisition, financing, reorganization, or sale of assets, Personal Data may be transferred as part of that transaction, subject to standard confidentiality and data-protection commitments.

9. International transfers

Most of our processing takes place inside the European Economic Area (EEA). For transparency, the following subprocessors process some or all data outside the EEA — primarily in the United States:

Resend (transactional email) — United States
Twilio (SMS) — United States
Stripe (payment processing) — Ireland for EU customers; United States and global infrastructure for processing
Google — Firebase Cloud Messaging (push notifications, Android and web) — United States
Apple — APNs (push notifications, iOS) — United States and Apple’s global infrastructure
Google — Fonts CDN (fonts.googleapis.com, fonts.gstatic.com) — United States. We are migrating to self-hosted fonts to remove this transfer.
unpkg / Cloudflare (one JavaScript library on treffio.com) — global CDN. We are migrating to bundle this library locally.
OpenAI — United States. This is a conditional sub-processor, engaged only when an Administrator explicitly invokes the optional AI translation feature in the admin dashboard. If the feature is not used, no data is sent to OpenAI.

All other subprocessors listed in the Subprocessor List process data within the EEA.

For every transfer outside the EEA to a country that is not subject to a European Commission adequacy decision, we rely on:

the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914; together with
supplementary measures appropriate to the risk, such as encryption in transit and at rest, and contractual restrictions on subprocessor access.

10. Retention

Specific retention periods per category are set out in Sections 3 to 6 above. As a general rule:

Operational logs and security events: up to 90 days
Audit / activity history in the admin dashboard: up to 24 months
Support and contact correspondence: up to 36 months from last contact
Billing and accounting records: as required by Danish bookkeeping law (currently five years)
Event Data (when Treffio is processor): by default, retained for 60 days after the relevant event has concluded, then deleted from the live Service, unless the Customer has configured a different retention or applicable law requires earlier deletion or longer retention
Backups: retained for the standard backup-rotation period and then deleted on rotation

If a longer retention is required by law (for example, for the establishment, exercise, or defense of legal claims), we will retain the relevant data only for that purpose and only for as long as needed.

11. Your rights

Subject to applicable law and reasonable verification of identity, you have the following rights regarding your Personal Data:

Right of access (Article 15 GDPR): obtain confirmation as to whether we process Personal Data about you and, if so, a copy of that data.
Right to rectification (Article 16): correct inaccurate or incomplete data.
Right to erasure (Article 17): have your Personal Data deleted, where the conditions are met.
Right to restriction of processing (Article 18): restrict processing in certain circumstances.
Right to data portability (Article 20): receive your Personal Data in a structured, commonly-used, machine-readable format and transmit it to another controller.
Right to object (Article 21): object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
Right to withdraw consent (Article 7(3)): where processing is based on consent, withdraw it at any time, without affecting the lawfulness of prior processing.
Right not to be subject to automated decision-making (Article 22): we do not currently make solely-automated decisions that produce legal or similarly significant effects.
Right to lodge a complaint with a supervisory authority — in Denmark, the Danish Data Protection Agency (Datatilsynet, www.datatilsynet.dk).

To exercise any of these rights, contact us at [email protected].

If you are a Guest of an event managed by a Customer of Treffio, please direct your request to the Customer in the first instance, since they are the controller of that data. We will assist them in fulfilling your request.

12. Marketing and post-event communications

12.1 Marketing emails from Treffio

We send marketing communications about Treffio (for example product updates, event newsletters, invitations to webinars) only to people who have given prior consent or who have an existing customer relationship with us under applicable opt-in rules. Every marketing email contains a clear unsubscribe link. Unsubscribing from marketing does not affect operational and transactional communications.

12.2 Communications about your event

If you are a Guest, the operational communications you receive about your event (invitations, confirmations, reminders, ticketing, post-event materials) are sent on behalf of, and at the instruction of, the Customer who is running the event. Opt-out and unsubscribe requests for those communications are handled within the Service and apply to that event.

12.3 Strictly transactional post-event messages

After an event has ended, you may continue to receive strictly transactional service messages related to that event for a reasonable period — for example, evaluation surveys, certificates, photos, materials from speakers, or operational follow-ups requested by the event organizer. These are not marketing and do not require separate marketing consent. Each such message contains a clear way to opt out of further post-event communications.

13. Security

We implement and maintain technical and organizational measures appropriate to the risk of the processing, including encryption in transit (TLS 1.2 or higher) and at rest, role-based access control with least-privilege defaults, multi-factor authentication for personnel with production access, periodic backups, monitoring and alerting, and a documented incident-response process. A summary is provided in Annex II of the Data Processing Agreement.

In the event of a Personal Data Breach affecting your data, we will:

notify the controller (where Treffio is processor) without undue delay and in any event within 72 hours of becoming aware;
where we are the controller and the breach is likely to result in a risk to your rights and freedoms, notify the supervisory authority within 72 hours;
where the breach is likely to result in a high risk, notify affected individuals without undue delay; and
take appropriate steps to contain, investigate, and remediate the breach.

14. Children

The Service is not directed to children under 16. We do not knowingly collect Personal Data from children under 16 without parental consent. If you believe we have collected such data, please contact us at [email protected] and we will delete it.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified through the admin dashboard, by email to Customers, and (where appropriate) by a banner on treffio.com. The version and effective date are shown at the top of this document. Continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

16. Contact

For privacy-related questions, requests, or complaints:

Treffio ApS — Data Protection Niels Ebbesens Vej 16 1911 Frederiksberg C Denmark Email: [email protected] CVR: 42 02 16 79

You also have the right to lodge a complaint with the Danish Data Protection Agency:

Datatilsynet Carl Jacobsens Vej 35 2500 Valby Denmark www.datatilsynet.dk