Version v1.0 — Effective 10 April 2026

Privacy Policy

How EntryLog collects, stores and protects personal data — as controller of Customer accounts, and as processor of Attendee data on behalf of Organizers.

Provider: Michal Král
Business ID (IČO): 07526521
Registered seat: Bohuslava Martinů 1559, 258 01 Vlašim, Czech Republic
Registered in: Živnostenský rejstřík (Trade Licensing Register)
Contact: info@entrylog.eu


1. Identity of the Controller and Processor

Michal Král (Business ID: 07526521, registered seat: Bohuslava Martinů 1559, 258 01 Vlašim, Czech Republic), hereinafter the "Provider", operates the EntryLog platform at entrylog.eu.

With respect to personal data of Customers (Organizers and their users), the Provider acts as data controller under Article 4(7) of Regulation (EU) 2016/679 (the "GDPR").

With respect to personal data of Attendees, the Provider acts as data processor on behalf of the Organizer (who is the data controller). The terms of such processing are governed by the Data Processing Agreement (DPA), which is incorporated into the Terms of Service.

The Provider does not employ a formal Data Protection Officer under Article 37 GDPR, as the Provider does not meet the thresholds in Article 37(1).

For privacy-related requests, contact: info@entrylog.eu, attention: Michal Král.


2. Scope of This Policy

This Privacy Policy applies to:

  • All Customers of EntryLog, whether Business Customers or Consumers, who register an Account or use the Service, as defined in the Terms of Service;
  • All users invited to an Organization by the Organizer (team members, collaborators, scanner operators);
  • All Attendees whose personal data is processed through EntryLog by an Organizer.

This policy describes how personal data is collected, processed, retained, and protected. It forms an integral part of the Terms of Service.


3. Categories of Personal Data Processed

3.1 Personal Data of Customers (Organizers and their users)

The Provider collects and processes the following categories of personal data:

  • Identity: name, email address, phone number (if provided)
  • Authentication: password (hashed), API tokens, magic login tokens
  • Account administration: role, organization membership, team assignments, billing address, business name and IČO (for Business Customers)
  • Activity and security: login timestamps, IP addresses, activity logs (e.g., list imports, email sends, check-ins), device information
  • Billing: name, address, IČO (for Business Customers), VAT ID (if applicable), payment method selection (Stripe or invoice), invoices and payment records

3.2 Personal Data of Attendees

The Provider processes the following categories of personal data on behalf of the Organizer:

  • Identity and contact: name, email address, and any custom fields defined by the Organizer (e.g., company, dietary restrictions, accessibility requirements, feedback responses)
  • Event participation: check-in status and timestamp, attendance state (invited, registered, attended, declined)
  • Communication: email delivery status (sent, delivered, bounced, complained, opened)
  • Technical identifiers: unique hash/token used in the Attendee Pass URL, QR code image
  • Feedback: responses to organizer-authored feedback surveys (may be submitted anonymously)

3.3 Technical Data

The Provider collects:

  • Server logs: IP addresses, user agents, HTTP requests, timestamps
  • Real-time infrastructure: Mercure subscription tokens used for live updates during check-in
  • PWA cache: service worker metadata on the Attendee Pass
  • Error tracking: error and exception logs via Sentry (EU region)
  • Cookies and storage: see the Cookie Policy for details on localStorage and cookies

Note: Organizers may upload custom fields containing special categories of data (e.g., health conditions, dietary restrictions). This is the Organizer's responsibility. The Organizer must have a lawful basis under GDPR Article 9 and must disclose this processing to Attendees. The Provider processes such data only as the Organizer's processor.


4. Purposes and Legal Bases

4.1 Processing of Customer (Organizer) Personal Data

Legal basis: Article 6(1)(b) GDPR (contract performance) and Article 6(1)(f) GDPR (legitimate interest).

The Provider processes Customer personal data for the following purposes:

  1. Account management: registering and maintaining the Account, managing team members and user roles, storing authentication credentials, resetting passwords, enabling API access.
  2. Service delivery: processing Activations, sending transactional emails (payment confirmations, password resets, magic login links), enabling the core functionality of the Platform.
  3. Billing and payment: issuing invoices, tracking payment status, sending payment reminders, calculating default interest on overdue invoices, exercising late-payment remedies (suspension, revocation of pay-by-invoice option).
  4. Security and fraud prevention: detecting unauthorized access, rate limiting, CAPTCHA challenges, investigating suspicious activity, protecting the Platform from abuse.
  5. Compliance: retaining billing records for 10 years as required by Act No. 563/1991 Coll. (Accounting Act) and Act No. 235/2004 Coll. (VAT Act).
  6. Legitimate business interests: improving the Platform, analyzing usage patterns, investigating complaints, enforcing the Terms of Service and Acceptable Use Policy.

4.2 Processing of Attendee Personal Data

Legal basis: Article 6(1)(b) GDPR (contract performance on behalf of the Organizer) and as determined by the Organizer's lawful basis.

The Provider processes Attendee personal data exclusively as the Organizer's data processor. The Organizer is responsible for establishing a lawful basis under Article 6 GDPR for each Attendee record. The Provider does not verify the lawful basis and relies on the Organizer's warranty in the Terms of Service.

Attendee data is processed for the following purposes (all under the Organizer's instruction):

  1. Event management: storing attendee lists, maintaining attendance records, enabling check-in via QR code scanning.
  2. Communication: sending transactional emails (registration confirmations, ticket delivery, check-in confirmations), sending organizer-authored campaign emails and reminders, managing email suppression lists and bounces.
  3. Feedback collection: capturing attendee feedback and survey responses.
  4. Reporting: generating statistics and reports for the Organizer about event attendance, email engagement, and feedback.

4.3 Processing of Technical Data

Legal basis: Article 6(1)(f) GDPR (legitimate interest in platform security and operation).

Technical data is processed for:

  1. Service operation: debugging, error monitoring, performance optimization, real-time updates.
  2. Security: detecting attacks, preventing misuse, enforcing rate limits.
  3. Legal compliance: maintaining logs for 12 months as required by applicable law.

5. Data Retention Periods

All personal data is retained only as long as necessary for the stated purpose. The following retention periods apply:

5.1 Organizer Account Data

  • Active account: retained indefinitely while the Account is active.
  • Deleted account: retained for 30 days in soft-delete state for recovery purposes.
  • Hard-delete: all Organizer personal data is permanently deleted from the primary database after 30 days.
  • Backups: residual copies may remain in encrypted database backups for up to 90 days from deletion.
  • Invoices: retained for 10 years from issuance under Act No. 563/1991 Coll. (Accounting Act).

5.2 Attendee Data

  • During active event: retained until the event ends.
  • After event ends: retained for 12 months, then anonymized or deleted.
  • Deleted event: data is deleted along with the event, subject to the email delivery logs below.
  • Check-in logs: retained for 24 months.
  • Email delivery logs: retained for 12 months.

5.3 Activity and Audit Logs

  • Activity logs, login history, API token usage: retained for 12 months.
  • Account action logs (list imports, email sends, etc.): retained for 12 months.

5.4 Feedback Submissions

  • Feedback responses: retained until the Organizer deletes them or the Account is permanently closed.

5.5 Invoices and Billing Records

  • Retention: 10 years from issuance, in accordance with Act No. 563/1991 Coll. (Accounting Act) and Act No. 235/2004 Coll. (VAT Act).
  • Cannot be deleted: This retention period is mandatory and cannot be shortened or overridden by user request. The lawful basis is Article 17(3)(b) GDPR (data must be retained to comply with a legal obligation).

5.6 Anonymized and Aggregate Data

  • Indefinite retention: Anonymized aggregate statistics (e.g., event counts, attendance rates, email open rates) containing no personal data may be retained without time limit.

6. Recipients and Sub-Processors

6.1 Sub-processors

The Provider engages the sub-processors listed below to deliver the Service. This list is complete and authoritative as of the effective date of this Privacy Policy; any change is notified in accordance with § 6.1.3 below.

6.1.1 Sub-processors used by the EntryLog application (app.entrylog.eu):

| Sub-processor | Operator | Jurisdiction | Purpose | Transfer mechanism |
|---|---|---|---|---|
| Stripe | Stripe Payments Europe Ltd. | Ireland (EU) | Payment processing for Activation Fees. Card data is handled exclusively by Stripe and never reaches EntryLog infrastructure. | Intra-EU processing; no transfer outside the EEA for primary processing. Stripe's standard Data Processing Addendum applies. |
| MailerSend | MailerLite Ltd. | Ireland (EU) | Delivery of transactional emails and Email Campaigns. | Intra-EU processing; MailerSend's standard Data Processing Addendum applies, including SCCs for any onward transfers to its US affiliates. |
| Cloudflare R2 | Cloudflare, Inc. | United States (parent); EU storage region enforced | Storage of uploaded files, attachments, and generated assets. | Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, incorporated by reference through Cloudflare's Data Processing Addendum. |
| Cloudflare Turnstile | Cloudflare, Inc. | United States (parent) | CAPTCHA and bot-protection challenges on login and registration pages (strictly necessary for security). | Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, incorporated by reference through Cloudflare's Data Processing Addendum. |
| Sentry | Functional Software, Inc. | EU region (Frankfurt, sentry.io/eu) | Error and exception monitoring. Uses sessionStorage only; sets no cookies. | Processing within the EU region; no SCCs required. |

6.1.2 Sub-processors used by the EntryLog landing page (entrylog.eu):

| Sub-processor | Operator | Jurisdiction | Purpose | Transfer mechanism |
|---|---|---|---|---|
| Umami Cloud | Umami Software, Inc. | United States | Cookieless web analytics. No cookies are set; processing is exempt from consent under EDPB and CNIL guidance on strictly necessary audience measurement. | Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, incorporated by reference through Umami's Data Processing Addendum. |
| Mailchimp | The Rocket Science Group LLC (Intuit) | United States | Newsletter subscription management, via a first-party server-to-server API call from the EntryLog backend. Mailchimp does not load any scripts, pixels, or cookies on the landing page. | Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, incorporated by reference through Mailchimp's Data Processing Addendum. |

6.1.3 Changes to sub-processors. The Provider notifies Customers of the addition, replacement, or removal of any sub-processor at least thirty (30) days in advance by email to the registered contact on the Account, together with a republication of this Privacy Policy reflecting the change. A Customer who objects to a new sub-processor on reasonable data-protection grounds may terminate the Contract without penalty before the change takes effect, as set out in the Data Processing Agreement.

6.2 Attendee Data Recipients

Attendee personal data is shared with sub-processors only as necessary to deliver the Service (e.g., MailerSend for email delivery, Stripe for payment processing if applicable, Cloudflare R2 for attachment storage). Attendee data is not shared with third parties for marketing or other purposes beyond the scope of the Service without the Attendee's explicit consent.

6.3 Law Enforcement and Legal Process

The Provider may disclose personal data if required by applicable law, including court orders, regulatory investigations, or requests from law enforcement. To the extent permitted by law, the Provider will notify the affected data subject before disclosing personal data.


7. International Transfers

7.1 No International Transfers for Primary Data

All EntryLog production data (application servers, primary database, backups) is stored within the European Union, in the Czech Republic. There are no international transfers of personal data outside the EEA for primary storage.

7.2 Transfers to Sub-Processors

Some sub-processors are based in the United States (Cloudflare, Umami Cloud, Mailchimp, Stripe). The Provider has ensured that these sub-processors implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): Cloudflare (R2 and Turnstile), Umami Cloud, and Mailchimp all operate under SCCs referencing Regulation (EU) 2016/679.
  • EU adequacy decisions: where applicable.
  • Contractual guarantees: each sub-processor's Data Processing Agreement, published on their website, includes commitments consistent with GDPR.

The transfer mechanism applicable to each sub-processor is stated directly in the table in § 6.1 above.


8. Security

The Provider implements industry-standard technical and organizational measures to protect personal data, including TLS encryption in transit, encryption at rest, strict access controls, and regular security updates.

However, no method of transmission or storage is entirely secure. The Provider cannot guarantee absolute security and is not responsible for unauthorized access resulting from the Customer's failure to secure their own authentication credentials.

The complete Data Processing Agreement (DPA), which sets out the technical and organizational measures (TOMs) in greater detail, is available at /dpa.


9. Your Rights as a Data Subject

9.1 Right of Access

You have the right to request access to the personal data the Provider holds about you. To exercise this right, send a request by email to info@entrylog.eu, attention: Michal Král. The Provider will provide a copy of your personal data within 30 days.

9.2 Right to Rectification

If any personal data is inaccurate or incomplete, you have the right to request that it be corrected or completed. You can update much of your personal data directly in your Account settings.

9.3 Right to Erasure ("Right to be Forgotten")

You have the right to request erasure of personal data in certain circumstances, including when the data is no longer necessary for the purpose it was collected, or when you withdraw consent. This right is subject to exceptions, including:

  • Billing records: Invoices and accounting records cannot be deleted earlier than 10 years from issuance, due to Act No. 563/1991 Coll. (Accounting Act).
  • Legal obligations: Data retained due to mandatory legal requirements cannot be erased.

To request erasure, contact info@entrylog.eu, attention: Michal Král.

9.4 Right to Restrict Processing

You have the right to request that the Provider restrict processing of your personal data pending resolution of a dispute. While processing is restricted, the data will be retained but not actively used.

9.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV or PDF) and to transmit it to another controller. To request portability, contact info@entrylog.eu, attention: Michal Král.

9.6 Right to Object

You have the right to object to processing of your personal data for legitimate interest purposes. If you object, the Provider will no longer process your data for that purpose unless the Provider demonstrates a compelling legitimate interest that overrides your rights.

9.7 Right to Withdraw Consent

If the Provider's processing is based on your consent (e.g., marketing email subscriptions), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.

9.8 Right to Lodge a Complaint

If you believe the Provider has violated your privacy rights, you have the right to lodge a complaint with the Czech authority for personal data protection:

Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27
170 00 Praha 7
Czech Republic
www.uoou.cz

You also have the right to lodge a complaint with the supervisory authority in your country of residence.


10. Breach Notification

10.1 Notification to the Data Protection Authority (ÚOOÚ)

If the Provider becomes aware of a personal data breach (as defined in Article 4(12) GDPR) that results in a risk to rights and freedoms, the Provider will notify the Czech Data Protection Authority (ÚOOÚ) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in risk.

10.2 Notification to Affected Data Subjects

If the breach is likely to result in a high risk to rights and freedoms, the Provider will notify affected data subjects without undue delay in accordance with Article 34 GDPR.

10.3 Notification to Organizer Customers

The Provider maintains a contractual commitment (in the DPA) to notify Organizer customers of any known or suspected personal data breach without undue delay and in any event within 72 hours of becoming aware, so that the Organizer can fulfill its own obligations under Articles 33 and 34 GDPR.

10.4 Breach Register

The Provider maintains an internal register of all personal data breaches, regardless of whether notification was required, as required by Article 33(5) GDPR.


11. Contact and Data Subject Rights Requests

For all privacy-related requests, including requests to exercise your rights (access, rectification, erasure, portability, objection), please contact:

Michal Král
Email: info@entrylog.eu
Address: Bohuslava Martinů 1559, 258 01 Vlašim, Czech Republic

The Provider aims to respond to all rights requests within 30 days. If the request is complex, the Provider may extend the response period to 60 days and will notify you.


12. Children

The EntryLog Service is not directed to individuals under the age of 18. You must be at least 18 years old to register an Account or use the Service. If you are under 18, please do not register an Account or submit personal data to the Provider. If the Provider becomes aware that personal data of a person under 18 has been collected without appropriate consent, the Provider will take steps to delete such data as quickly as possible.


13. Changes to This Privacy Policy

The Provider may update this Privacy Policy from time to time to reflect changes in data processing practices, legal requirements, or other factors. The current version, together with its effective date and version string, is published at entrylog.eu/legal/privacy-policy.

If the Provider makes any material change to this policy, the Provider will notify affected Customers by email to the registered contact on the Account. Continued use of the Service after a material change takes effect constitutes acceptance of the updated policy.

Purely editorial or clarifying changes may take effect immediately without individual notice.


14. Applicable Law and Jurisdiction

This Privacy Policy is governed by the laws of the Czech Republic, in particular Act No. 89/2012 Coll., the Civil Code, and Regulation (EU) 2016/679 (GDPR).

For questions or disputes regarding data protection, you may contact the supervisory authority in the Czech Republic (ÚOOÚ) or in your country of residence.
