Privacy Policy

Effective date: 1 January 2026

This Privacy Policy applies to ConfFlow websites, web applications, mobile applications, event landing pages, administration tools, APIs, support channels, and related services operated under the ConfFlow brand (the Services).

1. Who we are

The Services are provided by BHS Group s.r.o., a company incorporated in the Czech Republic (the Provider). Registered office: Petrovická 18, 100 00 Praha 10, Czech Republic, company ID: 26963051, VAT ID: CZ26963051 and contact: events@confflow.com.

2. Our role under data protection law

For data relating to our own website, customer accounts, billing, product administration, support, security, and communication with customers, the Provider acts as a data controller.

For event data, registration data, attendee data, abstract submissions, orders, tickets, and other content entered into ConfFlow by an organization using the platform, the relevant organization is usually the data controller and the Provider acts as its data processor. In that case, we process personal data on behalf of the organization and in accordance with its instructions and the applicable data processing agreement.

Event organizers may publish their own event pages, forms, ticketing flows, policies, and communications using ConfFlow. Their privacy notices and legal terms may apply in addition to this Privacy Policy.

3. Personal data we process

Depending on how the Services are used, we may process the following categories of data:

• account data, such as name, email address, organization, role, and login details;
• organization and billing data, such as company details, invoicing data, tax details;
• payment data processed through Stripe or other payment providers;
• event and attendee data entered by organizations or users;
• order, ticket, registration, check-in, abstract, sponsor, exhibitor, and agenda data;
• attendee messaging data, chat requests, direct messages, message previews, reports, block settings, safety-filter metadata, moderation actions, and networking profile content where these features are enabled;
• mobile push notification tokens, notification preferences, delivery metadata, and notification content such as sender names and short message previews;
• support messages and other communications with us;
• technical data, such as IP address, device data, browser data, logs, and identifiers;
• security, diagnostics, crash, and performance data;
• cookie and similar technology data, where used.

4. Why we process personal data

We process personal data to:

• provide, operate, maintain, and secure the Services;
• create and manage customer, administrator, and user accounts;
• enable organizations to create event pages, registrations, ticketing, and check-in flows;
• provide attendee messaging, chat request, networking, notification, reporting, blocking, and moderation features where enabled;
• process subscriptions, billing, invoices, and payments;
• provide customer support and respond to requests;
• monitor service performance, prevent abuse, moderate reported content, and troubleshoot errors;
• send service, security, and administrative communications;
• comply with legal, tax, accounting, and regulatory obligations;
• improve the Services and develop new features.

5. Legal bases

Where the GDPR applies and the Provider acts as a controller, we rely on the following legal bases:

• Contract performance, where processing is necessary to provide the Services, administer accounts, or process customer subscriptions.
• Legal obligation, where processing is required for tax, accounting, consumer, company, security, or regulatory compliance.
• Legitimate interests, including service security, fraud prevention, customer support, product improvement, and business administration.
• Consent, where required, for example for certain optional communications or non-essential cookies.

6. Payments

ConfFlow may use Stripe to process subscriptions, platform fees, and other payments for the Services. Stripe processes payment data according to its own terms and privacy documentation. We do not store full payment card numbers on our servers.

If an organization sells event registrations, tickets, sponsorships, accommodation, or similar items through an event page, the organization is responsible for the legal basis, customer relationship, tax treatment, refunds, cancellation terms, and any privacy information required for that sale unless we expressly agree otherwise in writing.

7. Sharing personal data

We may share personal data with:

• hosting, database, authentication, storage, and infrastructure providers;
• payment providers, including Stripe;
• email, push notification, support, analytics, security, and diagnostics providers, including platform notification services such as Apple Push Notification service, Firebase Cloud Messaging, or Expo Push Service where applicable;
• professional advisers, auditors, accountants, and legal advisers;
• public authorities where required by law;
• organizations that use ConfFlow, where data relates to their event or account.

We require processors that handle personal data on our behalf to provide appropriate confidentiality, security, and data protection commitments.

8. International transfers

Some service providers may process personal data outside the European Economic Area. Where required, we use appropriate safeguards such as adequacy decisions, standard contractual clauses, contractual protections, and technical and organizational measures.

9. Retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, including to provide the Services, meet contractual obligations, comply with legal, tax, and accounting requirements, resolve disputes, enforce agreements, and maintain security.

Event data controlled by organizations may be retained according to the relevant organization's instructions, retention settings, and legal obligations.

Reports, moderation records, block settings, and related safety records may be retained as needed to protect users, investigate abuse, enforce terms, and document moderation actions. Users can also contact us about abuse, safety, or support issues at events@confflow.com.

10. Security

We use technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure. No online service can be guaranteed to be completely secure, but we work to maintain security appropriate to the nature of the data and the risks involved.

11. Your rights

Where the GDPR applies, you may have the right to request access, correction, deletion, restriction, objection, portability, and information about how your personal data is processed. Where processing is based on consent, you may withdraw consent at any time.

To exercise your rights, contact us at events@confflow.com. If your request concerns data controlled by an event organizer, we may direct you to that organization or assist it in handling your request.

You also have the right to lodge a complaint with a supervisory authority. In the Czech Republic, the supervisory authority is the Office for Personal Data Protection.

12. Cookies

We may use cookies and similar technologies to operate the Services, remember settings, secure sessions, analyze usage, and improve the product. Where required by law, we will ask for consent before using non-essential cookies.

13. Children's data

The Services are not intended for children unless an organization uses ConfFlow for an event where it has the required legal basis, consents, and safeguards. Organizations are responsible for ensuring that any child-related event data is collected and processed lawfully.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version will be available on this page. If changes are material, we may notify customers through the Services or by email.

15. Related documents

Please also review our Terms of Service.