Legal & Privacy

Last Updated: April 2026

This Data Processing Addendum ("DPA") forms part of the Plexevent Terms of Service and applies where Plexevent processes personal data on behalf of a customer.

This DPA is intended to comply with Article 28 of the General Data Protection Regulation (GDPR).

1. Definitions

For the purposes of this DPA:

Controller

The customer (event organizer) who determines the purposes and means of processing personal data.

Processor

Plexevent, operated by Christos Yelasis, which processes personal data on behalf of the Controller.

Personal Data

Any information relating to an identified or identifiable natural person.

Processing

Any operation performed on personal data, including collection, storage, use, transmission, or deletion.

2. Scope of Processing

Plexevent provides software infrastructure that allows customers to manage event-related information.

Processing activities may include:

• storing guest lists
• sending invitations
• managing RSVP responses
• recording poll responses
• collecting Q&A submissions
• managing event interaction data

Plexevent processes personal data only to provide the Service and in accordance with the customer's instructions.

3. Categories of Personal Data

Personal data processed may include:

Guest Data

• name
• email address
• phone number (optional)

User Account Data

• name
• email address
• company name (optional)
• phone number (optional)

Event Interaction Data

• RSVP responses
• poll answers
• Q&A submissions

Technical Data

• IP address
• device information
• session data

4. Categories of Data Subjects

Personal data may relate to:

• event organizers
• event participants
• invited guests
• platform users

5. Customer Responsibilities (VERY IMPORTANT)

The customer (Controller) is solely responsible for:

• ensuring a valid legal basis for processing personal data
• obtaining any required consent from guests or participants
• providing required notices to data subjects
• ensuring that data uploaded to Plexevent complies with applicable laws

Plexevent does not verify the legality of customer-provided data.

 The customer is fully responsible for the content and legality of all personal data processed through the platform.

Plexevent does not monitor, verify, or validate the legality of data processed by customers.

6. Instructions from the Controller

Plexevent processes personal data only:

• in accordance with the customer's instructions
• as necessary to provide the Service
• in accordance with the Terms of Service and this DPA

7. Security Measures

Plexevent implements appropriate technical and organizational measures to protect personal data.

These may include:

• HTTPS encryption
• password hashing
• role-based access control
• secure infrastructure
• database backups
• restricted administrative access

These measures are designed to protect against:

• unauthorized access
• loss
• alteration
• disclosure

8. Confidentiality

Plexevent personnel are subject to confidentiality obligations.

Access to personal data is limited to authorized personnel required to operate, maintain, or support the platform.

9. Subprocessors

Plexevent may engage subprocessors to support the Service.

These may include:

• AWS (infrastructure)
• Hostinger (hosting and email)
• Stripe (payment processing – independent controller)
• Google Analytics
• Meta Pixel
• Hotjar / Microsoft Clarity

Subprocessors process data in accordance with applicable data protection laws.

10. International Data Transfers

Where personal data is transferred outside the EEA, Plexevent ensures appropriate safeguards, including:

• Standard Contractual Clauses (SCCs)
• equivalent legal mechanisms

11. Data Subject Rights

Plexevent will assist the customer, where reasonably possible, in responding to data subject requests, including:

• access
• rectification
• deletion
• portability
• restriction of processing

 The customer remains responsible for handling such requests.

12. Data Breach Notification

If Plexevent becomes aware of a personal data breach affecting customer data, Plexevent will notify the customer without undue delay.

Notification will include available relevant information.

Plexevent is not responsible for breaches caused by:

• customer actions
• third-party services
• external attacks beyond reasonable control

13. Data Retention and Deletion

Personal data is retained only as necessary to provide the Service.

inactive accounts may be deleted after 365 days

after account cancellation, data export may be available for 1 day

after this period, data may be permanently deleted

14. Audits and Compliance

Customers may request reasonable information regarding Plexevent's compliance with this DPA.

Such requests must:

• be reasonable
• not disrupt normal operations
• not require access to confidential internal systems

15. Limitation of Responsibility

Plexevent acts solely as a data processor and is not responsible for:

• the legality of data collected by customers
• how customers use the platform
• customer compliance with applicable laws

16. Governing Law

This DPA is governed by the laws of the Republic of Cyprus.

17. Relationship to Terms of Service

This DPA forms part of the Plexevent Terms of Service.

In case of conflict, this DPA prevails for data protection matters.