Privacy Notice

1. Introduction

This Privacy Notice contains information about how Personal Data is Processed by Agorify AB, incorporated, and registered in Sweden with company registration number 559179-4150, whose registered office is at Kompassbacken 14, 16 433 Stockholm.

Agorify AB is hereinafter referred to as "Agorify" and referred to as "we", "our", "us". References to "you" or "your" refer to the Data Subject whose Personal Data we Process.

This Privacy Notice applies to Users of our Services and it contains information about, among other things:

  • how we Process Personal Data;
  • which Personal Data we Process;
  • the purpose and legal basis of the Processing;
  • where the Personal Data is stored;
  • to whom Personal Data may be shared;
  • what rights the Data Subject has according to the GDPR; and
  • other information about our Processing of Personal Data.

Our Processing of Personal Data takes place in accordance with the information specified in this Privacy Notice, and we always comply with applicable laws and regulations regarding the Processing of Personal Data, such as GDPR and SCC where applicable. In some cases, we may provide additional data protection notices specific to services/products, or procedures. Such notices should be read in conjunction with this Privacy Notice.

This Privacy Notice covers all types of Personal Data, in both structured and unstructured data.

We review the content of this Privacy Notice when necessary and at least once a year, to ensure that the information is correct and up-to-date. The latest version is always published on our website.

The contents of this Privacy Notice may be updated from time to time, without prior notice. For example, if it is necessary to clarify something, due to changed or new legislation or if our Processing of Personal Data changes. You are responsible for reading the contents of the applicable Privacy Notice and keeping up to date on any changes. We will provide notice to you in accordance with applicable law if we make material changes. The applicable version is always published on our Website.

This Privacy Notice may be written/published in other language versions. The English version shall always prevail in the event of any conflict and/or confusion between the versions.

2. Definitions

The following terms used in this Privacy Notice shall have the meanings set forth below, both when expressed in the plural and the singular:

“Controller” refers to the person/entity who determines the purpose of a particular Processing of Personal Data and how the Processing is to be carried out. Natural persons, legal persons, authorities, institutions or other bodies may be Personal Data Controllers.

“Data Subject” means the natural person who can be identified through the Personal Data.

“Event” means an event facilitated by or hosted on the Platform, such as hybrid events, online events and/or onsite events.

“Event Data” is (a) any Personal Data registered within the Host Account by the Host and/or its Team Members; (b) any Personal Data contained in speaker bios and/or other materials submitted by Host in the course of creating or during an Event; and (c) any Personal Data embedded in event recordings, participant chat transcripts and/or other Host event related content.

“GDPR” refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

“Participant Data” is any Personal Data relating to individuals in the creation of an Agorify account (or other means of access) to attend or engage with an Event through the Service.

“Personal Data” includes all data that, directly or indirectly, alone or together with other data, can be linked to an identified or identifiable physical living person. Common examples of Personal Data are: name, telephone number, address, email address, user ID.

“Processing” refers to everything that is made with Personal Data, automated or otherwise. Processing can take place through an individual measure or through a combination of different measures. Examples of common Processes of Personal Data are storage, erasure, sharing, usage, registration, copying, collection, organization, adjustment, destruction, etc.

“Processor” refers to the party who Processes Personal Data on behalf of a Personal Data Controller, according to the Controller's instructions.

“SCC” refers to Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or later updated version.

“Service” includes the services and products which are stated in an Order or otherwise provided by Agorify, for example a Subscription Plan and any additional features or functionality such as Add-Ons, ticketing, check-in & badge printing, event app, and/or lead retrieval, and may also include the Platform. Third-party Services are expressly excluded.

“Team Member” includes the Host’s employees or consultants who use the Services on behalf of the Host, and those of the Host’s third-party vendors and sponsors, who the Host authorizes to use and access the Host’s Organization, including but not limited to the Host’s event managers and/or moderators.

“Third-party” refers to someone other than the Personal Data Controller (and the persons who are authorized to Process the Personal Data), the Data Subject or the Personal Data Processor (and the persons who are authorized to Process the Personal Data). A Third-party may be a legal person or a natural person, institution, authority or other body.

“User” refers to an individual using the Services.

Any other GDPR-related terms not defined herein shall have the same meaning in this Privacy Notice as set forth in Article 4 of the GDPR.

3. Personal Data Controller and Personal Data Processor

We are the Controller regarding all Processing of Personal Data that is performed by us or on our behalf, insofar as we determine the means and purpose of the Processing (according to the principle of liability).

However, we may also Process Personal on behalf of the Host and according to the Host's instructions. In such cases, we Process Personal Data in our role as Processor and the Host is the Controller. We have entered into a data processing agreement (DPA) with the Host, which regulates our Processing of Personal Data as a Processor.

We are the Processor, and the Host is the Controller for Personal Data, in for example the following situations:

  • When the Host and/or Team Members registers Personal Data in the Service. The Host is responsible for ensuring that all Personal Data that its Team Members Processes within the Service are accurate and that the Processing is made in accordance with applicable data protection regulation. The Host is also responsible for supplying information about its Processing of Personal Data to the Data Subjects in question. We may also register Personal Data belonging to a Data Subject according to the Host’s instructions, for example in accordance with a support matter.

  • When the Host or its Team Members requests support for the Service from us, which means that the Processing of Personal Data within the support case takes place in accordance with the Host's instructions.

The Host and its Team Members must comply with all at any time applicable data protection legislation when using the Services, and the Host is responsible for its Team Member’s use of the Services.

Unless otherwise stated in this Privacy Notice, we are the Controller for the Processing described.

Third-party websites, applications, and integrations

If you provide information to us through a Third-party website or platform, the information you provide may be collected separately by such Third-party that provides that website or platform. Such information is subject to the Third-party's privacy notices and terms. This means, among other things, that the privacy settings you have made on the Third-party website or platform do not affect our processing of data that we collect directly via our services/platforms/websites.

There may be links in our Services/platforms/websites that lead to other Third-party websites, applications, content, or other integrations, which may allow such Third-parties to collect or share Personal Data about you. We do not control or own such Third-party websites, applications, content or other integrations and we are not responsible for the Processing of Personal Data carried out by anyone else or for the privacy rules, notices, or terms of such Third-parties. This also applies if you access or use Third-party services or integrations provided by an event organizer, advertiser, sponsor, or any other party who participates in an event.

For these reasons, we would like to encourage you to pay attention when you leave our services/platforms/websites and to request details of and read the privacy notices and terms of such Third-parties, who may collect and Process Personal Data belonging to you.

4. How we access Personal Data that we Process

We may access, collect and Process your Personal Data when you for example:

  • enter into an agreement with us,
  • create an account to the Platform,
  • interact with an Event,
  • contact us or give us feedback,
  • enter a survey or promotion,
  • request marketing to be sent to you,
  • use and access our Services,
  • provide any Personal Data through our Services,
  • in-person events and on our website.

We may also Process your Personal Data if it is provided to us by someone else, for example:

  • the Host or its Team Members,
  • Third-party service providers which you have linked your use of the Services, such as social media accounts or single-sign-on services,
  • your employer,
  • the Host, Organizer or sponsor of an event that you have registered to attend to,
  • payment vendors,
  • advertising networks,
  • analytics providers,
  • our business partners.

The information which we receive from such Third-parties depends on your and our respective relationships with the Third-party and their policies.

5. Categories of Personal Data that we Process

In accordance with the principle of data minimization, we only process Personal Data in our capacity as a Controller that is adequate, necessary, and relevant to fulfill the purposes for which it was collected.

We mainly Process the categories of Personal Data listed below:

  • Identity: first name, last name, username (e-mail address), password, image, title, age and gender. Audio-visual content which you appear in as you interact or contribute with an event may also be Processed by us. If we for some reason request that you verify your identity, we may also Process your government issued ID provided to us.
  • Contact: email address, telephone number, home address.
  • Transaction: details about services and/or products you have used or accessed through the Services and payments that you have made, including the payment service provider, card type, card expiration and the last four digits of the card number.
  • Technical: IP-address (which is only used in order to provide the Service to the User in question and is only stored in the data-logs), login data, hardware information, time zone location and setting, browser type and version, operating system and other technology on the devices used to access the Services, such as information regarding activated microphone and/or camera.
  • Profile: username (e-mail), password, preferences/settings, feedback, country, employer, job title, biography, survey responses and purchases or orders made by you, linked social media accounts.
  • Usage: information about how the Service is used, meta data such as length of visit, pattern, frequency and timing of use, navigation paths, page views, and page interaction information such as clicks, mouse-overs, scrolling and/or mouse tracking.
  • Marketing: preferences in receiving marketing from us.
  • Communication: communication preferences.
  • User generated content: refers to data as a result of your interactions with the Services, such as videos, event materials, messaging, chats and data that is submitted by you as part of an event. It also covers any Personal Data which is provided to us by the User, such as information provided in custom fields in the Platform created according to the Host’s instructions.
  • Other Personal Data: any other Personal Data that is provided to us, such as those that are registered in the Platform by the User or that is provided to us in a message. No part of the Services is directed to children and we do not knowingly process Personal Data from children. We will take steps to remove collected Personal Data from a child from our systems, if we become aware that such data has been collected from a child without verification of parental consent.

7. Legal basis and purpose for our Processing of Personal Data

In accordance with the principle of purpose limitation, we only Process Personal Data in our capacity as Controller for special, explicitly stated, and justified purposes. In addition, all Processing is legal in accordance with the provisions of the GDPR.

We Process Personal Data primarily with the support of one of the following legal bases:

  • Contract: means Processing of your Personal Data where it is necessary for the performance of a contract to which you are a party or to conduct processing at your request before entering such a contract, for example the performance of our agreement with you to make the Services available.
  • Consent: means Processing of your Personal Data based on your active and voluntarily given consent to it.
  • Legitimate interest: means our business interests in conducting and managing our business to enable us to provide you and our customers the best service/product and a secure experience. We consider any potential impact on you, both positive and negative, your rights and interests, before we Process your Personal Data on this legal basis. When a Processing of Personal Data is conducted by us based on legitimate interest as the legal basis, our assessment is that the Processing does not constitute an infringement of your right to privacy and integrity. We have come to this conclusion, after having made a balance between on the one hand what the Processing in question means for your interests and right to privacy, and on the other hand the legitimate interest in the Processing in question (our and/or a Third-party’s legitimate interest).
  • Legal obligation: means Processing of your Personal Data where it is necessary for compliance with a legal obligation.

You may have to provide your Personal Data to be able to enter into an agreement with us, get the services you have ordered or to comply with legal or contractual obligations. In some cases, it is optional for you to provide your Personal Data. However, if you do not provide your Personal Data, for instance, we might not be able to provide the requested services or support. Unless otherwise stated, you will not suffer any negative legal repercussions if you do not provide your Personal Data.

When data Processing is based on your consent, you have the right to withdraw the consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal.

Below you can read more about the legal basis and purpose of our Processing of Personal Data that we conduct in our capacity of Controller. Where appropriate, we have also identified what our legitimate interests are.

1) When you visit the Website and/or use the Platform:

Our Website and Platform uses cookies. The use of non-necessary cookies takes place only if you give your consent to it. Legal basis for the Processing of Personal Data: Consent.

In our Cookie Notice, you can read more information about how we use cookies on the Website and Platform and how you can manage the storage of cookies. The Cookie Notice is published on the Website and on the Platform.

2) When you contact us through email, telephone or social media:

We Process your Personal Data that we get access to when you contact us through email, telephone or social media (such as Facebook, Instagram, LinkedIn, Twitter etc.) such as your name, telephone number, email, company name, username, and the message content.

The purpose of the Processing is to enable us to know who we are talking to and to stay connected in the matter. We have concluded that both we and you have a legitimate interest in the Personal Data being Processed by us for the purpose stated above. The provision of Personal Data for the purpose stated above is not a statutory or contractual requirement, and you are not obliged to provide the Personal Data, but the possible consequences of failure to provide your Personal Data that we request and/or need in order to respond to you, is that we may not be able to provide you with the support or Platform that you request. Legal basis for the Processing of Personal Data: Legitimate interest.

If we Process Personal Data as part of a support related case in the capacity of a Processor, the Processing takes place in accordance with the instructions given by the Host that is the Controller, and the Data Processing Agreement that we have entered with the Host. We will get access to all Personal Data that appears in connection with the support related matter in question, and all information that the User provides to us and that is registered within the Host Account that the User belongs to. The possible consequences of failure to provide the Personal Data is that we can not provide support to the User in accordance with the service agreement. Legal basis for the Processing of Personal Data: Contract.

3) When you contact us through the contact form on the Website:

You can contact us by sending us a message through the contact forms available on the Website. We then get access to the following categories of Personal Data: first name, last name, company name, work email, telephone number and any other Personal Data that you include in the message. The provision of first name, last name, company name, work email is mandatory in the contact form, in order for the message in question to be sent to us. However, the provision of your Personal Data through the contact form is not a statutory or contractual requirement or a requirement necessary to enter into a contract with us, and you are not obliged to provide the Personal Data. However, the possible consequences of not providing such information are that the message will not be able to be sent to us. Before the message is sent to us, you give your active consent to our Processing of your Personal Data in accordance with the above, by ticking a checkbox for approval. Legal basis for the Processing of Personal Data: Consent.

4) When we contact you regarding the Service or an Event that you attend

We use your email address when we need to contact you regarding the Service or an Event that you attend. If you forget your password or need to verify your account, we may send you an automatic verification email or password reset email to the email address you provided. These automated emails are an important part of ensuring the security of your account and preventing unauthorized access. When you purchase a ticket through our platform, we will send you an order confirmation email to your registered email address. This email will include important information about your purchase, such as the date and time of the Event, the ticket price, and any other relevant details. Additionally, Host’s may choose to send you Event invitations or tickets directly through our system. In these cases, we will use your registered email address to send you the invitation or ticket, so it's important to keep your email up-to-date and check it regularly. Legal basis for the Processing of Personal Data: Contract.

5) When you receive newsletters from us:

You can consent to receive newsletters from us by providing your active consent for us to Process your email address in order to send you newsletters. Providing your email address to us for this purpose is voluntary, which means that it is not a legal or contractual requirement or a requirement necessary to enter into a contract with us, and you are under no obligation to provide your email mailing address, but the possible consequences of not providing your email address to us is that we will not send you our newsletters. To deliver relevant advertisements and content to you through email (newsletters), on the legal basis of your consent thereto, we process the following types of data: first name, last name, company/employer, e-mail address. Legal basis for the Personal Data Processing: Consent. Legal basis for the Processing of Personal Data: Consent. We can send newsletters to your email address that you have previously provided to us, for example in connection with the conclusion of an agreement with us. The Processing of your email address then takes place for marketing purposes, to send you information about our business and our Services, which we believe may be of interest to you. According to our assessment, both we and you have a legitimate interest in the Personal Data being Processed for the purpose stated above. Processing is necessary for a purpose related to our legitimate interest in direct marketing of our Services. Our assessment is that the Processing in question does not infringe your fundamental rights and freedoms. Legal basis for the above-mentioned Processing: Legitimate interest.

Unsubscribe from newsletters You can cancel your subscription of our newsletters at any time by clicking on the unsubscribe link in the newsletter and thereby withdraw your consent. If you withdraw your consent, we will not continue to send you newsletters. If you unsubscribe from the newsletters, you will be removed from the email list of recipients of the newsletters, but your email address will remain in the database with a block for receiving newsletters. The purpose of this is to ensure that you do not receive any more newsletters from us. In our assessment, both we and you have a legitimate interest in the Personal Data being Processed for this purpose. The Processing is necessary for a purpose related to a legitimate interest, and that your interest in the protection of your Personal Data is not outweighed. Our assessment is that the Processing in question does not infringe your fundamental rights and freedoms. Legal basis for the Processing of Personal Data: Legitimate interest. If you want your email address to be deleted from the block list as well, you can contact our support by email and request this. You are hereby informed that if your email address is deleted from the block list, it means that you can receive newsletters from us again if you or someone else registers your email address to receive newsletters again.

6) When a Host completes a purchase of our Services:

When a Host completes a purchase of our Services, we get access to Personal Data that is provided to us in connection with the purchase process. The Host must provide the following Personal Data and information in connection with the purchase being completed: the Host's signatory/contact person's name, e-mail address, and the Host's company name, registration number, VAT-number and other billing information. The provision of the above-mentioned information in connection with the purchase is necessary for us to Process, for us and the Host to be able to enter into the purchase agreement, and for us to be able to charge for the purchased Service. The possible consequences of such information not being provided to us is that we will not be able to enter into the agreement or fulfill the agreement. The payment for our Service can be made online through the payment service provider that we use. We want to make it clear that when you use the payment service provider to conduct the payment, you are also accepting their terms and privacy policy. We do not have access to any of your payment information or details, as this information is directly processed by the payment service provider. Legal basis for the Processing of Personal Data: Contract.

7) When a User completes a purchase of Event tickets through the Platform:

Participants can purchase Event tickets from the Host and make payment for the tickets directly to the Host through the payment service provider that we use within our Platform. When a Participant makes a payment to the Host through the payment service provided from within the Platform, the payment information will be processed by the payment service provider, which uses industry-standard encryption and security measures to ensure that the payment information is protected and secure. To manage charges and payments fees and to verify your identity and details of your credit card account or payment method the following types of data are Processed: first name, last name, e-mail and information within the category Transaction (as stated above in section 5). We log information about which Participants have purchased Event Tickets to provide our Service to the Participant according to our Terms of Use and to provide the Service to the Host in accordance with our Terms of Service, e-mail the order confirmation to the Participant, validation of Event Tickets etc. Legal basis for the above mentioned Processing of Personal Data: Contract.

8) When we register a User account

To register a Host as a User of the Platform and to provide access to the Services, the following categories of data are Processed: first name, last name, company name, e-mail, IP-address, login data, hardware information, time zone location and setting, browser type and version, operating system, password. To register a Team Member as a User of the Platform and to provide access to the Services, the following categories of data are Processed: first name, last name, connected Host, e-mail, IP-address, login data, hardware information, time zone location and setting, browser type and version, operating system, password. To register a Participant as a User of the Platform and to provide access to the Services, the following categories of data are Processed: first name, last name, connected Host, e-mail, IP-address, login data, hardware information, time zone location and setting, browser type and version, operating system, password. We also Process other data in our capacity of a Processor regarding the Participant, that is provided to us by the Host or its Team Members. The Processing is necessary for the performance of a contract, such as the Terms of Service and/or Terms of Use. Legal basis for the Processing of Personal Data: Contract.

9) When we manage our relationship with you

We may investigate complaints and in such cases data within the following categories (as defined above in section 5) may be Processed: Identity, Contact, Profile, Marketing and Communications. The Processing is made based on our legitimate interest to provide a secure and reliable Service, assess how Users use the Services and to keep our records updated. Legal basis for the Processing of Personal Data: Legitimate interest. We may ask you to take a survey or leave a review and in such cases data within the following categories (as defined above in section 5) may be Processed: Identity, Contact, Profile, Marketing and Communications. The Processing is made based on our legitimate interest to grow and develop our business, assess how users use the Services and to keep our records updated. Legal basis for the Processing of Personal Data: Consent. If we are obliged by applicable law to notify you about changes to our Privacy Notice or terms, data within the following categories (as defined above in section 5) may be Processed: Identity, Contact, Transaction and Communications. The Processing is necessary to comply with a legal obligation. Legal basis for the Processing of Personal Data: Legal obligation.

10) For management and security reasons

We process different types of data to protect and administer our business and our Services, for example to conduct: support, troubleshooting, system maintenance, data analysis, testing, development / service improvement / analysis, reporting and hosting of data, enforcing our terms and guidelines. Data within the following categories (as defined above in section 5) may be Processed: Identity, Contact, Technical, Profile, Usage, User generated content. We have concluded that we have a legitimate interest in the Personal Data being Processed for the purposes stated above in order for us to run our business, develop/improve/analyze our products/services, provide administration, network security etc. and that our legitimate interest does not constitute an infringement of your right to privacy and integrity. Legal basis for the Processing of Personal Data: Legitimate interest. If the Processing is made to comply with legal and/or regulatory obligations, the Processing is necessary to comply with a legal obligation and the legal basis for the Processing of Personal Data is: Legal obligation.

11) When we have a legal obligation to the Processing:

If law, court, or authority decision obliges us to Process certain Personal Data, the Processing takes place on the basis of a Legal obligation as a legal basis. In such cases, the Processing takes place only to the extent that it is necessary for us to fulfill our legal obligations and then we only process the necessary Personal Data, for as long as the law requires it (in accordance with the principle of storage limitation). The Processing is made due to statutory provisions. For example, we store invoices, receipts, and other accounting documents that we are obliged to Process in accordance with current legislation, such as the Swedish Accounting Act (1999:1078) and in accordance with the Swedish Tax Agency's requirements. Accounting documents, invoices and vouchers may in some cases contain Personal Data, such as name, address, order information and any other contact information regarding the Host and/or the Host’s signatory, contact person, employee etc. Such Personal Data is stored for as long as the law requires it. Legal basis for the Personal Data Processing: Legal obligation.

12) Other purposes for our Processing of Personal Data

Based on our legitimate interest, we may process Personal Data to: protect our rights and property, make recommendations or suggestions to you about events or other services available through the Platform that may be of interest to you, ensure the technical functionality of the Service, use data analytics to improve our marketing, products/services, partner and user relationships and experiences, collect anonymous statistics, performance measurements, etc. regarding the Platform. We have concluded that we have a legitimate interest to keep our Services and Platform updated and relevant, to develop our business, products, and services.

7. Storage location and international transfers

We strive to store all Personal Data that we Process within the EU/EEA-area, to ensure compliance with the principle of integrity and confidentiality. However if there is a need to transfer Personal Data to a country outside the EU/EEA, we shall ensure that such a storage site ensures an adequate level of protection in accordance with the provisions of the GDPR and SCC.

8. Data retention

Personal Data that we Process will be retained for as long as they are reasonably necessary to fulfill the purposes for which they were collected, including for satisfying any legal obligations, such as any tax, accounting, regulatory or reporting requirements.

We also use up to 60 days of backup data storage after the termination of the Main Agreement, or for as long as we are required to retain the Personal Data contained in Event Data.

When the Personal Data no longer needs to be retained, it is either erased, de-identified or anonymized, in accordance with the principle of storage limitation.

Invoices, receipts, and other accounting documents that we Process as a Controller, are stored for up to seven (7) years after payment has been made for the Platform. They may contain identification information and contact information. These are stored for us to be able to manage any complaint matters and to be able to match a payment against an invoice while we are obliged to store such accounting documentation in accordance with current legislation.

If a claim can be made against our company, we can store the relevant Personal Data until the statutory limitation period has expired. In the event of an existing dispute, relevant Personal Data is stored until the dispute has been settled.

When we Process Personal Data as a Processor, that belongs to the Host, its employees, and/or Participants, it is the Host that decides for how long such Personal Data shall be stored in the Platform. Terms regarding the storage duration and erasure of such Personal Data is regulated in the Data Processing Agreement that we have entered with the Host.

9. Disclosure of Personal Data

We may disclose Personal Data to the recipients stated below, to achieve the purposes, set out in the section 6 above regarding “Legal basis and purpose for our Processing of Personal Data”.

Legal authorities: Personal Data may be disclosed to legal authorities in *response to legal inquiries or if necessary, to prevent, detect, prevent, or *investigate criminal activity and to protect our interests and our property.

Service providers: We may also disclose Personal Data to engaged service *providers, for example to:

  • safeguard our legal interests,
  • fulfill our contractual and legal obligations,
  • detect and prevent technical, operational or safety problems, and
  • provide, improve, and maintain the Platforms (software maintenance).

Examples of service providers that we engage in their capacity as our Processors are developers, IT and system administrators, providers of our cloud services, billing system, consultants etc. Before we disclose any Personal Data to such service providers, we enter into a data processing agreement with them in accordance with the provisions of the GDPR (alternatively SCC if the Personal Data Processor is in a country outside the EU/EEA-area). This is made to ensure a secure and correct Processing of the Personal Data.

Sponsors exhibitors: The Host may choose to activate the feature to share Participants' Personal Data with sponsors exhibitors, and also choose which Personal Data to share (at minimum, first name, last name, and email will be shared). The decision to activate this feature and what data to share is entirely up to the Host. The Host must ensure that Participants are fully informed about the data sharing feature, including what Personal Data will be shared and with whom. Additionally, Participants must be given the option to opt-out of this data sharing if they do not wish to have their Personal Data shared with sponsors. This should be communicated by the Host clearly and prominently to Participants before they register for the event. Moreover, the Host should make sure that sponsors who receive Participants' Personal Data comply with applicable data protection laws and regulations and use the data only for the purposes for which it was shared. It is the Host's responsibility to ensure that the data sharing is done securely and that Participants' Personal Data is protected throughout the process.

Other Third parties: We may disclose Personal Data to legal advisors, bankers, external consultants, and partners, in accordance with applicable privacy laws, if it is made for us to comply with legal obligations or in order to fulfill our legitimate interest.

In connection with or during negotiations of a transfer of company assets, merger, sale, financing or acquisition of all or part of our business, we may disclose your Personal Data to the Third-parties engaged in the business transaction.

Your email address will also be disclosed to the Host whose event you attend when you accept an Event invite.

Our disclosure of Personal Data in our capacity as a Processor, is regulated by the Data Processing Agreement entered with the Controller in question.

10. Technical and organizational security measures

We implement appropriate technical and organizational security measures with a focus on the integrity of the Data Subjects. The measures are intended to protect against intrusion, abuse, loss, destruction, and other changes that may pose a risk to privacy (according to the principle of privacy and confidentiality). Below are examples of some security measures we take and implement:

Organizational security measures

  • All our employees have undertaken an obligation to observe confidentiality regarding Personal Data that is Processed within the performance of the work.
  • A contact person for Personal Data matters has been appointed, who also responds directly to the company's board.
  • We limit access to your Personal Data to those employees, contractors, agents, and other Third parties who have a business need to know.

Technical security measures

  • Access to databases, IT systems and parts of the IT infrastructure and network requires a password.
  • Processes have been established to assign, monitor, and control access rights regarding access to databases, IT systems and parts of the IT infrastructure and network.
  • Natural persons who are authorized to Process Personal Data are granted the minimum access rights unless additional authorizations are necessary for the performance of the work.

11. Data Subjects' rights according to GDPR

Data subjects have, under certain circumstances, the following rights under the GDPR in relation to their Personal Data:

Right to information: You have the right to receive information about our Processing of your Personal Data, such as our collection and use of the Personal Data. This Privacy Notice has been established to provide you with the information about our Processing of Personal Data. In addition, you have the right to receive information about the Processing upon request. In some cases, we will also inform you if there is a Personal Data breach that affects your Personal Data.

Right of access: You have the right to information about whether we Process your Personal Data or not, as well as the right to access your Personal Data that we Process and information about how the Personal Data is used. If we Process your Personal Data, you have the right to receive a copy of the Processed Personal Data in the form of a compilation of the Personal Data that we Process about you. You also have the right to receive information about, among other things: which categories of Personal Data we Process, the purpose of the Processing, the duration of the Processing, how we have collected the Personal Data, who has received the Personal Data, etc. The purpose of the compilation is for you to be able to check the legality and accuracy of the information. However, this does not mean that you have the right to obtain the actual documents that contain the Processed Personal Data.

  • Exemption from the right of access: There may be situations where the disclosure of certain information would entail disadvantages for other persons, that other legislation or other exceptions prevent the disclosure of certain information or extract from the records of Processing activities. In such situations, we may not disclose the information in question and there may therefore be Personal Data and/or other information about you that you do not have the right to access.

Right to rectification: We are responsible for ensuring that Personal Data that we Process is accurate and updated over time. However, Personal Data may be incorrect or incomplete. If we were to process Personal Data about you that is incorrect or incomplete, you have the right to contact us to have your Personal Data rectified. After we have corrected the information, we will notify you of this, if it is not proved to be impossible or would involve excessive effort.

Right to erasure: We will erase your Personal Data at your request if the data is no longer needed for the purposes for which it was collected. This is also called the "right to be forgotten". In addition, there are more occasions when we erase your Personal Data that we Process. For example, when they are no longer necessary for the purpose for which they were collected, when the legal basis is consent and you revoke the consent, in your objection to direct marketing, if the Processing is not legal, etc. When we erase the Personal Data at your request, we will inform you after the deletion has been performed, provided that it is not proved to be impossible or would involve excessive effort.

  • Exemption from the right to deletion: However, we have the right to continue to Process your Personal Data, and thus not delete the Personal Data despite your request, if the Processing is necessary to: a) satisfy the right to freedom of expression and freedom of information, b) to fulfill a legal obligation, c) to perform a task carried out in the public interest or in the exercise of official authority, d) to defend, establish or assert legal claims, e) archiving purposes of public interest or statistical, historical or scientific purposes, or f) for reasons of public interest in the field of public health.

Right to limitation of Processing: In some cases, you have the right to demand that our Processing of your Personal Data shall be limited. This means that the Personal Data may only be Processed in the future for certain limited purposes. An example of when this right is applicable to you is if your Personal Data that we Process is incorrect and you ask us to rectify it, you may request that our Processing of the Personal Data in question shall be limited until the accuracy of the data has been investigated.

Right to transfer your Personal Data: In some cases, you might have the right to request that we transfer your Personal Data that we Process to you or any other Third-party. This right is also called the right to "data portability". We hereby inform you that this right only applies if the Processing of Personal Data is performed automatically, and only if our Processing takes place to implement an agreement in which you are a party to a contract or based on your consent. Also, the transfer of Personal Data to another company only takes place if it is technically possible. If you have the right to data portability, we will at your request to move your Personal Data, provide your Personal Data in a structured, commonly used, machine-readable format.

Right to object: You have the right to object when your Personal Data is Processed to perform a task of public interest, as part of the exercise of authority or when it is Processed after a balancing of interest has been made. If you object to our Processing according to this right, we will cease the Processing, unless our interest outweighs your interests, rights, and freedoms. If this is the case, we will inform you about the balance of interests we have made and our interests. However, if we Process Your Personal Data for the purpose of performing direct marketing on the legal basis of legitimate interest, you have an absolute right to request that we discontinue the Processing of your Personal Data for that purpose. In such cases, we will also inform you when we have deleted the Personal Data, if you request it.

Rights regarding automated decision-making, including profiling: In short, automated decisions are about Processing that is automatic, for example through algorithms, where Personal Data is Processed to assess and analyze a person's personal characteristics. Automated decisions can have legal consequences for the Data Subject or affect the Data Subject in other significant ways, and if this happens, the Data Subject has the right not to be the subject of the automated decision. If an automated decision has been made, with or without profiling, you have the right to have the automated decision reviewed or to challenge it. We do not conduct any form of automated decisions, with or without profiling.

12. How to exercise the rights

You are welcome to contact us through the contact information listed below, if you would like to invoke any of the above rights in your capacity of a Data Subject, regarding your Personal Data that we Process as Controller.

Exercising the rights is free of charge, provided that your requests are not exaggerated, repeated or unfounded. In such cases, we have the right to charge a reasonable fee to process your request or the right to refuse the execution of your request.

Before we process or respond to your request, we may request additional information from you if it is necessary to enable us to verify your identity.

13. Questions or complaints

If you have any questions about this Privacy Notice or our privacy practice, or if you are dissatisfied with our Processing of your Personal Data, you are always welcomed to contact us. Below are our company and contact information:

Company: Agorify AB Reg. no: 559179-4150 Email: support@agorify.com Postal address: Kompassbacken 14, 16433 Stockholm.

You also have the right to contact and/or to submit a complaint regarding our Processing of your Personal Data to our lead EU Supervisory Authority: The Swedish Authority for Privacy Protection. Name: Integritetsskyddsmyndigheten (IMY).

Phone: 08-657 61 00. Email: imy@imy.se. Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm.

You may also direct your complaint or concern to your local data protection authority.

You can find the different EU Member States Supervisory Authorities through the following link: https://edpb.europa.eu/about-edpb/about-edpb/members_en