Privacy Policy

• Identity Data including full name, username or similar identifier, date of birth, gender, job title, and company/organisation name and registration details
• Contact Data including email address, physical/registered addresses, social media contact details, and telephone numbers
• Financial Data including bank account details, third-party payment provider information, and payment card details (which we do not store but only provide to our authorised third-party payment service provider under contract with us)
• Transaction Data including details about payments to and from you, contracts, contractual terms, contract fees, subscriptions, invoices, and other details of products and services you have obtained from us
• Technical Data including internet protocol address/es, your login data, browser type and version, time zone setting and location, cookies, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Platform
• Profile Data including your Platform username and password, event preferences, matchmaking profile information, feedback, ratings, and reviews
• Usage Data including information about how you use our Platform, events, and Services
• Marketing and Communications Data including your preferences in receiving notices and marketing from us and your communication preferences

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel Platform access or Services you have with us, but we will notify you if this is the case at the time.

We use different methods to collect data from and about you, including through direct interactions when you:

• Use our Platform Services
• Use our Platform
• Contract with us as an Organiser
• Register for or participate in an event as a Delegate or Exhibitor
• Complete online profile information
• Request information to be sent to you
• Give us feedback

We may also receive data about you from third parties and publicly available sources, including:

• Google — search information provider, based in California, United States
• LinkedIn — professional networking platform, based in California, United States
• Meta Platforms, Inc. (Facebook/WhatsApp) — based in California, United States, for WhatsApp-based communications
• Amazon Web Services, Inc. (AWS) — based in the United States, for transactional email delivery via AWS Simple Email Service (SES)
• Identity and access management services, based in the United States

We will only use your personal data when the law allows us to and for legitimate reasons. Most commonly, we will use your personal data in the following circumstances:

• Where we have your express consent to do so
• Where we need to consult with you or perform on the Services contract we are about to enter into or have entered into with you
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
• Where we need to comply with a legal or regulatory obligation

We may have to share your personal data with the parties set out below for the purposes set out in the table above:

• Internal Third Parties as set out in the Glossary
• External Third Parties as set out in the Glossary
• Specific third parties listed in the table in Section 4.1
• Third parties to whom we may choose to sell, transfer, or merge parts of our organisation or our assets. If a change happens to our organisation, then the new owners may use your personal data in the same way as set out in this Privacy Policy

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions and standards.

The Platform may make use of "cookies" to automatically collect information and data through the standard operation of Internet servers. Cookies are small text files a website can use to recognise repeat users, facilitate the user's on-going access to and use of a website, and allow a website to track usage behaviour and compile aggregate data to improve functionality.

The type of information collected by cookies is not used to personally identify you. If you do not want information collected through the use of cookies, there is a simple procedure in most browsers that allows you to deny or accept the cookie feature. Please note that cookies may be necessary to provide you with certain features available on our Platform, and if you disable cookies you may not be able to use those features. If you do not disable cookies, you are deemed to consent to our use of any personal information collected using those cookies, subject to the provisions of this Policy.

We share your personal data within Firehouse Technologies, and this may involve transferring and processing your data outside of South Africa, including to countries in the European Economic Area and the United States.

Our primary infrastructure provider is Render.com, whose servers are located in the EU (Frankfurt, Germany). This means your data is primarily processed within the EU, providing a high level of data protection consistent with GDPR standards. Transactional and event-related emails are sent via AWS Simple Email Service (SES), operated by Amazon Web Services, Inc. in the United States. WhatsApp-based communications are facilitated via Meta Platforms, Inc., also based in the United States.

Whenever we transfer your personal data out of South Africa or the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will always have a contract in place covering the processing of data and service-provision between the parties
• Where we use certain service providers, we may use specific Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent contracts which give personal data the same protection it has in South Africa or the EEA
• Where applicable, we rely on adequacy decisions, the EU–US Data Privacy Framework, or other recognised transfer mechanisms

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered or disclosed. These measures include:

• Industry-standard OWASP security practices applied to our application development
• Encrypted data and files at rest and in transit (TLS 1.2+ for all data in transit)
• Hosting on Render.com, a SOC 2 Type II and ISO 27001 certified infrastructure provider, in the EU (Frankfurt)
• Cloudflare WAF (Web Application Firewall) providing DDoS protection and traffic filtering
• Sentry application monitoring for real-time error detection and anomaly alerting
• Multi-factor authentication (MFA) required for all infrastructure access
• Role-based access control (RBAC) within the EspressoMeetup Platform, with per-event permission scoping
• Annual security reviews and ongoing dependency vulnerability scanning in our CI/CD pipeline

In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a legitimate need to know. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including the purpose of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, any other applicable law requiring us to retain the data, and whether we can achieve those purposes through other means. Details of retention periods for different aspects of your personal data are available from us by contacting us.

In some circumstances you can ask us to delete your data. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Under certain circumstances, you have rights under data protection laws in relation to your personal data where we are the relevant "Responsible Party" (or "Data Controller"). Please contact us to find out more about, or to exercise, these rights:

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data. We try to respond to all legitimate requests within one month.