Privacy Policy

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws is:

Data Protection Officer

A Data Protection Officer is not required under Art. 37 GDPR based on our current processing activities. For data protection inquiries, contact us at info@dbc-germany.com.

2. Personal data we collect

Account data

Email address, first name, last name, phone number (optional), date of birth (optional), and postal address (optional).

Ticketing data

Buyer information, attendee title, first name, last name, email address, and ticket salutation preferences.

Newsletter data

Email address, consent timestamp, and the IP address at the time of double-opt-in confirmation (as proof of consent).

Payment data

Payments are processed by Stripe Payments Europe, Ltd. We never receive or store your full card number, CVC, or bank details. We receive only the confirmation of payment success, transaction reference, and billing metadata.

Technical data (server logs)

IP address, browser user-agent string, page requested, timestamp. Retained for 30 days, then automatically deleted.

Cookies

See our Cookie Policy for a detailed list.

3. Purposes and legal bases for processing

4. Recipients and service providers (data processors)

We share personal data only with the following categories of service providers, each bound by a data processing agreement (DPA) or equivalent contractual safeguards:

We do not sell, share, or otherwise disclose personal data to event sponsors, exhibitors, or other third parties for their own marketing purposes. Sponsors receive only aggregated, anonymized statistics (e.g., total attendance count).

5. International data transfers

Where personal data is transferred to countries outside the European Economic Area (EEA), we ensure adequate safeguards are in place, including EU-US Data Privacy Framework certification and/or Standard Contractual Clauses (SCCs) adopted by the European Commission. The specific safeguard for each provider is listed in Section 4 above. You may request a copy of the relevant SCCs by contacting info@dbc-germany.com.

6. Data retention

• Account data: retained until you delete your account, plus a 30-day soft-deletion period for recovery.
• Ticket and order records: retained for the duration of the event plus 10 years to comply with German tax record-keeping obligations (§ 147 AO).
• Newsletter subscription: retained until you unsubscribe; your email is then placed on a 3-year suppression list (to honor your unsubscribe request), after which it is fully deleted.
• Server logs: 30 days, then automatically purged.
• Consent records (double-opt-in proof, cookie consent choices): retained for the duration of the processing they authorize plus 3 years (statute of limitations).

7. Your rights

Under the GDPR and applicable national laws, you have the following rights with respect to your personal data:

• Right of access (Art. 15 GDPR): obtain confirmation of whether your data is processed and a copy of that data.
• Right to rectification (Art. 16 GDPR): correct inaccurate data or complete incomplete data.
• Right to erasure ("right to be forgotten") (Art. 17 GDPR): request deletion of your data where no legal retention obligation applies.
• Right to restriction of processing (Art. 18 GDPR): request that processing be limited while a dispute is resolved.
• Right to data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format.
• Right to object (Art. 21 GDPR): object to processing based on legitimate interest, including direct marketing.
• Right to withdraw consent (Art. 7(3) GDPR): withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at info@dbc-germany.com or use the self-service options in your account settings.

Right to lodge a complaint with a supervisory authority:

• Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), or the state authority for North Rhine-Westphalia (LDI NRW).
• France: Commission Nationale de l'Informatique et des Libertés (CNIL).
• United Kingdom: Information Commissioner's Office (ICO).
• South Africa: Information Regulator (POPIA).
• Nigeria: National Information Technology Development Agency (NITDA).
• United States: your state Attorney General.

8. Children's privacy

Our services are not directed at children under 16 years of age. Persons under 16 may not create an account. Children under 16 may attend events only when accompanied by a guardian who holds a valid adult ticket. The guardian manages any ticket purchases on their own account. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, contact us at info@dbc-germany.com and we will promptly delete it.

9. Automated decision-making

We do not use automated decision-making, including profiling, that produces legal effects or similarly significantly affects you (Art. 22 GDPR).

10. California privacy rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights:

• Right to know: what personal information we collect, use, disclose, and sell (we do not sell).
• Right to delete: request deletion of your personal information.
• Right to correct: request correction of inaccurate personal information.
• Right to limit use of sensitive personal information: we do not use sensitive PI for purposes beyond what is necessary to provide our services.
• Right to non-discrimination: we will not discriminate against you for exercising your rights.

We do not sell or share personal information for cross-context behavioral advertising. No opt-out of sale or sharing is required because we do not engage in these practices.

To submit a verifiable consumer request, contact info@dbc-germany.com or use the contact form. You may designate an authorized agent to make a request on your behalf.

We do not offer financial incentives related to the collection, sale, or deletion of personal information.

11. United Kingdom addendum

If you are a UK resident, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply in addition to or in place of the EU GDPR as appropriate. Your rights under Section 7 above are equally available under UK law. The supervisory authority is the Information Commissioner's Office (ICO): ico.org.uk. As we maintain an establishment in the EU, no separate UK representative under Art. 27 UK GDPR is required.

12. South Africa — POPIA addendum

If you are a data subject in South Africa, the Protection of Personal Information Act (POPIA) applies. Our Information Officer is:

— — info@dbc-germany.com

You may lodge a complaint with the Information Regulator of South Africa: inforegulator.org.za.

13. Nigeria — NDPR addendum

If you are a data subject in Nigeria, the Nigeria Data Protection Regulation (NDPR) and Nigeria Data Protection Act (NDPA) apply. Our Data Protection Compliance Officer is:

— — info@dbc-germany.com

All lawful bases for processing and cross-border transfer disclosures described in this policy apply equally under the NDPR/NDPA framework.

14. Democratic Republic of the Congo

Data subjects in the Democratic Republic of the Congo benefit from the protections of Loi n° 020/2020 (telecommunications law) and emerging data protection legislation. We apply EU-grade data protection standards globally. If you believe your rights have been infringed, please contact us at info@dbc-germany.com.

15. Changes to this privacy policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via an in-app banner and, where possible, by email. The date of the last update is shown below.

16. Contact

For any data protection inquiries, contact us at: info@dbc-germany.com
DBC Germany (UG)
Germany

Last updated: April 19, 2026