Privacy Policy
Last updated: June 2025
VITE_LEGAL_COMPANY_NAME, VITE_LEGAL_COMPANY_ADDRESS, VITE_LEGAL_COMPANY_EMAIL, VITE_LEGAL_PRIVACY_EMAIL, VITE_LEGAL_COUNTRY1. Who We Are
BoothGator is a trade show lead capture platform operated by [Company Name — not configured] (see Imprint for full details). We are the data controller for personal data collected through our platform.
Contact: [Privacy Email — not configured]
2. Data We Collect
2.1 Account holders (exhibitors)
- Full name and work email address
- Company name and domain (used for multi-tenant grouping)
- Session data (stored in our database, not your browser beyond a session cookie)
- Billing information (processed directly by Stripe — we do not store card numbers)
2.2 Visitors (trade show attendees)
- Name, email address, and any custom fields configured by the exhibitor in their lead form
- Game interaction data (e.g. prize won)
- Timestamp and QR code token of the interaction
2.3 Automatically collected data
- Server logs (IP address, browser user-agent, request timestamps) retained for 30 days for security and debugging
- Strictly necessary session cookies (see our Cookie Policy)
3. Why We Collect Your Data & Legal Basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the platform to account holders | Performance of a contract (6(1)(b)) |
| Processing payments | Performance of a contract (6(1)(b)) |
| Visitor lead capture on behalf of exhibitors | Legitimate interest of the exhibitor (6(1)(f)) or consent collected by exhibitor |
| Sending transactional emails (email verification, password reset) | Performance of a contract (6(1)(b)) |
| Security, fraud prevention, and server logs | Legitimate interest (6(1)(f)) |
| Legal compliance (invoices, tax records) | Legal obligation (6(1)(c)) |
4. Data Retention
- Account data: Retained for the duration of your account plus 3 years after deletion for legal/tax purposes.
- Visitor lead data: Retained until the exhibitor deletes it or their account is closed, up to a maximum of 5 years.
- Server logs: 30 days.
- Session data: Expires on browser session close or after 30 days of inactivity.
- Billing records: 10 years (legal/tax obligation).
5. Sub-processors & Third Parties
| Provider | Purpose | Location |
|---|---|---|
| Replit | Hosting & infrastructure | USA (SCCs) |
| Stripe | Payment processing | USA (SCCs) |
| Resend | Transactional email delivery | USA (SCCs) |
| Neon / PostgreSQL | Database | EU / USA (SCCs) |
SCCs = Standard Contractual Clauses (EU transfer mechanism).
6. Your Rights
If you are in the EU/EEA or UK, you have the following rights under GDPR:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Restriction: Ask us to restrict processing while a dispute is resolved.
- Portability: Receive your data in a machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, withdraw at any time.
To exercise any right, email [Privacy Email — not configured]. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
7. Data Security
We use industry-standard security measures including TLS encryption in transit, encrypted storage, and access controls. Passwords are hashed using bcrypt. Payment card data is never stored on our servers.
8. Cookies
We use only strictly necessary session cookies. See our Cookie Policy for details.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify account holders of material changes via email. Continued use of the platform after the effective date constitutes acceptance.