Privacy Policy

Summitware BV (“we”, “us”, “our”) operates the following websites and services: summitware.be, registration.town, and slideshow.city (together, the “Services”). This Privacy Policy explains what personal data we process, why, and how you can exercise your rights.

1. Scope and Roles

For customers using our products to run events, our customer is typically the data controller, and Summitware BV is the data processor. For our own websites and direct communications, Summitware acts as the controller.

2. Data We Process

  • Client Data (processor role): attendee and organizer information provided by our customers through Registration Town or Slideshow City. We process this under our Data Processing Addendum (DPA) and the customer’s instructions.
  • Account & Contact Data (controller role): name, email, company, billing details, and support messages when you interact with us.
  • Usage Data: device information, IP address, pages visited, timestamps, and diagnostics to secure and improve the Services.
  • Cookies & local storage: see our Cookie Policy for details and choices.

3. Sources

We collect data directly from you, from our customers (when they use our products), from automated means (logs, cookies as configured), and from limited third-party service providers acting on our behalf.

4. How We Use Personal Data

  • Provide, operate, and secure Registration Town and Slideshow City.
  • Deliver customer support and communicate service changes.
  • Process payments and manage subscriptions or invoices.
  • Improve and troubleshoot the Services, including performance analytics (if enabled).

5. AI-Powered Assistant

We offer an optional AI-powered assistant to help users query and navigate the Services. We take privacy seriously and design this feature to minimize data sharing:

  • Tool-Only Context: The assistant receives only the minimum necessary context to form a query (for example, available filters, field names, or your current view), not underlying records or full datasets.
  • No training / stateless configuration: We configure our AI providers (such as OpenAI or Anthropic) not to train on your inputs and not to retain them beyond transient processing required to deliver the response. Where a provider maintains short-lived logs for abuse prevention or diagnostics, we select the zero- or limited-retention options when available.
  • Summitware conversation storage: We store AI assistant conversation metadata and prompts/responses for 30 days for audit, abuse prevention, and support, after which they are deleted unless required for security or legal reasons.
  • Controller controls: Project owners can disable the AI assistant. When disabled, no assistant traffic is sent to model providers.

Note: AI-generated output can be inaccurate or incomplete. Users should verify important results before relying on them.

  • Performance of a contract (Art. 6(1)(b) GDPR): operating our products for signed-up customers and their users.
  • Legitimate interests (Art. 6(1)(f) GDPR): securing, monitoring, and improving the Services; providing the AI assistant when enabled by the controller, with strong minimization safeguards.
  • Consent (Art. 6(1)(a) GDPR): optional analytics or cookies not strictly necessary.
  • Legal obligation (Art. 6(1)(c) GDPR): compliance with tax, accounting, and regulatory duties.

7. Retention

  • Client Data: retained for the duration of the customer agreement and deleted or returned per our DPA and customer instructions.
  • AI assistant logs: retained for 30 days as described above.
  • Account/billing data: retained as required by law (e.g., tax and accounting) and then deleted or anonymized.

8. International Transfers

Where personal data is transferred outside the EEA/UK (for example, to model or infrastructure providers), we use appropriate safeguards such as the EU/UK Standard Contractual Clauses and equivalent mechanisms. See our Sub-processor List for details.

9. Sub-Processors

We engage carefully selected sub-processors to support the Services (hosting, email delivery, payments, AI model inference). Each is bound by written agreements with data protection obligations at least as protective as this Policy and our DPA. The current list and safeguards are available at /legal/subprocessors. We provide advance notice of changes as described there.

10. Security

We implement technical and organizational measures appropriate to risk, including encryption in transit, encryption at rest for databases and backups, access controls with least privilege and MFA, logging and monitoring, regular backups, and incident response. Additional details are in Annex III of our DPA.

11. Your Rights

Subject to law, you may request access, rectification, erasure, restriction, or portability of your personal data, and object to certain processing. When we act as processor, please direct requests to the relevant controller (our customer). We assist controllers in responding to requests as required by GDPR.

12. Children

Our Services are not directed to children under 16. If you believe we have collected personal data from a child without appropriate consent, contact us and we will take steps to delete such data.

13. Changes to this Policy

We may update this Policy to reflect legal, technical, or business changes. Material updates will be highlighted within the Services. The “Last updated” date shows the latest revision.

14. Contact

Questions or requests can be sent to privacy@summitware.be or by mail to: Summitware BV, Sint-Pietersnieuwstraat 158/201, 9000 Ghent, Belgium.

Related documents: Terms of Service · Data Processing Addendum · Cookie Policy · Imprint