Privacy Policy

Summitware BV (“we”, “us”, “our”) operates the following websites and services: summitware.be, registration.town, and slideshow.city (together, the “Services”). This Privacy Policy explains what personal data we process, why, and how you can exercise your rights.

1. Scope and Roles

For customers using our products to run events, our customer is typically the data controller, and Summitware BV is the data processor. For our own websites and direct communications, Summitware acts as the controller.

2. Data We Process

  • Client Data (processor role): attendee and organizer information provided by our customers through Registration Town or Slideshow City. We process this under our Data Processing Addendum (DPA) and the customer’s instructions.
  • Account & Contact Data (controller role): name, email, company, billing details, and support messages when you interact with us.
  • Usage Data: device information, IP address, pages visited, timestamps, and diagnostics to secure and improve the Services.
  • Cookies & local storage: see our Cookie Policy for details and choices.

3. Sources

We collect data directly from you, from our customers (when they use our products), from automated means (logs, cookies as configured), and from limited third-party service providers acting on our behalf.

4. How We Use Personal Data

  • Provide, operate, and secure Registration Town and Slideshow City.
  • Deliver customer support and communicate service changes.
  • Process payments and manage subscriptions or invoices.
  • Improve and troubleshoot the Services, including performance analytics (if enabled).

5. AI-Powered Assistant

We offer an optional AI-powered assistant to help users query and navigate the Services. We take privacy seriously and design this feature to minimize data sharing:

  • Tool-Only Context: The assistant receives only the minimum necessary context to form a query (for example, available filters, field names, or your current view), not underlying records or full datasets.
  • No training / stateless configuration: We configure our AI providers (such as OpenAI or Anthropic) not to train on your inputs and not to retain them beyond transient processing required to deliver the response. Where a provider maintains short-lived logs for abuse prevention or diagnostics, we select the zero- or limited-retention options when available.
  • Summitware conversation storage: We store AI assistant conversation metadata and prompts/responses for 30 days for audit, abuse prevention, and support, after which they are deleted unless required for security or legal reasons.
  • Controller controls: Project owners can disable the AI assistant. When disabled, no assistant traffic is sent to model providers.

Note: AI-generated output can be inaccurate or incomplete. Users should verify important results before relying on them.

6. Stripe Integration

Clients provide their Stripe secret key to Summitware during onboarding. The key is stored encrypted and used exclusively to process payments through the client’s own Stripe account on their behalf. It is never used for any other purpose. Keys are deleted upon account termination.

7. Calendar Integration (OAuth)

Registration Town offers an optional calendar sync feature that allows speakers and presenters to connect their Google or Microsoft account so that session assignments are automatically reflected in their calendar. This feature is entirely user-initiated and can be disconnected at any time.

  • Data collected: When you connect your account, we receive an OAuth access token (and, where applicable, a refresh token) scoped to the minimum calendar permissions required — creating, reading, and updating calendar events. We do not request access to email, contacts, or other account data.
  • How it is used: Tokens are used solely to create and update calendar events corresponding to your session assignments within Registration Town. No other operations are performed on your calendar or account.
  • Sharing: Calendar data is exchanged only with the respective provider’s API (Google Calendar API or Microsoft Graph API) to perform the sync. We do not share OAuth tokens or calendar data with any other third party.
  • Retention and deletion: OAuth tokens are stored securely and encrypted at rest. Tokens are deleted when you disconnect the calendar integration or when your speaker/presenter record is removed from the event. You can also revoke access at any time through your Google Account settings or Microsoft Account settings.
  • No advertising, profiling, or training: Calendar data and OAuth tokens are never used for advertising, user profiling, or AI model training.

8. QuickBooks Online Integration (OAuth)

Clients can connect their QuickBooks Online account via OAuth to enable invoice sync. OAuth tokens are stored encrypted, used solely to create and update invoices in the client’s QuickBooks account, and deleted on disconnect or account termination. Speakers and attendees are not involved in this integration.

  • Performance of a contract (Art. 6(1)(b) GDPR): operating our products for signed-up customers and their users.
  • Legitimate interests (Art. 6(1)(f) GDPR): securing, monitoring, and improving the Services; providing the AI assistant when enabled by the controller, with strong minimization safeguards.
  • Consent (Art. 6(1)(a) GDPR): optional analytics or cookies not strictly necessary; connecting a calendar account or QuickBooks Online account via OAuth; providing a Stripe secret key for payment processing configuration.
  • Legal obligation (Art. 6(1)(c) GDPR): compliance with tax, accounting, and regulatory duties.

10. Retention

  • Client Data: retained for the duration of the customer agreement and deleted or returned per our DPA and customer instructions.
  • AI assistant logs: retained for 30 days as described above.
  • OAuth tokens (calendar integration): deleted when the user disconnects the integration or when the associated speaker/presenter record is removed.
  • Stripe secret keys: deleted upon account termination or when the client requests removal.
  • OAuth tokens (QuickBooks Online): deleted on disconnect or account termination.
  • Account/billing data: retained as required by law (e.g., tax and accounting) and then deleted or anonymized.

11. International Transfers

Where personal data is transferred outside the EEA/UK (for example, to model or infrastructure providers), we use appropriate safeguards such as the EU/UK Standard Contractual Clauses and equivalent mechanisms. See our Sub-processor List for details.

12. Sub-Processors

We engage carefully selected sub-processors to support the Services (hosting, email delivery, payments, AI model inference). Each is bound by written agreements with data protection obligations at least as protective as this Policy and our DPA. The current list and safeguards are available at /legal/subprocessors. We provide advance notice of changes as described there.

13. Security

We implement technical and organizational measures appropriate to risk, including encryption in transit, encryption at rest for databases and backups, access controls with least privilege and MFA, logging and monitoring, regular backups, and incident response. Additional details are in Annex III of our DPA.

14. Your Rights

Subject to law, you may request access, rectification, erasure, restriction, or portability of your personal data, and object to certain processing. When we act as processor, please direct requests to the relevant controller (our customer). We assist controllers in responding to requests as required by GDPR.

15. Children

Our Services are not directed to children under 16. If you believe we have collected personal data from a child without appropriate consent, contact us and we will take steps to delete such data.

16. Changes to this Policy

We may update this Policy to reflect legal, technical, or business changes. Material updates will be highlighted within the Services. The “Last updated” date shows the latest revision.

17. Contact

Questions or requests can be sent to privacy@summitware.be or by mail to: Summitware BV, Sint-Pietersnieuwstraat 158/201, 9000 Ghent, Belgium.

Related documents: Terms of Service · Data Processing Addendum · Cookie Policy · Imprint