Privacy Policy — EventPass WTC 2026

1. Data Controller

The Data Controller responsible for the processing of your personal data is:

2. Scope of This Policy

This Privacy Policy is provided pursuant to Article 13 of Regulation (EU) 2016/679 (the "GDPR") and describes how personal data is collected and processed through the EventPass WTC 2026 mobile application (hereinafter "the App"), developed for the World Tech Conference 2026.

The App is available for Android and iOS devices and enables registered users to access their digital event pass, browse the event programme, interact with other attendees, and receive notifications.

3. Personal Data Collected

3.1 Authentication Data

• Email address: used for login via a one-time password (OTP) sent by email. No password is stored.
• JWT token: stored locally on the device to maintain the user session.

3.2 User Profile Data

• First name, last name, company, and job title.
• This data is initially sourced from ticket purchase records and can be updated by the user within the App.

3.3 Ticket / Pass Data

• Digital event pass with QR code.
• Ticket type, validity status, and associated attendee information.

3.4 Networking Directory & Visibility Consent

• Users who have given their consent (via the "NetworkingConsent" flag on their ticket) appear in the attendees directory, visible to other consenting users.
• Data displayed in the directory: name, company, job title, and biography.

3.5 Chat / Messaging

• Direct (one-to-one) messages between attendees.
• Messages are stored on the server and include: message content, conversation history, and read timestamps.

3.6 Saved Sessions (My Session)

• Users can bookmark programme sessions to their personal agenda. This data is associated with the user's account.

3.7 Push Notifications (Firebase Cloud Messaging)

• FCM token: a technical device identifier stored on the server to deliver push notifications.
• Users can enable or disable push notifications at any time from their profile settings.
• Push notifications are currently active on Android devices only.

3.8 Event Content

• Programme sessions, speakers, information pages, exhibitor booths, and floor maps.
• This content is public and does not involve the processing of personal data.

4. Data NOT Collected

The App does not collect or process the following categories of data:

5. Purposes and Legal Basis for Processing

Purpose	Legal Basis (GDPR)	Data Processed
Authentication and App access	Art. 6(1)(b) — Performance of a contract	Email, JWT token
Digital pass delivery and event services	Art. 6(1)(b) — Performance of a contract	Profile, ticket data, QR code
Networking directory among attendees	Art. 6(1)(a) — Consent	Name, company, job title, biography
Messaging between attendees	Art. 6(1)(b) — Performance of a contract	Messages, chat history
Push notifications	Art. 6(1)(a) — Consent	FCM device token
Personal agenda (saved sessions)	Art. 6(1)(b) — Performance of a contract	Session bookmarks
Compliance with legal obligations	Art. 6(1)(c) — Legal obligation	Data required by law

6. Methods of Processing

Personal data is processed using electronic tools and with organisational and logical methods strictly related to the purposes described above. Appropriate technical and organisational measures are adopted to ensure the security and confidentiality of data, in accordance with Article 32 of the GDPR.

Access to data is restricted to personnel authorised by the Data Controller and to the data processors identified in Section 7 below.

7. Third-Party Services and Data Processors

To deliver its services, the App relies on the following third-party providers, appointed as data processors pursuant to Article 28 of the GDPR:

Service	Provider	Purpose	Data Processed	Location
Server infrastructure	Microsoft Azure	Hosting and data storage	All App data	European Union
OTP email delivery	Azure Communication Services (ACS)	Sending OTP codes by email	Email address	European Union
Push notifications	Firebase Cloud Messaging (FCM) — Google	Delivering push notifications to devices	FCM device token	EU / USA (Google Cloud)*

* For Firebase Cloud Messaging, Google LLC acts as a data processor. The transfer of data to the United States is governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission and/or the EU-U.S. Data Privacy Framework, where applicable. The data transferred is limited to the technical device token and does not include personally identifiable information.

Note: Stripe (payment processing) is not used within the mobile App. Payments are handled exclusively on the web-based ticketing platform, which is subject to its own privacy policy.

8. Data Transfers Outside the EU

Personal data is processed and stored on servers located within the European Union (Microsoft Azure, EU region).

The only transfer outside the EU concerns FCM tokens processed by Google LLC for the Firebase Cloud Messaging service. This transfer is carried out in compliance with the safeguards provided by Chapter V of the GDPR, through Standard Contractual Clauses and/or adherence to the EU-U.S. Data Privacy Framework.

9. Data Retention Period

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected:

Data Category	Retention Period
Authentication and profile data	For the duration of the event plus a reasonable post-event period for administrative purposes
Ticket / pass data	For the duration of the event and the necessary post-event period
Chat messages	For the duration of the event; deleted after the event concludes
FCM tokens	Until the user disables notifications, uninstalls the App, or the event concludes
Networking directory	For the duration of the event; removed at its conclusion
Saved sessions	For the duration of the event and the necessary post-event period

At the end of the retention period, data is deleted or irreversibly anonymised.

10. Your Rights as a Data Subject

Under Articles 15–22 of the GDPR, you have the right to:

1. Access (Art. 15) — obtain confirmation of whether your personal data is being processed and access such data.
2. Rectification (Art. 16) — request the correction of inaccurate data or the completion of incomplete data.
3. Erasure (Art. 17) — request the deletion of your personal data, where permitted by law.
4. Restriction (Art. 18) — request the restriction of processing under certain circumstances.
5. Data Portability (Art. 20) — receive your data in a structured, commonly used, and machine-readable format.
6. Objection (Art. 21) — object to the processing of your personal data.
7. Withdrawal of Consent — withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise any of these rights, please contact:

The Data Controller undertakes to respond to requests within 30 days of receipt, as required by Article 12(3) of the GDPR.

11. Right to Lodge a Complaint

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority:

12. Data Security

The Data Controller implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration, including:

• Encrypted communications (HTTPS/TLS)
• JWT token-based authentication with time-limited validity
• Data access restricted to authorised personnel
• Server infrastructure hosted in certified data centres (Microsoft Azure, EU region)
• No password storage (OTP-based authentication)

13. Changes to This Privacy Policy

The Data Controller reserves the right to amend this Privacy Policy at any time. Any changes will be communicated through the App or published on the dedicated web page. You are encouraged to review this Privacy Policy periodically for any updates.

The date of the last update is indicated at the top of this document.

14. Contact Information

For any questions regarding this Privacy Policy or the processing of your personal data, you may contact the Data Controller at:

© 2026 Micromegas Comunicazione S.r.l. — All rights reserved.