PRIVACY POLICY

Protecting the privacy of organizers and attendees

1. About this Policy

1.1 Who we are

This Privacy Policy applies to personal data processed by Entryvent Tickets Selling (“Entryvent”, “we”, “us”), a Sole Establishment registered in Dubai, United Arab Emirates under trade licence number 1467049, with registered office at Suite 907, Dusseldorf Business Point, Al Barsha 1, Dubai, UAE.

1.2 What this Policy covers

This Policy explains how Entryvent collects, uses, shares, and protects personal data when you:

  • Create an Account on Centra, our event management platform, as an Organiser, internal user, or external user
  • Register for, attend, or interact with an Event powered by Centra
  • Visit our website at entryvent.com or use our mobile applications
  • Communicate with us by email, phone, chat, or social media

1.3 What this Policy does not cover

  • Personal data processed by Organisers using Centra. Each Organiser is the controller of their Attendee data and has their own privacy policy. See Section 15 for additional information for Attendees.
  • Personal data processed by third-party services we integrate with (such as Network International for payment processing). These providers have their own privacy policies, linked at Section 7.
  • Personal data processed by Entryvent Event Management (Dubai trade licence number 1290957) in connection with professional event organisation, DTCM permit assistance, event collaterals, and venue services. These services are governed by separate agreements and have their own privacy notice.
  • Personal data of our employees, contractors, or job applicants. A separate notice applies.

1.4 Applicable laws

This Policy is designed to comply with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (“UAE PDPL”) and its implementing regulations, the EU General Data Protection Regulation (“GDPR”) where it applies to EU residents, and other applicable data protection laws.

2. Defined terms

The following terms have the same meaning as in our Organiser Terms of Service (entryvent.com/terms):

Term | Meaning
Account | An Organiser account on Centra, Personal or Business.
Attendee | Any person who registers for, purchases a ticket to, or attends an Event powered by the Service.
Centra | Entryvent’s web-based event management platform.
Controller | The party that determines the purposes and means of processing personal data, as defined under UAE PDPL.
DPA | The Data Processing Addendum at entryvent.com/dpa, which forms part of the Organiser Terms.
Event | An event published on Centra by an Organiser.
External user | A user invited by an Organiser to access their Account, including Exhibitor Manager, Stakeholder, and Onsite staff.
Organiser | A user who creates an Account on Centra to publish, manage, or sell access to Events.
Personal Data | Any information relating to an identified or identifiable natural person.
Processing | Any operation performed on personal data, as defined under UAE PDPL.
Processor | The party that processes personal data on behalf of a Controller.
Service | The Centra platform together with related Entryvent products and websites.
Sub-processor | A third party engaged by Entryvent to process personal data on the Organiser’s behalf.

3. Our roles: Controller and Processor

WHY THIS SECTION MATTERS

Entryvent has different legal capacities for different categories of personal data. This Policy treats each role separately throughout, with sections labelled accordingly.

For clarity: Entryvent is a platform that facilitates Organisers’ Events. We do not control or operate Events. However, when an Organiser uses Centra, Entryvent makes decisions about Organiser account data, such as what to collect, how long to retain it, and what cookies to set on our website. In data protection law, this makes us the “controller” of Organiser account data. The term “controller” is a legal term for who decides how data is handled; it does not mean we control the Event.

3.1 When Entryvent is a Controller

Entryvent is the data controller for personal data we collect about:

  • Organisers (account holders, including Owners, Administrators, and Members)
  • External users invited to an Account (Exhibitor Manager, Stakeholder, Onsite staff) for the limited account data we hold about them as users of the Service
  • Attendees who interact with us directly, separately from event-specific registration data, which is governed by Section 3.2
  • Visitors to our website and marketing prospects
  • Users who contact our support, sales, or account management teams

For these categories of data, Sections 4 to 13 of this Policy apply.

3.2 When Entryvent is a Processor

Entryvent acts as a data processor for personal data that Organisers collect from their Attendees and use Centra to manage. Examples include attendee names, contact details, ticket data, registration form responses, and check-in records.

For this category, the Organiser is the data controller and decides what data is collected, why, and how long it is kept. Entryvent processes this data only on the Organiser’s instructions and in accordance with our Data Processing Addendum (DPA), available at entryvent.com/dpa.

Attendees who want to know how their personal data is used should contact the Organiser of the Event they registered for. Section 15 below provides additional information specific to Attendees.

4. Personal data we collect (as Controller)

4.1 Account and identity data

  • Name, job title, role within company
  • Email address, phone number, business address
  • Password (stored as a salted hash; we never store passwords in plain text)
  • Account preferences, language, timezone, notification settings

4.2 Company data

  • Company name, trade licence number, TRN (for VAT-registered Organisers)
  • Billing address and the bank account configured in your Company Profile for EPG payouts
  • Logo, organiser page content, social media links

4.3 Usage data

  • Pages visited, features used, login history, device and browser information, IP address, approximate location derived from IP
  • Click events, search queries within the platform, time spent in the application

4.4 Communications

  • Support tickets, emails to and from Entryvent, chat transcripts, recorded sales calls (where permitted by law)

4.5 Marketing and prospect data

  • Names, business email addresses, job titles, and company information of business prospects we identify through commercial lists, sales research, and publicly available business sources
  • Records of marketing emails sent and engagement (opens, clicks, unsubscribes)
  • Marketing preferences and opt-out requests

How we use this data is set out in Section 13.

4.6 Special category data

Entryvent does not deliberately collect special category data (such as health, religion, sexual orientation, political opinions) about Organisers or other users for whom we are the controller. Where such data is incidentally collected, we treat it under the safeguards in Section 14.6.

4.7 Data we receive from social sign-in providers

You can create an Account by signing in with Google or Facebook instead of by creating a password. Where you do this, the relevant provider shares specific personal data with us, which we use solely to create and operate your Account. The data we receive is:

  • Your name and email address associated with that provider’s account
  • Your profile picture, where you have one
  • A unique identifier assigned by the provider, used to link your Centra Account to your sign-in with that provider on future logins

We do not receive your password for the provider, your contacts, your posts, your activity on the provider’s platform, or any data beyond what is necessary to authenticate and create your Account. The provider may show you a consent screen during sign-in describing the data being shared, and you can revoke Entryvent’s access at any time through your settings on the relevant provider.

You are bound by these Terms and our Privacy Policy regardless of whether you signed in with email, Google, or Facebook. Where you sign in with Google or Facebook, you tick the same acceptance box for the Organiser Terms (or Attendee Terms, as applicable), our Privacy Policy, our Community Guidelines, and (for Organisers) our Data Processing Addendum before your Account is created.

5. How we use personal data (as Controller)

We use personal data we hold as Controller for the purposes set out below. Each purpose has a specific legal basis under UAE PDPL Article 5 and (where applicable) GDPR Article 6.

Purpose | Data used | Legal basis
Provide and operate Centra | Account, company, usage, communications data | Performance of contract
Process payments and payouts | Payment data, account, company data | Performance of contract / legal obligation (tax)
Customer support and account management | Account, communications, usage data | Performance of contract / legitimate interests
Service improvement and product development | Usage data, anonymised analytics | Legitimate interests
Marketing communications to Organisers and prospects | Account, marketing and prospect data, communications preferences | Legitimate interests (with right to object) / consent where applicable
Fraud prevention and account security | Account, usage, payment, device data | Legitimate interests / legal obligation
Compliance with legal obligations | As required by law (tax, audit, court orders, regulatory) | Legal obligation
Defend legal claims and resolve disputes | As relevant to the dispute | Legitimate interests
Corporate transactions (M&A) | Various, with notice | Legitimate interests

6. Profiling and automated decision-making

Entryvent does not make solely automated decisions that produce legal effects or significantly affect Organisers. We use analytics in limited ways: to detect potential fraud, to recommend features within the platform, and to generate aggregated insights about platform usage.

You have the right to object to processing based on legitimate interests, including any profiling, by contacting us at privacy@entryvent.com.

7. Who we share personal data with

We share personal data with third parties only in the limited circumstances set out below. Entryvent does not sell or rent your personal data to third parties for their own marketing or commercial purposes.

7.1 Service providers and sub-processors

We share personal data with a small number of third-party service providers that help us operate Centra. Our current sub-processors are:

Sub-processor | Function | Region
Amazon Web Services (AWS) | Hosting infrastructure (compute, storage, database) and transactional email delivery (Amazon Simple Email Service) | Singapore
Network International | Payment processing for the Entryvent Payment Gateway (see Section 7.2) | United Arab Emirates
Stripe | Payment processing where Organisers configure their own gateway (see Section 7.2) | International (US-headquartered)
Mailchimp (Intuit) | Marketing email delivery to prospects and Organisers (see Section 13) | United States
Google Analytics | Visitor analytics on Organiser Event pages, surfaced to Organisers as audit visibility into who visits their pages | Google global infrastructure

We do not use separate customer support tools or third-party data analytics platforms beyond those listed above.

We notify Organisers in advance of any new sub-processor as set out in our DPA. The cross-border transfer mechanism for each sub-processor is described in Section 8.

7.2 Payment processors

Payments through the Entryvent Payment Gateway (EPG) are processed by Network International (UAE), our payment processor partner. Where Organisers configure their own gateway (such as Stripe), payments are processed by that gateway directly. Payment card data is collected and held by these processors, not by Entryvent. Their use of your data is governed by their own privacy policies.

7.3 DTCM permit holders

Where you create an Event in Dubai that requires DTCM compliance, Centra provides export tools that the Organiser uses to extract Attendee data and transfer it to the holder of the DTCM permit. The permit holder then submits the data to the Dubai Department of Tourism and Commerce Marketing as part of their regulatory obligations.

Entryvent does not submit data to DTCM directly. Entryvent provides the export tools; the Organiser is responsible for the transfer to the permit holder; the permit holder is responsible for the submission to DTCM. Each step is described in Section 13 of our Organiser Terms.

7.4 Government authorities and law enforcement

We may disclose personal data to government authorities, courts, or law enforcement when required by valid legal process or to comply with law.

7.5 Professional advisors

We may share personal data with our auditors, lawyers, accountants, insurers, and consultants under confidentiality obligations and only as needed for them to provide their services.

7.6 Corporate transactions

In the event of a merger, acquisition, sale of assets, or similar corporate transaction, personal data may be transferred to the buyer or successor. We will give you notice and ensure your data continues to be protected.

7.7 External users invited by an Organiser

An Organiser may invite external users to participate in their Event, including Exhibitor Managers, Stakeholders, and Onsite staff. The Organiser, not Entryvent, decides who to invite and what permissions to grant. Once invited, those external users act in their own capacity within the permissions configured. The data role of each external user type is set out in our Organiser Terms (Section 19.6) and in our DPA. In particular:

  • An Exhibitor Manager typically performs three distinct activities, all as an independent controller of the relevant data:
    • Ticket assignment — the Exhibitor Manager distributes tickets to their own contacts; those contacts then register on Centra, and the registration data is visible to the Exhibitor Manager for their own commercial purposes (such as guest list management and follow-up)
    • Lead scan configuration — the Exhibitor Manager configures their own lead scan setup, defining the questions they want to capture about leads at their booth; what they ask is their commercial decision, not the Organiser’s
    • Lead capture — the Exhibitor Manager scans Attendee badges and collects responses to their configured questions

    Across all three activities, the Exhibitor Manager has their own data protection obligations to the Attendees concerned, governed by their own privacy policy.

  • Onsite staff handling registration or scanning at an Event act as a sub-processor of the Organiser, not of Entryvent. They process data on the Organiser’s instructions and have no independent purpose for accessing Attendee data.
  • Stakeholder has visibility into aggregate Event information only and does not access personal data of individual Attendees.

Entryvent is not party to the Organiser’s decision to invite an external user, nor to the data-handling decisions those external users make in their own commercial interest.

8. International data transfers

Some of our service providers are located outside the UAE. When we transfer personal data outside the UAE, we use one or more of the following safeguards:

  • Transfer to a country recognised as providing adequate protection under UAE PDPL
  • Standard contractual clauses approved by the UAE Data Office or equivalent supervisory authority
  • Binding corporate rules where the recipient is part of a multinational group
  • Your explicit consent for specific transfers

The current transfers and mechanisms are:

Sub-processor | Destination | Transfer mechanism
Amazon Web Services | Singapore | Standard contractual clauses under AWS’s Data Processing Addendum
Stripe | United States and other Stripe operating regions | Standard contractual clauses under Stripe’s Data Processing Agreement
Mailchimp (Intuit) | United States | Standard contractual clauses under Mailchimp’s Data Processing Addendum
Google Analytics | Google global infrastructure (primarily United States) | Standard contractual clauses under Google’s Data Processing Terms
Network International | United Arab Emirates | Domestic processing; no cross-border transfer

9. How long we keep personal data

Data category | Retention period | Basis
Active Organiser account data | Duration of account, plus 7 years | UAE Federal Tax Authority requirements
Closed Organiser account data | Deleted within 90 days of closure, except where retention required by law | Operational
Payment transaction records | 7 years | UAE FTA requirements
Marketing preferences, opt-out requests, and engagement data | 3 years from last activity, or until opt-out is requested (whichever is sooner) | Legitimate interests / audit trail
Support tickets and communications | 3 years from last contact | Operational
Usage analytics (identifiable) | 14 months, then anonymised or deleted | Operational
Anonymised aggregate analytics | Indefinite (no longer personal data) | N/A
Server logs (IP, request data) | 12 months, then anonymised | Security

Attendee personal data processed on behalf of an Organiser is retained for the period set by the Organiser (usually the duration of the Account plus a reasonable period for refunds, accounting, and dispute resolution), as set out in our DPA.

10. Security

We apply technical and organisational measures appropriate to the risk of processing, including:

  • Personal data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256
  • Passwords are stored as salted hashes
  • Access to personal data is restricted to staff who need it, with role-based access control and audit logs

We follow security practices aligned with industry standards.

10.1 Internal access controls

Access to Organiser and Attendee personal data within Centra is strictly limited to a small number of authorised Entryvent personnel who require it to operate the Service or to provide support that the Organiser has requested. All authorised personnel are subject to a binding internal access policy that:

  • Prohibits downloading, copying, exporting, or sharing Organiser or Attendee personal data outside the Service, except at the Organiser’s express direction or as required by law
  • Requires confidentiality obligations as a condition of access
  • Logs all access for audit purposes
  • Reviews access permissions on an ongoing basis and removes access promptly when it is no longer required

10.2 Personal data breaches

If we become aware of a personal data breach affecting your data, we will:

  • Notify the UAE Data Office (or other applicable supervisory authority) without undue delay and within 72 hours of becoming aware, where required by law
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
  • Maintain a record of all data breaches affecting personal data we process

11. Your rights

You have the following rights regarding personal data held about you. For data where Entryvent is the controller (Section 3.1), Entryvent will respond to your request directly. For data where Entryvent is a processor on the Organiser’s behalf (Section 3.2), the Organiser is responsible for responding; we will support them under our DPA.

  • Right of access: Request a copy of the personal data we hold about you
  • Right of rectification: Request correction of inaccurate or incomplete data
  • Right of erasure: Request deletion of your data where it is no longer necessary, where you withdraw consent, where the processing is unlawful, or where required by law
  • Right to restrict processing: Request that we limit how we use your data while a question about it is resolved
  • Right to data portability: Request a copy of your data in a structured, machine-readable format and have it transferred to another controller where technically feasible
  • Right to object: Object to processing based on legitimate interests, including direct marketing and profiling
  • Right to withdraw consent: Where we rely on your consent, withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing
  • Right not to be subject to solely automated decisions: Where solely automated decisions produce legal or significant effects, request human review
  • Right to lodge a complaint: Lodge a complaint with the UAE Data Office or another competent supervisory authority

11.1 How to exercise your rights

Email privacy@entryvent.com with a clear description of your request. We will:

  • Acknowledge your request promptly
  • Verify your identity to protect your data
  • Respond within 30 days, extendable by up to 60 days for complex requests with notice to you
  • Provide the first request in any 12-month period free of charge; we may charge a reasonable fee for repeated or excessive requests
  • Where we decline a request, explain why and inform you of your right to complain to the supervisory authority

12. Cookies and similar technologies

Centra and the entryvent.com website use cookies and similar technologies to operate the Service, remember your preferences, and analyse usage. Cookies are categorised as:

  • Strictly necessary cookies (login, security, session) — always on, no consent required
  • Functional cookies (language, preferences) — opt-in
  • Analytics cookies (Google Analytics, used by Organisers to see who visits their Event pages) — opt-in

You can manage cookie preferences through our cookie banner or in your account settings.

13. Marketing

This Section covers how Entryvent communicates with Organisers and prospects for marketing purposes. It does not cover communications between Organisers and their Attendees, which are governed by each Organiser’s own privacy notice.

13.1 What we send

We send marketing communications to:

  • Prospective Organisers — business contacts we identify through commercial lists, sales research, and publicly available business sources, where we believe Centra is relevant to their event management needs
  • Existing Organisers — product updates, feature announcements, event-industry insights, and information about our Service

13.2 Legal basis

Our legal basis for marketing communications is legitimate interests under UAE PDPL Article 5 and (where applicable) GDPR Article 6(1)(f), specifically our interest in identifying business prospects and informing existing customers about our Service. We balance this interest against your reasonable expectations and rights, and we honour all opt-out requests promptly.

Where consent is the appropriate legal basis (for example, where local law requires opt-in for cold marketing), we obtain it before sending.

13.3 Your right to opt out

Every marketing email we send contains an unsubscribe link. You can also opt out at any time by emailing contact@entryvent.com. Once you opt out, we will stop sending marketing communications to you and retain a record of your opt-out for audit purposes (see Section 9).

13.4 Centra is not a marketing platform

Centra is an event registration and management platform, not a marketing email tool. Organisers cannot use Centra to upload contact lists and send promotional or marketing emails to people who have not registered for their Events. Communications that Organisers send through Centra to their registered Attendees (such as confirmations, reminders, and Event updates) are transactional and operational, not marketing.

14. Information for Attendees (Entryvent as Processor)

14.1 What we do with Attendee data (Event registration)

As processor for Event-specific registration data, Entryvent handles Attendee data only on the Organiser’s instructions and only as needed to provide the Centra Service. This includes:

  • Storing registration form responses
  • Processing ticket purchases and payments
  • Sending Event communications on behalf of the Organiser
  • Recording check-ins and scan data at the Event
  • Generating reports for the Organiser

14.2 Attendee account data

If you create your own account on entryvent.com to manage your bookings across multiple Events (separate from registering for a specific Event), Entryvent is the controller for that account data. This includes your login credentials, saved payment methods (where applicable), and the history of bookings across the platform. The controller sections of this Policy (Sections 4 to 13) apply to that data.

14.3 Data accessed by exhibitors at Events

Where you attend an Event with exhibitors, an exhibitor may obtain your personal data through one or more of the following ways:

  • Assigned tickets — if your ticket was issued to you by an exhibitor (rather than directly by the Organiser), that exhibitor sees the registration data you provide when redeeming the ticket
  • Lead scan at the booth — if you allow an exhibitor to scan your badge at their booth, that exhibitor captures your contact data and any responses to questions they have configured

In each case, the exhibitor becomes an independent controller of your data and uses it for their own marketing, sales, and follow-up purposes, governed by their own privacy policy. The exhibitor decides what data to capture and how to use it, not Entryvent and not the Organiser. The Organiser of the Event is responsible for disclosing this sharing in their Attendee privacy notice and ensuring you have a lawful basis (such as consent) for it.

To exercise your rights regarding data held by an exhibitor (such as access, correction, or deletion), contact the exhibitor directly.

14.4 Your rights as an Attendee

To exercise your rights regarding Event-specific registration data, contact the Organiser of the Event you registered for. They are the data controller and will respond to your request.

To exercise your rights regarding data held by an exhibitor (whether obtained through an assigned ticket or a lead scan at their booth), contact the exhibitor directly. They are the controller of that data.

To exercise your rights regarding your entryvent.com account data, contact us at privacy@entryvent.com. We are the controller for that data.

If you cannot identify or reach the Organiser of an Event, contact us at privacy@entryvent.com and we will help you connect with them.

14.5 Data Processing Addendum

The full terms of our processing relationship with Organisers are in our Data Processing Addendum, available at entryvent.com/dpa.

14.6 Special category data at Events

Some Events on Centra collect data that requires additional safeguards under UAE PDPL Article 6 and GDPR Article 9, including:

  • Health-related data (medical specialty, accessibility needs, dietary requirements that may reveal religion or health)
  • Religious or political affiliations
  • Other data classified as sensitive under applicable law

Where Organisers process such data through Centra:

  • The Organiser is responsible for obtaining explicit consent or another lawful basis under UAE PDPL Article 6 / GDPR Article 9
  • We apply enhanced security and access controls to data processed on the Organiser’s behalf
  • We retain such data only for the period the Organiser specifies
  • We require Organisers to flag such data when configuring their registration forms

15. Children’s data

Centra is intended for use by professional event organisers and adult Attendees. We do not knowingly collect personal data from individuals under 16 years of age. If an Event collects data from minors (such as a youth conference), the Organiser must have appropriate parental consent and additional safeguards in place. If you believe we have collected data from a minor in error, contact us at privacy@entryvent.com and we will delete it.

16. Changes to this Policy

We may update this Privacy Policy from time to time.

  • For minor changes (clarifications, formatting), we update the version number and “Last updated” date at the top of this Policy
  • For material changes (data we collect, how we use it, who we share it with, your rights), we notify you at least 30 days in advance by email and in-product notification before the changes take effect

Previous versions of this Policy are kept in our internal archive and are available on request to support@entryvent.com.

17. Contact us

Topic | Channel
General privacy queries | privacy@entryvent.com
Data subject rights requests | privacy@entryvent.com
Security incidents and vulnerability reports | security@entryvent.com
Marketing opt-out and consent withdrawal | contact@entryvent.com
Postal | Data Protection Officer, Entryvent Tickets Selling, Suite 907, Dusseldorf Business Point, Al Barsha 1, Dubai, UAE

Last Updated

11 May 2026