Legal

Privacy Policy

Last updated: 8 May 2026

1. Data

Until the entity is formally incorporated, the individual founder acts as the data controller for all purposes under EU Regulation 2016/679 (GDPR) and Spain's Organic Law 3/2018 (LOPDGDD).

2. Data Protection Officer

KlipMeet is not currently required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR, as it does not carry out large-scale processing of special categories of data or systematic large-scale monitoring of individuals.

For any privacy-related enquiries, please contact us at: info@klipmeet.com (subject: Data Protection).

3. Personal Data Processing Activities

3.1 Account Registration and Authentication

Data processed: name, email address, password (stored as a bcrypt hash), profile image (optional), IP address, User-Agent string (browser and device).

Purpose: Creating and managing user accounts; authenticating access to the platform; verifying email addresses; enabling password resets; account security.

Legal basis: Performance of a contract to which the data subject is party (Art. 6(1)(b) GDPR). Technical session data (IP, User-Agent) is processed under our legitimate interest in ensuring service security (Art. 6(1)(f) GDPR).

Retention: While the account remains active. Upon deletion, data is removed within 30 days, unless legal retention obligations apply. Session logs (IP) are retained for a maximum of 12 months.

3.2 Google OAuth Authentication

Data processed: email address, name and profile image URL from Google; OAuth access and refresh tokens (stored encrypted).

Purpose: Enabling authentication via the user's Google account as an alternative to password-based registration.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR); the user voluntarily initiates the OAuth flow. Implicit consent within the OAuth process (Art. 6(1)(a) GDPR).

Third party involved: Google LLC (see Section 4). Profile data is transmitted from Google's servers to KlipMeet at the time of authentication.

Retention: While the Google account remains linked. Tokens are deleted when the user unlinks their Google account or deletes their KlipMeet profile.

3.3 User Profile

Data processed: name, profile image, biography (optional), geographic location at city/region/country level (optional), preferred language.

Purpose: Personalising the user experience; displaying profile information to other members of the same group.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) for basic profile data. User consent (Art. 6(1)(a) GDPR) for optional fields (bio, location, image), which may be withdrawn at any time from profile settings without affecting the lawfulness of prior processing.

Retention: While the account remains active. Optional data is deleted immediately when removed by the user.

3.4 Group and Organisation Management

Data processed: group information (name, type, description, website, phone, contact email, photo, location); user membership status (pending/active/rejected); organiser role.

Purpose: Enabling the creation and management of organisations on the platform (parent-teacher associations, associations, companies, groups); managing member access to group events.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

Retention: While the group is active. Group deletion is logical (soft delete); membership data is retained until the group is permanently deleted or upon the data subject's request.

3.5 Event Management and Attendance Tracking

Data processed: event name, date, description, venue details (name, address, geographic coordinates); user RSVP status (pending/confirmed/denied); attendance record.

Purpose: Creating, publishing and managing events; managing attendance confirmations (RSVP); controlling physical access via QR code scanning; sending confirmations and reminders.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

Retention: Attendance history is retained while the user account remains active.

3.6 Attendee and Dependent Data

Data processed: attendee or dependent name, associated group, optional custom fields defined by the organiser (e.g., school year, membership number), and the linked parent/guardian user ID for dependents.

Purpose: Enabling organisers to manage attendee lists; enabling offline access control via the mobile PWA application.

Legal basis: Performance of the contract with the user (organiser or parent/guardian) who enters the data (Art. 6(1)(b) GDPR). Minor data is entered exclusively by registered parents or legal guardians who consent on behalf of the minor within the framework of their contractual relationship with KlipMeet.

Minors: KlipMeet sets the minimum age for direct registration at 14 years, in accordance with Spain's LOPDGDD (Art. 7). Data relating to children under 14 is managed exclusively by their parents or legal guardians registered on the platform, who are solely responsible for such processing.

Special categories: KlipMeet does not request or process special categories of data (health data, ethnic origin, political opinions, biometric data, etc.). Custom group fields are configured by organisers, who are responsible for their content.

Retention: While the attendee remains active on the organiser's platform. Organisers may delete attendees at any time.

3.7 Email Communications

Data processed: email address, user name, referenced event or group data, QR code (encodes only the user's internal identifier).

Purpose: Sending transactional service notifications: registration confirmation, email verification, password reset, event attendance confirmation, event reminders (24 hours before), new event notifications within groups, group invitations, membership request outcomes (approval or rejection).

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) for transactional communications. Legitimate interest (Art. 6(1)(f) GDPR) for event reminders sent to users who have already confirmed attendance. No unsolicited commercial communications are sent without prior consent, in compliance with Spain's LSSI-CE (Art. 21).

Preferences: Users can manage their notification preferences from their profile settings.

Retention: A log of notification type and send date is retained while the account is active to prevent duplicates and manage preferences. Email content is not stored on KlipMeet's servers.

3.8 Cookies and Tracking Technologies

| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| session_token | Strictly necessary | Maintaining the authenticated user session | Session duration |
| i18n_redirected | Strictly necessary | Remembering the user's language preference | 1 year |

KlipMeet does not use advertising cookies, third-party analytics, or behavioural tracking technologies. All cookies used are strictly technical and necessary for the operation of the service. Strictly necessary cookies do not require prior consent under applicable EU and Spanish law.

3.9 Offline Mobile Application (PWA)

The KlipMeet mobile app (app.klipmeet.com) stores data locally on the user's device using the browser's IndexedDB technology. This data includes attendee lists, events and attendance records synchronised from the server.

This data resides solely on the user's device and is not transmitted to third parties from the device. Synchronisation is performed exclusively via encrypted HTTPS connections with KlipMeet's servers. Users can delete this local data at any time from their browser settings.

4. Recipients of Data (Data Processors)

KlipMeet may share data with the following data processors, with whom it maintains Data Processing Agreements (DPAs) ensuring GDPR compliance:

| Provider | Country | Service | Safeguards |
|---|---|---|---|
| Vercel Inc. | USA | Web and app hosting (klipmeet.com, app.klipmeet.com) | EU-US Data Privacy Framework (certified); DPA |
| Plus Five Five, Inc. (Resend) | USA | Transactional email delivery | EU-US DPF + EU Standard Contractual Clauses 2021/914; DPA |
| Google LLC | USA | OAuth authentication (Google Sign-In) | EU-US DPF; Google Workspace DPA |
| [VPS PROVIDER] | [COUNTRY] | API server hosting (api.klipmeet.com) | [DPA or applicable regime] |

KlipMeet does not sell or disclose personal data to third parties for advertising or commercial purposes.

Group organisers have access to their members' and attendees' data for group management purposes. KlipMeet does not control the use organisers make of that data outside the platform environment.

5. International Data Transfers

Providers established in the United States are subject to one or more of the following safeguard mechanisms recognised by the European Commission:

  • EU-U.S. Data Privacy Framework (EU-US DPF): Vercel Inc., Google LLC and Plus Five Five, Inc. (Resend) are certified under the EU-US DPF, recognised as providing an adequate level of protection by the European Commission's Adequacy Decision of 10 July 2023.
  • Standard Contractual Clauses (SCCs): As an additional or alternative safeguard, KlipMeet relies on the EU standard contractual clauses adopted by Commission Implementing Decision 2021/914/EU.

6. Data Subject Rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

| Right | Description |
|---|---|
| Access (Art. 15) | Obtain confirmation of processing and access your personal data |
| Rectification (Art. 16) | Correct inaccurate or incomplete data |
| Erasure / Right to be forgotten (Art. 17) | Request deletion when data is no longer necessary for its original purpose |
| Restriction of processing (Art. 18) | Request temporary suspension of processing in certain circumstances |
| Data portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interest |
| Withdrawal of consent | Withdraw consent at any time without retroactive effect on prior processing |

How to exercise your rights: In writing, attaching a copy of your identity document, to: info@klipmeet.com (subject: GDPR Rights Request). Many data actions can also be performed directly within your profile settings on the platform.

Response time: Within 1 month of receipt, extendable to 3 months for complex cases, with prior notification to you.

Right to lodge a complaint: You have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD), C/ Jorge Juan, 6, 28001 Madrid, Spain — or with the supervisory authority of your country of residence within the EU.

7. Security Measures

KlipMeet applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, including:

  • All communications encrypted via TLS/HTTPS
  • Passwords stored as bcrypt hashes (one-way function)
  • Session cookies with HttpOnly, Secure and SameSite=Lax attributes
  • Role-based access control (user / administrator)
  • Database access restricted to authorised personnel
  • Account suspension and session revocation mechanisms
  • Single-use, time-limited email verification and password reset tokens (24 h and 1 h respectively)

In the event of a personal data breach affecting your data, KlipMeet will comply with the notification obligations set out in Articles 33 and 34 of the GDPR.

8. Changes to This Policy

KlipMeet reserves the right to amend this privacy policy to reflect regulatory changes or new platform features. In the event of material changes, registered users will be notified by email or via a prominent notice on the platform in advance.

The current version will always be available at: https://klipmeet.com/privacy-en

9. Governing Law and Jurisdiction

This policy is governed by EU Regulation 2016/679 (GDPR), Spain's Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE). Any disputes relating to privacy shall be resolved before the courts having jurisdiction under applicable consumer protection legislation.