NEUROEVENTS
Privacy Policy
1. Data Controller
In compliance with Regulation (EU) 2016/679 (GDPR), the following information about the data controller is provided:
| Legal name | BABUMGA SL |
|---|---|
| Tax ID (NIF) | B67696914 |
| Registered address | Calle Infanta Carlota 16, 28210, Valdemorillo, Madrid, Spain |
| Contact email | hello@neuroevents.app |
| Brand | NeuroEvents |
BABUMGA SL operates the NeuroEvents platform (hub.neuroevents.app) and the website neuroevents.app under said brand.
2. Data we collect and purposes
2.1 Organiser data (registered users)
When you register on the platform, we collect:
- Full name — user identification
- Organisation — professional context
- Email address — authentication and service communications
Legal basis: performance of a contract (Art. 6.1.b GDPR).
We do not store credit card details, billing information or payment data. Billing details (legal name, tax ID, billing address) and payments are collected and managed entirely by Stripe Inc. during the checkout process. Stripe acts as a data processor under its own security standards (PCI DSS Level 1). NeuroEvents does not store or have direct access to this data.
2.2 Event attendee data
Organisers enter their event attendee lists into the platform. This data is processed in two distinct technical layers:
Layer 1 — Attendee list (identifiable personal data):
- Full name
- Email address
- Assigned group or room (optional)
This data is stored in plain text and is visible exclusively to the organiser who owns the event. The organiser acts as the data controller for their attendees' data; NeuroEvents acts as the data processor (Art. 28 GDPR).
Legal basis: legitimate interest of the organiser in evaluating the effectiveness of their event (Art. 6.1.f GDPR).
Layer 2 — Questionnaire responses (pseudonymised data):
Attendee responses are stored linked to a pseudonymous identifier generated via a SHA-256 cryptographic hash (email address combined with a unique event identifier and a random salt). The result is an irreversible alphanumeric code that cannot be used to reconstruct the original email. Responses are stored linked only to this identifier. The original email address does not persist alongside responses in the database.
2.3 Field observer data
Observers are individuals designated by the organiser to record behavioural observations during the event. We collect: email address, assigned room or block, and a temporary access token (expires when the event ends). This data is accessible exclusively to the organiser who owns the event.
Legal basis: performance of a contract between the organiser and their collaborators (Art. 6.1.b GDPR).
2.4 AI-powered report generation
Aggregated and pseudonymised questionnaire data is sent to the Anthropic API (Claude) to generate automated diagnostic reports. Transmitted data includes aggregated scores per agenda block, agenda alerts, and anonymised field observations. No directly identifiable data is transmitted (no names or email addresses of attendees).
3. Data processors
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database, authentication, storage | EU — Ireland | EU-based servers. DPA in place. |
| Vercel Inc. | Platform web hosting | Global CDN with EU nodes | SCCs (EU Decision 2021/914) |
| Resend Inc. | Transactional emails | USA | SCCs (EU Decision 2021/914) |
| Anthropic PBC | AI report generation (pseudonymised data) | USA | SCCs (EU Decision 2021/914). Aggregated data only. |
| Stripe Inc. | Payment processing and billing | USA | SCCs (EU Decision 2021/914) + PCI DSS Level 1 |
4. International data transfers
Some of our data processors have servers located outside the European Economic Area (EEA), specifically in the United States. In such cases, transfers are carried out under the Standard Contractual Clauses (SCCs) approved by the European Commission through Implementing Decision (EU) 2021/914 of 4 June 2021.
5. Data retention
| Data type | Retention period | Legal basis |
|---|---|---|
| Active organiser account | Duration of the contractual relationship | Contract performance |
| Organiser data after account deletion | 4 years | Tax obligations |
| Attendee list (name + email) | 2 years from the event date | Legitimate interest |
| Pseudonymised responses | 2 years from the event date | Legitimate interest |
| Observer data | 2 years from the event date | Legitimate interest |
| Access tokens | Expiry + 30 days | Technical security |
| Authentication logs | 12 months | Technical security |
| Payment and billing data | 5 years (managed by Stripe) | Tax obligations |
Once retention periods expire, data is securely deleted or irreversibly anonymised.
6. Security measures
In compliance with Art. 32 GDPR, we implement the following technical and organisational measures:
- Encryption in transit: all communications via HTTPS/TLS.
- Pseudonymisation: attendee responses stored linked to an irreversible SHA-256 hash.
- Access control: Row Level Security (RLS) in the database — each organiser can only access their own data.
- Secure authentication via JWT tokens.
- HTTP security headers deployed.
- Backups retained for 30 days.
- Cascading deletion when an account is deleted.
7. Your rights
Under the GDPR (Arts. 15–22), you have the right to: access, rectification, erasure, restriction of processing, data portability, and objection.
To exercise your rights: send an email to hello@neuroevents.app with the subject line "GDPR rights request", specifying which right you wish to exercise and providing a copy of your ID document.
Response time: one month from receipt of the request, extendable by a further two months in cases of particular complexity. You will be informed within the first month (Art. 12.3 GDPR).
The platform provides a self-service account deletion mechanism from the Settings section (Art. 17 GDPR). Deleting your account removes all directly identifiable personal data in a cascading process.
Complaints: you have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD): www.aepd.es, or with your local supervisory authority.
8. Changes to this policy
We reserve the right to update this policy. Significant changes will be notified to registered users by email with a minimum of 30 days' notice.
Last updated: April 2026