GDPR Compliance

Wave Events is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR).

Our Commitment to GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations processing personal data of individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland.

Wave Events has implemented robust measures to ensure compliance with GDPR requirements, protecting the rights and freedoms of data subjects while enabling our clients to meet their own compliance obligations.

Your Rights Under GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:

Right of Access

You have the right to request a copy of the personal data we hold about you and information about how we process it.

Right to Rectification

You have the right to request correction of inaccurate personal data or completion of incomplete data.

Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected.

Right to Restriction of Processing

You have the right to request that we limit the processing of your personal data in certain circumstances.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.

Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Where we rely on consent as the legal basis for processing, you have the right to withdraw your consent at any time.

Legal Bases for Processing

We process personal data under the following legal bases:

Consent: When you have given explicit consent for specific processing activities, such as receiving marketing communications.
Contract: When processing is necessary to perform our contract with you or to take steps at your request before entering into a contract.
Legal Obligation: When processing is necessary to comply with applicable laws and regulations.
Legitimate Interests: When processing is necessary for our legitimate business interests, provided your rights do not override those interests.

International Data Transfers

Wave Events, Inc. is based in the United States. When we transfer personal data from the EEA, UK, or Switzerland to the United States or other countries, we implement appropriate safeguards to ensure your data remains protected.

Transfer Mechanisms

Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses for transfers to countries without an adequacy decision.
UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK IDTA or the UK Addendum to the EU SCCs.
Swiss Transborder Data Flow Agreement: We comply with Swiss data protection requirements for transfers from Switzerland.
Supplementary Measures: We implement additional technical and organizational measures as needed, including encryption and access controls.

Data Processing Agreement

For clients who are data controllers under GDPR, we offer a Data Processing Agreement (DPA) that outlines:

The nature and purpose of processing
Categories of personal data processed
Our obligations as a data processor
Security measures we implement
Sub-processor arrangements
Data subject rights assistance
Breach notification procedures
Data deletion and return procedures

To request a copy of our DPA, please contact privacy@wave.events.

Sub-Processors

We use carefully selected sub-processors to help deliver our services. All sub-processors are bound by data processing agreements that require them to protect your data in accordance with GDPR requirements.

We maintain a list of our sub-processors and will notify clients of any changes, providing an opportunity to object to new sub-processors.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

Providing our services to you
Complying with legal obligations
Resolving disputes
Enforcing our agreements

When data is no longer needed, we securely delete or anonymize it.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
Notify affected data subjects without undue delay when the breach is likely to result in a high risk
Notify our clients (as data controllers) promptly so they can fulfill their own notification obligations

Exercising Your Rights

To exercise any of your GDPR rights, please contact us at:

privacy@wave.events

We will respond to your request within 30 days. In some cases, we may need to verify your identity before processing your request.

If you are an End User attending an event, your data may be controlled by the event organizer (our Client). In such cases, please contact the event organizer directly, or we can help redirect your request.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR. You may contact:

The supervisory authority in your country of residence
The supervisory authority in the country where the alleged violation occurred
The supervisory authority where Wave Events has an establishment

Contact Our Privacy Team

For any questions about our GDPR compliance or to exercise your rights:

Wave Events, Inc.
Email: privacy@wave.events
General inquiries: hello@wave.events

Lawfulness & Transparency

Purpose Limitation

Data Minimization

Accuracy

Security

Accountability