Privacy policy

1. INTRODUCTION

This Privacy Policy explains how Cluborado OÜ (registry code 17445114), registered at Sepapaja tn 6, Tallinn, Estonia (“Cluborado”, “Company”, “we”, “us”, or “our”), collects, uses, discloses, and protects personal data when you access or use the Cluborado platform, website, mobile applications, and related services (collectively, the “Service”).

For the purposes of applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”), Cluborado OÜ acts as the Data Controller.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. CATEGORIES OF PERSONAL DATA COLLECTED

We collect personal data in the following categories:

2.1 Information You Provide Directly

Account Registration:
• Email address
• Full name (mandatory for venue accounts; optional for guests)
• Encrypted password (for email/password accounts)
• Phone number (optional)
• City and country
• Account type (guest or venue)

OAuth Sign-In (Google / Apple):
When signing in through third-party providers, we may receive:
• Email address
• Full name
• Provider-specific user identifier
• Authentication metadata

We do not receive or store third-party account passwords.

Profile and Platform Usage:
• Favorite venues and events
• Language preference
• Subscription tier (if applicable)

Venue Account Information:
• Venue name and address
• City and country
• Contact details
• Venue descriptions, photos, and galleries
• Genres, opening hours, and policies
• Social media links

Event and Booking Data:
• Event details (name, date, time, description, media)
• Artist information
• Table configurations
• External booking links
• Guest name and phone number if voluntarily provided for venue communication

2.2 Information Collected Automatically

When you access the Service, we may automatically collect:

• IP address
• Device type and browser information
• Operating system
• Access timestamps
• Pages visited and session duration
• Referring URLs

This information is used primarily for security, operational integrity, and performance monitoring.

3. LEGAL BASIS FOR PROCESSING (GDPR)

Where applicable under GDPR, we process personal data based on:

• Performance of a contract (account creation and platform functionality)
• Legitimate interests (platform security, fraud prevention, service improvement)
• Legal obligations (regulatory compliance)
• Consent (where required, including optional marketing communications)

Users may withdraw consent at any time where processing is based on consent.

4. PURPOSES OF PROCESSING

We process personal data to:

• Create and manage accounts
• Authenticate users
• Operate and maintain platform functionality
• Facilitate guest–venue informational exchange
• Communicate important service-related notices
• Respond to inquiries and support requests
• Enforce Terms of Service
• Detect fraud, abuse, or security threats
• Improve user experience and platform performance

5. INFORMATION SHARING AND DISCLOSURE

5.1 With Venues

When a guest submits booking-related information, limited details (such as name and phone number, if provided) may be shared directly with the relevant venue.

Venues do not receive:
• Account passwords
• Full account profiles
• Email credentials

5.2 Service Providers

We may share data with trusted third-party processors who assist with:

• Cloud hosting and infrastructure
• Database management
• Authentication services
• Customer support
• Payment processing for venue subscriptions

All processors are contractually bound to protect personal data and process it solely under our instructions.

5.3 Legal Disclosure

We may disclose personal data if required to:

• Comply with applicable laws or court orders
• Respond to lawful governmental requests
• Protect rights, safety, or property
• Prevent fraud or unlawful activity

5.4 Business Transfers

In the event of a merger, acquisition, or asset transfer, personal data may be transferred as part of the transaction, subject to applicable legal safeguards.

5.5 No Sale of Personal Data

We do not sell personal data to third parties.

6. INTERNATIONAL DATA TRANSFERS

Personal data may be processed outside your country of residence. Where transfers occur outside the European Economic Area (EEA), we ensure appropriate safeguards, including:

• Standard Contractual Clauses approved by the European Commission
• Contractual obligations ensuring equivalent data protection standards

7. DATA RETENTION

We retain personal data only for as long as necessary for the purposes described in this Policy, including:

• Account data: retained while account is active
• Deleted accounts: personal data removed within 30 days unless legally required otherwise
• Booking records: retained as necessary for operational or legal compliance
• Aggregated or anonymized data: may be retained indefinitely

Retention periods may be extended where required by law or for dispute resolution.

8. DATA SECURITY

We implement appropriate technical and organizational security measures, including:

• Encrypted password storage
• HTTPS encryption
• Access controls and authentication safeguards
• System monitoring and risk assessment

No system is completely secure. Users are responsible for safeguarding account credentials.

9. YOUR RIGHTS

Subject to applicable law, you may have the right to:

• Access your personal data
• Rectify inaccurate data
• Request erasure (“right to be forgotten”)
• Restrict processing
• Object to processing based on legitimate interests
• Data portability
• Withdraw consent (where applicable)

Requests may be submitted to [email protected]. We aim to respond within 30 days.

EU residents may lodge complaints with their local Data Protection Authority.

10. COOKIES

We use limited cookies necessary for:

• Authentication
• Security
• Interface preferences

We do not use advertising or behavioral tracking cookies.

Third-party providers (such as authentication services or payment processors) may use cookies within their own domains.

Users may manage cookies via browser settings; disabling essential cookies may impair functionality.

11. CHILDREN’S DATA

The Service is intended for individuals aged 18 or older. We do not knowingly collect personal data from minors. If we become aware of such collection, we will take appropriate steps to delete the data.

12. THIRD-PARTY LINKS

The Service may contain links to external websites. We are not responsible for their privacy practices. Users should review third-party privacy policies separately.

13. AUTOMATED DECISION-MAKING

Cluborado does not engage in automated decision-making or profiling that produces legal or similarly significant effects.

14. POLICY CHANGES

We reserve the right to update this Privacy Policy at any time. Material changes will be communicated through the Service or via email where appropriate.

Continued use of the Service constitutes acceptance of the updated Policy.

15. CONTACT INFORMATION

Data Controller:

Cluborado OÜ
Registry Code: 17445114
Registered Address: Sepapaja tn 6, Tallinn, Estonia
Email: [email protected]

We aim to respond to privacy-related inquiries within 30 days.