PrivacyDraft notice
Privacy policy.
How guest data is handled for Publicis Sweden 100 on 25 September 2026. Publicis Sweden AB is the controller.
Policy sectionWho is responsible
Policy section
Who is responsible
- Controller
- Publicis Sweden AB decides why guest data is processed for Publicis Sweden 100.
- Processor
- Kehitys provides hosting, invitation tokens, RSVP tooling, event operations screens, audit logging, and support.
- Contact
- Privacy requests are handled through the event host team until Publicis publishes the final controller privacy mailbox.
Policy sectionWhat we process
Policy section
What we process
- Invite list
- Name, email, company/title where supplied, invite status, and token delivery metadata.
- RSVP
- Attendance choice, dietary/allergy information, accessibility needs, plus-one details when enabled, and photo consent.Allergy and accessibility fields can include sensitive personal data.
- Operations
- Check-in status, module claims such as bar or wardrobe, email send status, and minimal audit metadata.
Policy sectionWhy we process it
Policy section
Why we process it
- Invitation
- To deliver the save-the-date and let invited guests reach their personal event surface.
- Event operations
- To plan attendance, handle access needs, run check-in, and keep operational records.
- Legal basis
- Contract/legitimate interest for event administration, explicit consent where optional sensitive fields are submitted, and legal obligation for required compliance records.
Policy sectionWhere data goes
Policy section
Where data goes
- Platform
- Tenant-isolated Postgres, Specific Storage, Specific Secrets, and Temporal workflow runtime.
- Resend is the selected email vendor; EU sending region is planned, while account data and logs are handled under SCCs.
- No sale
- Guest data is not sold, shared across tenants, or used for cross-tenant profiling.
Policy sectionRetention and rights
Policy section
Retention and rights
- Retention
- RSVP and operational guest data follows the Publicis retention window; current platform default is 12 months after the event unless the signed DPA says otherwise.
- Audit records
- Minimal audit metadata is retained where needed for security, legal defence, and processor accountability.
- Rights
- Guests can request access, correction, restriction, portability, objection, and erasure where legally available.