GDPR Compliance
Last updated: March 11, 2026
Wéini is committed to protecting your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page explains our compliance measures and how you can exercise your data rights.
Data Controller
Cirql, the company behind the Wéini platform, is the data controller responsible for your personal data. For any data protection inquiries, you can contact our Data Protection Officer at:
Legal Basis for Processing
- Consent (Art. 6(1)(a)): We process your data for marketing communications only with your explicit, separately recorded consent.
- Contract (Art. 6(1)(b)): Processing necessary for account creation, event registration, and ticket management.
- Legitimate Interest (Art. 6(1)(f)): Platform security, fraud prevention, and service improvement.
- Legal Obligation (Art. 6(1)(c)): Compliance with financial regulations and audit requirements.
Consent Management
We take consent seriously. Our platform implements the following consent mechanisms:
- Explicit, opt-in consent — never pre-checked or assumed
- Every consent action is timestamped and recorded
- IP address is logged at the time of consent for verification
- You can withdraw GDPR consent at any time via your account or the API
- Marketing consent is tracked separately from GDPR consent — you can opt out of marketing without affecting your account
Your Data Rights
Right of Access
Request a complete copy of all personal data we hold about you, exported in JSON or CSV format.
Right to Rectification
Update or correct your personal information at any time through your account settings.
Right to Erasure
Request permanent deletion of your account and data. We anonymize first, then permanently delete after a 30-day grace period.
Right to Portability
Download all your data in machine-readable formats (JSON/CSV) including profile, tickets, organizations, and audit logs.
Right to Restrict
Withdraw your consent to stop data processing. You can do this at any time without affecting your core account.
Right to Object
Object to marketing communications at any time. Marketing consent is independent from your GDPR consent.
Data Export
You can request a full export of your personal data at any time:
- Available in JSON and CSV formats
- Includes: personal profile, organizations, memberships, tickets, and audit logs
- Export files are available for 7 days, then automatically deleted for security
Account Deletion
When you request account deletion, the following process is followed to protect your data:
- Personal data is anonymized (names, email, IP addresses replaced with placeholder values)
- All active authentication tokens are immediately revoked
- A 30-day grace period allows for recovery if needed
- After 30 days, anonymized records are permanently deleted from all systems
Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | While account is active |
| Anonymized accounts | 30 days, then permanently deleted |
| Audit logs | 365 days |
| Data exports | 7 days |
Audit Logging (Art. 30)
All processing activities related to your personal data are logged in a comprehensive audit trail. You can view your personal audit log at any time. Tracked actions include:
- Consent given and withdrawn (GDPR and marketing separately)
- Data export requests
- Account deletion and anonymization
- Data access events
International Data Transfers
Our platform is hosted in the European Union. When we use third-party services (such as Stripe or Google Analytics) that may process data outside the EU, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.
Contact & Complaints
For any questions about our GDPR compliance or to exercise your data rights, contact our Data Protection Officer:
You also have the right to lodge a complaint with the Luxembourg data protection authority (CNPD — Commission nationale pour la protection des données) if you believe your rights have been violated.