Privacy Policy

Last updated: March 11, 2026

Cirql ("we", "us", or "our") provides the Wéini event platform. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services. We are committed to complying with the General Data Protection Regulation (GDPR) and applicable Luxembourg data protection laws.

1. Data We Collect

When you create an account or use our platform, we collect the following personal data:

  • First name and last name
  • Email address
  • Password (securely hashed — we never store plaintext passwords)
  • IP address (recorded at registration and when giving consent)
  • Avatar image (optional)
  • Payment information (processed by Stripe — we store only a Stripe customer ID, not card details)

We also automatically collect:

  • Browser user agent for audit logging
  • Timestamps of your activity (registration, consent, logins)
  • Usage data via Google Analytics (anonymized)

2. How We Use Your Data

  • Create and manage your account
  • Process event registrations and issue tickets with encrypted QR codes
  • Facilitate payments through Stripe
  • Maintain security and prevent fraud
  • Comply with legal obligations and GDPR audit requirements
  • Send marketing communications (only with your explicit consent)

3. Third-Party Services

We share data with the following third-party processors:

  • Stripe — Payment processing. Stripe receives your payment details directly and is an independent data controller. See Stripe's privacy policy.
  • Google Analytics — Website analytics. Collects anonymized usage data to help us improve the platform.
  • Google AdSense — Advertising. May use cookies to display relevant ads.

Each third-party service operates under its own privacy policy and data protection practices.

4. Data Security

  • Passwords are securely hashed using industry-standard algorithms before storage
  • Ticket QR codes are encrypted with application-level encryption
  • Authentication uses secure, encrypted tokens that are never exposed in URLs
  • All GDPR-related actions are logged in a tamper-evident audit trail

5. Data Retention

  • Active account data: retained while your account is active
  • Anonymized accounts: permanently deleted after 30 days
  • Audit logs: retained for 365 days, then automatically cleaned up
  • Data exports: available for download for 7 days, then deleted

6. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of your data in JSON or CSV format
  • Right to rectification — update your profile information at any time
  • Right to erasure — request deletion. Your data is anonymized and then permanently removed after a grace period.
  • Right to data portability — export your data in machine-readable formats
  • Right to restrict processing — withdraw your consent at any time
  • Right to object — opt out of marketing communications independently from GDPR consent

You can exercise these rights directly in your account settings or by contacting us.

7. Contact Us

For any privacy-related questions, data requests, or concerns, contact our Data Protection Officer:

[email protected]