On Deen Group Ltd. (trading as “Ondean”) – Data Privacy Policy

Version 0.3 – 11 May 2025

1  Introduction

On Deen Group Ltd. (trading as “Ondean”, "Company", "we", "our", "us"; UK Company No. 15865779) provides a cloud‑based event‑management application (the "Service") to organisers and attendees worldwide. We are committed to protecting your privacy and handling personal data in accordance with:

• United Kingdom GDPR (UK GDPR) & Data Protection Act 2018
• EU General Data Protection Regulation 2016/679 (EU GDPR)
• Relevant United States state privacy laws (e.g., CCPA / CPRA)
• Applicable privacy regimes in the Middle East & Asia‑Pacific

This Policy explains what data we collect, why, how long we keep it, where we process it, and what rights are available to you.

2  Scope

This Policy applies to all personal data processed when you:

• register for or use the Service,
• visit our websites or mobile apps,
• receive e‑mails, push notifications, or in‑app messages from us, or
• otherwise interact with Ondean online or offline.

We do not knowingly collect information from children under 16 (EU/UK) or 13 (US). If you believe we have done so, please notify us immediately so we can delete the data.

3  Data We Collect & Retain

Category	Typical Fields	Source	Lawful Basis*	Retention**
Account / Contact	Name, e‑mail, phone, organisation, password hash	Provided by user	Contract; Consent	Account lifetime + 6 yrs (HMRC legal/tax)
Payment	Tokenised card data, billing address, last 4 digits, transaction ID	Payment processor	Contract; Legal obligation	7 yrs (financial regulations)
Location (optional)	GPS coordinates, city, venue check‑in time	Mobile device	Consent	30 days (aggregated or anonymised thereafter)

* See Section 4 for details on lawful bases.
** Retention periods follow UK event‑industry norms & HMRC guidance.

4  Purposes & Lawful Bases of Processing

1. Account creation & authentication – enable registration and secure sign‑in (Contract).
2. Ticketing & payments – process purchases, refunds, invoicing (Contract; Legal obligation).
3. Event check‑in & safety – verify attendance, manage capacity, comply with fire‑code or public‑health regulations (Legitimate interest; Legal obligation).
4. Service optimisation & security – analyse usage, prevent fraud, secure our infrastructure (Legitimate interest).
5. Marketing (optional) – send newsletters or event recommendations only with your explicit opt‑in consent (Consent; you may unsubscribe at any time).

5  Data Sharing & International Transfers

We never sell personal data. Limited sharing occurs with:

• Cloud hosting & support – Amazon Web Services (AWS) EU‑West‑2 (London) primary region; fallback disaster‑recovery replicas in AWS us‑east‑1 safeguarded by UK International Data Transfer Agreement (IDTA) & EU Standard Contractual Clauses (SCCs).
• Payment processing – Stripe Payments UK Ltd. Processes card data under PCI‑DSS.
• Analytics & error monitoring – first‑party, pseudonymised; no raw personal data shared.

All vendors are bound by written Data Processing Agreements that mirror this Policy. Cross‑border transfers employ one or more safeguards: adequacy decisions, SCCs, IDTA, or explicit consent.

6  Security Measures & Breach Notification

• TLS 1.3 encryption in transit; AES‑256 encryption at rest.
• Zero‑knowledge password hashes (bcrypt, work factor 12).
• Role‑based access control & least‑privilege IAM.
• Quarterly penetration tests; continuous security monitoring.
• Data‑flow mapping & threat‑modelling per Livraga (2017) privacy‑engineering framework.
• Breach notification: we will notify the UK ICO and/or relevant supervisory authority within 72 hours of becoming aware of a personal‑data breach, and affected users without undue delay when required by law.

7  Retention & Deletion

We retain personal data only for as long as necessary for the purposes in Section 4 or to meet statutory obligations. When retention periods expire, data is securely erased or irreversibly anonymised. You may request earlier erasure unless we must keep the data (e.g., for accounting or legal claims).

8  Your Rights

Depending on your jurisdiction, you may:

1. Access – obtain a copy of your personal data.
2. Rectify – correct inaccurate or incomplete data.
3. Erase – request deletion (“right to be forgotten”).
4. Restrict – limit processing under certain conditions.
5. Portability – receive data in a structured, machine‑readable format.
6. Object – to processing based on legitimate interest or for direct marketing.
7. Withdraw Consent – at any time, without affecting prior lawful processing.
8. Lodge a Complaint – with the UK Information Commissioner’s Office (ICO) or your local supervisory authority.

Submit requests by e‑mail to mbz@ondeen.app. We respond within 30 days.

9  Cookies & Tracking Technologies

We use only:

• Strictly‑necessary cookies – essential for site functionality.
• First‑party analytics cookies – anonymous, aggregated usage statistics.

A detailed Cookie Notice appears on first visit with granular consent controls.

10  Automated Decision‑Making & Profiling

Ondean does not engage in automated decision‑making that produces legal or similarly significant effects on individuals. Profiling is limited to non‑intrusive segmentation for service usage analytics.

11  Changes to This Policy

We may update this Policy to reflect legal, technical, or business changes. Material changes will be announced 30 days in advance via e‑mail and in‑app notice. The “Version” field at the top indicates the most recent revision.

12  Contact & EU Representative

Data Protection Officer (DPO)
On Deen Group Ltd. (trading as Ondean)
Company No. 15865779
1 Tech Way, London EC2A 4AA, United Kingdom
📧 mbz@ondeen.app

Where required, our appointed EU representative under Article 27 GDPR is:
Privacy Trust Services BV, Nieuwezijds Voorburgwal 104, 1012 SG Amsterdam, Netherlands (eu‑rep@privacytrust.eu**)

If you have questions about this Policy or your privacy, please contact our DPO.

© 2025 On Deen Group Ltd. All rights reserved.