Privacy Policy

How we handle your data.

What we collect, why we collect it, and the rights you have over your information on BashBop.

Last updated: 19 April 2026 | [email protected]

Introduction

At BashBop, we are committed to protecting your privacy while providing a comprehensive event management and vendor marketplace platform. This Privacy Policy explains how we collect, use, and protect your information across our various features including event management, vendor bookings, AI-powered analytics, payment processing, and real-time communication services.

1. Information We Collect

a. Account Information

  • Authentication Data: JWT tokens, Google OAuth information, and session data
  • Profile Information: Name, email, profile picture, preferences, and role-based access control data
  • Two-Factor Authentication: QR codes and 2FA setup information for enhanced security
  • Social Connections: Information from connected Google accounts

b. Event & Booking Information

  • Event Details: Event names, descriptions, locations, schedules, and capacity information
  • Guest Data: RSVP responses, attendance records, and guest preferences
  • Vendor Bookings: Service requests, vendor applications, job postings, and booking confirmations
  • Location Data: Venue information from Google Maps integration and geolocation data (with permission)
  • QR Codes: Information stored in QR codes for event access and check-in

c. Vendor Marketplace Data

  • Vendor Profile: Business name, service types, availability, hourly/day rates, packages, and location
  • Portfolio Content: Gallery images, video embeds, and descriptions uploaded to showcase services
  • Enquiries & Leads: Messages from organisers, event details, response times, and conversion metrics
  • Quotes: Pricing proposals, line items, terms, validity dates, and acceptance/rejection status
  • Vendor Bookings: Confirmed jobs, event dates, special requests, and completion status
  • Earnings Data: Revenue, platform commissions, payout history, and Stripe Connect account details
  • Reviews & Ratings: Customer reviews, star ratings, and review responses
  • Subscription Data: Subscription tier, billing cycle, and feature entitlements

d. Virtual Event & Communication Data

  • Stream Video Data: Video and audio content from Stream.io virtual events
  • Real-time Communication: WebSocket messages, chat data, and presence information
  • Email Communications: Nodemailer-sent notifications and marketing communications
  • SMS Messages: Twilio-sent SMS notifications and verification codes
  • Push Notifications: Real-time notifications and alerts

e. AI Analytics & Forecasting Data

  • Vendor Analytics: Performance metrics, completion rates, ratings, and response times
  • Revenue Forecasting: Historical booking data, seasonal patterns, and predictive analytics
  • Market Insights: Demand trends, pricing analysis, and competitive benchmarking
  • AI Usage Tracking: OpenAI API usage, token consumption, and cost analytics
  • Business Recommendations: AI-generated insights and optimization suggestions

f. Payment and Financial Information

  • Stripe Express Dashboard: If you connect your Stripe account, we facilitate secure access to your Stripe Express Dashboard for managing payouts. BashBop does not store your Stripe login credentials or sensitive payment data; all payment processing is handled directly by Stripe.
  • Fee Calculations: Service fees, payment processing fees, and currency conversion data
  • Transaction Records: Payment history, booking confirmations, and financial audit trails
  • Currency Data: XE.com API currency conversion rates and multi-currency support

g. Technical Information

  • Device Data: Browser type, operating system, device information, and IP addresses
  • Usage Analytics: Platform usage patterns, performance metrics, and feature utilization
  • Session Data: Redis-cached session information and authentication tokens
  • File Storage: AWS S3 stored images, documents, and user-generated content
  • Database Records: PostgreSQL stored user data, events, bookings, and platform interactions

2. How We Use Your Information

Virtual Events

Stream.io SDK integration for seamless virtual experiences and real-time communication

Event Management

Comprehensive event creation, guest management, and RSVP handling

Vendor Marketplace

Job posting system, vendor applications, and service booking management

Access Control

QR code scanning for event access, check-in, and security verification

Location Services

Google Maps integration for venue information and location-based services

AI Analytics

OpenAI-powered revenue forecasting, market insights, and business recommendations

Payment Processing

Stripe integration for secure payments, fee calculations, and payout management

Communication

Email notifications, SMS alerts, and real-time WebSocket messaging

4. Artificial Intelligence (AI) Disclosure

AI-Powered Features

BashBop uses artificial intelligence technologies provided by OpenAI to enhance your experience. We are committed to transparency about how AI is used on our platform.

How We Use AI:

  • Smart Vendor Recommendations: AI analyzes your event requirements to suggest the best-matched vendors
  • Revenue Forecasting: Vendors receive AI-powered predictions based on historical booking patterns
  • Market Insights: AI generates business intelligence reports including demand trends and pricing analysis
  • Content Generation: AI assists with quote descriptions, event summaries, and communication templates
  • Search Enhancement: Natural language processing improves search relevance and discovery

Data Processed by AI:

  • Event details (type, date, location, guest count, budget)
  • Vendor profiles (services, pricing, availability, performance metrics)
  • Booking history and patterns (anonymized and aggregated)
  • User preferences and search queries

Third-Party AI Provider:

We use OpenAI's API services (GPT models) to power our AI features. Data sent to OpenAI:

  • Is processed in accordance with OpenAI's Privacy Policy and Terms of Use
  • Is not used by OpenAI to train their models (we use their API with data usage opt-out)
  • Is transmitted securely using encryption
  • May be temporarily stored by OpenAI for up to 30 days for abuse monitoring

Data Processing Agreement (DPA)

BashBop Ltd has executed a Data Processing Agreement (DPA) with OpenAI in accordance with GDPR Article 28 requirements. This agreement ensures that OpenAI processes your personal data only on our documented instructions, maintains appropriate security measures, assists with data subject rights requests, and complies with all applicable data protection laws including UK GDPR and EU GDPR. OpenAI acts as a Data Processor on our behalf when processing your data through their API services.

Your Rights Regarding AI Processing:

  • Opt-Out: You can disable AI-powered features in your account settings
  • Human Review: You can request human review of any AI-generated recommendation or decision
  • Data Access: You can request a copy of data used in AI processing
  • Explanation: You can request an explanation of how AI recommendations were generated

Important: AI-generated content and recommendations are provided for informational purposes only. Final decisions regarding bookings, pricing, and vendor selection remain with you.

5. How We Share Your Information

We may share your information with:

  • Event Organisers & Vendors: When you register for events or book services, relevant information is shared with organisers and vendors
  • Service Providers: Third-party vendors who help us operate our platform:
    • Stripe for payment processing and Express Dashboard access
    • Stream.io for virtual events and real-time communication
    • Google for maps, OAuth authentication, and location services
    • OpenAI for AI analytics and business recommendations
    • Twilio for SMS notifications and communication
    • AWS S3 for secure file storage and image processing
    • XE.com for currency conversion services
  • Legal Authorities: When required by law or to protect our rights and safety
  • Business Transfers: In connection with mergers, acquisitions, or sale of assets (with notice to you)

We never sell your personal information to third parties for marketing purposes.

6. Data Retention

We retain your personal information for as long as necessary to:

  • Provide our services to you
  • Comply with legal obligations and financial regulations
  • Resolve disputes and enforce our agreements
  • Maintain audit trails for compliance purposes

Specific retention periods:

  • Account Information: Until account deletion, then up to 30 days for backup systems
  • Event Data: 7 years for events with financial transactions, 3 years for free events
  • Payment Data: As required by financial regulations (typically 7 years)
  • AI Analytics Data: 3 years for analytics and forecasting purposes
  • Vendor Booking Data: 5 years for business analytics and dispute resolution
  • Marketing Data: Until you unsubscribe or 3 years of inactivity
  • Audit Logs: 7 years for compliance and security monitoring

7. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

Universal Rights

  • Access: Request copies of your personal information
  • Rectification: Request correction of inaccurate information
  • Deletion: Request deletion of your personal information
  • Portability: Request transfer of your data to another service

GDPR Rights (UK/EU)

  • Restriction: Request limitation of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Automated Decision-Making: Opt out of automated profiling and AI analytics

CCPA Rights (California)

  • Know: Right to know what personal information is collected
  • Opt-Out: Right to opt out of sale of personal information
  • Non-Discrimination: Right not to be discriminated against for exercising privacy rights

To exercise these rights, contact us at [email protected] or through your account settings.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience:

Essential Cookies

  • JWT authentication and session management
  • CSRF protection and security validation
  • Load balancing and performance optimization
  • Redis session caching for improved performance

Functional Cookies

  • Remember your preferences and settings
  • Language and timezone settings
  • Accessibility features and user interface preferences
  • Two-factor authentication settings

Analytics Cookies

  • Understand how you use our platform
  • Improve our services and user experience
  • Measure the effectiveness of our features
  • Track AI usage and cost analytics

You can control cookies through your browser settings, though some features may not work properly if essential cookies are disabled.

9. International Data Transfers

Your personal information may be transferred and processed in countries other than your own. We ensure appropriate safeguards are in place:

  • Adequacy Decisions: Transfers to countries deemed adequate by relevant authorities
  • Standard Contractual Clauses: EU-approved contracts for international transfers
  • Binding Corporate Rules: Internal rules for multinational companies
  • Certification Schemes: Privacy frameworks like Privacy Shield successors

Our third-party service providers (Stripe, Stream.io, Google, OpenAI, etc.) maintain their own data protection standards and certifications.

10. Data Security

We implement comprehensive security measures to protect your personal information and continually update our practices to meet evolving security challenges:

Technical Safeguards

  • End-to-end encryption for data in transit (TLS 1.3)
  • AES-256 encryption for data at rest in PostgreSQL and Redis
  • JWT-based multi-factor authentication for account access
  • Enhanced CSRF protection with dual-validation strategy
  • Regular security audits and penetration testing
  • Real-time threat monitoring and intrusion detection
  • Automated vulnerability scanning and patching
  • Helmet security headers and request compression

Organizational Safeguards

  • Role-based access control and principle of least privilege
  • Regular mandatory employee training on data protection
  • Comprehensive incident response and breach notification procedures
  • Quarterly compliance assessments and security reviews
  • Vendor security assessment program for third-party services
  • Dedicated security team monitoring for emerging threats
  • Audit logging for all financial transactions and sensitive operations

Industry Standards

  • SOC 2 Type II compliance
  • ISO 27001 information security management
  • PCI DSS for payment processing through Stripe
  • GDPR, CCPA, and NDPR compliance
  • Financial audit trail requirements

11. Children's Privacy

Our platform is not intended for children under 13 years of age (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

For events that may include minors, event organisers are responsible for obtaining appropriate parental consent and ensuring compliance with applicable child protection laws.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will:

  • Post the updated policy on our website
  • Update the "Last Updated" date
  • Notify you via email for material changes
  • Provide notice through our platform

Your continued use of our platform after changes take effect constitutes acceptance of the updated policy.

13. Contact Information

For questions about this Privacy Policy or to exercise your privacy rights, contact us at:

Privacy Officer: [email protected]

General Support: [email protected]

Postal Address: BashBop Ltd, 27 Old Gloucester Street, London, WC1N 3AX, United Kingdom

Phone: +44 20 3807 6969

Data Protection Authorities

You have the right to lodge a complaint with your local data protection authority:

  • UK: Information Commissioner's Office (ico.org.uk)
  • EU: Your national data protection authority
  • US: State Attorney General or FTC
  • Australia: Office of the Australian Information Commissioner (oaic.gov.au)
  • Nigeria: Nigeria Data Protection Commission

14. Event Audience Lists

Organisers can upload a list of email contacts to an event (the "Audience List") and send those contacts a branded invite via BashBop.

Controller / processor roles

For data in an Audience List, the organiser is the data controller and BashBop is the data processor. Organisers warrant that they have a lawful basis (consent or legitimate interest) to contact each email on the list.

What we collect

  • Email address (required)
  • Full name and phone number (optional, if provided by the organiser)
  • Delivery state (queued, sent, failed, unsubscribed) and timestamps

Lawful basis

We process contact data on behalf of the organiser on the basis of the contract we have with them (Article 6(1)(b) UK GDPR). Each invite email includes the sender's identity and a one-click unsubscribe link in line with PECR and CAN-SPAM.

Unsubscribe

Every invite email includes a one-click unsubscribe link scoped to the specific event. Clicking it removes the contact from all future sends for that event immediately and is honoured across re-imports. Unsubscribes are retained indefinitely to prevent accidental re-contact.

Retention

Audience List data is retained for the lifetime of the event (so organisers can review sends and unsubscribes) and deleted on organiser request or when the event is permanently deleted. Unsubscribe records are kept beyond event deletion to honour the recipient's choice if the organiser re-uploads the same email to a future event.

Recipient rights

Recipients can request access, correction, or deletion of their data by emailing [email protected]. We will route the request to the relevant organiser (the controller) and confirm completion within the statutory timeframe.

15. Effective Date

This Privacy Policy is effective as of April 19, 2026.

Last updated: April 19, 2026

Your data, your control

Access, update, or delete your personal information any time from your account settings, or contact us to exercise your rights.

Your GDPR Rights

Under the General Data Protection Regulation (GDPR), you have specific rights regarding your personal data. We are committed to ensuring you can exercise these rights easily and transparently.

Right to Access

You have the right to request access to all personal data we hold about you. This includes:

  • What data we collect
  • Why we collect it
  • How we use it
  • Who we share it with
  • How long we keep it

How to exercise: Use the Data Access Request feature in your settings. We will respond within 30 days.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON). You can also request that we transfer this data to another service provider where technically feasible.

How to exercise: Use the Export Your Data feature in your settings to download your complete data package.

Right to Rectification

You have the right to request correction of inaccurate personal data and to have incomplete personal data completed.

How to exercise: Update your information directly in your account settings or contact us at [email protected]

Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances. Note that we may need to retain some information for legal or legitimate business purposes.

Deletion timeline: We provide a 30-day grace period after you request account deletion, during which you can cancel the request. After this period, your data will be permanently deleted.

How to exercise: Use the Delete Account feature in your settings.

Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

How to exercise: Contact us at [email protected]

Right to Object

You have the right to object to processing of your personal data for direct marketing purposes (including profiling) and processing based on legitimate interests.

How to exercise: Manage your email preferences in your account settings or click "unsubscribe" in any marketing email.

Response Times & Contact

  • Standard requests: We will respond to all GDPR requests within 30 days
  • Complex requests: May require up to 60 days (we will notify you if an extension is needed)
  • Data Protection Officer: For GDPR-related inquiries, email [email protected]
  • Complaints: You have the right to lodge a complaint with your local supervisory authority

Legal Basis for Processing

We process your personal data under the following legal bases:

  • Consent: For marketing communications and optional features
  • Contract: To provide our event management services
  • Legal Obligation: To comply with tax, accounting, and legal requirements
  • Legitimate Interest: To improve our services, prevent fraud, and ensure platform security

Questions about privacy?

We're Here to Help

If you have any questions about our privacy practices or would like to exercise your rights regarding your data, our team is ready to assist you.
