Legal & privacy

Data processing terms

The baseline processing commitments that apply when an organiser uploads guest information.

Last updated: 13 July 2026

Operator detail pendingThe operator’s full legal name and service address must be added before paid public launch. Questions and privacy requests can already be sent to info@simpleseatfinder.com.

Roles and instructions

The organiser is the controller for its event guest data and Simple Seat Finder is the processor. We process that data only to provide, secure, support and delete the service according to the organiser’s use of the product and these documented terms, unless law requires otherwise.

People and data covered

Data subjects are event guests, organiser staff and invited team members. Data may include names, seating assignments, RSVP status, tags, notes and optional dietary information. Processing includes import, storage, organisation, lookup, export and deletion for the duration of the account or event retention period.

Confidentiality and security

Access is limited to authorised personnel and providers bound by confidentiality. Technical measures include encrypted transport, Supabase row-level security, restricted privileged functions, exact-name public lookup, hashed rate-limit logs, deployment checks and deletion controls.

Sub-processors

Current core sub-processors are Supabase, Railway, Stripe and Resend. We may replace or add a provider needed to operate the service, provided equivalent data-protection obligations apply. Customers may object on reasonable data-protection grounds by contacting us promptly after notice of a material change.

International transfers

The primary database is hosted in London. A provider or its sub-processors may process limited information elsewhere. Where required, transfers must use an applicable adequacy decision, contractual safeguards or another lawful transfer mechanism.

Assistance, incidents and requests

Taking account of the service and information available, we will reasonably assist the organiser with data-subject requests, security incidents, assessments and regulator enquiries. We will notify the organiser without undue delay after becoming aware of a personal-data breach affecting its guest data.

Deletion and return

Organisers can export event information and delete archived events. Archived events are automatically deleted after 90 days and eligible account deletion removes solo-workspace data. Limited information may remain in provider backups until normal backup expiry or where law requires retention.

Audit information

We will provide information reasonably necessary to demonstrate these obligations. Any additional audit must be proportionate, protect other customers and system security, use existing independent reports first, and be arranged with reasonable notice.