Privacy Policy

Last updated: May 28, 2026

This Privacy Policy describes how EventFlow Pty Ltd ('EventFlow', 'we', 'us', or 'our') collects, uses, discloses, and protects personal information. It applies to our website and to the EventFlow platform, a client planning portal that venues and their clients use to coordinate events.

We have voluntarily adopted the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act) and handle personal information to that standard. The APPs govern the way in which we collect, use, disclose, store, secure and dispose of personal information.

A copy of the Australian Privacy Principles may be obtained from the Office of the Australian Information Commissioner at https://www.oaic.gov.au/.
By creating an account or otherwise using the EventFlow platform, you acknowledge that you have read and understood this Privacy Policy.


Who this policy applies to
The EventFlow platform is used by two types of users:

  • Clients - the organisation that holds an EventFlow subscription (typically a venue).

  • End-Customers - individuals invited into the platform to collaborate on an event, whether by a Client or by another End-Customer, such as a Client's or End-Customer's customers, partners, and/or vendors.

EventFlow is a collaborative platform. The Client and the End-Customers it works with both contribute content to plan and manage events, and authorised users may invite further users to collaborate. The Client owns and is responsible for its event workspace and the users it and its End-Customers bring into it, and EventFlow processes the content in that workspace on the Client's instructions to deliver the service (see "Our role" below). Individuals who wish to access, correct, or delete information relating to a Client's event should contact the relevant Client in the first instance.


Our role
EventFlow handles personal information in two distinct roles:

  • As a processor. For the content that Clients and their End-Customers add to the platform to plan and manage events, the Client is responsible for that content and EventFlow processes it solely to deliver the service on the Client's instructions.

  • As a controller. For a limited set of information used to run our business — account administration, billing, and product analytics — EventFlow determines how that information is handled and does so in accordance with this policy.


What we collect and why
At a high level, we handle:

  • information used to set up and manage user accounts;

  • the content that Clients and their End-Customers add to the platform to plan and manage events;

  • billing information used to administer subscriptions; and

  • limited, pseudonymised information about how the platform is used.

We handle personal information for the primary purpose of providing and improving our services and communicating with our customers, and for related secondary purposes that you would reasonably expect. Information is collected in a number of ways, including directly from you, from other users you collaborate with, through your use of the platform and website, and from cookies and analytics. The platform's features evolve over time; this policy describes how we handle information generally, rather than every individual field or feature.


Sensitive information
Sensitive information is defined in the Privacy Act to include information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade or professional memberships, criminal record, or health.


Some information added to the platform may constitute sensitive information. Where it does, we treat it as sensitive, rely on the consent obtained by the Client for its collection, and use it only to deliver the service. We otherwise collect sensitive information only where you consent, or where the collection is required or authorised by law, and use it only:

  • for the primary purpose for which it was obtained;

  • for a directly related secondary purpose you would reasonably expect; or

  • with your consent, or where required or authorised by law.


Cookies, analytics, and AI
We use cookies and similar technologies to operate the website and platform and to understand how they are used. Our product analytics rely on pseudonymised identifiers and are not used to directly identify you.
We do not sell personal information. Any AI assistant features within the platform are made available only where enabled and disclosed; personal information is not used to train third-party AI models.


Disclosure of personal information
We may disclose personal information:

  • to the Client who owns the relevant event, and to users that Client authorises;

  • to the service providers we engage to operate the platform (see below);

  • where you consent to the disclosure; or

  • where required or authorised by law.

We engage the following service providers (sub-processors) to deliver the platform: Neon, Vercel, Cloudinary, Resend, Intercom, PostHog, Stripe, Ably, Inngest, and Amazon Web Services.

Each provider handles personal information under its own privacy terms. We may add or remove sub-processors from time to time, where this policy will be updated.


Data location and overseas disclosure
The content added to the platform to plan and manage events is stored and processed in Australia (Sydney). A limited number of the providers listed above process limited personal information overseas, solely to deliver specific functions such as email delivery, media hosting, customer support, payments, and pseudonymised analytics. Before disclosing personal information to an overseas recipient, we take reasonable steps under APP 8 to ensure it is handled consistently with the Australian Privacy Principles, including through contractual protections.


Security of personal information
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These steps include:

  • encryption of data in transit and at rest;

  • role-based access controls, with access limited to authorised personnel;

  • multi-factor authentication on administrative accounts;

  • dedicated management of secrets and credentials, which are not stored in our code;

  • logical separation of each Client's data within our platform; and

  • logging of authentication events and of data export and download actions.

No method of transmission or storage is completely secure, and while we take reasonable steps to protect personal information, we cannot guarantee absolute security.


Data breaches
We maintain an incident response process. If a data breach occurs that is likely to affect personal information, we will assess it and, where required, notify affected Clients and any relevant individuals or regulators as soon as reasonably practicable, and cooperate with affected Clients in meeting their obligations under the Notifiable Data Breaches scheme.


Retention and deletion

  • Client platform data — on termination of a Client's agreement, we will return and/or delete the content in the Client's workspace within a reasonable period, ordinarily within 30 days, subject to the terms of the relevant agreement. A structured export may be made available on request prior to deletion.

  • Our business records — billing and financial records of which EventFlow is the controller are retained for approximately 7 years, as required by Australian law.

When personal information is no longer needed for the purpose for which it was collected, and we are not required to retain it, we take reasonable steps to destroy or de-identify it.


Access and correction
You may request access to the personal information we hold about you, and ask us to update or correct it, subject to certain exceptions. End-Customers should direct requests relating to a Client's event to that Client, and we will assist the Client in responding. To make a request, please contact us in writing. We do not charge a fee to make a request but may charge a reasonable administrative fee for providing a copy. We may require identification before releasing information.


Keeping information accurate
We take reasonable steps to ensure the personal information we hold is accurate, complete, and up to date. If your information changes or is inaccurate, please let us know so we can update our records.


Changes to this policy
This policy may change from time to time. The current version is always available on our website, and the "Last updated" date above reflects the most recent change.


Complaints and enquiries
If you have any questions or complaints about this Privacy Policy or how we handle personal information, please contact us at hello@eventflow.com.au or via our contact page.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner at https://www.oaic.gov.au/.