Last updated: April 2026.
This policy explains how Scangate processes personal data in line with the UK/EU GDPR framework and applicable national law.
Data controller
Scangate, whose full identity and contact details are given in the legal notice, is the controller for account data and service operation. For data entered on a public event registration form (guests), the event organiser is also a controller for that event’s purposes; for questions about guest data, contact the relevant organiser.
Data we collect
Organiser account: name, email, country, language, technical identifiers. Events: name, date, location, capacity, categories, status. Online registrations: name, email, phone, party size, optional participant names, registration status. Check-in: timestamp of scan. Payments: Stripe transaction identifiers and plan tier (card numbers are not stored on our servers).
Legal bases
Performance of a contract or pre-contract steps for account creation and service delivery. Legitimate interests for security, abuse prevention and service improvement, balanced against your rights. Legal obligations where applicable. For guests, processing is mainly based on pre-contract/contract steps with the organiser and, where required, your consent for specific communications.
Purposes
Run accounts and events, enable public registration, send QR codes and transactional email, operate check-in, process plan payments, provide support and meet legal obligations.
Processors and sub-processors
Database and authentication: Supabase (EU region as configured in the project). Payments: Stripe. Transactional email: Resend or SMTP depending on configuration. The Scangate web application runs on a dedicated VPS located in Germany, operated by the publisher. These providers process data on our instructions under GDPR-compliant terms.
Location
Application servers for Scangate are in Germany (dedicated VPS). Supabase stores project data in the European Union (configured EU region). Some features (e.g. Stripe, email) may involve transfers outside the EU/EEA; where that happens, appropriate safeguards such as Standard Contractual Clauses apply.
International transfers
Where data is transferred to countries without an adequacy decision, we rely on GDPR mechanisms (including Standard Contractual Clauses) and vendor documentation.
Retention
Event and guest data are kept only as long as needed to run the event, then deleted or anonymised per configured schedules (default: deletion 90 days after the event date unless law or evidence requires longer). Account data is kept while the account is active, then removed within reasonable technical delays after deletion.
Your rights
You may exercise your rights of access, rectification, erasure, restriction, objection and portability where applicable, and withdraw consent where processing is consent-based. Contact: hello@scangate.app. You may lodge a complaint with your local supervisory authority (in the UK: ICO at ico.org.uk).
Sale and profiling
We do not sell your personal data. There is no broad advertising profiling; processing is limited to delivering the event product.
Cookies
Strictly necessary cookies for authentication and core site operation. No third-party advertising cookies in the standard product.
Complaints
Contact hello@scangate.app for any privacy question. If unresolved, you may contact your data protection supervisory authority.
Children
The product is aimed at professional or association organisers. Public registration is not directed at children without parental consent where required by law.
Our commitment
We apply appropriate technical and organisational measures (encryption in transit, access control, data minimisation). This policy may be updated; see the date at the top of the page.