Privacy Policy

Last updated: 2 June 2026

This Privacy Policy explains how Nordic — Social Stars (“we”, “us”) collects, uses, stores, and protects personal data when you visit nordicoslo.com (or nordic-bachata.vercel.app), purchase a ticket, or attend our event. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (personopplysningsloven).

1. Data Controller

The data controller responsible for processing your personal data is:

Nordic Bachata Events AS
Org.nr: 934 437 756
Verksgata 3, 0566 Oslo, Norway

We have not appointed a Data Protection Officer (DPO) — our processing does not meet the thresholds in GDPR Art. 37. You can reach the controller directly at the email above.

2. Personal Data We Collect

When you buy a ticket, we collect:

  • Name and email address
  • Country and dance role / level (optional, for the attendee mix)
  • Payment details — handled directly by Stripe; we never see or store your card number
  • QR ticket code and Wallet pass identifiers

When you sign in with Google or Apple (for the attendee account, admin tools, or onboarding wizard), we receive from the provider:

  • Email address
  • Display name and profile picture (where the provider returns them)
  • A signed authentication token, stored in a session cookie

If you opt in to the attendee directory or social features, we additionally store:

  • The profile fields you choose to share (city, dance level, social handles, and an optional profile photo — visible only to people you connect with)
  • Your connections, pending connection requests (incoming and outgoing), connection invite links, and the sessions you star on the schedule
  • In-app notifications you receive (e.g. “X wants to connect”), which include the display name of the attendee who triggered them
  • Push-notification subscription tokens (where you grant push permission)
  • Photos and captions you upload to the Photo Wall, and the photos you like there

Technical data we process automatically when you visit the site:

  • IP address — used briefly for rate-limiting, fraud prevention, and abuse logs
  • Browser, device type, and operating system (from request headers)
  • Service-worker installation and PWA install events
  • Anonymous traffic counts via Vercel Analytics — no cross-site tracking

3. How We Use Your Data

  • Issue your ticket, deliver the Apple/Google Wallet pass, and verify it on entry
  • Send event communications: schedule updates, city guide, urgent notices during the event
  • Operate the admin and onboarding tools used to run the festival
  • Protect the site from abuse (rate-limiting, fraud detection, session revocation)
  • Power optional social features (attendee directory, connections, push alerts) — only with your opt-in
  • Comply with Norwegian accounting and tax obligations

5. Third-Party Processors

We share specific data with the processors below. Each is bound by a data-processing agreement (DPA) where required. International transfers outside the EEA rely on Standard Contractual Clauses (SCCs) and, where available, the EU-US Data Privacy Framework.

  • Stripe Payments Europe Ltd. (Ireland, with US sub-processors) — payment processing. stripe.com/privacy
  • Google Ireland Ltd. — OAuth sign-in (admin, onboarding, and attendee accounts) and Google Wallet pass delivery. policies.google.com/privacy
  • Apple Distribution International Ltd. — OAuth sign-in and Apple Wallet pass delivery. apple.com/legal/privacy
  • Vercel Inc. (USA) — website hosting, privacy-friendly analytics, and Blob storage for uploaded images. vercel.com/legal/privacy-policy
  • Upstash Inc. (with EU data residency) — Redis storage for live event data (rate limits, schedule patches, attendee directory). upstash.com/trust/privacy-policy
  • MET Norway — weather data for the event page. No personal data is sent to MET; the call is server-to-server.
  • hCaptcha (Intuition Machines, Inc.) (USA) — anti-abuse CAPTCHA on anonymous posts to the Lost & Found board. Receives your IP address and a challenge token. hcaptcha.com/privacy

6. Data Retention

  • Ticket and payment records: 5 years after the financial year ends (Norwegian bookkeeping law). This legal obligation overrides erasure requests for these specific records.
  • Sign-in session tokens: up to 30 days (rolling — the session refreshes while you stay signed in; signing out ends it immediately)
  • Attendee-directory profile data, connections, and starred sessions: deleted automatically about one month after the event (by 8 July 2026)
  • Photo Wall posts (image + caption) and your photo likes: removed when you delete your data; the wall itself is cleared within about a week of the event
  • In-app notifications: auto-expire about a week after they arrive, and are removed when you delete your data
  • Push-notification tokens: until you revoke push permission, uninstall the app, or delete your data (whichever comes first)
  • Waitlist sign-ups: removed when you delete your data, otherwise cleared after the event
  • Onboarding submissions (organizer/partner content): 12 months after your last edit, then automatically deleted
  • Anonymous traffic data (Vercel Analytics): only loaded if you accept analytics cookies; aggregated only, no per-user retention

You may request earlier deletion at any time — see Section 7.

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Access — receive a copy of the data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion (subject to retention obligations)
  • Restriction — limit how we process your data
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — at any time, without affecting prior lawful processing

To exercise any of these rights, email hello@nordicbachata.no. We respond within 30 days.

You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.

8. Cookies and Local Storage

We use a small number of cookies and storage entries — all either essential or based on legitimate interest:

  • authjs.session-token — admin / onboarding / attendee OAuth session (essential)
  • Service-worker cache — offline schedule and event data (essential, no personal data)
  • Vercel Analytics — anonymous aggregate traffic (no cross-site tracking; loaded only after you accept)
  • Vercel Speed Insights — anonymous Core Web Vitals performance metrics (no cookies; loaded only after you accept)

We do not use advertising or third-party tracking cookies.

9. Security

We protect your data with TLS encryption in transit, rate-limiting against abuse, Argon2id-hashed credentials for any break-glass paths, signed and rotated session tokens, and strict role-based access control. Session revocation is enforced on every privileged action.

No system is perfectly secure. If a breach affects you, we will notify you within 72 hours per GDPR Art. 33–34 and inform the Norwegian Data Protection Authority.

10. Children

This event and website are intended for adults (18+) and minors attending with a guardian. We do not knowingly collect personal data from children under 13. If you believe a child has provided data, email us and we will delete it.

11. International Transfers

Some of our processors are based in or transfer data to the United States (Stripe, Google, Apple, Vercel). These transfers rely on the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. You can request copies of the relevant transfer safeguards at hello@nordicbachata.no.

12. Changes to This Policy

We may update this policy as our practices evolve. The “Last updated” date at the top reflects the most recent change. We will notify ticket holders by email of material changes at least 14 days before they take effect.

13. Contact

For privacy questions or to exercise your rights, contact:

hello@nordicbachata.no