Privacy Policy

NetWorks is a speed networking platform that connects professionals through intelligently matched meetings at events and conferences. NetWorks is operated by ExpoPlatform Limited.

This Privacy Policy explains how ExpoPlatform Limited ("we", "us", "ExpoPlatform") collects, uses, shares and protects personal data when you use the NetWorks website (networksevents.com) (the "Website") and/or the NetWorks speed networking platform (the "Platform").

This policy is designed to comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR, Regulation 2016/679), the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG"), the German Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, "TTDSG"), and other applicable data protection and privacy laws.

If you are participating in a networking session organised by a third-party event organiser, that organiser may also provide their own privacy notice explaining how they use your data for the event. This policy explains ExpoPlatform's processing and how controller/processor roles work.

1. Who We Are

ExpoPlatform Limited
Company number: 8709065
Registered office: 28 Chesterton Road, Cambridge, CB4 3AZ, United Kingdom

NetWorks is a product of ExpoPlatform Limited.

Data Protection Officer (appointed under Article 37 UK GDPR / Article 37 EU GDPR / §38 BDSG): gdpr@expoplatform.com

Support: support@expoplatform.com

Marketing opt-out enquiries: marketing@expoplatform.com

2. Key Definitions

"Organiser" means a professional event organiser, association, conference host, or other business customer that uses the Platform to run speed networking sessions at their events.

"Attendee" means an individual who participates in a networking session on the Platform, or who uses the Website.

"Networking Session" means a structured speed networking event configured by an Organiser on the Platform.

"Personal data" means any information relating to an identified or identifiable natural person (Article 4(1) UK GDPR / EU GDPR).

"Controller", "Processor" and "Joint Controllers" have the meanings given in Article 4(7), 4(8) and Article 26 of the UK GDPR / EU GDPR respectively.

"Special category data" means personal data as defined in Article 9(1) EU GDPR / UK GDPR, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.

3. Our Roles: Controller, Processor, and When They Apply

ExpoPlatform can act as:

• a processor (processing personal data on behalf of an Organiser under Article 28 UK GDPR / EU GDPR);
• a controller (processing personal data for our own purposes under Article 4(7) UK GDPR / EU GDPR); or
• in limited cases, a controller alongside an Organiser where each party determines the purposes and means of its own processing activities independently.

3.1 When ExpoPlatform is a processor (Organiser is controller)

When an Organiser deploys the Platform to run a Networking Session, the Organiser typically decides which participants are uploaded, what personal data is collected, and how it is used for the event. In those cases, ExpoPlatform processes personal data on behalf of the Organiser to provide the Platform, in line with the Organiser's instructions and a written data processing agreement that meets the requirements of Article 28(3) UK GDPR / EU GDPR.

3.2 When ExpoPlatform is a controller

ExpoPlatform acts as a controller (Article 4(7)) when we process personal data for our own purposes, including:

• operating, maintaining, supporting and securing the Website and Platform;
• preventing fraud, abuse and security incidents;
• running the matching algorithm and optimising meeting schedules;
• improving the Platform (including using pseudonymous usage metrics and statistics);
• providing customer support; and
• communicating with Attendees about their Networking Sessions (meeting confirmations, reminders, and session updates).

3.3 When an Organiser is a controller and ExpoPlatform is also a controller (independent purposes)

Even where an Organiser is the controller for event data, ExpoPlatform may independently process certain data as a controller for its own limited purposes (for example: security logs, fraud prevention, service integrity, matching optimisation, and platform improvement). In this scenario, each party acts as an independent controller with respect to its own processing purposes, and each is responsible for complying with its own obligations under applicable data protection law.

3.4 Joint controller arrangements (Article 26 UK GDPR / EU GDPR)

We aim to structure processing so that responsibilities are clear (for example: Organiser as controller and ExpoPlatform as processor; or each party as an independent controller for its own purposes).

If, in a specific context, ExpoPlatform and an Organiser jointly determine the purposes and means of a processing activity within the meaning of Article 26 UK GDPR / EU GDPR, we will enter into a written joint controller arrangement before the relevant processing begins. That arrangement will set out:

• each party's respective responsibilities for compliance, including obligations under Articles 12–14 (transparency and information), Articles 15–22 (data subject rights), and Article 32 (security);
• which party is the contact point for data subjects;
• the allocation of liability between the parties; and
• how the essence of the arrangement will be made available to data subjects.

The essence of any such arrangement will be made available to data subjects on request or through an appropriate notice.

4. If You Are an Organiser (Our Business Customer)

If you are an Organiser or work for an Organiser, we process your personal data as a controller for the following purposes and lawful bases:

• set up accounts and access — Article 6(1)(b) EU GDPR / UK GDPR (performance of a contract);
• manage contracts, billing, renewals and service delivery — Article 6(1)(b) (performance of a contract);
• provide training, support and customer success — Article 6(1)(f) (legitimate interests: ensuring effective use of the Platform);
• communicate service updates, security notices and operational messages — Article 6(1)(f) (legitimate interests: keeping you informed of matters affecting your use of the Platform); and
• carry out B2B marketing where permitted (see section 17) — Article 6(1)(f) (legitimate interests) and/or consent under Article 6(1)(a) where required by local law.

Typical data: name, work email, work phone number, organisation, role/permissions, communications, support tickets, and (if relevant) invoices/receipts and payment status.

5. If You Are an Attendee (Participant in a Networking Session)

5.1 Organiser as controller

If you participate in a Networking Session, the Organiser who set up the session is typically the controller (Article 4(7)) for personal data they uploaded or collected to run the event (for example: your name, email, company, job title, and participation details).

You should refer to the Organiser's privacy notice for details of their processing, and contact the Organiser to exercise rights relating to Organiser-controlled event data.

5.2 ExpoPlatform as controller in the networking context (limited purposes)

ExpoPlatform may process certain data as a controller for limited purposes such as:

• ensuring Platform security and integrity;
• troubleshooting, service monitoring and support;
• fraud prevention and abuse detection;
• running the matching algorithm (see section 8);
• sending you communications about your Networking Session (meeting schedules, reminders, confirmations); and
• improving the Platform using pseudonymous usage metrics/statistics.

5.3 How the Organiser provides your data to us (Article 14 compliance)

Your Organiser may upload your personal data (such as name, email, company, job title, and interests) to the Platform to set up a Networking Session. Where we receive personal data from the Organiser (rather than directly from you), we will actively provide you with the information required by Article 14 UK GDPR / EU GDPR. We do this by:

• including a clear reference to this Privacy Policy (with a direct link) in the first communication we send to you (for example, in the meeting schedule notification or session invitation email); and
• in any event, within one month of receiving the data, whichever is sooner.

This ensures that the information is proactively delivered to you and not merely passively available.

5.4 Visibility to other participants

The Platform supports professional networking. Depending on the Organiser's configuration and your session settings:

• other participants in the same Networking Session may see your name, company, job title and interests;
• your matched meeting partners will see your profile and meeting schedule; and
• your match votes and preferences are not visible to other participants.

5.5 Special category data

We do not intentionally collect special category data (Article 9(1) UK GDPR / EU GDPR) through the Platform. If an Organiser collects such data (for example, dietary requirements or accessibility needs for the event), the Organiser is the controller for that data and ExpoPlatform processes it only as a processor on the Organiser's documented instructions, with the Organiser responsible for identifying the applicable Article 9(2) exception.

6. Personal Data We Collect

Depending on your relationship with us, we may collect:

6.1 Data you provide

• account/profile data (name, email, phone, company, job title, photo, biography, interests, networking preferences);
• networking preferences (topics of interest, types of connections sought, availability, meeting preferences);
• session activity (match votes, meeting feedback, ratings);
• communications (enquiries, support requests, survey responses); and
• consent preferences (marketing preferences, cookie preferences).

6.2 Data we collect automatically

• device and technical data (device type, OS, browser, language/timezone, IP address, identifiers);
• usage and log data (feature usage, session activity, clicks/interactions, errors, security logs, authentication events); and
• cookies and similar technologies (see section 16).

6.3 Data we receive from others

• from Organisers (participant data for a specific Networking Session, including name, email, company, job title, interests);
• from integrations/partners if you connect accounts or tools.

Where we receive personal data about you from an Organiser or other third party rather than directly from you, we will actively provide this policy to you in accordance with section 5.3.

7. How We Use Personal Data and Our Lawful Bases

We use personal data for the purposes below. For each purpose, we identify the specific lawful basis under Article 6(1) UK GDPR / EU GDPR and, where we rely on legitimate interests (Article 6(1)(f)), we set out the interest pursued, why the processing is necessary for that interest, and why it does not override the data subject's interests, rights and freedoms.

7.1 Provide the Platform and services

Purpose: create and manage accounts and access; provide platform functionality and customer support; send essential service communications (meeting schedules, reminders, session updates).

Lawful basis (where you have a direct contractual relationship with us): Article 6(1)(b) — performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Lawful basis (where the Organiser has the contractual relationship and you are a participant): Article 6(1)(f) — legitimate interests.

Legitimate interests balancing test:

• Interest pursued: delivering the Platform service that the Organiser has contracted for and that the Attendee has been enrolled in, including providing account access, platform functionality, and session-related communications.
• Necessity: this processing is necessary because without it, the Attendee cannot participate in the Networking Session or receive their meeting schedule.
• Balancing: we consider that Attendees' rights and freedoms are not overridden because: (i) the data processed is limited to professional profile information and session activity; (ii) the processing is directly related to the purpose for which the data was provided (participation in a networking session); (iii) Attendees are informed of the processing through this policy; and (iv) the processing does not involve profiling with legal or similarly significant effects.

7.2 Run the matching algorithm

Purpose: analyse attendee profiles, interests and preferences to create optimised meeting schedules.

Lawful basis: Article 6(1)(f) — legitimate interests.

Legitimate interests balancing test:

• Interest pursued: providing the core speed networking service by generating optimised meeting matches, which is the fundamental purpose of the Platform.
• Necessity: the matching algorithm is essential to the Platform's function. Without it, meetings cannot be intelligently scheduled, and the service's core value proposition cannot be delivered.
• Balancing: we consider that Attendees' rights and freedoms are not overridden because: (i) the algorithm uses only professional profile data (company, job title, industry) and preferences that Attendees have expressly stated; (ii) Attendees can vote on matches and provide feedback, retaining meaningful human involvement; (iii) the outputs are meeting suggestions, not binding decisions; (iv) no special category data is used; (v) a Data Protection Impact Assessment has been conducted (see section 14); and (vi) Attendees have the right to object and to request meaningful information about the algorithm's logic (see section 8.4).

See section 8 for further detail on the algorithm and automated decision-making.

7.3 Security, fraud prevention and service integrity

Purpose: monitor, detect and prevent abuse, fraud and security incidents; maintain audit logs and investigate technical issues.

Lawful basis: Article 6(1)(f) — legitimate interests (to protect the Platform, Organisers and Attendees from security threats and misuse); and Article 6(1)(c) — compliance with a legal obligation (where required by law, for example under network security or data breach notification requirements).

Legitimate interests balancing test:

• Interest pursued: protecting the Platform, our business, and all users from fraud, abuse, and security incidents.
• Necessity: security monitoring and audit logs are essential to detect and respond to threats. Without them, we cannot maintain the integrity of the Platform.
• Balancing: we consider that data subjects' rights are not overridden because: (i) the data used for security purposes (primarily logs, IP addresses, authentication events) is limited to what is necessary; (ii) security data is not used for marketing or profiling; (iii) retention periods are defined and limited (see section 11); and (iv) there is a strong expectation that a professional platform will maintain reasonable security.

7.4 Platform analytics and improvement

Purpose: analyse Platform performance and usage trends; improve product functionality and user experience; train and improve the matching algorithm.

Lawful basis: Article 6(1)(f) — legitimate interests.

Legitimate interests balancing test:

• Interest pursued: continuously improving the Platform to deliver a better service to Organisers and Attendees.
• Necessity: analytics and improvement require analysis of usage patterns to identify issues, opportunities, and areas for enhancement.
• Balancing: we consider that data subjects' rights are not overridden because: (i) we use pseudonymous or aggregated data wherever possible, minimising identifiability; (ii) analytics do not result in decisions about individual users; (iii) no special category data is used; and (iv) data subjects can object to this processing under Article 21.

7.5 Communications

Purpose: send Attendees meeting confirmations, schedule changes, reminders and session-related updates.

Lawful basis: Article 6(1)(f) — legitimate interests.

Legitimate interests balancing test:

• Interest pursued: ensuring Attendees are informed of their meeting schedule and any changes, which is necessary for the functioning of the Networking Session.
• Necessity: without these communications, Attendees would not know when and whom to meet, rendering the service unusable.
• Balancing: we consider that data subjects' rights are not overridden because: (i) these communications are strictly limited to session-related information; (ii) they are reasonably expected by anyone participating in a scheduled networking session; (iii) they do not contain marketing content; and (iv) Attendees can contact us to adjust communication preferences.

7.6 Marketing

Purpose: B2B marketing to Organisers and business contacts. Lawful basis: see section 17.

7.7 If you choose not to provide data

Some personal data is necessary to provide services (for example, an email address to create an account and receive your meeting schedule; interests and preferences to enable the matching algorithm). If you do not provide required information, we may not be able to include you in the Networking Session or provide the relevant service.

8. The Matching Algorithm and Automated Decision-Making

8.1 How the matching algorithm works

The Platform uses a hybrid approach combining rule-based logic and algorithmic optimisation to match Attendees into meeting slots. The algorithm considers:

• your stated interests and networking preferences;
• your professional profile (such as company, job title, industry);
• session configuration set by the Organiser (number of meetings, duration, participant groups); and
• scheduling constraints and optimisation goals.

8.2 What data the algorithm uses

The algorithm processes:

• profile data (name, company, job title, industry);
• stated interests and networking preferences;
• match votes and feedback from Attendees (where available); and
• session parameters configured by the Organiser.

No special category data (Article 9(1)) is used by the algorithm.

8.3 Automated decision-making and Article 22 UK GDPR / EU GDPR

The matching algorithm generates meeting suggestions and optimised schedules. We do not consider that this processing constitutes "solely automated decision-making" producing "legal effects" or "similarly significant effects" within the meaning of Article 22(1) UK GDPR / EU GDPR, for the following reasons:

• the process is not solely automated: Organisers configure session parameters and can adjust configurations; Attendees can vote on matches and provide feedback; and Organisers retain the ability to override or modify the generated schedule;
• the outputs are meeting suggestions rather than binding decisions: no contractual, legal, financial, or access-related consequences flow automatically from the matching;
• the matching relates to professional networking opportunities, not to decisions that determine access to services, financial outcomes, or other matters with legal or similarly significant effect on individuals.

However, recognising that the interpretation of "similarly significant effects" varies across EU member states (and that some supervisory authorities take a broader view), we adopt a precautionary approach and provide the following safeguards regardless of whether Article 22 strictly applies:

8.4 Your rights regarding the algorithm

Regardless of the Article 22 classification, you have the right to:

• request meaningful information about the logic involved in the matching, including the main factors and weighting principles the algorithm uses (Article 13(2)(f) / Article 14(2)(g));
• express your view about the matching outcomes and have your concerns considered by a human reviewer;
• request human intervention in reviewing your match results;
• contest the matching outcome if you believe it is unfair or inaccurate; and
• object to the profiling under Article 21(1) UK GDPR / EU GDPR.

To exercise any of these rights, contact gdpr@expoplatform.com or your Organiser.

9. Sharing and Disclosures

We may share personal data with:

9.1 Organisers

• participant data and meeting activity as determined by the Organiser;
• aggregated session analytics and statistics (such as attendance rates, meeting completion rates).

9.2 Other Attendees within a Networking Session

Where the Organiser has enabled a Networking Session, other participants may see your professional profile and matched meeting details (subject to session configuration).

9.3 Service providers (processors)

We use service providers to help us operate the Website and Platform (for example: hosting and infrastructure, email delivery, analytics, security tooling, customer support systems, and CRM/sales tooling).

These providers process personal data on our behalf under data processing agreements that meet the requirements of Article 28 UK GDPR / EU GDPR.

Our current service providers include, but are not limited to:

• Google – authentication services (Single Sign-On) and CAPTCHA protection
• Amazon Web Services (AWS) – cloud hosting and infrastructure
• Microsoft – authentication services (Single Sign-On)
• Stripe – payment processing
• Xero – invoicing and accounting related to payments

9.4 Professional advisors

We may share personal data with our professional advisors (for example, legal, accounting, insurance), who are bound by professional confidentiality obligations. Lawful basis: Article 6(1)(f) — legitimate interests (obtaining professional advice).

9.5 Legal and corporate disclosures

We may disclose personal data where required by law (Article 6(1)(c) — legal obligation), to protect rights and safety (Article 6(1)(f) — legitimate interests), or in connection with a business transaction (e.g., merger, acquisition, asset sale — Article 6(1)(f), with appropriate safeguards including confidentiality agreements).

We do not sell personal data.

10. International Transfers

We are a UK company and primarily host and process Platform data in the EU (Ireland).

However, personal data may be accessed or processed outside the UK/EEA in some cases, including:

• where we use suppliers or systems that operate globally; and/or
• where authorised staff (including staff located outside the UK/EEA) access systems to provide support, security operations, or administration.

10.1 Transfer safeguards

Where we transfer personal data outside the UK/EEA to countries that have not received an adequacy decision from the UK Government or the European Commission, we ensure the transfer is lawful by using one or more of the following mechanisms:

• EU Standard Contractual Clauses (SCCs) adopted under Article 46(2)(c) EU GDPR;
• UK International Data Transfer Agreement (IDTA);
• UK Addendum to EU Standard Contractual Clauses.

10.2 Transfer impact assessments

In accordance with the requirements set out by the Court of Justice of the European Union in Schrems II (Case C-311/18) and subsequent guidance from the European Data Protection Board (EDPB) and German supervisory authorities, we conduct transfer impact assessments before transferring personal data to third countries. These assessments evaluate:

• the laws and practices of the destination country (including government surveillance and access powers);
• whether the transfer mechanism (e.g., SCCs) provides essentially equivalent protection in practice; and
• what supplementary technical and organisational measures are necessary, which may include encryption in transit and at rest, pseudonymisation, access controls, and data minimisation.

10.3 Supplementary measures

Where a transfer impact assessment identifies that the standard transfer mechanism alone does not provide essentially equivalent protection, we implement supplementary measures including (as appropriate): strong encryption, strict access controls, data minimisation, pseudonymisation before transfer, and contractual commitments regarding government access requests.

You can contact gdpr@expoplatform.com for more information about specific transfer safeguards, our transfer impact assessments, or copies of the relevant transfer mechanisms.

11. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy, in accordance with the data minimisation principle (Article 5(1)(e) UK GDPR / EU GDPR) and considering legal, accounting, security, dispute resolution, and contractual requirements.

Retention periods and justifications:

• Operational and security logs (access logs, authentication events, error logs): up to 2 years — justified by our legitimate interest in maintaining security, investigating incidents, and supporting contractual obligations under our service agreements.
• Event/networking session data (Attendee profiles, meeting schedules, match results): retention is determined by the Organiser (controller), subject to the Organiser's own retention policies and legal basis. Where ExpoPlatform retains copies for its own controller purposes (e.g., algorithm improvement using pseudonymous data), we retain only pseudonymous or aggregated data and delete identifiable copies within 12 months of the session, unless a longer period is required by law.
• Organiser CRM and business contact data: up to 3 years from last meaningful engagement — justified by our legitimate interest in maintaining business relationships and the typical duration of commercial cycles in the events industry.
• Financial and billing records: up to 7 years — justified by legal obligation (UK Companies Act 2006, HMRC requirements, and equivalent requirements under German tax law (Abgabenordnung §147)).
• Inactivity: Attendee accounts will be deleted after 3 years of inactivity.

When personal data is no longer required, we securely delete or irreversibly anonymise it using methods appropriate to the data type and storage medium.

12. Security

We use appropriate technical and organisational measures to protect personal data (Article 32 UK GDPR / EU GDPR), including:

• ISO 27001 certification (verifiable via the UKAS website);
• encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
• role-based access controls;
• multi-factor authentication for administrative access;
• regular penetration testing and vulnerability assessments;
• incident response and breach management procedures; and
• staff training on data protection and information security.

However, transmission of information over the internet is not completely secure and we cannot guarantee the security of data transmitted to or through the Platform/Website.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 UK GDPR / EU GDPR.

Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify affected individuals without undue delay (Article 34), unless an exception applies (for example, where appropriate technical measures render the data unintelligible to unauthorised persons).

Where we are acting as a processor on behalf of an Organiser, we will notify the Organiser of the breach without undue delay (Article 33(2)) so that they can fulfil their own notification obligations.

Where users are located in Germany, we will additionally comply with any notification requirements under §65 BDSG.

14. Data Protection Impact Assessments

Where processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35 UK GDPR / EU GDPR), we carry out Data Protection Impact Assessments (DPIAs) before the processing begins.

We have conducted a DPIA for the matching algorithm, covering: the systematic description of the processing; assessment of necessity and proportionality; assessment of the risks to rights and freedoms; and the measures envisaged to address those risks. The DPIA is reviewed periodically and whenever significant changes are made to the algorithm.

A summary of the DPIA findings and the measures adopted is available on request from gdpr@expoplatform.com.

15. Records of Processing Activities

We maintain Records of Processing Activities (ROPA) as required by Article 30 UK GDPR / EU GDPR and §30 BDSG. These records include: the name and contact details of the controller and DPO; the purposes of processing; categories of data subjects and personal data; categories of recipients; details of international transfers and safeguards; retention periods; and a description of technical and organisational security measures. These records are available for inspection by supervisory authorities on request.

16. Cookies and Similar Technologies

16.1 What we use

We use cookies and similar technologies on the Website to:

• ensure the site works (strictly necessary cookies),
• remember preferences (functional cookies),
• measure and improve performance (analytics cookies), and
• understand how visitors interact with content (analytics cookies).

16.2 Consent requirements

In accordance with TTDSG §25 (Germany), the EU ePrivacy Directive (2002/58/EC as amended), and UK PECR, we obtain your prior, informed, and freely given consent before storing or accessing any non-essential cookies or similar technologies on your device.

This means:

• no non-essential cookies are set until you have actively consented;
• consent is obtained through a clear, affirmative action (e.g., clicking "Accept" on the cookie banner) — pre-ticked boxes do not constitute valid consent (in line with the CJEU ruling in Planet49, Case C-673/17);
• refusing non-essential cookies is as easy as accepting them (the "Reject" or equivalent option is presented with equal prominence to the "Accept" option);
• you can withdraw consent at any time using the cookie settings tool available on our Website; and
• strictly necessary cookies (which are essential for the Website to function) do not require consent.

16.3 Managing preferences

You can change your cookie preferences at any time using the cookie controls available on our Website or through your browser settings.

17. Marketing

17.1 B2B marketing only

ExpoPlatform may send B2B marketing communications to Organisers and business contacts. We do not send B2C marketing communications to Attendees.

17.2 Lawful basis for marketing

We recognise that the rules governing electronic direct marketing vary by jurisdiction. We apply the following framework:

• UK: We rely on Article 6(1)(f) UK GDPR (legitimate interests) for B2B marketing to corporate email addresses where there is a relevant business relationship. Where we have obtained contact details in the course of a sale or negotiation of a sale and the communication relates to similar products or services, we may also rely on the "soft opt-in" under Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR).
• Germany and EU: For recipients in Germany, we comply with TTDSG §7 and §7a UWG (Gesetz gegen den unlauteren Wettbewerb). Where prior explicit consent is required under applicable German or EU law for electronic direct marketing (including email), we will obtain that consent before sending marketing communications. Where a pre-existing business relationship permits marketing under applicable law, we rely on it within the constraints of that law.
• General: For all other jurisdictions, we comply with the local implementation of the ePrivacy Directive (2002/58/EC) and any applicable national marketing rules.

17.3 Opt-out

Every marketing message includes an easy, free-of-charge opt-out mechanism. We will honour opt-out requests without delay and in any event within 5 business days.

You can opt out of ExpoPlatform marketing at any time:

• using unsubscribe links in our messages; or
• by contacting marketing@expoplatform.com.

Organisers may send their own event communications under their own privacy notices; please contact the Organiser to manage those preferences.

18. Children / Under-16s

The Website and Platform are intended for business professionals and are not directed at individuals under the age of 16. This threshold is consistent with Article 8(1) EU GDPR and the age of digital consent set by Germany under Article 8(1).

If you are under 16, you should not use the Platform unless you have the consent of your parent or holder of parental responsibility.

If we become aware that we have collected personal data from a child under 16 without valid parental consent, we will take steps to delete that data without undue delay.

19. Links to Third-Party Websites

The Platform or Website may contain links to third-party websites. Those third parties have their own privacy policies and we are not responsible for their practices.

20. Account Deletion

20.1 Organiser-controlled data

If you participated in a Networking Session organised by a third party, the Organiser is the controller for the data they uploaded and collected. Please contact the Organiser to request deletion of that data.

20.2 ExpoPlatform-controlled data

For data that ExpoPlatform controls (for example: your website account, security logs, or direct communications with us), you can request deletion by contacting gdpr@expoplatform.com.

Some data may need to be retained to comply with legal obligations (for example, financial records under tax law, or security logs for a limited period for fraud prevention). We will inform you of any applicable retention obligations when responding to your request.

21. Your Rights

Under the UK GDPR, EU GDPR and BDSG, you may have the following rights (subject to applicable conditions and exceptions):

• access (Article 15) — the right to obtain confirmation of whether your data is being processed and, if so, access to the data and supplementary information;
• rectification (Article 16) — the right to have inaccurate data corrected and incomplete data completed;
• erasure (Article 17) — the right to request deletion of your data in certain circumstances;
• restriction (Article 18) — the right to restrict processing in certain circumstances;
• data portability (Article 20) — the right to receive your data in a structured, commonly used, machine-readable format (such as CSV or JSON) and to transmit it to another controller;
• objection (Article 21) — the right to object to processing based on legitimate interests (including profiling) or to processing for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing without exception;
• rights related to automated decision-making (Article 22) — see section 8.4; and
• withdrawal of consent (Article 7(3)) — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

Under §34 BDSG, you also have the right to request information about data stored in scoring or credit-related databases (to the extent applicable).

Who to contact:

• Organiser-controlled event/session data: contact the Organiser.
• ExpoPlatform-controlled data (Website, Platform security logs, matching algorithm data): contact gdpr@expoplatform.com.

We will respond to verified requests within one month (extendable by up to two further months for complex or numerous requests, with notification to you of the extension and the reasons for it, in accordance with Article 12(3)).

We do not charge a fee for exercising your rights unless the request is manifestly unfounded or excessive (Article 12(5)).

22. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Where changes are material, we will notify affected individuals by email or through the Platform where practicable, and will clearly indicate what has changed.

23. US State Privacy Rights

If you are a resident of a US state with applicable consumer privacy legislation (for example, the California Consumer Privacy Act / CPRA, the Virginia CDPA, or the Colorado Privacy Act), you may have additional rights, including:

• the right to know what personal information we collect and how it is used;
• the right to request correction of inaccurate personal information;
• the right to request deletion of your personal information;
• the right to opt out of the sale or sharing of personal information (we do not sell personal data);
• the right to non-discrimination for exercising your rights; and
• the right to data portability.

To exercise any of these rights, please contact gdpr@expoplatform.com.

We will verify your identity before fulfilling requests. You may designate an authorised agent to make a request on your behalf.

24. Contact Us and Supervisory Authorities

You have the right to lodge a complaint with a supervisory authority. Depending on your location, this may include:

UK — Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

Germany — your competent state data protection authority (Landesdatenschutzbeauftragte/r). A list of German state supervisory authorities is available at: bfdi.bund.de. You may also contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI) where applicable.

EU — your local supervisory authority under Article 77 EU GDPR. A list of EU data protection authorities is available at: edpb.europa.eu.