Introduction

Welcome to FFAIR Ltd. This Privacy Policy explains how we collect, use, share and protect your personal data when you use our website, platform and related services. It applies to all users of ffair.io and any other FFAIR operated services. By using our services, you agree to the practices described in this Privacy Policy.

1. Who we are

FFAIR Ltd is registered in England and Wales, Company No. 11858071. Our registered address is Knoll House, Knoll Road, Camberley, Surrey, GU15 3SY.

For the purposes of UK GDPR and the Data Protection Act 2018, FFAIR Ltd is the data controller for personal data we collect directly through our platform and website. Where event organisers collect data from exhibitors through the platform, the organiser is the data controller and FFAIR acts as the data processor, see section 4A.

2. Data we collect

Personal identification information: Name, email address, phone number, company details and job title.

Account information: Login credentials, stored in hashed form, account preferences and activity within the platform.

Payment information: Billing details and transaction records. FFAIR does not store or process full payment card numbers. All card data is handled exclusively by Stripe Payments Europe Ltd under their PCI-DSS compliant environment.

Technical information: IP address, browser type, operating system, time zone and usage data collected through cookies and log files.

Device information: Details about the device and browser you use, including referring and exit pages.

Order information: Billing details, products or services ordered and purchase history.

Communications: Any correspondence, support queries or feedback you send to us.

Client information via task list: Event organisers may collect information from exhibitors through task lists they configure within the platform. The organiser determines the type of information collected and the lawful basis for doing so. FFAIR processes this data solely under the organiser's instructions as a data processor.

3. How we use your data

We use personal data to: provide, operate and maintain our services; process orders and manage billing; improve and enhance the user experience; communicate updates, service information and support messages; detect, prevent and address security or fraud related issues; and comply with legal or regulatory obligations.

We do not use personal data for automated decision making or profiling that produces legal or similarly significant effects on individuals. Where automated processing is used, for example, in fraud detection or performance analytics, it supports human decision making only and does not produce decisions with significant impact on users.

4. Legal basis for processing

Under UK GDPR, we process personal data on the following grounds:

Performance of a contract: For example, providing platform access and processing orders.

Legitimate interests: For example, improving our services, ensuring platform security and preventing fraud. We have assessed that our legitimate interests are not overridden by the rights and interests of the individuals concerned.

Compliance with legal obligations: For example, retaining financial records as required by law.

Consent: Where we rely on consent, for example, for direct marketing communications, you may withdraw consent at any time by contacting dpo@ffair.io.

4A. Roles of controller and processor

For most event related data, the event organiser is the data controller and FFAIR is the data processor. FFAIR processes such data only on the organiser's instructions and under a signed Data Processing Agreement.

For data FFAIR collects directly from platform users, such as account and billing information, FFAIR is the data controller.

4B. Data residency

FFAIR stores and processes personal data within the UK and EU. Our primary hosting is Amazon Web Services, AWS, in eu-north-1, Stockholm, Sweden, and Google Cloud Platform, GCP, in europe-west2, London, UK. No personal data is stored or processed outside the UK or EU without appropriate international transfer safeguards in place.

5. Data sharing and sub-processors

We do not sell, rent or trade personal data. We share data only where necessary to deliver our services. All third party service providers who process personal data on our behalf are engaged as sub-processors under written, GDPR compliant Data Processing Agreements.

Our current sub-processors are:

Amazon Web Services, AWS
Purpose: Cloud hosting and data storage
Scope: Platform and website
Location: EU, Stockholm

Google Cloud Platform, GCP
Purpose: Backups, logging and monitoring
Scope: Platform
Location: EU, London

Stripe Payments Europe Ltd
Purpose: Payment processing
Scope: Platform
Location: EU/UK

HubSpot
Purpose: CRM, organiser and prospect contact data
Scope: Platform/CRM only
Location: US, using SCCs/IDTA

SendGrid, Twilio
Purpose: Transactional email delivery
Scope: Platform
Location: US/EU, using SCCs/IDTA

Datadog
Purpose: Application performance monitoring and logging
Scope: Platform only
Location: US/EU, using SCCs/IDTA

ReelFlow
Purpose: Video content delivery
Scope: Website only, no personal data processed
Location: Please confirm location

UserGuiding
Purpose: In-app release notes and user surveys
Scope: Platform
Location: US, using SCCs/IDTA

Frill
Purpose: Feature request collection
Scope: Platform
Location: Canada/US, using SCCs/IDTA

Google Workspace
Purpose: Internal email and productivity, no client personal data
Scope: Internal only
Location: EU/UK

Atlassian, Jira/Confluence
Purpose: Internal project management, employee data only
Scope: Internal only
Location: EU/US, using SCCs/IDTA

International transfers marked SCCs/IDTA above are made under appropriate UK Standard Contractual Clauses or International Data Transfer Agreements. We will notify organiser customers of any material changes to our sub-processor list in advance, giving reasonable opportunity to object. A full and up to date sub-processor register is available on request by emailing dpo@ffair.io.

5A. Legal and regulatory disclosure

We may disclose personal data to law enforcement, regulators or courts where required by law, or to protect the rights, property or safety of FFAIR, our clients or others.

6. Data retention

We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy or as required by law.

Event and exhibitor data
Retention period: Up to 24 months after the end of the organiser’s licence term

User account data
Retention period: While the user’s organisation holds an active licence

Financial and order records
Retention period: 6 years, UK statutory accounting requirement

Support correspondence
Retention period: 3 years from last interaction

System and access logs
Retention period: Up to 90 days, extended where required for security investigations

Marketing and consent records
Retention period: Until consent is withdrawn, plus 1 year

Earlier deletion can be requested at any time by contacting dpo@ffair.io, subject to any overriding legal obligation to retain the data.

7. Your rights

Under UK GDPR, you have the right to: access your personal data; correct inaccurate or incomplete data; request deletion of your data; restrict processing in certain circumstances; request data portability; object to processing based on legitimate interests or for direct marketing; and not be subject to solely automated decision making with significant legal or similar effects.

We may decline certain requests where permitted by UK GDPR Schedule 2. To exercise any of your rights, please contact dpo@ffair.io. We will respond within one calendar month of receiving your request. There is no charge for making a request.

8. Cookies

Our website currently uses only strictly necessary cookies required to operate the platform and website securely. We do not use advertising or behavioural tracking cookies. We intend to introduce a Consent Management Platform, CMP, in the near future to allow users to manage optional cookie preferences; this policy will be updated before any non-essential cookies are introduced. For full details of the cookies we currently use, please refer to our Cookie Policy at ffair.io/cookie.

9. Data security

We use appropriate technical and organisational measures to protect personal data, including: encryption of data in transit, TLS, and at rest, AES-256; role-based access controls and the principle of least privilege; multi-factor authentication for platform and administrative access; annual penetration testing by an independent third party; regular vulnerability assessments and patch management; and audit logging of access to personal data.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals without undue delay where required.

10. Data protection contact

FFAIR is registered with the Information Commissioner's Office: ICO Registration No. ZB033445.

For all data protection enquiries, including exercising your rights, requesting a Data Processing Agreement, or raising a concern, please contact:

Data Protection Lead: Adam Jones, CEO
Email: dpo@ffair.io

Post: FFAIR Limited, Knoll House, Knoll Road, Camberley, Surrey, GU15 3SY

If you have concerns that we cannot resolve, you have the right to lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.

11. Updates to this policy

We may update this Privacy Policy to reflect changes in our services, legal obligations or best practice. The "Last Updated" date at the top of this page will reflect when it was last revised. Significant changes will be communicated by email or a notice on our website. We review this policy at least annually.