Convention Master Privacy Notice Template

Effective date: [Insert date] Event: [Insert event name] Event organizer: [Insert legal organization name] Privacy contact: [Insert email/contact person]

This privacy notice explains what personal information may be collected, used, stored, or disclosed through the Convention Master registration and event management system.

Convention Master is a configurable event registration platform. Not every event uses every feature. This notice includes sections for information that Convention Master can support. The event organizer should include only the sections that apply to this event’s actual configuration and practices.

1. Who is responsible for your information

The event organizer is responsible for deciding what information is collected for this event, why it is collected, how long it is kept, and who may access it.

Convention Master may be used by the event organizer, authorized event staff, registration staff, finance staff, volunteers, system administrators, and approved service providers to operate the event.

2. Information we may collect

Depending on the event’s configuration, we may collect or store the following categories of information.

2.1 Account and identity information

Convention Master requires basic account and identity information to create and manage attendee registrations. This may include:

• registration or account number
• legal name
• preferred name
• fan name, badge name, or display name
• date of birth or age-related information, where required for registration, age verification, membership rules, or event policy
• language or locale preference
• account status, duplicate account links, or account merge information

We use this information to create and manage registrations, issue memberships or badges, verify identity or age where required, reduce duplicate records, and administer the event.

2.2 Contact information

We may collect contact information, including:

• email address
• phone number
• mailing or shipping address
• city, province/state, postal/ZIP code, and country
• contact name or alternate contact information where provided

We use this information to communicate with attendees, manage registrations, provide support, send confirmations or receipts, handle shipping or mailing where applicable, and administer event services.

Include this section if the event collects email, phone, mailing address, shipping address, emergency contact information, or other contact details.

2.3 Login and authentication information

Convention Master uses login and authentication information to protect attendee, kiosk, and staff access to the system. This may include:

• username
• salted password hash or other authentication credential
• password reset token or reset request information
• account activation, deactivation, or expiry status
• login, logout, password reset, or authentication timestamps
• IP address associated with login, reset, kiosk, or security activity
• one-time passcodes or email verification codes, if enabled
• security question and answer, if enabled

We use this information to secure accounts, authenticate users, prevent unauthorized access, support account recovery, operate kiosks and staff tools, and investigate suspicious activity.

2.4 Registration, membership, and attendance records

We may collect or generate information about your relationship to the event, including:

• event attendance record
• membership type or registration level
• registration status
• check-in or badge pickup status
• registration creation or update timestamps
• payment hold or registration hold status
• linked memberships or related registrations
• badge display code or badge printing status

We use this information to confirm your registration, issue badges, manage admission, administer memberships, and operate event registration services.

2.5 Payment, purchase, and financial information

We may collect or store information related to event payments and purchases, including:

• products or memberships purchased
• account charges, credits, refunds, and balance information
• payment amount, date, time, method, and status
• payment processor transaction IDs or reference numbers
• cashier or staff member who processed a payment
• payment notes or refund notes
• voucher, coupon, or comp information
• invoice information
• cheque or payout information, where applicable

Where credit card or online payment processing is used, payments may be processed by a third-party payment provider. Convention Master may store payment references, status messages, transaction IDs, and limited card-related details such as card type or last four digits where provided by the payment gateway. Convention Master should not be used to store full credit card numbers unless specifically configured and legally/compliantly authorized.

We use this information to process payments, issue receipts, maintain financial records, reconcile accounts, prevent fraud, process refunds, and support accounting requirements.

2.6 Agreements, waivers, consent records, and signatures

We may collect records showing that you reviewed or agreed to event terms, waivers, policies, or other agreements. This may include:

• agreement version
• agreement text
• name of signatory
• signature image or electronic signature
• contact information included with the agreement
• timestamp of agreement
• witness or staff member
• invalidation or correction notes

We use this information to confirm consent, maintain event records, enforce event policies, administer waivers, and document required acknowledgements.

Include this section if the event uses electronic waivers, signed agreements, parental/guardian consent, artist/dealer agreements, code of conduct acknowledgements, or other consent records.

2.7 Badge, RFID, kiosk, and check-in records

If enabled, we may collect or generate badge and check-in information, including:

• badge print status
• badge printer or workstation information
• badge image or badge design information
• RFID tag or badge identifier
• badge tap or scan timestamp
• kiosk activity
• check-in or pickup activity
• staff member or device involved in the action
• IP address, device identifier, or location associated with kiosks or badge readers

We use this information to issue badges, prevent duplicate badge use, support secure check-in, operate kiosks, manage access control where enabled, troubleshoot devices, and investigate registration or badge issues.

Include this section if the event uses badge printing, RFID badges, badge readers, badge taps, self-serve kiosks, pickup kiosks, check-in tracking, or device-based registration workflows.

2.8 Communications and email history

We may collect or store communication records, including:

• email address
• recipient and sender names
• email subject and body
• attachments
• delivery method and send status
• email template used
• one-time passcodes or email verification codes, if enabled

We use this information to send confirmations, receipts, event updates, registration notices, password resets, one-time codes, and other event-related communications.

Include this section if the event sends emails, stores email history, uses templates, sends receipts, sends mass email, uses OTP login, or attaches documents to email.

2.9 Custom forms, surveys, questions, and event-defined information

Convention Master allows event organizers to create custom fields, forms, surveys, application questions, and data collection tools. These are not all default Convention Master fields. The specific information collected depends on the questions, forms, modules, and workflows enabled by the event organizer.

Event-defined questions may be used for registration, volunteer coordination, accessibility planning, art show applications, dealer or vendor applications, programming, surveys, operational planning, or other event administration purposes.

Depending on the event’s configuration and the questions asked, event-defined information may include:

• custom registration answers
• accessibility or accommodation requests
• dietary information, where requested by the event
• emergency contact information, where requested by the event
• volunteer availability or preferences
• art show, artist, dealer, vendor, or programming application answers
• demographic, preference, or survey responses, where requested by the event
• free-text responses
• uploaded or attached supporting information
• other event-specific information requested by the organizer

We use event-defined information for the purpose stated at the time of collection, for the purpose reasonably implied by the question or form, or as reasonably required to administer the event.

Because these fields are configured by the event organizer, attendees should review the wording of each form or question before submitting information. Event organizers should avoid requesting sensitive personal information unless it is necessary for a defined event purpose.

2.10 Staff notes, support records, and operational logs

Authorized staff may create notes, support records, audit logs, or operational history related to an attendee account. These records may include:

• staff notes
• account comments
• registration issue notes
• payment or refund notes
• support requests
• cashier activity
• changelog entries showing old and new values
• audit logs showing staff actions
• deletion, correction, or invalidation notes
• crash or error logs related to registration activity

We use this information to provide support, correct errors, administer registration, investigate disputes, prevent fraud or abuse, maintain audit trails, and operate the event.

Include this section if the event allows staff notes, registration notes, account comments, cashier logs, support logs, change history, audit logging, or operational troubleshooting.

2.11 Volunteer, programming, schedule, and hosted activity information

If the event uses volunteer, programming, schedule, or activity management features, we may collect or store:

• volunteer status
• volunteer job title or assignment
• arrival and departure times
• volunteer hours
• activity host information
• schedule entries linked to a registrant
• public or private display names for hosts or panelists
• staff member who created or updated the schedule record

We use this information to schedule volunteers, manage staffing, publish event programming, track volunteer work, and administer hosted activities.

Include this section if the event uses volunteer tracking, panels, hosts, event schedule tools, programming systems, or staff scheduling.

2.12 Art show, artist, dealer, vendor, and marketplace information

If the event uses art show, dealer, vendor, or marketplace features, we may collect or store:

• artist, dealer, vendor, or applicant identity
• business name
• tax number or business registration information, where required
• application answers
• application status
• approval or rejection notes
• item descriptions
• artwork titles, media, dimensions, locations, and sale status
• bids, bidder identifiers, and bid amounts
• check-in/check-out records
• payout, cheque, or settlement information
• special requests or operational needs

We use this information to process applications, assign space, manage sales, administer bids, process payouts, communicate decisions, and operate art show, dealer, vendor, or marketplace services.

Include this section if the event uses art show, artist alley, dealer room, vendor applications, marketplace features, bidding, sales tracking, or payout tools.

2.13 Linked accounts and relationship records

We may collect or store relationships between accounts, including:

• linked registrations
• parent/guardian or dependent relationships
• group, household, assistant, agent, or shared account links
• confirmation tokens
• comments related to a link
• staff member who created or confirmed the relationship

We use this information to administer linked memberships, family or guardian workflows, group registrations, art show/dealer agents, shared responsibilities, or other event-specific relationships.

Include this section if the event uses linked accounts, parent/guardian workflows, group registrations, dependent memberships, art show agents, or relationship-based permissions.

2.14 Security, abuse prevention, and technical information

We may collect technical and security-related information, including:

• IP address
• browser or device information where available
• login attempt records
• brute-force prevention records
• timestamps of activity
• kiosk or terminal identifiers
• API access logs
• access tokens or device credentials
• error logs and crash reports

We use this information to secure the system, prevent abuse, troubleshoot errors, investigate suspicious activity, maintain system integrity, and protect attendees, staff, and the event.

Include this section if the event uses online registration, logins, kiosks, payment terminals, badge readers, APIs, access control, or system logging.

3. Why we use personal information

We may use personal information for the following purposes:

• creating and managing registrations
• issuing memberships, badges, and credentials
• verifying identity, age, eligibility, or account status
• processing payments, refunds, vouchers, invoices, or payouts
• communicating with attendees
• operating registration desks, kiosks, badge pickup, and check-in
• managing volunteers, programming, art show, dealers, vendors, or marketplace activity
• documenting consent, waivers, agreements, and policy acknowledgements
• providing attendee support
• maintaining accurate financial and operational records
• preventing fraud, abuse, duplicate registrations, or unauthorized access
• enforcing event policies
• complying with legal, accounting, insurance, or safety obligations
• troubleshooting and improving event operations

4. Who may access personal information

Personal information may be accessed by authorized people only as needed for event operations. This may include:

• registration staff
• cashier or finance staff
• event administrators
• volunteer coordinators
• art show, dealer, vendor, or programming staff
• security or safety staff, where applicable
• system administrators
• approved service providers

Access should be limited based on role, event need, and system permissions.

5. Third-party services and external requests

The event may use third-party services to operate registration, payments, email, hosting, backups, badge printing, accounting, analytics, or other event functions.

Depending on the event configuration, personal information may be processed by services such as:

• payment processors
• email providers
• web hosting providers
• database or backup providers
• badge printing or hardware vendors
• accounting or financial systems
• other approved event service providers

Third-party providers are expected to use information only for the services they provide to the event, subject to their own terms, privacy policies, and legal obligations.

Convention Master itself is designed to minimize unnecessary external browser requests. The standard Convention Master interface does not rely on externally hosted JavaScript libraries, externally hosted CSS libraries, advertising networks, or Google Analytics. Required application libraries are served from the Convention Master server rather than loaded from public content delivery networks.

This design supports privacy and offline operation by reducing the number of outside services contacted when using the registration system. However, third-party services may still be contacted when an enabled event feature requires them, such as payment processing, email delivery, hosted infrastructure, backups, or other services configured by the event organizer or system administrator.

Event-specific providers: [List providers here]

6. Retention

Convention Master may retain registration, membership, payment, communication, audit, and operational records for long periods of time unless the event organizer or system administrator deletes, anonymizes, archives, or otherwise removes them.

The event organizer is responsible for deciding how long personal information is kept, what information should be retained, and when information should be deleted or minimized. Convention Master may provide access to historical event records so that the event organizer can review past registrations, membership history, attendance statistics, accounting records, support history, and operational records.

Some records may be kept longer than others. For example:

• financial records may be retained for accounting, reconciliation, tax, audit, or fraud-prevention purposes
• membership, attendance, and registration records may be retained for historical reporting, trend analysis, eligibility review, or future event administration
• contact information may be retained for event communications, future registration support, account administration, marketing where permitted, or emergency communications
• agreement and waiver records may be retained for legal, insurance, dispute-resolution, or policy-enforcement purposes
• staff notes, changelogs, and audit logs may be retained to investigate disputes, registration issues, security concerns, account changes, or policy matters
• temporary verification records, reset tokens, one-time passcodes, and similar security records should generally be retained for a shorter period
• raw or highly sensitive records should be deleted, minimized, or restricted when they are no longer required for a defined event purpose

At this time, Convention Master may not automatically enforce all retention periods for every type of record. Retention practices may depend on the event organizer’s policies, system configuration, manual administrative action, backups, and legal or operational requirements.

Event-specific retention rules: [Insert retention schedule, if any]

7. Safeguards

The event organizer, system administrators, and hosting provider, where applicable, use reasonable administrative, technical, and physical safeguards to protect personal information against unauthorized access, use, disclosure, alteration, or loss.

Where Convention Master is hosted by the Convention Master maintainers or Civet Solutions, hosting and server administration are provided on a best-effort basis unless a separate written agreement says otherwise. Where an event organizer hosts its own Convention Master installation, the event organizer or its IT provider is responsible for the hosting environment, server maintenance, backups, and related infrastructure security.

Safeguards may include:

• permission-based access controls for staff and administrative functions
• password-protected attendee, kiosk, and staff accounts
• salted password hashes or other protected authentication credentials
• logging and audit trails for selected system and staff actions
• encrypted connections where supported by the deployment
• restricted staff access based on operational need
• user-interface privacy controls that hide selected personal fields unless needed for a specific task
• logging of selected staff actions that reveal hidden personal information, where supported
• separation between Convention Master records and third-party payment processing systems
• payment gateway references instead of full payment card handling where supported
• brute-force protection that can block or delay repeated failed login or security requests from the same IP address
• password-encrypted database export tools where used by the event organizer or system administrator
• backups and recovery controls
• server, database, and application maintenance by the responsible system administrator or hosting provider
• deletion, minimization, or access restriction of information when no longer required, where supported by system configuration and event policy

Convention Master includes security features intended to reduce unauthorized access, including login protections, permission-based staff access, audit records, privacy reveal controls, and brute-force protection for repeated failed requests. These protections help deter automated guessing, abusive login attempts, and unnecessary casual viewing of personal information, but they do not eliminate all security risk.

Convention Master permissions may control broad areas of system access, such as whether a staff member can view registration records or use administrative tools. These permissions may not provide separate field-level controls for every type of personal information. Event organizers should only grant access to staff who need it for their event role.

Convention Master may also limit casual viewing of selected personal information within the user interface. Some fields, such as date of birth, age-related information, addresses, and phone numbers, may be hidden behind privacy controls unless the information is needed for the task being performed. For example, a cashier or registration staff member may be shown age or birthdate information during a check-in or identity-verification workflow when that information is required for the task, while the same information may be hidden during general registration browsing.

Where supported, staff actions that reveal selected personal information may be logged for accountability. These controls are intended to reduce unnecessary exposure of personal information while still allowing authorized staff to perform legitimate event duties.

No system can guarantee absolute security. The effectiveness of safeguards depends on the event organizer’s configuration, hosting environment, staff practices, software maintenance, access controls, backups, and operational procedures.

8. Access, correction, deletion, and de-identification requests

You may contact the event organizer to request access to personal information associated with your registration, or to request correction of inaccurate information.

You may also request deletion or removal of personal information. Deletion requests will be reviewed by the event organizer and may be limited where information must be retained for legal, accounting, insurance, dispute resolution, security, fraud-prevention, historical reporting, or legitimate event administration purposes.

Convention Master may not provide an automated deletion process for every type of record. Where full deletion is not available or not appropriate, the event organizer may instead remove, minimize, anonymize, or de-identify personal information where reasonably possible. For example, this may include removing address, phone, date of birth, contact details, and other personal fields, while retaining non-identifying historical registration, membership, payment, accounting, or audit records.

Convention Master may also allow an account to be marked with a future purge date. This can help identify records intended for later deletion or cleanup when supported by event policy, system configuration, or future purge tools.

Requests may not result in immediate removal from backups, audit logs, financial records, agreement records, or other records that the event organizer is required or permitted to retain.

Privacy requests should be sent to:

Privacy contact: [Insert email/contact person]

9. Children, minors, parents, and guardians

If the event allows minors to register or attend, the event may collect information needed to administer minor registrations, parent or guardian consent, age verification, emergency contact, or related safety requirements.

This may include:

• date of birth or age category
• parent or guardian name
• parent or guardian contact information
• signed consent or waiver records
• linked parent/guardian account information
• notes required to administer the minor’s registration safely

Include this section if the event allows minors, requires parental/guardian consent, collects date of birth, performs age checks, or has youth attendance workflows.

10. Sensitive information and free-text fields

Some event features may allow attendees or staff to enter free-text information. Free-text fields can sometimes contain sensitive personal information, even when the field was not specifically designed for that purpose.

Attendees should avoid providing unnecessary sensitive information unless it is requested and relevant to the event service being used. Staff should only record information that is necessary, appropriate, and related to event administration.

Sensitive or free-text information may include accessibility requests, dietary information, medical or safety notes, incident-related notes, application responses, or support details.

Include this section if the event uses staff notes, custom questions, surveys, application forms, accessibility requests, dealer/art show applications, incident notes, or support records.

11. Changes to this notice

This notice may be updated from time to time. If the event’s collection or use of personal information changes materially, the event organizer should update this notice and make the updated version available.

Current version: [Insert version/date]

12. Contact

Questions, requests, or complaints about this privacy notice or the handling of personal information should be directed to:

Event organizer: [Insert organization name] Privacy contact: [Insert contact name/title] Email: [Insert email] Mailing address: [Insert address, if applicable]