Privacy Policy
Last updated: March 30, 2026
1. Introduction and Data Controller
This Privacy Policy explains how Molnx (molnx.cloud), operating the EventStuffer platform, collects, uses, stores, and protects your personal data. Molnx is the data controller within the meaning of the EU General Data Protection Regulation (GDPR). We are committed to protecting your privacy and processing your data lawfully, fairly, and transparently.
2. Information We Collect
We collect information you provide directly to us and information generated through your use of the Platform:
- Account Information — Full name, email address, phone number, and hashed password. For Staff: date of birth for age verification.
- Staff Profile Data — Profile photos (up to 10), biography, tagline, service types, skills, languages, physical attributes (height, age), hourly/daily rates, location (city, country), availability calendar, and portfolio items (photos, videos, descriptions).
- Booking and Event Data — Event details (date, time, duration, location, service type), special requests, booking codes, booking status history, and cancellation records.
- Payment and Financial Data — Transaction amounts, platform fees, Staff earnings, payout records, tip amounts, and invoice data. Payment card details are processed and stored exclusively by Stripe and are never stored on our servers.
- Communications and Messaging — Messages exchanged through the Platform's messaging system (including group chats), support tickets, dispute filings, and review/rating content.
- Safety and Location Data — Safety check-in/check-out timestamps and locations during events, emergency contact information, and incident reports.
- Verification Documents — Identity verification documents (government-issued ID, proof of address), background check results, and verification status.
- Technical and Usage Data — IP address, browser type, device information, pages visited, access times, referral URLs, and cookies (see our Cookie Policy).
3. Legal Basis for Processing (GDPR Art. 6)
We process your personal data on the following legal grounds:
- Contract performance (Art. 6(1)(b)): Processing necessary to fulfil our service agreement with you (account management, bookings, payments, messaging).
- Legitimate interest (Art. 6(1)(f)): Platform security, fraud prevention, service improvement, and analytics.
- Legal obligation (Art. 6(1)(c)): Tax record-keeping, regulatory compliance, and responding to legal requests.
- Consent (Art. 6(1)(a)): Marketing communications, analytics cookies, and optional push notifications. You may withdraw consent at any time.
4. How We Use Your Information
We use your information for the following purposes:
- Process bookings, escrow payments, payouts, refunds, and tips
- Facilitate real-time communication between Clients and Staff via messaging and group chat
- Verify identity, process background checks, and prevent fraud
- Send transactional notifications (booking confirmations, reminders, payment receipts, safety alerts)
- Operate the safety check-in/check-out system and overdue checkout alerts
- Generate recommendations and search results based on preferences and location
- Produce earnings summaries, invoices, and tax documents for Staff
- Enforce our Terms of Service and moderate content (reviews, messages, photos)
- Improve the Platform through aggregated, anonymised analytics
- Comply with legal and regulatory obligations
5. Information Sharing and Third Parties
We share your information only in the following circumstances and with the following parties:
- With Other Platform Users — Staff profile information (name, photos, skills, ratings, reviews, availability) is visible to Clients. Client first name and event details are shared with booked Staff. Full contact details are never shared between parties.
- Service Providers — Stripe (payment processing and escrow), AWS S3 (photo and document storage), SMTP provider (transactional email), Sentry (error monitoring), and any background check provider. All service providers are contractually bound to process data only as instructed.
- Legal Requirements — When required by law, court order, or regulatory authority, or to protect the rights, safety, or property of our users or Molnx.
- With Your Consent — When you have given explicit prior permission for a specific sharing purpose.
6. Data Security
We implement comprehensive technical and organisational measures to protect your information:
- TLS/SSL encryption for all data in transit between your browser and our servers
- Passwords hashed with bcrypt; sensitive data encrypted at rest
- Two-factor authentication (TOTP), with backup codes, required for administrator accounts
- Per-request CSRF tokens and Content Security Policy (CSP) with nonces
- Rate limiting (global, per-route, per-user) and account lockout after repeated failed login attempts
- Regular security audits, dependency updates, and access controls
- Magic byte validation on all file uploads to prevent spoofed file types
7. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). You can initiate this from your account settings.
- Right to data portability (Art. 20): Export your data in a machine-readable format (JSON). Available from your account settings under GDPR Data Export.
- Right to restrict processing (Art. 18): Request limitation of data processing in certain circumstances.
- Right to object (Art. 21): Object to data processing based on our legitimate interests.
- Right to withdraw consent: Withdraw previously given consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: File a complaint with your local data protection authority.
8. Cookies and Tracking
We use cookies to enhance your experience. For full details on the cookies we use, their purposes, and how to manage them, please see our Cookie Policy.
- Essential cookies for session management, authentication, and CSRF protection
- Functional cookies for language preferences and age verification
- Analytics cookies (only with your explicit consent)
- Third-party cookies set by Stripe for payment security
9. Data Retention
We retain your data according to the following schedule:
- Active account data is retained as long as your account exists.
- After account deletion, we anonymise or delete personal data within 30 days, except where longer retention is required by law (e.g., financial records are retained for 10 years under German tax law, HGB/AO).
- Verification documents are deleted within 90 days of account closure.
- Aggregated, anonymised analytics data may be retained indefinitely.
10. International Data Transfers
Your data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred outside the EEA (for example, to service providers in the United States), we ensure adequate protection through EU Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.
11. Automated Decision-Making
The Platform uses automated processes for search ranking, recommendation generation, and fraud risk scoring. These processes do not produce legally binding decisions. You have the right to request human review of any automated decision that significantly affects you.
12. Children's Privacy
EventStuffer is not intended for and does not knowingly collect personal data from individuals under 18 years of age. Age verification is enforced upon first access. If we become aware that we have collected data from a minor, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via email or platform notification at least 14 days before taking effect. The date of the most recent revision is indicated at the top of this page.
14. Data Protection Officer and Contact
For any privacy-related questions, to exercise your GDPR rights, or to contact our data protection team:
Operator: Molnx (molnx.cloud)
Email Address: privacy@eventstuffer.com
You also have the right to lodge a complaint with your local data protection supervisory authority.