Privacy Policy

What We Collect

Important: Our services are designed for general use and minimise the collection of personal data. While you do not need an account, some applications process data necessary for their function (such as names or IBANs in Paid!) that may be considered personal data under GDPR. We process this data only as strictly necessary to perform the service. Each application processes different data:

• Paid! — Payment details (name, IBAN, amount, communication) are sent to our server to generate QR codes. The data is kept only in memory during processing and is never stored on disk.
• Involved! — Words, poll answers, feedback, and uploaded files (such as PDF presentations) submitted during events are stored on our servers and automatically deleted after one month of inactivity.
• Drive! — Files you upload are stored on our servers. Do not upload files containing personal information.
• Matched! — Group names, member names, team preferences, distribution results, and the full content of any uploaded Excel file are stored on our servers. Data is linked to group codes, not personal accounts. Do not include personal data in your Excel file — all columns are stored and returned when you download the file back, even if they are not used by the application.
• Booked! — Calendar names, bookings, and object descriptions are stored on our servers. Data is linked to calendar codes, not personal accounts.

How We Use Your Data

Data you provide is used solely to deliver the specific service you are using. We also use essential cookies and local storage to remember your language, theme preference, and — only if you opt in — saved payment details (Paid!) or application preferences. We do not use your data for advertising, profiling, or any purpose beyond operating the service.

We process your data based on Contractual Necessity (to provide the service you requested) and our Legitimate Interest in maintaining the security and functionality of the platform (Article 6 GDPR).

Data Storage and Retention

• Paid! — No server-side storage. Favourites are saved in your browser's local storage only if you choose.
• Involved! — Event data is automatically deleted after one month of inactivity.
• Drive!, Matched!, Booked! — Data is stored on our servers for as long as the resource (file, group, or calendar) exists. You can delete it at any time from within the application.

Cookies and Local Storage

We use only essential cookies and local storage — no tracking, no analytics, no advertising.

• cookie_consent — remembers your cookie choice
• language — stores your preferred language
• PHPSESSID — maintains your session while using our applications
• theme (local storage) — stores your light/dark mode preference
• payment_details (local storage, Paid! only) — stores saved payment favourites, only if you choose

You can clear all this data at any time through your browser settings.

Third-Party Services

We do not use any external analytics, advertising, or data processing services. No personal data is shared with third parties.

This website is hosted by LWS (Ligne Web Services), a French hosting provider. All servers are located in France, meaning your data is stored exclusively within the European Union. No data is transferred outside of the European Economic Area (EEA). You can consult their privacy policy at www.lws.fr/cgv-lws.php.

Security and Encryption

We protect your data with multiple layers of security:

• HTTPS Encryption — All data transmitted between your browser and our servers is encrypted using TLS.
• Encryption at Rest — Sensitive data stored on our servers is encrypted using AES-256-GCM, an industry-standard symmetric encryption algorithm. This applies to database columns containing names, descriptions, preferences, and file contents in configured folders. The encryption key is stored securely on the server and is never transmitted.
• Password Protection — Where password protection is used, passwords are stored as bcrypt hashes (not reversible) and cannot be linked to any personal account.
• Local Storage — Data stored in your browser's local storage remains under your control and can be cleared at any time.

Important: Despite our security measures, you should not upload or input personally identifiable information (PII) or sensitive personal data on this website. Our services are designed for general use and aim to minimise the collection of personal data. Some data you provide (such as names or IBANs) may constitute personal data under GDPR, but it is processed only as strictly necessary. Any data you provide is linked only to anonymous codes (event codes, group codes, calendar codes) and not to personal accounts.

Your Rights under GDPR

Under the General Data Protection Regulation you have the right to access, rectify, erase, restrict processing, port, and object to the processing of your data. Since we process minimal data and do not maintain personal accounts, most of these rights are automatically fulfilled. You can delete your data directly within each application, or contact us to request erasure.

You also have the right to lodge a complaint with a supervisory authority, such as the APD (Autorité de protection des données / Gegevensbeschermingsautoriteit, Belgium — www.autoriteprotectiondonnees.be), if you believe your data has been mishandled.

Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date.

Contact

The Data Controller for this website is Xavier Dubois.

If you have questions about this policy, wish to exercise your data protection rights, or need to report a privacy concern, please use our contact form. You can also reach us by opening an issue on GitHub.