Privacy Policy
Effective Date: 26.05.2026
Last Updated: 26.05.2026
1. Who we are
Cadas AS (Norwegian org. no. 926 572 229) operates Evenero at www.evenero.com, event.evenero.com, and app.evenero.com. For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Norwegian Personal Data Act, Cadas AS is the data controller for the personal data processed through Evenero.
Cadas AS
Bogstadveien 27B, 0355 Oslo, Norway
Email: post@evenero.com
2. What data we process
- Account data: email address and (optional) display name when you create an Evenero account.
- Payment data: handled entirely by Stripe. We never see or store full card details. We receive transaction status, amount, currency, and the email you provided to Stripe.
- Print orders (Gelato): when you order printed products we collect your name, shipping address, phone (optional) and email. These are required to fulfil and ship the order.
- Event media: photos and videos uploaded by you or your event participants. Uploaded media is stored in your event and shared as you configure it.
- Support correspondence: messages you send to us and the metadata around them.
- Technical data: IP address, browser and device information, and request logs, for security, abuse prevention, and operating the service.
- Cookies and similar technologies: see our Cookie Policy.
3. Why we process it and on what legal basis
Providing the Evenero service
Legal basis: contract (GDPR Art. 6(1)(b)). Includes account creation, media storage and sharing, event management, and customer support.
Processing payments and fulfilling print orders
Legal basis: contract. For Gelato print orders, only the data required for production and shipping is shared with our print partner.
Bookkeeping and tax records
Legal basis: legal obligation (GDPR Art. 6(1)(c)) — the Norwegian Bookkeeping Act requires us to retain transaction records for 5 years.
Fraud prevention, security, and abuse mitigation
Legal basis: legitimate interest (GDPR Art. 6(1)(f)) — protecting our service, customers, and partners.
Analytics (Google Analytics 4)
Legal basis: consent (GDPR Art. 6(1)(a)). Only active if you accept the Analytics category in the cookie banner.
Advertising attribution (Meta and Google Ads)
Legal basis: consent. The Meta Pixel and our server-side Meta Conversions API only fire when you accept the Marketing category. Google's Consent Mode v2 (Advanced) is active so Google receives only modelled, cookieless data when consent is denied.
4. Who receives your data
We use the following data processors. Each is bound by a Data Processing Agreement (DPA) and, where applicable, Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework (DPF).
Google Cloud Platform
Role: Application hosting, database, file storage
Location: EU (europe-north1)
Safeguard: Data Processing Addendum
Vercel
Role: Frontend hosting and cookieless analytics
Location: US (with EU regional infrastructure)
Safeguard: DPA + Standard Contractual Clauses (SCCs)
Stripe
Role: Payment processing
Location: US / Ireland
Safeguard: DPA + SCCs / EU-US Data Privacy Framework (DPF)
Mailgun
Role: Transactional email delivery
Location: US / EU
Safeguard: DPA + SCCs / DPF
Gelato
Role: Print order fulfilment (only when you order printed products)
Location: EEA
Safeguard: DPA
Google (Analytics + Ads)
Role: Traffic analytics and advertising attribution
Location: US
Safeguard: DPA + SCCs / DPF — used only with your consent
Meta
Role: Advertising attribution (Pixel and Conversions API)
Location: US
Safeguard: DPA + SCCs / DPF — used only with your consent
Canva
Role: Embedded design content where applicable
Location: AU / US
Safeguard: DPA + SCCs
hCaptcha (Intuition Machines)
Role: Bot protection on forms
Location: US
Safeguard: DPA + SCCs
CookieHub
Role: Cookie consent management
Location: Iceland (EEA)
Safeguard: DPA
5. International transfers
Our application data is hosted in the EU (Google Cloud, europe-north1 / Finland). Some of the processors listed above are based in the United States. Where data is transferred outside the EEA we rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses to ensure an adequate level of protection.
6. How long we keep data
Account data (email, profile)
While the account is active, then deleted within 30 days of a deletion request
Event media (photos, videos)
Minimum 24 months from event activation, or until you delete the event — whichever is longer
Payment records
5 years (Norwegian Bookkeeping Act / Bokføringsloven)
Print order details
5 years (Bookkeeping Act) — name and shipping address required for fulfilment
Support correspondence
2 years from the last interaction
Analytics data (GA4)
14 months
Server and security logs
90 days
When the retention period ends, data is either permanently deleted or anonymised so it can no longer be linked to an individual.
7. Your rights
Under GDPR you have the right to:
- Access — receive a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion when the data is no longer necessary.
- Restriction — ask us to limit processing in certain circumstances.
- Objection — object to processing based on legitimate interest, including profiling.
- Portability — receive your data in a machine-readable format.
- Withdraw consent — at any time, for processing that relies on consent (analytics, marketing). You can change your cookie choices via the CookieHub icon in the bottom-left of every page.
- Lodge a complaint — with the Norwegian Data Protection Authority (Datatilsynet) or your local supervisory authority.
To exercise any of these rights, email post@evenero.com. We will respond within 30 days.
8. Children
Evenero is intended for users aged 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us and we will delete it.
9. Security
We use HTTPS in transit, encryption at rest for our database and media storage, role-based access controls, and regular security updates. While no system can guarantee absolute security, we work to keep your data safe and notify affected users without undue delay in the event of a breach as required by GDPR.
10. Changes to this policy
We may update this Privacy Policy when our processing or tooling changes. Material changes will be highlighted on the Site. The "Effective Date" at the top of this page always reflects the latest version.
11. Contact us
For any privacy question or to exercise your rights:
Cadas AS
Bogstadveien 27B, 0355 Oslo, Norway
Email: post@evenero.com