Privacy Policy

    Effective Date: 26.05.2026

    Last Updated: 26.05.2026

    1. Who we are

    Cadas AS (Norwegian org. no. 926 572 229) operates Evenero at www.evenero.com, event.evenero.com, and app.evenero.com. For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Norwegian Personal Data Act, Cadas AS is the data controller for the personal data processed through Evenero.

    Cadas AS

    Bogstadveien 27B, 0355 Oslo, Norway

    Email: post@evenero.com

    2. What data we process

    • Account data: email address and (optional) display name when you create an Evenero account.
    • Payment data: handled entirely by Stripe. We never see or store full card details. We receive transaction status, amount, currency, and the email you provided to Stripe.
    • Print orders (Gelato): when you order printed products we collect your name, shipping address, phone (optional) and email. These are required to fulfil and ship the order.
    • Event media: photos and videos uploaded by you or your event participants. Uploaded media is stored in your event and shared as you configure it.
    • Support correspondence: messages you send to us and the metadata around them.
    • Technical data: IP address, browser and device information, and request logs, for security, abuse prevention, and operating the service.
    • Cookies and similar technologies: see our Cookie Policy.

    3. Why we process it and on what legal basis

    Providing the Evenero service

    Legal basis: contract (GDPR Art. 6(1)(b)). Includes account creation, media storage and sharing, event management, and customer support.

    Processing payments and fulfilling print orders

    Legal basis: contract. For Gelato print orders, only the data required for production and shipping is shared with our print partner.

    Bookkeeping and tax records

    Legal basis: legal obligation (GDPR Art. 6(1)(c)) — the Norwegian Bookkeeping Act requires us to retain transaction records for 5 years.

    Fraud prevention, security, and abuse mitigation

    Legal basis: legitimate interest (GDPR Art. 6(1)(f)) — protecting our service, customers, and partners.

    Analytics (Google Analytics 4)

    Legal basis: consent (GDPR Art. 6(1)(a)). Only active if you accept the Analytics category in the cookie banner.

    Advertising attribution (Meta and Google Ads)

    Legal basis: consent. The Meta Pixel and our server-side Meta Conversions API only fire when you accept the Marketing category. Google's Consent Mode v2 (Advanced) is active so Google receives only modelled, cookieless data when consent is denied.

    4. Who receives your data

    We use the following data processors. Each is bound by a Data Processing Agreement (DPA) and, where applicable, Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework (DPF).

    Google Cloud Platform

    Role: Application hosting, database, file storage

    Location: EU (europe-north1)

    Safeguard: Data Processing Addendum

    Vercel

    Role: Frontend hosting and cookieless analytics

    Location: US (with EU regional infrastructure)

    Safeguard: DPA + Standard Contractual Clauses (SCCs)

    Stripe

    Role: Payment processing

    Location: US / Ireland

    Safeguard: DPA + SCCs / EU-US Data Privacy Framework (DPF)

    Mailgun

    Role: Transactional email delivery

    Location: US / EU

    Safeguard: DPA + SCCs / DPF

    Gelato

    Role: Print order fulfilment (only when you order printed products)

    Location: EEA

    Safeguard: DPA

    Google (Analytics + Ads)

    Role: Traffic analytics and advertising attribution

    Location: US

    Safeguard: DPA + SCCs / DPF — used only with your consent

    Meta

    Role: Advertising attribution (Pixel and Conversions API)

    Location: US

    Safeguard: DPA + SCCs / DPF — used only with your consent

    Canva

    Role: Embedded design content where applicable

    Location: AU / US

    Safeguard: DPA + SCCs

    hCaptcha (Intuition Machines)

    Role: Bot protection on forms

    Location: US

    Safeguard: DPA + SCCs

    CookieHub

    Role: Cookie consent management

    Location: Iceland (EEA)

    Safeguard: DPA

    5. International transfers

    Our application data is hosted in the EU (Google Cloud, europe-north1 / Finland). Some of the processors listed above are based in the United States. Where data is transferred outside the EEA we rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses to ensure an adequate level of protection.

    6. How long we keep data

    Account data (email, profile)

    While the account is active, then deleted within 30 days of a deletion request

    Event media (photos, videos)

    Minimum 24 months from event activation, or until you delete the event — whichever is longer

    Payment records

    5 years (Norwegian Bookkeeping Act / Bokføringsloven)

    Print order details

    5 years (Bookkeeping Act) — name and shipping address required for fulfilment

    Support correspondence

    2 years from the last interaction

    Analytics data (GA4)

    14 months

    Server and security logs

    90 days

    When the retention period ends, data is either permanently deleted or anonymised so it can no longer be linked to an individual.

    7. Your rights

    Under GDPR you have the right to:

    • Access — receive a copy of the personal data we hold about you.
    • Rectification — correct inaccurate or incomplete data.
    • Erasure ("right to be forgotten") — request deletion when the data is no longer necessary.
    • Restriction — ask us to limit processing in certain circumstances.
    • Objection — object to processing based on legitimate interest, including profiling.
    • Portability — receive your data in a machine-readable format.
    • Withdraw consent — at any time, for processing that relies on consent (analytics, marketing). You can change your cookie choices via the CookieHub icon in the bottom-left of every page.
    • Lodge a complaint — with the Norwegian Data Protection Authority (Datatilsynet) or your local supervisory authority.

    To exercise any of these rights, email post@evenero.com. We will respond within 30 days.

    8. Children

    Evenero is intended for users aged 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us and we will delete it.

    9. Security

    We use HTTPS in transit, encryption at rest for our database and media storage, role-based access controls, and regular security updates. While no system can guarantee absolute security, we work to keep your data safe and notify affected users without undue delay in the event of a breach as required by GDPR.

    10. Changes to this policy

    We may update this Privacy Policy when our processing or tooling changes. Material changes will be highlighted on the Site. The "Effective Date" at the top of this page always reflects the latest version.

    11. Contact us

    For any privacy question or to exercise your rights:

    Cadas AS

    Bogstadveien 27B, 0355 Oslo, Norway

    Email: post@evenero.com