Privacy Policy
Last updated: 17 May 2026 · Version 1.0
1. Controller
The data controller for personal data processed through the Pulln platform is Pulln ("we", "us", "our"), operating the event management platform at pulln.io. For questions or requests, contact us at privacy@pulln.io.
2. Data we collect and why
We collect only the minimum personal data needed to manage event invitations and RSVPs.
| Data category | Examples | Legal basis |
|---|---|---|
| Identity & contact | First name, last name, email address, phone number | Performance of contract (GDPR Art. 6(1)(b)) |
| RSVP preferences | Attendance status, sub-event selections | Performance of contract (Art. 6(1)(b)) |
| Health data - dietary | Dietary restrictions, allergies | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)). Required for catering safety. |
| Guardian details (minors) | Guardian name and email, consent timestamp | Legal obligation (Art. 6(1)(c)) + Art. 8 (child consent, Sweden threshold: age 13) |
| Consent records | Hashed IP, UTC timestamp, consent text version | Legal obligation - GDPR Art. 7 accountability |
| Technical / session | Hashed IP address, Supabase session cookie | Legitimate interests (Art. 6(1)(f)) - security and fraud prevention |
| Error diagnostics | Browser/OS version, stack traces (PII-scrubbed before transmission) | Legitimate interests (Art. 6(1)(f)) - service stability and bug resolution |
3. Data retention
We retain personal data for as long as necessary to manage the event. The following rules are applied automatically:
- All identifying fields (name, email, phone, dietary information) are permanently nulled 30 days after the event ends by an automated nightly job.
- UUIDs and audit rows are kept indefinitely for referential integrity.
- Consent log rows are kept for 3 years (GDPR accountability requirement).
4. Your rights
Under the GDPR you have the right to:
- Access - receive a copy of the personal data we hold about you.
- Rectification - correct inaccurate data.
- Erasure - request deletion of your data (right to be forgotten).
- Restriction - ask us to limit how we use your data.
- Portability - receive your data in a structured, machine-readable format.
- Withdraw consent - at any time, where processing is based on consent. Withdrawal does not affect past processing.
To exercise any right, email privacy@pulln.io with the subject line "Data Subject Request". We will respond within 30 days. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.
5. Sub-processors
We share personal data only with the following processors, each bound by a Data Processing Agreement (GDPR Art. 28):
| Processor | Purpose | Region |
|---|---|---|
| Supabase | Database and authentication | EU (Frankfurt) |
| Vercel | Application hosting and CDN | EU-West (Dublin) |
| Cloudinary | Image and media optimisation | EU |
| Resend | Transactional email delivery | EU |
| Sentry | Error monitoring (PII-scrubbed) | EU (Frankfurt) |
Note on Sentry: Error monitoring is initialised automatically to maintain service stability (legitimate interest, Art. 6(1)(f)). All events are scrubbed of names, email addresses, phone numbers, and IP addresses before leaving your device. Session replay is permanently disabled. Sentry processes data exclusively in its EU (Frankfurt) region under a Data Processing Agreement.
6. Cookies
We use strictly necessary cookies and, with your consent, optional functional cookies. See our Cookie Policy for the full list.
7. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Confirmed guests will be notified of material changes by email.