Privacy Policy
Last updated: 2026-05-02
1. Who we are
This Privacy Policy describes how Attendout ("Attendout", "we", "us", "our") collects, uses, and shares information about you when you visit attendout.com, sign up for an account, register for an event, sell tickets, or otherwise use our services (collectively, the "Service").
Attendout is an event management and ticketing platform headquartered in Nigeria. By using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
2. Information we collect
2.1 Information you give us directly
- Account information: first name, last name, email address, phone number, password (stored as a one-way hash), profile photo, and optional bio or social links.
- Event registration: name, email, phone number, and any custom fields the event organizer chooses to collect (for example: company, place of residence, dietary preferences, role).
- Event creation: the event details, images, descriptions, ticket plans, branding, and any text or media you upload as an organizer.
- Payment information: when you pay or get paid, you provide payment details (card, bank transfer, USSD, mobile money) directly to our payment processors. We receive a payment reference and amount; we do not store your full card number, CVV, or PIN.
- Withdrawal information (organizers): bank name, account number, account name, and a self-set withdrawal PIN (stored as a one-way hash).
- Lobby messages and feedback: the content of messages you send to or receive from event organizers, and any star ratings or written feedback you submit.
- Customer support: any information you provide when you contact us.
2.2 Information we collect automatically
- Device and connection data: IP address, browser type, operating system, referring URL, and approximate location derived from your IP.
- Usage data: pages and features you use, buttons you tap, events you view, the time and duration of visits, and similar telemetry.
- Session and authentication tokens: a session cookie (PHPSESSID) and a long-lived authentication token (JWT) used to keep you signed in.
- Push notification subscriptions: a unique subscription identifier issued by your browser when you opt in to web push notifications.
- Check-in and attendance records: when an event organizer scans your QR ticket, we record the time and status of the check-in.
2.3 Information from other sources
- Sign-in providers: if you sign in with Google, we receive your basic profile (name, email, profile picture) from Google.
- Event organizers and agents: if someone registers you for an event or transfers a ticket to you, we receive the registration information they entered on your behalf.
- Payment processors: we receive transaction status, settlement amounts, and reference numbers from our payment partners.
3. How we use your information
We use the information we collect to:
- Operate the Service - create and manage your account, process registrations, issue QR tickets, run check-in, calculate settlements, and pay out organizers.
- Process payments and prevent fraud or unauthorized transactions.
- Communicate with you - send transactional emails (registration confirmations, ticket transfers, password resets, OTPs), event-update broadcasts from organizers, and feedback or messaging notifications.
- Send push notifications when you've opted in.
- Provide customer support and respond to your requests.
- Improve and develop new features, including by analysing usage patterns and feature performance.
- Generate aggregated, de-identified statistics for product, business, and marketing purposes.
- Power optional AI features (for example, Cylox AI, which extracts event details from a flyer image you upload). When you use these features, the relevant content is sent to our AI provider (see Section 6).
- Enforce our Terms, investigate suspected misuse, and comply with our legal obligations.
We do not sell your personal information.
4. Legal bases we rely on
Where applicable law (including the Nigeria Data Protection Regulation and Nigeria Data Protection Act, the EU/UK GDPR for users in those regions, and similar regimes) requires a legal basis, we rely on:
- Performance of a contract - to provide the Service you've signed up for.
- Legitimate interests - to operate, secure, and improve the Service, prevent fraud, and communicate with you about the Service. We balance these interests against your rights.
- Consent - for push notifications, certain marketing emails where required, optional AI features, and any other use that legally requires consent. You can withdraw consent at any time without affecting prior processing.
- Legal obligation - to comply with tax, accounting, anti-fraud, and other laws.
5. When and how we share information
We share information in the following situations and only to the extent necessary:
- With event organizers: when you register for an event, the organizer of that event receives your registration details (name, email, phone, custom fields, attendance status, and the contents of any lobby messages or feedback you send to them) so they can run their event and communicate with you. You should review the organizer's own privacy practices before sharing additional information with them.
- With other attendees (when you opt in): if you turn on networking on a specific event lobby and choose to share your contact details, those details become visible to other attendees of that event in the lobby. You can switch this off at any time.
- With our service providers (sub-processors): we use vetted third parties to operate the Service. They process your information on our instructions under written agreements. See Section 6.
- For legal reasons: if we are required to do so by law, court order, or other lawful request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
- In a corporate transaction: if Attendout is involved in a merger, acquisition, financing, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will tell you before your information becomes subject to a different policy.
- With your consent: any other sharing we ask you to authorise.
We do not rent, sell, or trade your personal information to advertisers.
6. Sub-processors and service providers
The following categories of third parties help us run the Service. Each of them processes only the information needed for their function:
- Flutterwave: Primary payment processor for ticket purchases, agent payments, and organizer payouts (cards, bank transfer, USSD, QR, mobile money).
- Paystack: Secondary payment processor used for select verification flows.
- Flow Finance: Automated bookkeeping - records invoices, payments, and debits for our financial reporting.
- Microsoft Azure: Cloud hosting for our application servers and primary database.
- Amazon Web Services (S3): Storage for event images, profile photos, and other media.
- Google (OAuth + Gmail SMTP): Optional sign-in via Google; transactional email delivery via Gmail SMTP.
- OpenAI: Powers Cylox AI flyer-to-event extraction. Only triggered when you upload a flyer to the AI tool.
- Web Push services: Browser-vendor push services (Apple, Google, Mozilla) deliver push notifications you've opted in to.
We may add, remove, or replace sub-processors as our Service evolves. For the most current list, contact us at the email below.
7. Cookies, sessions, and tracking
We use a small number of cookies and similar technologies:
- Strictly necessary: the PHPSESSID session cookie and the access_token authentication cookie keep you signed in and protect your account. These are set with the Secure, HttpOnly, and SameSite=Lax attributes.
- Functional: we use your browser's local storage and small client-side flags (for example, to remember whether you've dismissed a banner, opted out of a push prompt, or collapsed a section) so the interface behaves the way you set it.
- Analytics: we collect first-party usage analytics (FTrack and similar internal tools) to understand how features are used. This data is generally aggregated; where we link it to your account it is treated as personal data under this policy.
You can clear cookies and local storage at any time using your browser settings. Doing so will sign you out and reset your in-app preferences.
8. How we protect your information
We use technical and organisational measures designed to protect your information, including:
- HTTPS/TLS for all browser-to-server traffic, with HSTS enabled.
- Hashed passwords and withdrawal PINs (we never store these in plain text).
- Authenticated encryption (AES-256-GCM with per-event derived keys) for the contents of attendee-to-organizer lobby messages.
- Encrypted, URL-safe tokens for guest-friendly links so we don't expose raw identifiers in shared URLs.
- Role-based access controls inside the platform (event owners, delegates, agents, attendees) and gated super-admin tooling for sensitive operations.
- Modern HTTP security headers (HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).
- A rate-limited email queue to reduce the risk of abuse.
- Backups of the primary database, kept for operational continuity.
No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we work to keep our defences current and we monitor for incidents. If a breach affects you and the law requires notification, we will notify you and the appropriate regulator without undue delay.
9. How long we keep your information
We keep your information for as long as your account is active and for as long as we need it to run the Service or comply with law. Specifically:
- Account records and registrations - kept while your account is active.
- Financial records (invoices, payouts) - kept for at least the period required by Nigerian tax and accounting law (currently a minimum of six years from the end of the relevant financial year).
- Lobby messages and feedback - kept while the related event exists; retained encrypted until deleted by an organizer or the account owner.
- Backups - retained for a limited rolling window for disaster recovery; entries you delete will eventually age out of backups.
When we no longer need your information, we delete it or de-identify it.
10. Your rights and choices
Depending on where you live, you may have the following rights:
- Access - request a copy of the personal information we hold about you.
- Correction - ask us to update or correct inaccurate information. You can update most profile fields directly in your dashboard.
- Deletion - ask us to delete your account and personal information, subject to our legal and accounting obligations.
- Restriction or objection - ask us to limit how we process your information or object to certain processing.
- Portability - ask for a machine-readable copy of information you've provided.
- Withdraw consent - where we rely on consent, withdraw it at any time.
- Lodge a complaint - with your local data-protection authority (in Nigeria, the Nigeria Data Protection Commission - NDPC).
To exercise these rights, email us at privacy@attendout.com. We may need to verify your identity before acting on a request, and we may decline or limit a request where we are legally permitted to do so.
11. International transfers
Attendout is operated from Nigeria but our service providers may process your information in other countries (including the United States and the European Union) where they are based. Where information is transferred internationally, we rely on safeguards such as the providers' own certifications, standard contractual clauses, or other lawful transfer mechanisms.
12. Children
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, please contact us and we will take appropriate steps to delete it.
13. Third-party links and event content
Event pages, organizer broadcasts, and ticket emails may include links to third-party websites or services. We are not responsible for the privacy practices of those third parties. Event organizers are independent of Attendout - they are responsible for the content of their events and for how they use information about their attendees once it has been shared with them.
14. Changes to this policy
We may update this policy from time to time. When we make material changes, we will revise the "Last updated" date at the top of this page and, where appropriate, notify you by email or in-app notice before the changes take effect. Your continued use of the Service after the effective date means you accept the updated policy.
If you have questions about this Privacy Policy or how we handle your information, contact us at:
For complaints, you may also contact the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.