EventMates Privacy Policy
Effective date: 10.07.2026 · Version: 1.1
1. Controller and contacts
The personal‑data controller is Individual Entrepreneur Maksim Muratov, registered in Georgia; identification (registration) number 345665336, registration date 30.09.2022, registering authority — LEPL National Agency of Public Registry; legal address: Georgia, Batumi, Zhiuli Shartava avenue, N 32, apartment N87.
Contact for data‑related matters (including data‑subject requests and complaints): rnd.develop@gmail.com.
This Policy covers the "EventMates" Telegram Mini App, related Telegram bots and the Service backend.
2. What data we process
2.1. Data from Telegram (on authentication):
- Telegram account ID;
- username
@username; - language setting (
language_code); - profile photo link;
- Telegram profile bio, where available.
2.2. Profile data (provided by the User):
- name;
- e‑mail;
- phone number;
- photo (link);
- "about" text;
- professional data: field of activity, "what I'm looking for";
- links (LinkedIn, public link);
- time zone;
- startup info (name, description).
2.3. Data generated by the Service automatically (derived):
- structured fields extracted by AI from the profile text (field of activity, skills, short summary, goals — including in different languages);
- vector representations (embeddings) of the profile for semantic search and matching;
- recommendations, compatibility summaries and first‑message templates.
2.4. Usage data:
- search queries;
- the fact and context of starting a conversation (who, with whom, from which screen, in which event);
- contact‑disclosure events;
- event participation, statuses, check‑in marks;
- poll answers, ratings and text feedback about events.
2.5. Data when using specific features:
- images uploaded at registration/check‑in desk (text recognition — name, e‑mail);
- audio, when using voice input (transcription to text).
2.6. Ticket‑payment data (for paid events): payment amount and currency, transaction status and identifier, the payer's identifier with the payment provider. The Operator does not collect or store full card details — they are entered on the payment provider's side and processed by it.
2.7. Technical data: operation logs, diagnostic data, request identifiers (for reliability and security).
3. Purposes and legal bases
| Purpose | Legal basis (Georgian law / GDPR) |
|---|---|
| Registration, authentication, providing functionality | performance of the contract (offer) — Art. 6(1)(b) |
| People matching, search, recommendations, embeddings, AI processing | consent — Art. 6(1)(a) / legitimate interest — Art. 6(1)(f) |
| Transfer to AI provider (incl. cross‑border) | consent — Art. 6(1)(a) |
| Service‑related notifications | performance of the contract — Art. 6(1)(b) |
| Collecting and accounting for paid‑event ticket payments | performance of the contract — Art. 6(1)(b); tax/accounting requirements — Art. 6(1)(c) |
| Marketing messages | separate consent — Art. 6(1)(a) |
| Analytics, service improvement, security | legitimate interest — Art. 6(1)(f) |
| Record‑keeping, dispute resolution, legal compliance | legal requirement / legitimate interest — Art. 6(1)(c)/(f) |
Withdrawal of consent does not affect the lawfulness of processing before withdrawal and does not stop processing that has another legal basis.
4. Data sources
Data is obtained: (1) directly from the User; (2) from the Telegram platform on authentication; (3) generated by the Service through use (derived data, analytics).
5. Who receives the data
To operate the Service, data is shared with the following categories of recipients (processors):
| Recipient | Purpose | What is shared | Where |
|---|---|---|---|
| OpenAI (AI provider) | profile structuring, embeddings, search, recommendations, message generation, image/audio recognition | profile text, search queries, and — when those features are used — images and audio | USA (cross‑border) |
| Telegram | authentication, delivery of notifications | Telegram ID, notification content | per Telegram's policy |
| Hosting/DB provider (Render.com) | data storage and processing | all Service data | Frankfurt, Germany (EU/EEA) |
| Monitoring provider (Elastic/OpenTelemetry) | technical observability, diagnostics | logs and technical data | EU (per provider configuration) |
Payment provider (acquiring) [name — to be filled in] | collecting paid‑event ticket payments | data needed to process the payment: amount, currency, transaction identifier; card details are entered on the provider's side | [jurisdiction — to be filled in] |
Data is not sold to third parties. Disclosure to public authorities occurs only in the cases and manner provided by law.
6. Cross‑border transfer and storage location
6.1. Primary storage and processing take place in a data centre in Frankfurt (Germany, EU/EEA). Certain data is transferred outside the EEA — primarily to the AI provider (OpenAI) in the USA; such cross‑border transfer is based on the User's consent and (for EU/EEA subjects) appropriate safeguards (see 6.2).
6.2. For EU/EEA Users: cross‑border transfer to third countries (in particular to the AI provider in the USA) is based on appropriate mechanisms — consent and/or Standard Contractual Clauses (SCC) with recipients.
7. AI processing
7.1. The Service uses AI to structure profiles, build embeddings, run semantic search, generate recommendations and message templates, and — where those features are used — recognize text in images and transcribe audio.
7.2. For this, data (including profile text and search queries) is transferred to the AI provider. Outputs are informational and may be inaccurate (see the Terms of Use).
7.3. The Service does not make automated decisions producing legal or similarly significant effects for the User without human involvement.
8. Retention periods
8.1. Profile data is stored until the User deletes their profile or the Service ceases to be provided.
8.2. On profile deletion, the following are deleted: the profile, its embeddings, and event‑participation records.
8.3. The following are retained in anonymized/limited form for up to 12 months after deletion for record‑keeping, security and anonymized analytics (conversation‑start events, event feedback). Records needed to defend against legal claims and to comply with the law (including the deletion record) are kept until the limitation period expires — generally 3 years. Technical logs are kept for up to 90 days. Payment and accounting records for ticket sales are kept for the periods required by Georgian tax and accounting law. This data is not used to identify the User after deletion.
9. Data‑subject rights
9.1. Under Georgian law (Law of Georgia on Personal Data Protection — applies as the Operator is registered in Georgia) the User may: obtain information about the processing; require rectification, update, blocking, erasure or destruction of data; withdraw consent; lodge a complaint with the Personal Data Protection Service of Georgia.
9.2. Under GDPR (for subjects in the EU/EEA) the User has the rights to: access (Art. 15), rectification (16), erasure (17), restriction (18), portability (20), objection (21), withdrawal of consent (7), and to lodge a complaint with a supervisory authority.
9.3. How to exercise rights:
- delete the profile and related data — via the Service (profile‑deletion feature);
- withdraw consent / submit another request — at rnd.develop@gmail.com. A response is provided within the periods set by applicable law.
10. Security
10.1. The Operator applies legal, organizational and technical safeguards: secure authentication via signed Telegram data with replay protection, access control, request‑rate limiting, hashing of organizer account passwords, and secure connections.
10.2. No method of transmission or storage is absolutely secure. In the event of a breach posing a risk to data subjects' rights, the Operator notifies the competent authority and (where necessary) the subjects within the periods set by law.
11. Minors
The Service is not intended for individuals below the age stated in the Terms of Use. The Operator does not knowingly collect such individuals' data; if identified, the data is deleted.
12. Cookies and similar technologies
The Service runs inside Telegram and does not use third‑party advertising cookies. It uses technical means needed for operation (e.g. session/auth tokens) and anonymized product analytics.
13. Changes to this Policy
The Operator may update this Policy. The current version is published in the Service with its date. Material changes are communicated additionally.
14. Requests and complaints
For any data‑processing matters and to exercise rights: rnd.develop@gmail.com. Supervisory authorities: Personal Data Protection Service of Georgia — personaldata.ge; for the EU/EEA — the data‑protection authority of the User's country of residence.