Back to registrationPYPO

Privacy Policy

Last updated: 05/12/2026

Introduction

PYPO is operated by PYPO, a Brazilian company. This notice covers personal data PYPO processes as controller for the Service. When an agency uses PYPO to run an event, that agency is normally the controller for its guests and must give those data subjects its own privacy notice.

Information We Collect

We collect three categories of data: agency staff account data such as signup, billing, profile, and marketing opt-in details; event guest data that agencies collect and enter while PYPO acts as processor; and audit logs used for authentication, authorization, security, and abuse prevention.

How We Use Your Information

We process agency staff data to deliver the Service under GDPR Art. 6(1)(b) and LGPD Art. 7-V, secure the platform under GDPR Art. 6(1)(f) and LGPD Art. 7-IX, and meet billing and tax obligations under GDPR Art. 6(1)(c) and LGPD Art. 7-II. Dietary, accessibility, or other GDPR Art. 9 / LGPD Art. 11 data is controller-provided by agencies under their separate lawful basis.

Information Sharing

We use the sub-processors listed at /legal/sub-processors to host, secure, monitor, email, and bill for the Service. We do not sell personal data. Where international transfers are required, we rely on applicable Data Privacy Framework certifications, Standard Contractual Clauses, or equivalent transfer safeguards.

Sub-processors

Data Security

We maintain technical and organizational measures including encryption in transit and at rest, MFA for privileged access, audit logging, least-privilege access, role-based authorization, and EU-resident production infrastructure.

Data Retention

Active tenant data is retained while the account is active. Event, contact, billing, audit, and support records follow the retention design in PYPO-512 Track A. Terminated tenants receive a 90-day grace period before hard deletion by the automated retention job; renewal before the grace period ends cancels deletion.

Your Rights

Depending on where you are located, you may have LGPD rights to confirmation, access, correction, anonymization, blocking, deletion, portability, information about sharing, information about denying consent, and review of automated decisions, plus GDPR rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Resource-level export and delete controls are available in the relevant app areas where implemented. You can also contact privacy@pypo.events; processor-side requests received from event guests are forwarded to the responsible agency within 7 days.

Cookies and Tracking

We use strictly necessary cookies only, including Supabase authentication cookies beginning with sb-, NEXT_LOCALE for language preference, and CSRF/session-protection cookies. Vercel Analytics is cookieless. We do not use marketing cookies or an analytics consent banner.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify account owners of material changes by email and will update the Last updated date shown on this page.

Representative

We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:

European Union (EU)

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter or make use of your data subject rights, please visit the following website: https://app.prighter.com/portal/pypo-events-privacy

Contact

If you have questions about this Privacy Policy or want to contact our Encarregado/Data Protection Officer, please contact dpo@pypo.events.

Terms of ServicePrivacy PolicyData Processing AgreementSub-processors
© 2026 PYPO