Spekta Privacy Policy
Last updated: 28 May 2026
This policy explains what personal data Spekta collects, why we collect it, how we protect it, and the rights you have over it. We have written it to be readable — not a wall of legalese.
1. Who We Are
Spekta (“we”, “us”, “our”) is a SaaS platform that aggregates ticketing data from multiple providers — including Eventbrite, Weezevent, TicketTailor, and 20+ others — and makes it queryable in plain language via an AI-powered interface and an MCP-compatible API. We help event organizers understand their revenue, attendance, and conversion performance across all their platforms in one place.
Spekta is the data controller for the personal data described in this policy. Questions or requests may be directed to contact@welkom.eu.
2. Data We Collect
Account information
- Name and email address (provided at sign-up or via magic-link authentication).
- Company / organisation name (optional, provided by you).
- Billing contact email (may differ from login email).
Ticketing provider credentials
- API keys, OAuth2 tokens, or other authentication credentials you choose to connect for each ticketing provider.
- These credentials are encrypted at rest with AES-256-CBC before being stored (see Section 8).
- We never log or expose raw credentials in plaintext outside of the encrypted credential store.
Event and sales data synced from providers
- Event names, dates, venues, and capacities.
- Ticket types, quantities sold, and revenue figures.
- Attendee records (name, email, ticket type) — only if your connected provider surfaces them and you have the right to access them as the event organiser.
- Provider-reported conversion metrics.
Usage and product analytics
- Pages visited, features used, and queries submitted — collected via PostHog (see Section 5).
- Browser type, OS, and approximate location (country/city level from IP address).
- Core Web Vitals and unhandled JavaScript errors for product performance monitoring.
Payment data
- Subscription plan and billing status — we receive this from Stripe.
- We never see, store, or process raw card details. All payment processing is handled entirely by Stripe.
3. How We Use Your Data
We use the data we collect for the following purposes:
- Service delivery. Authenticating your account, syncing data from your ticketing providers, answering your queries, and generating analytics.
- Transactional emails. Sending login links, sync notifications, billing receipts, and service alerts.
- Product improvement. Understanding how users interact with features so we can improve the product — aggregated and pseudonymised where possible.
- Security and fraud prevention. Detecting abnormal usage patterns, rate-limiting abuse, and protecting your data.
- Legal and compliance. Fulfilling our legal obligations and responding to lawful requests from authorities.
We do not sell your personal data to third parties. We do not use your data to train AI models. We do not share attendee data with any party other than the ticketing providers you connect.
Our lawful basis under GDPR is: performance of a contract (providing the service you signed up for), legitimate interests (product analytics, security), and legal obligation where applicable.
4. Data Retention
- Event and ticket data synced from providers is retained for as long as your account is active. You may delete individual synced datasets from your Providers page at any time.
- Account information is retained for the duration of your subscription plus 30 days to allow re-activation, then permanently deleted.
- On account closure, all personal data (account info, provider credentials, synced event data) is deleted within 30 days, except where we are required to retain it by law (e.g. billing records for tax purposes — retained for 7 years).
- Analytics events (PostHog) are retained for 12 months on a rolling basis.
- Server logs containing IP addresses are retained for 90 days.
5. Third-Party Services
- Payment processing and subscription management. Data shared: Billing email, subscription plan.
- Product analytics and session insights. Data shared: Page views, feature interactions, browser/OS, anonymised IP.
- Ticketing providers (Eventbrite, Weezevent, TicketTailor, etc.). Data source — we read event/ticket/attendee data on your behalf. Data shared: Credentials you provide; event, ticket, and attendee data you authorise.
- Error monitoring and crash reporting. Data shared: Anonymised stack traces, user IDs (no PII in error payloads).
- Application hosting and edge delivery. Data shared: Request logs, IP addresses (ephemeral).
All sub-processors are bound by data processing agreements (DPAs) and are required to process data only on our instructions. We select sub-processors that offer adequate data protection guarantees.
6. Your Rights (GDPR)
If you are based in the European Economic Area (EEA), the UK, or another jurisdiction with equivalent data protection law, you have the following rights:
- Right of access. You can request a copy of the personal data we hold about you.
- Right to rectification. You can ask us to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”). You can ask us to delete your data, subject to legal retention requirements.
- Right to data portability. You can request your data in a structured, machine-readable format (JSON or CSV).
- Right to object. You can object to processing based on legitimate interests, including profiling.
- Right to restrict processing. You can ask us to pause processing while a dispute is resolved.
- Right to withdraw consent. Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, email us at contact@welkom.eu. We will respond within 30 days. We may ask you to verify your identity before processing the request.
You also have the right to lodge a complaint with your national data protection authority (e.g. CNIL in France, ICO in the UK, or the relevant EEA supervisory authority).
7. Cookies
We use a minimal set of cookies:
- spekta_session. Category: Strictly necessary. Purpose: Keeps you authenticated between page loads. Duration: Session (cleared on logout).
- ph_* (PostHog). Category: Analytics. Purpose: Product analytics — page views, feature usage, Web Vitals. Duration: 12 months.
You can disable non-essential cookies by adjusting your browser settings. Disabling the session cookie will prevent you from logging in. Disabling PostHog cookies means we will not be able to count your visits in our analytics.
8. Data Security
- All data is transmitted over HTTPS/TLS — we enforce HTTPS-only and set HSTS headers.
- Ticketing provider credentials (API keys, OAuth tokens) are encrypted at rest using AES-256-CBC with a key derived via scrypt before being stored in our database.
- Our database is hosted on dedicated infrastructure with network-level access controls. The database port is not publicly accessible.
- Application secrets (encryption keys, database URLs) are stored as environment variables and never committed to source code.
- Access to production infrastructure is limited to authorised personnel only.
- We have an incident response process. In the event of a data breach that affects you, we will notify you within 72 hours as required by GDPR Article 33.
No method of transmission over the internet is 100% secure. We implement industry-standard security measures and will continue to improve them as best practices evolve.
9. Children
Spekta is a professional SaaS tool intended for business users. It is not directed at individuals under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us at contact@welkom.eu and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- We will update the "Last updated" date at the top of this page.
- For material changes, we will send a notification email to all registered users at least 14 days before the change takes effect.
- Continued use of Spekta after the effective date constitutes acceptance of the updated policy.
We encourage you to review this page periodically. Previous versions of this policy are available on request.
For any privacy-related questions, requests, or complaints, contact us at:
We aim to respond to all privacy requests within 30 calendar days.