Privacy Policy

Contact and Identity Data:

• Email address, first name, last name
• Phone number (if provided)
• Business name and trading details

Business and Trading Data:

• Business address and contact details
• Stall information (size, power requirements, product types)
• Photos and descriptions of your products/stalls
• Insurance and certification documents
• VAT registration details (if applicable)

Festival Application Data:

• Festival applications and their status
• Application notes and internal tracking data
• Deadline and calendar information
• Application forms and submitted documents
• Festival booking confirmations

Staff and Team Management Data:

• Staff member names, email addresses, and phone numbers
• Staff role assignments and responsibilities
• Stall allocation and scheduling information
• Staff availability and working preferences

Technical and Usage Data:

• IP address, browser type, device information
• Login times and platform usage patterns
• Cookies and similar tracking technologies

We process your personal data under the following legal bases:

Contract Performance (Article 6(1)(b) UK GDPR):

• Processing your name, email, and business details to provide the FestyFlow service
• Managing your festival applications and tracking deadlines
• Storing and organizing your business documents, including insurance and certification documents
• Managing staff data and stall allocations for festival operations

Legitimate Interest (Article 6(1)(f) UK GDPR):

• Using IP addresses and technical data for fraud prevention and platform security
• Analyzing usage patterns to improve our service
• B2B direct marketing to individuals acting in a professional capacity within the festival trading and events sector, where we have a reasonable expectation of relevance for our business software and services

Consent (Article 6(1)(a) UK GDPR):

• Sending marketing and promotional communications
• Using non-essential cookies for analytics

Legal Obligation (Article 6(1)(c) UK GDPR):

• Retaining financial records for tax and accounting purposes
• Complying with data protection and other legal requirements

Lawful Basis for B2B Marketing:

We process business contact data under the lawful basis of "Legitimate Interest" (Article 6(1)(f) UK GDPR) for B2B direct marketing purposes.

Our Legitimate Interest:

Our legitimate interest is the marketing and sale of our business software and services (specifically festival trader management tools) to individuals acting in a professional capacity within the festival trading and events sector, where we have a reasonable expectation of relevance based on their business activities.

Source of B2B Contact Data:

We obtain business contact data from the following sources:

• Publicly available sources, such as company websites and public business directories
• Professional networking sites and industry publications
• Business contacts who have provided their details through professional interactions
• Industry events and trade shows where business cards or contact details were exchanged
• Referrals from existing business contacts within the festival trading and events sector

All B2B contact data is obtained strictly for legitimate business-to-business direct marketing purposes and relates specifically to individuals operating within the festival trading and events industry.

Your Right to Object:

You have the absolute right to object to this processing at any time. If you object to receiving B2B marketing communications from us, we will immediately cease processing your data for direct marketing purposes. You can object by:

• Using the unsubscribe link in any marketing email
• Emailing us directly at privacy@festyflow.com
• Contacting us through any of the methods listed in this policy

Note that all B2B direct marketing emails also comply with PECR by including a clear sender identity and a one-click unsubscribe mechanism.

B2B Data Retention:

We retain B2B contact data for a maximum of 12 months from initial contact, or until an objection is received, whichever is sooner. If you do not engage with our communications or opt-in to our services within this period, your data will be automatically deleted.

We use your personal data for the following purposes:

• Service Provision: To provide and maintain the FestyFlow platform, manage your account, process festival applications, and coordinate staff assignments
• Communication: To send service updates, deadline reminders, and respond to your inquiries
• Marketing: To send promotional communications about new features and services (with your consent)
• Platform Improvement: To analyze usage patterns and improve our service functionality
• Security: To detect and prevent fraud, abuse, and security incidents
• Legal Compliance: To comply with legal obligations and protect our rights

Current Data Sharing Policy:

We do not currently share your personal data with third parties, including festival organizers, service providers, or other external parties. All your data remains securely stored within our platform and is used solely to provide the FestyFlow service to you.

Future Data Sharing:

Should we need to share data with third-party service providers in the future (such as cloud hosting providers, email services, or payment processors), we will:

• Update this Privacy Policy with clear details about any data sharing
• Ensure all service providers are contractually bound to protect your data
• Only share data that is necessary for the specific service being provided
• Notify you of any significant changes to our data sharing practices

Data Sales:

We do not sell, rent, or trade your personal data to any third parties, and we never will.

We retain your personal data for the following periods:

Active Account Data: For the duration of your active account

Closed Account Data: For 12 months after account closure, then anonymized or deleted

Staff Data: For the duration of your active account, deleted within 30 days of staff removal or account closure

Festival Application Records: For 5 years after festival completion to enable historical business analysis, allow you to reference previous applications when planning future festival seasons, and support dispute resolution

Financial Records: For 7 years as required by UK tax law

Marketing Data: Until you withdraw consent or 3 years of inactivity

Legal Claims: Until the expiry of applicable limitation periods

We regularly review our retention periods and delete data that is no longer necessary.

Under UK GDPR, you have the following rights regarding your personal data:

Right of Access (Article 15): Request a copy of the personal data we hold about you

Right to Rectification (Article 16): Request correction of inaccurate or incomplete data

Right to Erasure (Article 17): Request deletion of your personal data in certain circumstances

Right to Restrict Processing (Article 18): Request limitation of how we use your data

Right to Data Portability (Article 20): Request transfer of your data in a machine-readable format

Right to Object (Article 21): Object to processing based on legitimate interests or for marketing

Right to Withdraw Consent: Withdraw consent for processing where consent is the legal basis

How to Exercise Your Rights:

To exercise any of these rights, contact us at privacy@festyflow.com. We will respond within one month of receiving your request. You may also lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your data properly.