Privacy Policy
seeU Events · Effective date: 01.03.2026
CU Development GmbH, FN 610752 s, Grazer Straße 62, 8111 Gratwein Straßengel (hereinafter also referred to as the "Operator" or "seeU") operates mobile apps for Android and iOS as well as a web platform under the brand name "seeU Events". The Operator, as the controller within the meaning of the General Data Protection Regulation (GDPR), determines the purpose and means of data processing and is ultimately responsible for ensuring that data processing is carried out in compliance with applicable laws.
This Privacy Policy supplements our Terms of Service, which govern the use of the seeU services. Both documents are available to our Users at all times in their complete and current version on our website at www.seeu.events. In the event of ambiguity, the respectively applicable statutory provisions shall apply.
1. Preamble
Users who use the seeU platform entrust the Operator with personal data. Personal data is any type of information that can be directly or indirectly associated with a natural person or a company. This includes, among others, name, address, email address, date of birth, and biometric data. Additionally, IP addresses, location data, device identifiers, or information about usage behavior may be considered personal data.
This Privacy Policy supplements the Terms of Service and applies to the use of the seeU services and the utilization of the services offered therein. The Privacy Policy that is retrievable online at the time of a User's specific visit or specific use of services shall apply.
2. Data Collection and Processing
The Operator collects data in connection with registration and the subsequent use of the seeU services. Personal data is collected in the following ways:
2.1 Data Provided by the User
When the User creates their account or performs activities as a registered User, they share information about themselves with the Operator. Personal data in this category is actively communicated by the User, for example by completing registration, contacting support, providing feedback, creating events, uploading media, or updating their profile.
2.1.1 Registration and Authentication
Registration on seeU is performed via one of the following authentication methods:
(a) Email Authentication: Users receive either a magic link or a one-time password (OTP) sent to their email address to verify their identity.
(b) Google Sign-In: Users may register and log in using their existing Google account. In this case, seeU receives the User's name, email address, and profile picture from Google.
(c) Apple Sign-In: Users may register and log in using their existing Apple ID. In this case, seeU receives the User's name and email address from Apple. Apple may provide a private relay email address if the User chooses to hide their actual email.
Regardless of the authentication method used, the email address associated with the account must be truthful, complete, and kept up to date. seeU does not receive or store passwords from third-party authentication providers.
2.1.2 Profile Data
Upon registration and during profile completion, the following categories of personal data may be collected:
(a) Identity Data: Email address, first name, last name, display name, date of birth, gender.
(b) Profile Data: Avatar image, biographical description, hometown (country, city), interest and category preferences.
(c) Host Business Data (for Hosts only): Business type (individual, company, non-profit, government entity), business name, business address, VAT identification number (UID).
2.2 Data Collected During Use of Services
When using the seeU services and carrying out activities, the User transmits data that is stored by the Operator to identify the User and ensure the smooth provision of services. The Operator also stores information when the User contacts support. The following categories of data are collected during use:
2.2.1 Technical and Device Information
The Operator collects information about the User's device, including operating system type (Android/iOS), device type (mobile/tablet/desktop), app version, and browser information. This data is used for compatibility, analytics, and to adapt services to the User's device.
2.2.2 Usage and Behavioral Data
The Operator records User activities, such as event views, event likes, profile visits, last online timestamps, event attendance history, and interactions with media (likes, comments). This information is used to prevent misuse and fraud, to improve the services, and to provide the User with personalized content, recommendations, and information.
2.2.3 Location Data
When using seeU, the Operator collects the User's location based on GPS coordinates, provided the User has granted location permissions on their device. Location data is collected in the following cases:
- When browsing events, to display events near the User.
- When using the search function, to provide location-based results.
- When creating an Event Mode, to make it discoverable for nearby Users.
- When specifying a hometown in the User profile.
- Continuously during active Event Mode participation, to enable the real-time location map feature for connected Users.
Outside of Event Mode, seeU does not perform continuous background location tracking. Users may share their location with other Users through a voluntary, opt-in system with three levels: deactivated (default), all connections, or selected connections. Location sharing is subject to a reciprocity principle: a User's location is visible to another User only when both have activated sharing for each other. Location data older than 24 hours is not displayed to other Users.
2.2.4 Financial and Payment Data
When purchasing tickets or receiving payouts as a Host, the following financial data is processed through the external payment service provider: payment card last 4 digits, card country, transaction amounts, payment status, and payment timeline. For Hosts receiving payouts, additionally: bank account details and business information. Full card numbers and sensitive payment credentials are never stored by seeU; these are handled exclusively by the payment service provider in compliance with PCI DSS standards.
2.2.5 Biometric Data (Face Recognition)
seeU offers an optional face recognition feature. Biometric data is collected only with the User's express, informed consent. The following biometric data is collected upon enrollment:
- A selfie image uploaded by the User, stored on seeU's servers.
- A mathematical face model (face embedding) generated by an external service provider and stored in their database.
- A technical identifier assigned by the external service provider linking the face model to the User's account.
- A confidence score indicating the quality of the enrolled face.
When photos are uploaded during Event Modes, faces in those photos are automatically detected and compared against enrolled Users' face models using a similarity threshold of 80%. Matches are stored as face match records. Faces of non-enrolled Users are detected but not matched to any identity.
The User may withdraw consent and delete all biometric data at any time via the App settings. Upon withdrawal, the selfie image, face embedding, and all face match records are irrevocably deleted. Biometric data processing is carried out by an external service provider based in the United States (see Section 7 for details on data transfers).
2.2.6 Social and Connection Data
When Users establish connections with other Users (via QR code, NFC, invitation link, contact invitation, or photo connect), the following data is stored: connection identifier, connection method, associated chat room, timestamp, and (for photo-based connections) the connection photo. Following relationships (User follows Host) and profile visit records are also stored.
2.2.7 Chat and Messaging Data
Messages sent through the platform's chat functions are stored as follows: Direct messages, group chats, and broadcast messages are encrypted using symmetric encryption (PGP) with per-room encryption keys managed by seeU. Event Mode chats are stored in plaintext (unencrypted). Message metadata (timestamp, sender, message type) is stored alongside the content. Deleted messages are soft-deleted: the content is removed but metadata may persist for technical and legal reasons. Read receipts are tracked per message.
2.2.8 Media Data
Photos and videos uploaded during Event Modes are stored on the platform's servers. Metadata is recorded for each upload, including media type (photo/video), dimensions, file size, duration (for videos), and capture timestamp. Published media are stored in publicly accessible storage systems. Users are advised that media may be technically accessible outside the App (see Terms of Service, Section 13.3).
2.2.9 Notification Data
To deliver push notifications, the Operator stores Firebase Cloud Messaging (FCM) device tokens associated with the User's account. Notification content and delivery status may be temporarily stored for delivery purposes.
2.3 Data Collected Automatically
Certain data is collected implicitly or automatically during use of the services:
- GPS coordinates captured during event browsing (with location permissions granted).
- Last online timestamps.
- Event view and like counts.
- Face detection on uploaded media (for enrolled Users only).
- Automated content moderation checks on images and text.
3. Purpose of Data Processing
The Operator uses the User's data for the following purposes:
3.1 Provision of Services. Personal data is processed to provide the seeU services, including user account management, event discovery based on location, ticket purchasing and payment processing, event check-in, Event Mode features (shared albums, group chat, proximity discovery), face recognition for photo tagging and user connections, location sharing between connected Users, and communication via chat and notifications.
3.2 Improvement and Development. The Operator uses data to improve the services, for example by analyzing usage patterns, optimizing the user experience, identifying and resolving technical issues, and testing new features (beta tests). Analyses are typically performed on aggregated and anonymized data. The Operator may also use individually attributable data to provide technical support or to better understand how individual Users use the services. Vector embeddings are generated from event data (titles, descriptions) to improve search functionality through semantic search.
3.3 Personalized Content and Recommendations. The Operator uses available information to personalize the services and offer Users relevant content. This includes event recommendations based on location, interests, and past behavior. seeU does not sell personal data to advertising networks and does not display third-party advertising within the App.
3.4 Safety, Security, and Fraud Prevention. Data is used to prevent various forms of misuse of the services, including fraudulent activities, unauthorized access, scraping, and other activities that violate the Terms of Service or applicable law. This includes automated content moderation (image analysis for prohibited content, text analysis for hate speech and harassment), rate limiting and bot protection, and the review of logs in case of suspected misuse.
3.5 Communication. The Operator uses the User's email address and push notification tokens to send transactional communications (authentication, ticket confirmations, refund notifications, invoices) and, with separate consent, marketing notifications about new events from followed Hosts. Users may deactivate push notifications at any time via device settings or the App. Marketing notifications require separate consent that may be withdrawn at any time.
3.6 Legal Compliance. Data may be processed to comply with legal obligations, including tax and commercial law retention requirements, responses to lawful requests from authorities, and the establishment, exercise, or defense of legal claims.
4. Legal Basis for Data Processing
The Operator processes personal data on the following legal bases under the GDPR:
(a) Contract Performance (Art. 6(1)(b) GDPR): Processing necessary for the performance of the contract between the User and seeU, including account management, ticket processing, payment handling, and service delivery.
(b) Legitimate Interest (Art. 6(1)(f) GDPR): Processing necessary for the legitimate interests of the Operator, including fraud prevention, service improvement, analytics, and security measures, provided these interests are not overridden by the User's rights.
(c) Consent (Art. 6(1)(a) GDPR): Processing based on the User's express consent, in particular for biometric data processing (face recognition, Art. 9(2)(a) GDPR), marketing notifications, and location sharing with other Users.
(d) Legal Obligation (Art. 6(1)(c) GDPR): Processing necessary for compliance with legal obligations, including tax retention requirements and responses to lawful authority requests.
Any processing beyond these bases occurs only with the express consent of the User or on the basis of statutory provisions.
5. Content Moderation and Automated Processing
seeU employs automated systems to review content and ensure platform safety:
5.1 Image Moderation. Photos uploaded to the platform are automatically analyzed by an external service provider prior to publication. The analysis checks for prohibited content including explicit nudity, violence, drugs, hate symbols, and other categories. The review is based on a probability assessment (confidence threshold). Photos may be incorrectly rejected (false positives) or impermissible content may not be detected (false negatives). In the course of moderation, the image data is transmitted to the external service provider.
5.2 Text Moderation. Text content (messages, comments, descriptions) may be automatically analyzed by an external service provider for violations including hate speech, violence, sexual content, and harassment. The text content is transmitted to the external service provider for this purpose.
5.3 Video Content. Video uploads are currently not subject to automated moderation. seeU reserves the right to introduce automated video moderation at a later time.
5.4 Face Detection and Recognition. When photos are uploaded during Event Modes, faces are automatically detected and (for enrolled Users) compared against stored face models by an external service provider. Image data is transmitted to this provider for processing. This processing is based on the User's explicit consent and may be withdrawn at any time (see Section 2.2.5).
5.5 Automated Decision-Making. The automated moderation systems may result in content being rejected or hidden without prior human review. Users may contact support if they believe their content was incorrectly moderated. seeU does not use automated decision-making for account suspensions; all bans are applied through manual review.
6. Data Sharing and Disclosure
The Operator shall not share, sell, transfer, or otherwise disclose personal data in any manner other than as described in this Privacy Policy, unless required by law or with the User's express consent.
6.1 Disclosure to Hosts. To the extent necessary for the execution of an event, personal data (including contact data, profile information, and ticket details) may be shared with the respective Host. The Host is responsible for the proper processing and protection of such data. For uses beyond the organization of the event, the Host requires the separate consent of the affected User.
6.2 Disclosure to Authorities. The Operator may disclose personal data to law enforcement or other authorities if there is a suspicion of unlawful conduct in connection with the use of the services, provided a corresponding court order or administrative directive exists.
6.3 Data Processors. The Operator engages external service providers (data processors within the meaning of the GDPR) to deliver its services. Data processing agreements pursuant to Art. 28 GDPR are concluded with all such providers. Processors may only process data for the purposes specified in this Privacy Policy and expressly agreed upon with the respective provider. Details on the specific service providers are set out in Section 7.
6.4 Other Users. Certain data is visible to other authenticated Users of the platform, including: public profile information (display name, avatar, bio, hometown, interests, fame score, event statistics), location data (only if mutual location sharing is activated), and media uploaded in Event Modes. Users control the visibility of their location through the sharing settings described in Section 2.2.3.
7. Third-Party Services and International Data Transfers
The Operator engages the following categories of external service providers, many of which are based outside the European Economic Area (EEA):
7.1 Payment Processing. Provider: Stripe, Inc. (United States). Data shared: Name, email, payment card details, transaction amounts, business information (for Hosts). Purpose: Processing of ticket payments, refunds, and Host payouts via Stripe Connect. Stripe processes payment data under its own privacy policy and PCI DSS compliance standards.
7.2 Face Recognition and Image Moderation. Provider: Amazon Web Services (AWS Rekognition), United States. Data shared: Uploaded images, face embeddings, biometric data. Purpose: Face enrollment, face matching in event photos, and automated image content moderation.
7.3 Text Moderation. Provider: OpenAI, United States. Data shared: User-generated text content submitted for review. Purpose: Detection of hate speech, violence, harassment, and other prohibited text content.
7.4 Push Notifications. Provider: Firebase Cloud Messaging (Google), United States. Data shared: Device tokens (FCM tokens), notification content. Purpose: Delivery of push notifications to User devices.
7.5 Device Attestation. Provider: Firebase App Check (Google), United States. Data shared: Device attestation tokens. Purpose: Verification that requests originate from genuine app instances (bot protection for mobile).
7.6 Web Bot Protection. Provider: Cloudflare Turnstile, United States. Data shared: Browser fingerprint data. Purpose: Protection against automated access on the web platform.
7.7 Transactional Email. Provider: Resend, United States. Data shared: Email addresses, email content (authentication links, ticket confirmations, refund notifications, invoices). Purpose: Delivery of transactional emails.
7.8 Error Monitoring. Provider: Sentry. Data shared: Error traces, stack traces, device information. Purpose: Detection and resolution of technical errors.
7.9 Database, Authentication, and Storage. Provider: Supabase. Data shared: All application data, user credentials and sessions, uploaded files (images, videos, PDFs, invoices), API keys and encryption keys. Purpose: Core platform infrastructure including database, authentication, file storage, and server logic.
7.10 Third-Party Authentication. Providers: Google (United States), Apple (United States). Data shared: Name, email address, and profile picture (Google) or name and email address (Apple). Purpose: User registration and login via Google Sign-In or Apple Sign-In. These providers process authentication data under their own privacy policies. seeU does not receive or store passwords from these providers.
7.11 Semantic Search. Provider: AI service provider. Data shared: Event text (titles, descriptions). Purpose: Generation of vector embeddings for improved search functionality.
7.12 International Data Transfers. The service providers listed above are partially or fully based in the United States. seeU ensures that appropriate safeguards pursuant to the GDPR are in place for all data transfers to countries outside the EEA. This is achieved through: (a) Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR; and/or (b) an adequacy decision of the European Commission pursuant to Art. 45 GDPR (including the EU-U.S. Data Privacy Framework, where applicable). This applies in particular to the transfer of biometric data to AWS Rekognition and the processing of payment data by Stripe. In all other cases, transfers outside the EEA occur only with the User's consent.
8. Cookies and Tracking Technologies
The seeU website uses cookies to enable all functionalities and facilitate use of the site. Cookies are small text files that allow the Operator to store specific information on the User's device while visiting the website.
8.1 Essential Cookies. These cookies are necessary for the basic functionality of the website, such as maintaining login sessions and security features. They cannot be deactivated.
8.2 Analytics Cookies. With the User's consent, the Operator may use analytics tools to understand how the website and services are used. Such analyses are typically performed on aggregated and anonymized data.
8.3 Mobile App. The seeU mobile App does not use browser cookies. Instead, the App uses device tokens (FCM tokens for push notifications) and session tokens (JWT-based authentication via Supabase Auth) for identification and service delivery.
8.4 Managing Cookies. Users may deactivate cookies, restrict them to certain websites, or configure their browser to notify them about cookies. Users may also delete cookies from their device at any time. In such cases, limited display and functionality of the website may result.
9. Data Retention
The Operator stores personal data no longer than necessary for the fulfillment of the purposes described above or as required by statutory retention obligations. The following retention periods apply:
(a) Profile Data: Stored for the duration of the active user account. Deleted upon account deletion.
(b) Event Data: Active events are stored for the duration of their lifecycle. Archived events remain in archived form to provide permanent event histories, ratings, and event albums.
(c) Payment and Invoice Data: Stored for a minimum of seven (7) years after the transaction in accordance with Austrian tax and commercial law retention obligations.
(d) Biometric Data (Face Recognition): Stored only for the duration of active enrollment. Irrevocably deleted upon withdrawal of consent or account deletion.
(e) Location Data: Stored for the duration of the active user account. Deleted upon account deletion. Location data shared with other Users expires after 24 hours.
(f) Chat Messages: Deleted messages have their content removed; metadata (timestamp, sender) may persist for technical reasons. All messages are removed upon account deletion.
(g) Media (Photos/Videos): Deleted media are marked as deleted and become inaccessible. All media are removed upon account deletion, except media included in a Host's event album, which may persist pursuant to the Terms of Service (Section 12.5).
(h) Notification Data: Stored for the duration of the active user account. Removed upon account deletion.
(i) Error Logs: Success logs are retained for 48 hours; error logs are retained for 7 days.
10. Account Deletion
Users may delete their account at any time via the settings in the App. If open obligations exist at the time of the deletion request (e.g., valid tickets for upcoming events, active Co-Host roles, or pending payouts), the account is first deactivated. During deactivation:
- The User's profile is no longer visible to other Users.
- All active platform features are unavailable to the User.
- Personal data is no longer actively processed (no marketing, no feed, no recommendations).
The final deletion of the account and all associated data occurs automatically once all open obligations have been fulfilled, but no later than seven (7) days after the last obligation expires. Upon deletion, all data is removed, including biometric data, location data, chat content, media, connections, and notification records. Data subject to statutory retention obligations (e.g., payment records for tax purposes) is retained for the legally prescribed period and deleted promptly thereafter.
11. Security Measures
The Operator employs state-of-the-art technical and organizational security measures to protect User data against unauthorized access, manipulation, or loss:
(a) Encryption in Transit: All API communications are secured via TLS/HTTPS.
(b) Encryption at Rest: Direct messages, group chats, and broadcast messages are encrypted using symmetric PGP encryption with per-room keys stored in an encrypted key vault. Event Mode chats are stored in plaintext.
(c) Payment Security: Payment data is handled exclusively by the payment service provider (PCI DSS compliant). Only the last 4 digits of the card number and the card country are stored locally.
(d) Authentication: JWT-based session authentication with custom claims. Session tokens are issued and managed by the authentication provider.
(e) Device Verification: Mobile devices are verified through device attestation (Firebase App Check). Web access is protected against bots through challenge-based verification (Cloudflare Turnstile).
(f) Access Control: Row-Level Security (RLS) policies on all database tables ensure that Users can only access data they are authorized to view. The database schema separates public API access from internal data.
(g) Rate Limiting: Per-role request quotas prevent abuse (e.g., 100 to 1,000 requests per 5-minute window depending on user role).
(h) Anti-Abuse Measures: Slot-level locking prevents ticket overselling. Reservation timeouts automatically clean up abandoned purchases. HMAC time-based signatures secure internal service-to-service communication.
(i) Secrets Management: API keys and encryption keys are stored in an encrypted vault, not in application code.
12. Children and Minimum Age
The seeU platform is intended for Users aged 16 and above. Users provide their date of birth during registration. seeU restricts access based on the stated date of birth but cannot guarantee complete verification of actual age. The collection and processing of personal data of children under 16 is not intentional. If the Operator becomes aware that data has been collected from a person under the age of 16, the corresponding account will be suspended and the data deleted. Parents or guardians who believe their child under 16 has provided personal data to seeU may contact the Operator to request deletion.
13. User Rights
Under the GDPR, Users have the following rights regarding their personal data:
13.1 Right of Access. Users have the right to obtain information about whether and which personal data the Operator processes about them and to receive copies of such data. Requests may be submitted via the support chat or by email. Identity verification is required. seeU shall respond within 30 days.
13.2 Right to Rectification. Users have the right to request the correction or completion of inaccurate or incomplete personal data. Profile data may be corrected directly by the User in the App settings.
13.3 Right to Erasure. Users have the right to request the deletion of their personal data (Art. 17 GDPR). This right is exercised through account deletion in the App settings (see Section 10). The Operator may defer erasure where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
13.4 Right to Restriction of Processing. Users have the right to request the restriction of processing of their personal data under certain circumstances, for example while the accuracy of data is being verified.
13.5 Right to Data Portability. Users have the right to receive the personal data they have provided to seeU in a structured, commonly used, and machine-readable format (Art. 20 GDPR). Requests for a data extract may be submitted via the App settings or through support. seeU shall provide the extract within 30 days.
13.6 Right to Withdraw Consent. Where processing is based on consent (in particular face recognition, marketing notifications, and location sharing), Users may withdraw their consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal. Face recognition consent is withdrawn via the App settings (see Section 2.2.5). Marketing notification consent is withdrawn via the App settings. Location sharing is deactivated via the location sharing settings.
13.7 Right to Object. Users are entitled to object to the processing of their personal data under certain circumstances, in particular where processing is based on legitimate interest.
13.8 Right to Lodge a Complaint. Users are entitled to lodge a complaint with the competent data protection authority. For Austria: Austrian Data Protection Authority (Datenschutzbehörde), www.dsb.gv.at.
14. Data Protection Contact
For all questions regarding data protection or the exercise of your rights, please contact:
CU Development GmbH
Grazer Straße 62, 8111 Gratwein Straßengel, Austria
E-Mail: contact@seeu.events
15. Changes and Notifications
The Operator reserves the right to update this Privacy Policy as needed. The current version is available at all times on our website at www.seeu.events/privacy. By continuing to use the seeU services, Users acknowledge their agreement with the current version of the Privacy Policy. In the event of material changes, Users will be informed by email or by a prominent notice on the website or in the App.