Privacy Policy
Lumko Eventech Day · Last updated: 01 May 2026
Contents
1. Who We Are
Lumko Eventech Day is a community business event hosted in Heidedal, Bloemfontein, South Africa. References to "we", "us", or "our" in this policy refer to the organisers of Lumko Eventech Day.
We are a responsible party as defined in the Protection of Personal Information Act 4 of 2013 ("POPIA"). This means we determine how and why your personal information is processed.
2. Information We Collect
Depending on how you interact with our platform, we may collect:
- Identity & contact details — full name, email address, phone number
- Professional details — company name, job title (optional)
- Account credentials — hashed password (we never store plaintext passwords)
- Event participation data — ticket status, check-in records, session attendance, feedback ratings
- Proof of Payment (PoP) — uploaded bank transfer screenshots or receipts for ticket verification
- Networking profile — bio, optional photo (only if you opt in to the networking directory)
- Usage data — pages visited, QR code scan events (no tracking pixels or ad networks)
- Consent records — timestamp of when you accepted this policy
We do not collect race, religion, health, financial account numbers, or any other special-category information under POPIA Schedule 1.
3. Why We Collect It (Purposes)
We use your personal information only for the following purposes:
- Processing and managing your event ticket request
- Verifying your proof of payment and approving or rejecting your ticket application
- Generating and emailing your digital QR ticket
- Checking you in at the event venue
- Sending event-related communications (schedule updates, reminders, venue changes)
- Enabling the optional attendee networking directory (only if you opt in)
- Providing speakers with their session schedules
- Enabling sponsors to capture business leads from attendees who share their QR code voluntarily
- Improving future events through anonymised feedback and attendance analytics
- Complying with our legal obligations
We do not use your data for automated profiling, direct marketing unrelated to the event, or any purpose not listed above without first obtaining fresh consent.
4. Lawful Basis for Processing
Under POPIA, we rely on the following conditions for lawful processing:
- Consent — you explicitly accept this policy when registering or requesting a ticket.
- Contractual necessity — processing your name and email is necessary to fulfil the ticket contract and check you in at the event.
- Legitimate interest — anonymised event analytics to improve future editions (you may object to this at any time).
- Legal obligation — retaining financial records (PoP images) for the period required by law.
5. Sharing Your Information
We do not sell, rent, or trade your personal information to any third party. We share limited data only in the following circumstances:
- Event staff & volunteers — see your name and check-in status only, solely for venue access management.
- Sponsors (lead capture) — only if you choose to scan a sponsor's QR or share your details at a sponsor booth. You initiate this; it is never automatic.
- Email service provider — we use a transactional email service to deliver your ticket. They process your email address as a data processor on our behalf under a data-processing agreement.
- Legal requirement — if compelled by a court order or applicable South African law.
Your data stays in South Africa. We do not transfer personal information outside the Republic except where required by law or with your explicit permission.
6. Retention Periods
We keep your information for only as long as needed:
- Ticket & PoP records — 5 years from the event date (financial record-keeping obligation)
- Attendee profiles & check-in data — 1 year after the event, then anonymised or deleted
- User accounts — for as long as you maintain an active account, plus 6 months after deletion request
- Networking profiles — deleted immediately when you opt out or delete your account
- Event feedback — retained in anonymised form indefinitely for programme improvement
After the applicable retention period, data is securely deleted or irreversibly anonymised.
7. Security Measures
We take appropriate technical and organisational measures to safeguard your personal information:
- Passwords are hashed using bcrypt — we cannot read your password
- All data is transmitted over HTTPS / TLS encryption
- Proof-of-payment images are stored in a private, access-controlled storage location
- QR tickets use randomly generated tokens — not predictable sequential IDs
- Admin access is role-restricted — event staff can only see check-in data, not payment records
- Databases are not exposed publicly and are backed up securely
No system is 100% secure. If we become aware of a data breach that poses a risk to your rights, we will notify you and the Information Regulator as required by POPIA section 22.
8. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights. You may exercise any of these by contacting us at the details in section 11:
Right of Access
Request a copy of the personal information we hold about you.
Right to Correct
Ask us to correct inaccurate or outdated information.
Right to Delete
Request deletion of your data, subject to our legal retention obligations.
Right to Object
Object to processing based on legitimate interest (e.g. analytics).
Right to Withdraw Consent
Withdraw consent at any time — see section 9 for how.
Right to Complain
Lodge a complaint with the Information Regulator if you believe we've misused your data.
We will respond to all rights requests within 30 days. Complex requests may take up to 90 days — we will let you know if this applies.
9. Withdrawing Consent
You may withdraw your consent to our processing of your personal information at any time. Please note the following consequences:
- If you withdraw consent before your ticket is approved, your ticket application will be cancelled.
- If you withdraw consent after approval, you will lose access to the attendee hub and digital ticket. Your entry to the event will no longer be possible via QR scan.
- We are still required to retain your PoP image and ticket reference for 5 years for financial compliance — this is a legal obligation and cannot be removed on consent withdrawal alone.
To withdraw consent, email us at pitchlab@gmail.com with the subject line "POPIA – Withdraw Consent" and include your full name and the email address used to register. We will process your request within 30 days.
10. Cookies & Tracking
Our platform uses a minimal number of cookies:
- Session cookie — required for login and CSRF protection. Deleted when you close your browser.
- XSRF-TOKEN cookie — security token to prevent cross-site request forgery. Session-scoped.
We do not use advertising cookies, Google Analytics, Facebook Pixel, or any third-party tracking technologies.
11. Contact & Complaints
For any privacy-related query, access request, correction request, or complaint, contact our Information Officer:
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa:
This policy was last reviewed and updated on 01 May 2026.
We reserve the right to update this policy. Material changes will be communicated by email or a notice on our platform.