Privacy Policy

NOGnet Event Management Platform

Last updated: 8 April 2026

1. Data Controller

The data controller for this platform is the event organizer who operates the NOGnet instance for their Network Operator Group (NOG) event. The organizer is identified on the event registration page and is responsible for all data processing decisions.

For platform-level inquiries, contact the NOGnet Data Protection Officer (DPO) at: [email protected]

2. Processing Purposes

We process personal data for the following purposes:

  • Event registration and participant management
  • Badge printing, check-in, and attendance tracking
  • Call for Papers (CfP) submission and speaker management
  • Payment processing for event fees (via Stripe, PayPal, or Mollie)
  • Communication about event logistics (schedule changes, venue updates)
  • Feedback collection and event improvement
  • Visa invitation letter generation (when requested by participant)
  • Whistleblower report processing (NOGwhisper -- anonymous, no PII stored)
  • Security monitoring and abuse prevention

3. Legal Basis (Art. 6 GDPR)

  • Art. 6(1)(b) -- Contract performance: Processing necessary for event registration, payment, and participation.
  • Art. 6(1)(a) -- Consent: Optional features such as marketing communications, photo sharing, and feedback surveys. Consent can be withdrawn at any time.
  • Art. 6(1)(f) -- Legitimate interest: Security monitoring, fraud prevention, and platform improvement. Balanced against data subject rights.
  • Art. 6(1)(c) -- Legal obligation: Tax record retention for paid events, whistleblower protection (HinSchG/EU Directive 2019/1937).

4. Categories of Personal Data

  • Identity data: Name, email, job title, organization, ASN
  • Contact data: Email address, phone (optional), social media handles (optional)
  • Professional data: NOG affiliation, peering policy, IXP memberships, talk proposals
  • Payment data: Transaction tokens only -- no card numbers or CVVs are stored (PCI SAQ-A compliant)
  • Technical data: Session cookies (HTTP-only, strictly necessary), request logs for security
  • Dietary/accessibility data: Only when voluntarily provided for event logistics

5. Data Retention

  • Event participant data: 365 days after event end date, then automatically deleted
  • CfP submissions: Retained for the event cycle, then anonymized
  • Payment records: Retained per applicable tax law (typically 7-10 years)
  • Security/audit logs: 90 days, then purged
  • Whistleblower reports: Retained per HinSchG requirements, then anonymized
  • Session cookies: Expire at end of browser session or within 24 hours

6. Your Rights (Art. 15-22 GDPR)

You have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you. Available via the participant portal or GDPR dashboard.
  • Right to rectification (Art. 16): Correct inaccurate data via your participant portal or by contacting the event organizer.
  • Right to erasure (Art. 17): Request deletion of your data. We will anonymize your record within 30 days while preserving event integrity.
  • Right to data portability (Art. 20): Export your data in structured JSON format via the participant portal.
  • Right to object (Art. 21): Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling grounds.
  • Right to restrict processing (Art. 18): Request restriction while we verify accuracy or assess an objection.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time for consent-based processing, without affecting prior lawfulness.

To exercise any of these rights, contact the event organizer or email [email protected].

7. Sub-Processors and Third Parties

We use the following sub-processors to operate the platform:

  • SendGrid (Twilio), USA: Transactional email delivery (registration confirmations, magic links). EU SCCs + DPA included in terms.
  • Cloudflare, Global (EU data localization available): CDN, DDoS protection, DNS, tunnels. DPA available, EU-compliant data processing.
  • Stripe, USA/EU: Payment processing. PCI DSS Level 1, DPA included in terms.
  • PayPal, USA/EU: Payment processing. PCI DSS compliant, DPA available.
  • Mollie, Netherlands (EU): Payment processing. PCI DSS compliant, DPA included.
  • Ollama (AI), Self-hosted (no external transfer): Local AI processing for content moderation. No DPA needed -- runs locally.

8. International Data Transfers (Art. 44-49 GDPR)

Some sub-processors (SendGrid, Stripe, PayPal) are based in the United States. These transfers are protected by:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Additional technical measures (encryption in transit and at rest)

Cloudflare offers EU data localization for customers who require all processing to remain within the EU.

9. Cookies and Local Storage

NOGnet uses only strictly necessary session cookies (HTTP-only) for authentication and security. These cookies are exempt from consent requirements under TTDSG Section 25(2)(2) and ePrivacy Directive Art. 5(3).

We do not use analytics cookies, tracking pixels, social media cookies, or any third-party tracking. No cookie consent banner is required because no non-essential cookies are used.

10. Data Security (Art. 32 GDPR)

  • AES-256 encryption for sensitive data at rest
  • TLS 1.2+ for all data in transit (HSTS with preload)
  • bcrypt hashing for passwords and tokens
  • Role-based access control (RBAC) with principle of least privilege
  • Comprehensive audit logging with tamper detection
  • Rate limiting and automated IP blocking for abuse prevention
  • Regular security assessments and dependency auditing

11. Data Protection Officer

For all data protection inquiries, requests, or complaints:

Email: [email protected]
Response time: Within 30 days as required by Art. 12(3) GDPR

12. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). You may contact the supervisory authority in the EU/EEA member state of your habitual residence, your place of work, or the place of the alleged infringement.

13. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to registered participants. The "Last updated" date at the top of this page indicates when this policy was last revised.
