Legal

Privacy Policy

Effective date: June 21, 2026

1. Who we are

Enventro is operated by 14580214 Canada Inc. (“Enventro”, “we”, “us”), located at 212 Ginebik Way, Ottawa, Ontario, K1X 0H4, Canada. We provide event ticketing and venue-booking software to organizers and venues.

For privacy questions or to exercise your rights, contact our privacy contact at privacy@enventro.com.

2. Who this policy covers

This policy applies to: organizers and their team members who hold Enventro accounts; attendees and ticket buyers; venue-booking customers; email subscribers and organization followers; and visitors to our site. Note that when you buy a ticket or book a venue, the organizer is also responsible for your data for their own purposes; Enventro processes that data to provide the service to them.

3. Personal information we collect

Depending on how you use Enventro:

  • Account holders (organizers/team): name, email, password credentials, organization details, payment-account connection details (Stripe/Square), member roles and invitations, and authentication data (including 2FA factors and hashed backup codes).
  • Attendees / ticket buyers: buyer and attendee name, email, phone (if collected), order and ticket details, check-in status, QR code, seat selection, answers to any custom checkout questions the organizer adds, and payment references (we do not store full card numbers — see §6).
  • Venue-booking customers: name, email, phone, party size, booking details, answers to checkout questions, two-way booking messages with the organizer, payment records, and — for some Square bookings — a card-on-file reference (brand + last four + the processor's saved-card ID, under a mandate tied to a signed rental agreement).
  • Subscribers / followers / contacts: email address, optional name, and for digest subscribers, city/province/country; plus any details an organizer records in their contact list.
  • Automatically: IP address, device/browser information, and usage/analytics data via cookies and the technologies in §7.

4. How we collect it

Directly from you; automatically as you use the site; and from organizers (for attendee/customer data they collect through Enventro).

5. Why we use it, and our legal bases

We use personal information to operate the platform, process registrations and payments, send transactional messages (tickets, receipts), provide support, send marketing with consent, prevent fraud and abuse, and meet legal obligations.

Under GDPR our legal bases are: performance of a contract (providing the service), legitimate interests (security, service improvement, fraud prevention), consent (marketing email, non-essential cookies), and legal obligation. Under PIPEDA and Law 25 we rely on consent (express or implied as permitted).

6. Payment information

Card payments are processed by Stripe and, for some venue bookings, Square. Card details are entered into a processor-hosted field, encrypted in your browser, and tokenized before reaching our systems — we store only a payment token and the last four digits. Stripe and Square are certified PCI Service Providers. (This matches the disclosure shown at checkout.)

7. Cookies and tracking technologies

Essential cookies keep you signed in and the service working: an authentication/session cookie, an OAuth verifier, a referral-attribution cookie, an admin-console cookie, and cookies that store your consent choice so we can honor it.

Consent-gated technologies. The following load only after you grant consent through our consent banner (your regional default determines the banner's starting state):

  • Google Analytics 4 — usage analytics (pageviews, clicks, scroll); no direct personal-data fields.
  • Microsoft Clarity — session analytics including session replay (recordings of page interactions); sensitive inputs such as email, name, and card fields are masked at the source.
  • PostHog — product analytics (opt-out by default until consent).
  • Meta (Facebook) Pixel — measurement of site actions; organizers may also attach their own Meta Pixel to their event pages (see §8).

Functional/security technologies (not consent-gated): the Stripe and Square payment fields (which set their own fraud-prevention signals in their iframes) and Cloudflare Turnstile (bot/abuse prevention). Mapbox is used only in the organizer dashboard for address lookup, not on public pages.

Third parties may set their own cookies on their own domains, governed by their policies.

8. How we share your information (sub-processors)

We share personal information only as needed to run the service, with providers acting on our instructions:

ProviderPurposeData shared
SupabaseDatabase, authentication, file storageAll account, attendee, booking, contact data; uploaded files
StripeEvent ticketing + venue payments (on organizers' connected accounts)Buyer/customer name, email, amount, currency, order/booking metadata; card via Stripe's field
SquareVenue payments (some bookings)Customer name, amount, currency, booking metadata; card via Square's field; saved-card reference
ResendTransactional & marketing emailRecipient name, email, message content; open/click signals
VercelHosting / serverlessRequest data: IP, user-agent, headers
Google (GA4)Analytics (consent-gated)Pageview/usage events, device, IP (no direct PII fields)
Microsoft (Clarity)Session analytics + replay (consent-gated)Masked session recordings, IP
PostHogProduct analytics (consent-gated)Usage events, authenticated user ID
Meta (Facebook)Advertising/measurement (consent-gated)Pageview/purchase events; CAPI sends hashed email + hashed ID, IP, user-agent, Meta cookies
Cloudflare (Turnstile)Bot/abuse preventionIP, user-agent, challenge signals
MapboxAddress lookup (organizer dashboard only)Search text, IP

We also share data with organizers for their own events and venues. Organizers may attach their own Meta Pixel to their event pages, in which case Enventro and the organizer are co-controllers of that data flow. We do not sell your personal information.

9. International data transfers

Your personal data is stored and processed in Canada. Our database, authentication, and file storage are hosted in Montreal (Supabase, ca-central-1), and our application servers run in Montreal (Vercel, yul1) — so the day-to-day handling of your data stays within Canada.

Some activity occurs outside Canada but does not store your personal data there: our software build pipeline runs in the United States (Vercel iad1 — compiles code only, no personal data) and our content-delivery network serves static files from the location closest to each visitor (no personal data). Separately, several sub-processors in §8 operate from the United States — Stripe, Resend, Google, Microsoft, and Meta — and receive the data described there.

For EU/UK users, transfers outside the EEA/UK rely on appropriate safeguards.

10. How long we keep it

We keep personal information for as long as needed to provide the service and to meet legal, tax, and accounting obligations, then delete or anonymize it. In practice: events and bookings tied to confirmed orders are soft-deleted (recoverable, and retained where required for financial/legal reasons) rather than hard-deleted; unsubscribing from emails sets a suppression flag rather than deleting the record; and analytics opt-out stops future collection but does not retroactively delete already-recorded events.

11. Your rights

Depending on your location you may have the right to access, correct, delete, port, object to, or restrict processing of your personal information, and to withdraw consent. Quebec residents additionally have rights to de-indexing and to be informed about automated decision-making; EU/UK residents may lodge a complaint with their supervisory authority (and Quebec residents with the Commission d'accès à l'information). To exercise any right, email privacy@enventro.com; we respond within the timeframes required by applicable law.

12. EU/UK and Quebec specifics

  • GDPR controller: 14580214 Canada Inc.
  • Quebec Law 25: person responsible for personal information — contact privacy@enventro.com. We will conduct privacy impact assessments where Law 25 requires.

13. Children

Enventro is intended for adults and is not directed to children. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@enventro.com and we will delete it.

14. Security

We protect your information using the safeguards described on our Security page (/security).

15. Changes

We may update this policy and will post the new effective date here; material changes will be communicated as required.

16. Contact

14580214 Canada Inc. — 212 Ginebik Way, Ottawa, Ontario, K1X 0H4, Canada · privacy@enventro.com · Governed by the laws of Ontario, Canada.