Privacy Policy

01 Who we are

Tugende is an EU-hosted operations platform. The data controller for this website and for your Tugende account is:

If your organisation runs Tugende as a customer, that organisation is the controller of the participant and driver data it uploads — see section 02.

02 Controller & processor

Tugende plays two roles, depending on the data:

• As controller — for the accounts of coordinators and administrators, for billing, and for our website. We decide why and how this data is processed.
• As processor — for the people data your organisation manages inside the platform (participants, drivers, volunteers). Your organisation is the controller; we process it only on your documented instructions under a Data Processing Agreement.

If you are a participant or driver and want to exercise your rights, please contact the organisation running your event first. We will support them in responding.

03 Data we collect

Account & organisation data

• Name, work email, role and workspace (tenant) you belong to.
• Authentication data — magic-link tokens or, where used, single sign-on identifiers. We do not store plaintext passwords.
• Organisation details and, for paid plans, billing contact information.

People data managed by your organisation

• Participant, driver and volunteer records: names, contact details, roles, and event-specific fields your organisation chooses to add.
• Operational data: trip assignments, attendance, badge scans and session enrolment.

Technical data

• Device, browser and IP information, and basic security logs needed to run the service reliably.
• Strictly necessary cookies (see section 10). We do not run third-party advertising trackers.

04 How we use it

• To provide the platform: timelines, attendance, badges, departure boards and the driver and participant apps.
• To authenticate users and keep accounts and tenants secure and separated.
• To send service communications (for example a magic link or an event notification).
• To provide support, and to maintain, debug and improve the service.
• To meet legal, accounting and security obligations.

We do not sell personal data, and we do not use participant data for advertising.

05 Legal bases (GDPR Art. 6)

• Contract: to deliver the service to you or your organisation.
• Legitimate interests: to secure, maintain and improve the platform, balanced against your rights.
• Legal obligation: for accounting, tax and lawful requests.
• Consent: where required, for example optional communications; you can withdraw it at any time.

For data processed on behalf of your organisation, the legal basis is determined by that organisation as controller.

06 Hosting & data residency

If any transfer outside the EU were ever necessary, it would only happen with appropriate safeguards in place, such as the European Commission's Standard Contractual Clauses.

07 Sharing & sub-processors

We share personal data only with the people and providers needed to run the service:

• Within your tenant: coordinators and administrators of your organisation, according to their role.
• EU sub-processors: vetted infrastructure, email and support providers acting under contract. A current list is available on request at privacy@tugende.eu.
• Legal: where required by law or to protect rights, safety and the integrity of the service.

Every sub-processor is bound by data-protection terms and processes data only on our instructions.

08 Retention

• Account data is kept while your account or workspace is active.
• People and operational data is kept for as long as your organisation needs it, then deleted or anonymised on their instruction.
• Security and billing records are kept only as long as legally required.

When a workspace is closed, data is deleted or returned within a defined window set out in the Data Processing Agreement.

09 Your rights

Under the GDPR you have the right to:

• Access a copy of your personal data.
• Correct inaccurate data, or complete incomplete data.
• Erase data, where applicable.
• Restrict or object to certain processing.
• Data portability, where applicable.
• Withdraw consent at any time, without affecting prior processing.

To exercise these rights, email privacy@tugende.eu. You also have the right to lodge a complaint with your local supervisory authority. In Belgium this is the Data Protection Authority (Gegevensbeschermingsautoriteit).

10 Cookies

We use a small number of strictly necessary cookies and similar storage to keep you signed in, remember your workspace, and keep the service secure. We do not use advertising or cross-site tracking cookies.

Because they are essential to the service, these do not require consent under the ePrivacy rules. Any optional analytics, if introduced, would be privacy-friendly and EU-based, and described here first.

11 Security

• Encryption in transit, and at rest for data stored on our infrastructure.
• Strict tenant separation so one organisation's data is never visible to another.
• Passwordless magic-link sign-in by default, with optional single sign-on or password-based sign-in.
• Role-based access, audit logging and least-privilege access for our team.

No system is perfectly secure, but we work to protect your data and to notify the right people promptly if something goes wrong.

12 Changes & contact

We may update this policy as the service evolves or the law changes. Material changes will be highlighted here, with the date and version updated at the top. For anything privacy-related, reach us at: