evelio
Make events

Privacy Policy

Last updated: 2026-03-10

1. Data Controller

The data controller for personal data processed through Evelio's services is:

Evelio Oy
Helsinki, Finland
Contact: joel@evelio.app

2. Data We Collect

We collect only the minimum data necessary to provide the Service:

  • Email address — collected when you sign up for the newsletter or create an account.
  • Name — provided automatically by Google or Apple when you sign in via OAuth.
  • Location — collected in the mobile app only with your explicit consent, used to show nearby events. Location is not stored on our servers.
  • Images — photos uploaded by creators when adding events or locations, stored in cloud object storage.
  • Usage analytics — we collect aggregated, anonymous analytics internally (via Vercel) to understand how the marketing site is used. No cookies are used for tracking purposes. We do, however, use session and authentication cookies strictly necessary for operating the Service (e.g. keeping you logged in). These are functional cookies, not tracking cookies.
  • Payment information — if you subscribe, payment data (card details etc.) is handled directly by Polar.sh. We do not store payment card information.

3. Legal Basis (GDPR)

We process your personal data on the following legal bases under GDPR Article 6:

  • Consent (Art. 6(1)(a)) — for newsletter subscription and in-app location access.
  • Contract (Art. 6(1)(b)) — for account creation and subscription management, where processing is necessary to provide the Service you requested.
  • Legitimate interests (Art. 6(1)(f)) — for internal, aggregated analytics used to improve the Service, where our interests are not overridden by your privacy rights.

4. Data Processors (Third Parties)

We share data with the following processors only to the extent necessary to operate the Service:

  • Vercel — hosting and analytics for the marketing website. Vercel is based in the US; transfers are covered by EU Standard Contractual Clauses (SCCs).
  • Polar.sh — subscription and payment processing. Handles billing data on our behalf. See Polar's Privacy Policy for details.
  • Resend — transactional email delivery (e.g. OTP codes, newsletter sends). Resend is based in the US; transfers are covered by EU Standard Contractual Clauses (SCCs).
  • Amazon Web Services (AWS S3) — cloud storage for images uploaded by creators (event and location images). Data is stored within the EU region.
  • Google — OAuth sign-in. Google may process your name and email to authenticate you.
  • Apple — OAuth sign-in. Apple may process your name and email to authenticate you.

We do not sell your personal data to any third party.

5. Data Storage & Location

Your data is stored in the European Economic Area (EEA), primarily in Finland. Data does not leave the EEA except where strictly necessary for the third-party processors listed above, all of which provide appropriate safeguards (SCCs or adequacy decisions) under GDPR Chapter V.

6. Data Retention

  • Newsletter emails — retained until you unsubscribe or request deletion.
  • Account data — retained for the lifetime of your account and deleted within 30 days of account deletion.
  • Location data — not stored on our servers; processing occurs on-device or in-memory only.
  • Creator images — retained for as long as the associated event or location exists, and deleted within 30 days of the event/location being removed or the account being deleted.

7. Your Rights (GDPR)

As a data subject under GDPR, you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your personal data ("right to be forgotten").
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — request that we restrict processing of your data in certain circumstances.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at joel@evelio.app. We will respond within 30 days. In complex cases we may extend this by a further two months; if so, we will inform you within the initial 30-day period.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Finnish Data Protection Ombudsman within 72 hours of becoming aware of the breach (GDPR Art. 33). Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (GDPR Art. 34), unless the data was adequately protected (e.g. encrypted) or direct notification would require disproportionate effort, in which case a public communication will be made.

9. Supervisory Authority

If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi.

10. Age

The Service is intended for users aged 13 and older, in line with Finnish digital consent age requirements. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us so we can delete it.

11. Updates to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date above and, where appropriate, notify you by email. We encourage you to review this page periodically.

12. Contact

For any privacy-related questions or requests, please reach out to us at joel@evelio.app.

evelio

Find events and locations in Helsinki and beyond.

Links

© 2025 All rights reserved
ENFI
Privacy policyTerms of service