Alert area

PRIVACY POLICY

Éphémère is an event management platform. The protection of your personal data is essential to the trust you place in us.

This policy describes, in application of Regulation (EU) 2016/679 (GDPR) and Law No. 78-17 of January 6, 1978 as amended, the processing activities we implement, the legal bases on which they are founded, and the rights you have.

Last updated: May 8, 2026

Data Controller

The data controller within the meaning of Article 4(7) of the GDPR is:

  • Julien Thierry Denis Robic, sole trader editing the Ephemere platform
  • Registered in the French SIRENE business registry under SIREN number 804 168 565
  • Domiciled at 3 rue des lacs, 91350 Grigny, France
  • Reachable at privacy@ephemere.org

No Data Protection Officer (DPO) has been designated to date, as designation is not mandatory under Article 37 of the GDPR given the nature and scale of our processing activities. This position will be reviewed as the service grows.

Contact Us About Your Data

For any request relating to your personal data or the exercise of your rights, you may write to us at privacy@ephemere.org or by post to the headquarters address indicated above.

To process your request as quickly as possible, please specify the purpose of your request and, where applicable, the email address associated with your account. A proof of identity may be requested in case of reasonable doubt about the identity of the requester, in accordance with Article 12(6) of the GDPR.

Processing Purposes and Legal Bases

Your data is collected and processed for the following purposes, on the legal bases indicated:

  • Creation and management of your user account (authentication via email OTP, Google, or Facebook) — legal basis: contract performance (Article 6(1)(b) GDPR).
  • Organization and participation in events (event creation, registration, organization and member management) — legal basis: contract performance (Article 6(1)(b) GDPR).
  • Transactional communications (sending one-time passwords, registration confirmations, service notifications) — legal basis: contract performance (Article 6(1)(b) GDPR).
  • Service security and abuse prevention (logging of logins, intrusion detection) — legal basis: legitimate interest (Article 6(1)(f) GDPR), with documented balancing test against your rights.
  • Compliance with our legal obligations (retention of identification logs under LCEN, response to legal demands) — legal basis: legal obligation (Article 6(1)(c) GDPR).

No processing for commercial prospecting is implemented at this stage. Should this change, your prior consent would be collected (Article 6(1)(a) GDPR).

Categories of Data Collected

We apply a strict principle of data minimization (Article 5(1)(c) GDPR). The following categories may be collected:

  • Account identification: email address, username (username).
  • External account identifiers: Google ID (googleId), Facebook ID (facebookId) when you choose to authenticate through one of these providers.
  • Event location: postal address, city, geographic coordinates (latitude, longitude) — only when you specify the location of an event you are organizing.
  • Event participation: participant names (Attendee.name) and any notes you enter as an organizer.
  • Login data: IP address, timestamp, type of authentication used.

We do not collect any data falling under the special categories referred to in Article 9 of the GDPR (health, opinions, biometrics, etc.).

Recipients

Your data is accessible only to individuals whose intervention is necessary for the processing purpose:

  • Authorized members of the Éphémère team, bound by a confidentiality obligation.
  • Event organizers for events you participate in, strictly limited to information necessary for your participation.
  • Our technical sub-processors within the meaning of Article 28 GDPR, governed by data processing agreements: Google LLC and Meta Platforms, Inc. for OAuth authentication flows you initiate; OVH SAS for infrastructure hosting.
  • Administrative or judicial authorities in case of legally justified demand.

We do not sell, rent, or disclose your data to any third party for commercial purposes.

International Transfers Outside the EU

When you choose to authenticate via Google or Facebook, limited data (your email address and a technical identifier) is transmitted to the servers of Google LLC or Meta Platforms, Inc., located in the United States.

These transfers are governed by the European Commission adequacy decision of July 10, 2023, recognizing the EU-U.S. Data Privacy Framework, provided that the recipient entities are registered and self-certified under the program.

Mindful of the fragility of this legal basis given pending appeals before the Court of Justice of the European Union, we have prepared a fallback mechanism to Standard Contractual Clauses (SCCs) adopted by Decision (EU) 2021/914, accompanied by a Transfer Impact Assessment (TIA), to ensure continuity of protection in case of invalidation.

You can obtain a copy of applicable safeguards on simple request to privacy@ephemere.org.

To specifically delete data associated with your Facebook login, you can follow the dedicated procedure. For Google, you can revoke the access granted to Éphémère from the myaccount.google.com/permissions page; deletion of data stored with us is then obtained on request to privacy@ephemere.org.

Data Retention Periods

In accordance with Article 5(1)(e) GDPR, data is retained only as long as necessary to achieve the stated purpose:

  • Account data: retained as long as your account is active. Upon account deletion, data is erased from production databases within thirty days.
  • Post-deletion archival for evidential purposes: certain data strictly necessary to evidence contract performance is retained in intermediate archival for three years after the end of the relationship, in accordance with retention periods recommended by CNIL Deliberation No. 2021-131.
  • Identification logs: retained for exactly one year, in application of Article 6 of Law No. 2004-575 (LCEN) and Decree No. 2021-1363.
  • Application and security logs: retained for thirty days, except where a security incident justifies temporary extension for evidential purposes.
  • Event and participation data: retained as long as necessary for the event to take place, then archived or anonymized as needed by the organizer, within a maximum of three years.

Upon expiration of the above periods, data is deleted or anonymized irreversibly.

Your Rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights over your data:

  • Right of access (Article 15): obtain confirmation that data concerning you is being processed and receive a copy.
  • Right to rectification (Article 16): correct inaccurate or incomplete data.
  • Right to erasure (Article 17), known as the "right to be forgotten," in the cases provided by the regulation.
  • Right to restrict processing (Article 18).
  • Right to data portability (Article 20): receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Article 21), for processing based on legitimate interest.
  • Right to set post-mortem directives regarding your data, in application of Article 85 of the Data Protection and Digital Freedoms Law.

To exercise any of these rights, write to privacy@ephemere.org. We commit to responding within one month from receipt of your request, which may be extended by two months due to complexity or volume of requests, in accordance with Article 12(3) GDPR. You will be informed of this extension and its reasons.

Cookies and Trackers

The service uses a limited number of cookies, exclusively for technical operation and security purposes, excluding any third-party audience analysis or advertising pixel.

Details of cookies set, their purpose, and consent requirements are described in our Cookie Policy.

Protection of Minors

Éphémère hosts events that may involve minors, notably in the context of sports competitions. The protection of minors is therefore a central pillar of the service design.

In accordance with Article 8 of the GDPR and Article 45 of the Data Protection and Digital Freedoms Law, the age from which a minor can consent alone to processing based on consent is set at fifteen years in France. Below that age, consent is given by the holder of parental authority or jointly with that holder.

For any minor user, we apply by default an enhanced protection stance inspired by the British Age Appropriate Design Code:

  • No profiling or targeted advertising.
  • No geolocation by default.
  • No public display of full name unless specific parental consent and tracked consent collected for that precise purpose — typically publication of competition results.
  • Visibility limited by default to organizers and structures to which the minor is attached.

If you hold parental authority and wish to exercise a right on behalf of a minor, write to privacy@ephemere.org. Verification of your status as legal representative may be requested.

Filing a Complaint with the Supervisory Authority

If you believe, after contacting us, that your rights are not being respected, you have the right to lodge a complaint with the supervisory authority competent in your jurisdiction, in accordance with Article 77 GDPR. For residents in the EU, information about your national data protection authority is available at EDPB member list.

Changes to This Policy

This policy may be modified to reflect changes to the service, processing activities, or applicable legal framework.

In case of material change (addition of a purpose, change of legal basis, extension of retention period, new recipient), you will be informed by email or visible notification on the service, and where applicable a new consent will be requested. The date of last update is shown at the top of this page.