Privacy Policy
This policy describes how Globexa ("we", "us") handles personal data collected through this platform. It applies to anyone visiting a Globexa-hosted conference site, registering as an attendee, submitting an abstract, or holding a staff account.
1. What we collect
- Account data — name, email, role, profile information, and authentication factors (TOTP secret, recovery codes, hashed passwords). Staff accounts only.
- Attendee registrations — name, email, organisation, ticket type, and any optional fields collected per conference (dietary, t-shirt size). Where Indian government ID scanning is enabled, we capture the last 4 digits of the Aadhaar number plus the photo + ID-card scans for in-person check-in. Full Aadhaar numbers are never stored.
- Paper submissions — author name, email, abstract text, optional uploaded paper file.
- Audit logs — login events (IP, user agent, method), document access logs, sent-email audit rows.
- Analytics — anonymous page-view counts (path, country, timestamp). No third-party trackers.
2. How we use it
- Operate the conference platform — registration, ticket issuance, check-in, certificate generation, on-site logistics.
- Send transactional emails (registration confirmation, paper decisions, password resets).
- Audit security events — failed logins, document access, super-admin impersonation, slug-redirect releases.
- Improve the product based on aggregate analytics.
3. Who sees it
- Conference organisers see the data submitted to their conference (attendees, papers, contact form messages). They cannot see other conferences' data.
- Globexa super admins see all data across all conferences for support and operations purposes.
- Service providers — we use Render.com (backend + Postgres), Netlify (frontend hosting), Cloudinary (uploaded media), Gmail SMTP (transactional email), and Sentry (error tracking). Each operates under its own privacy terms.
We never sell personal data.
4. Retention
- Account data is retained while your account is active. Closed accounts are anonymised within 30 days unless legally required to keep longer.
- Attendee registrations are retained for 5 years for accounting and certificate-verification purposes.
- Page-view analytics are pruned after 90 days (prune_pageviews management command).
- Sent-email audit rows are retained for 12 months.
5. Your rights (GDPR / DPDP)
If you live in the EU/EEA (GDPR) or India (DPDP Act), you have the right to access, correct, export, or delete your personal data.
- Access / export: Email privacy@globexa.com from the address on your account; we will send a JSON export within 30 days.
- Deletion: Same email — include "delete my account" in the subject. We confirm by reply, then anonymise within 30 days. Some audit rows (login events, security logs) survive in anonymised form for compliance.
- Correction: Most fields are editable from /admin/me/profile/. For others, email privacy@globexa.com.
6. Cookies
We use a single session cookie for staff authentication and a CSRF token cookie. No advertising or tracking cookies. EU visitors' use of the public conference sites does not set any cookie until they sign in to an admin surface.
7. Security
- HTTPS everywhere (HSTS preload, SSL_REDIRECT enforced).
- 2FA TOTP required for all staff accounts.
- Sensitive uploaded documents (ID scans, identity documents) stored in private storage outside the public media root, served only via gated views with audit logging.
- Image and document uploads validated against magic-byte signatures.
- Database backups daily on Render with 7-day retention.
8. Contact
Questions about this policy or how we handle your data: privacy@globexa.com.