Privacy Policy
Last updated: 19 April 2026
1. Introduction
Čekin is a B2B tool for checking attendees into events — conferences, workshops, and festivals. It is provided to event organisers as a software service and consists of two components:
- The web app
cekin.czfor organisers (event management, attendee import, statistics). - The iOS app Čekin for check-in staff (QR scanning, badge printing).
This document describes what personal data Čekin processes, in which role, and under what conditions.
2. Closed platform — no public sign-up
Čekin is not a public application. Users cannot register themselves — they are always invited: an event organiser is invited by the Čekin operator, and check-in staff are invited by the organiser. Every user therefore knowingly enters a business relationship with the platform.
3. Roles and GDPR responsibility
| Who | Data type | Čekin's legal role |
|---|---|---|
| Platform admin (Čekin staff) | Own email, name | Controller |
| Event organiser | Email, name, company, VAT ID | Controller |
| Check-in staff | Email, name, password (hash), organisation memberships | Controller |
| Event attendees | Name, email, ticket, ticket type, badge field | Processor — the controller is the event organiser who uploaded the data |
| Check-in logs | Who checked whom in, when, with which device | Controller (for audit and security) |
| Technical logs | IP, user-agent, login attempts | Controller (legitimate security interest) |
- Who
- Platform admin (Čekin staff)
- Data type
- Own email, name
- Čekin's legal role
- Controller
- Who
- Event organiser
- Data type
- Email, name, company, VAT ID
- Čekin's legal role
- Controller
- Who
- Check-in staff
- Data type
- Email, name, password (hash), organisation memberships
- Čekin's legal role
- Controller
- Who
- Event attendees
- Data type
- Name, email, ticket, ticket type, badge field
- Čekin's legal role
- Processor — the controller is the event organiser who uploaded the data
- Who
- Check-in logs
- Data type
- Who checked whom in, when, with which device
- Čekin's legal role
- Controller (for audit and security)
- Who
- Technical logs
- Data type
- IP, user-agent, login attempts
- Čekin's legal role
- Controller (legitimate security interest)
Key point: for event-attendee data Čekin acts solely as a processor. The controller is the event organiser who uploaded the data. An attendee wishing to exercise their rights (erasure, rectification) should first contact the organiser. Čekin provides technical assistance to fulfil such requests.
4. What data we process
Event organisers (after invitation)
- Email, first and last name
- Organisation name, optional VAT ID and address
- Password — stored only as a
bcrypthash in Supabase Auth - Login events (IP, timestamp, user-agent)
Check-in staff
- Email, name, password (hash)
- Organisation memberships
- Login events
- Device information they sign in from (user-agent)
Event attendees (data owned by the organiser)
- First and last name
- Ticket ID, ticket type
- Optional badge field (company, role — max 25 characters)
- Check-in state: when checked in and by whom
Data is uploaded by the organiser via CSV import or (in the future) API integration.
Check-in logs
- Reference to the attendee and event
- Reference to the staff member who performed the check-in
- Timestamp
- Scanned value (typically the ticket ID)
- Result:
success/duplicate/not_found - Device information (iPhone model, OS version) for audit and anomaly detection
Technical data (all roles)
- IP address
- User-agent (browser or iOS version)
- Server error and operational logs
5. Processing purposes and legal basis
| Data | Purpose | Legal basis |
|---|---|---|
| Organiser and staff data | Service delivery, authentication, billing | Performance of a contract — Art. 6(1)(b) GDPR |
| Event-attendee data | Processing for the organiser according to their instructions | Data-processing agreement with the controller (the organiser has their own legal basis vis-à-vis the attendee) |
| Check-in logs | Check-in audit and forensic analysis | Legitimate interest — Art. 6(1)(f) GDPR |
| Login events and technical logs | Security, attack detection | Legitimate interest — Art. 6(1)(f) GDPR |
- Data
- Organiser and staff data
- Purpose
- Service delivery, authentication, billing
- Legal basis
- Performance of a contract — Art. 6(1)(b) GDPR
- Data
- Event-attendee data
- Purpose
- Processing for the organiser according to their instructions
- Legal basis
- Data-processing agreement with the controller (the organiser has their own legal basis vis-à-vis the attendee)
- Data
- Check-in logs
- Purpose
- Check-in audit and forensic analysis
- Legal basis
- Legitimate interest — Art. 6(1)(f) GDPR
- Data
- Login events and technical logs
- Purpose
- Security, attack detection
- Legal basis
- Legitimate interest — Art. 6(1)(f) GDPR
6. Subprocessors
| Vendor | Role | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database, authentication, Storage (event images) | EU region | DPA + SCC |
| Vercel Inc. | Web hosting | USA (Edge Network) | SCC |
| Resend | Transactional email (invitations, password reset) | EU / USA | SCC |
| Apple Inc. | iOS app distribution via App Store / TestFlight | USA | Apple Developer Program Agreement |
| Brother Industries, Ltd. | SDK for local Bluetooth badge printing | — | No data leaves the device; printing is peer-to-peer |
- Vendor
- Supabase Inc.
- Role
- Database, authentication, Storage (event images)
- Location
- EU region
- Safeguards
- DPA + SCC
- Vendor
- Vercel Inc.
- Role
- Web hosting
- Location
- USA (Edge Network)
- Safeguards
- SCC
- Vendor
- Resend
- Role
- Transactional email (invitations, password reset)
- Location
- EU / USA
- Safeguards
- SCC
- Vendor
- Apple Inc.
- Role
- iOS app distribution via App Store / TestFlight
- Location
- USA
- Safeguards
- Apple Developer Program Agreement
- Vendor
- Brother Industries, Ltd.
- Role
- SDK for local Bluetooth badge printing
- Location
- —
- Safeguards
- No data leaves the device; printing is peer-to-peer
7. Retention periods
| Data | Retention |
|---|---|
| Organiser accounts | Lifetime of the account + 3 years after closure (accounting obligation) |
| Staff accounts | Duration of organisation membership + 1 year after removal |
| Event attendees and check-in logs | Governed by the organiser's instructions. Default: 24 months after the end of the event, then automatic deletion. |
| Technical logs | 90 days |
| Login events | 12 months |
- Data
- Organiser accounts
- Retention
- Lifetime of the account + 3 years after closure (accounting obligation)
- Data
- Staff accounts
- Retention
- Duration of organisation membership + 1 year after removal
- Data
- Event attendees and check-in logs
- Retention
- Governed by the organiser's instructions. Default: 24 months after the end of the event, then automatic deletion.
- Data
- Technical logs
- Retention
- 90 days
- Data
- Login events
- Retention
- 12 months
8. Data-subject rights
Users have the right to:
- access their data,
- rectification,
- erasure (the right to be forgotten),
- restriction of processing,
- data portability,
- object to processing.
Requests can be sent to privacy@cekin.cz. We respond within 30 days.
Complaints can be filed with the Czech Office for Personal Data Protection — uoou.cz.
For event attendees: please contact the event organiser (the data controller) first. Čekin, as a processor, will provide technical assistance to fulfil the request.
9. Security
- All traffic is encrypted via HTTPS / TLS 1.2+.
- Passwords are stored as bcrypt hashes in Supabase Auth.
- iOS session tokens are stored in the Keychain (hardware-backed secure storage).
- Row-Level Security is enabled on the database — every query is scoped by the user’s role and organisation or event membership.
- Critical server functions (e.g.
check_in_attendee) require authentication viaauth.uid()and verifyevent_staffmembership; the anonymous role has no execute privilege. - Employee access to the production database is restricted to platform admins only.
10. Cookies and local storage
Web
- Supabase session cookie for authentication — strictly necessary.
localStorage: Supabase session tokens and theprofileLastSeenAchievementIdskey used to visualise newly unlocked achievements.- No third-party analytics or marketing cookies.
iOS app
- Session tokens stored in the Keychain.
UserDefaults: selected printer preference and seen-achievement IDs.- No tracking SDKs.
11. Transfers to third countries
Some subprocessors (Vercel, Apple) operate servers in the USA. Such transfers take place under Standard Contractual Clauses (SCC) with additional technical and organisational safeguards.
12. Children's privacy
Čekin is a B2B tool for professional use (event organisers and their staff). It is not intended for persons under the age of 16 and we do not knowingly collect data from children.
13. Changes to this policy
Any changes to this policy will be published on this page. Material changes will be announced to registered organisers by email at least 30 days in advance.