Data Policy

Last updated: May 21, 2026

This policy describes how Eventzloop stores, secures, and disposes of the data you and your customers put into the platform. For the individual-rights side of things (consent, access, deletion requests), see the Privacy Policy.

1. Where your data lives

Eventzloop uses a managed Postgres database hosted on Supabase in the AWS Asia (Mumbai) region. Files (photos, logos, documents) are stored in Supabase Storage in the same region. Push notification tokens are forwarded to Firebase Cloud Messaging and Apple Push Notification Service for delivery only.

2. Multi-tenant isolation

Every record is tagged to a company tenant ID. Postgres row-level security (RLS) policies enforce that subscribers, sub-admins, vendors, team members, and customers can only read and write rows that belong to their company. RLS is on by default on every table and tested against every release.

3. Encryption

  • In transit: all traffic is HTTPS / TLS 1.2+. We do not accept HTTP traffic.
  • At rest: Supabase Postgres uses AES-256 disk encryption. Storage objects are encrypted at rest by AWS S3 SSE-S3.
  • Mobile token storage: auth tokens use Keychain (iOS) and EncryptedSharedPreferences (Android).
  • Razorpay billing: we never see your card or UPI details. Razorpay handles them under their PCI-DSS compliance.

4. Backups

Supabase takes daily point-in-time backups of the Postgres database, retained for 7 days. We test restores at least quarterly. Storage objects are versioned and recoverable for 30 days after deletion.

5. Access controls

  • Only the Eventzloop super-admin role has cross-tenant visibility, and only for support, debugging, and legal compliance.
  • All super-admin actions are logged with actor, action, record, and timestamp.
  • Service-role keys (which bypass RLS) are stored as server-only environment variables and never shipped to the browser or mobile app.

6. Retention

We keep data while your account is active and for up to 6 months after deactivation, after which it is purged. Financial records (invoices, Razorpay transactions) are retained for 7 years to meet Indian tax and payments-regulator rules. See the Delete Account page for the full breakdown.

7. Deletion on request

Any user can request deletion of their personal data either in-app (Profile → Delete account) or by emailing support@eventzloop.com. We complete deletion within 7 days of verification, with confirmation by email.

8. Sub-processors

We use a small set of vetted sub-processors. Each handles only the slice of data needed for its function:

  • Supabase — database, auth, file storage
  • Vercel — web hosting and analytics
  • Firebase / FCM / APNs — push delivery
  • Razorpay — subscription billing
  • Resend — transactional email

We maintain Data Processing Agreements where required and review each sub-processor at least annually.

9. Breach response

If we identify a security incident affecting customer data, we will:

  • Isolate the affected system within 24 hours of identification.
  • Notify affected tenants by email within 72 hours.
  • Notify the relevant Indian regulator (CERT-In) within the time prescribed by law.
  • Publish a post-incident report describing root cause and remediation.

10. International transfers

Customer data is processed and stored in India. Some sub-processors (Vercel, Firebase) may transfer metadata to servers outside India for routing and delivery. We rely on the EU Standard Contractual Clauses (or equivalent) where such transfers occur.

11. Changes

We update this page when our data practices change. Material changes are announced in-app for 30 days before taking effect.

12. Contact

For data-handling questions, or to raise a security report: support@eventzloop.com

This page documents our current data-handling practices. It is not legal advice; have a lawyer review before relying on it.