Privacy Policy

How we collect, use, and protect your data.

HEPCon web and mobile interface preview

Last updated: March 2026

HEPCon is operated by Sibelius EOOD, registered in Bulgaria ("HEPCon", "we", "us", or "our"). This policy explains what personal data we collect, why we collect it, and your rights under the General Data Protection Regulation (GDPR) and applicable Bulgarian and EU law.

If you have questions, contact us at privacy@hepcon.app or office@hepcon.app.

1. Who This Policy Applies To

This policy applies to:

  • Organizers — conference organisers, local organising committees, and institutions who engage HEPCon to create and operate a conference agenda app.
  • Attendees — participants, speakers, and authors who use the HEPCon mobile or web app at a conference.
  • Website visitors — anyone who visits hepcon.app.

2. Data We Collect and Why

2.1 Organizers

When you engage our services, we collect:

  • Contact details (name, work email, institution) — to communicate about your event setup, support, and invoicing.
  • Event and agenda data (programme, sessions, speakers, abstracts, rooms) — to build and operate the conference app. This data is provided by you and is used solely to power the app for your event.
  • Branding assets (logo, colours, sponsor information) — to configure the app's appearance.
  • Billing information — processed via Stripe. We do not store full payment card details on our servers.

Legal basis: Contract performance (Article 6(1)(b) GDPR) and legitimate interests (Article 6(1)(f) GDPR).

2.2 Attendees

When you use the HEPCon app at a conference, we may collect:

  • Account data (name, email, affiliation) — if you create an optional in-app profile or opt into the participant directory.
  • Personal schedule — sessions you bookmark are stored locally on your device and, if you are signed in, synced to our servers to enable cross-device access.
  • Usage data — session views, search queries, and feature interactions, collected in aggregate to improve the app and provide analytics to the conference organiser. This data is not linked to your identity unless you are signed in.
  • Push notification tokens — if you grant permission, used only to deliver schedule updates and announcements from the organiser.

Participant directory: The in-app participant list is strictly opt-in. Your name and affiliation only appear if you choose to make them visible.

Legal basis: Consent (Article 6(1)(a) GDPR) for optional features; legitimate interests (Article 6(1)(f) GDPR) for aggregate analytics.

2.3 Website Visitors

  • Analytics data — we use Google Analytics 4 to understand traffic patterns (pages visited, referral sources, session duration). This data is anonymised and aggregated. IP addresses are not stored in full.
  • Chat data — we use Tawk.to live chat. If you initiate a chat, your messages and any contact details you provide are stored by Tawk.to. See their privacy policy at tawk.to/privacy-policy.
  • Form submissions — name, email, event URL, and message content submitted via our contact or try-free forms. Used to respond to your enquiry.

Legal basis: Legitimate interests (Article 6(1)(f) GDPR) for analytics; consent for chat; contract performance for form submissions.

3. Third-Party Services

Service Purpose Privacy Policy
Google Analytics 4 Website traffic analytics policies.google.com
Tawk.to Live chat support tawk.to
Stripe Payment processing stripe.com/privacy
Calendly Demo call scheduling calendly.com/privacy

We do not sell your data to third parties. We do not use advertising networks or tracking pixels.

4. Data Retention

  • Organizer data — retained for the duration of the engagement and up to 3 years after the event concludes, for legal and accounting purposes.
  • Event and agenda data — retained while the event is active in the app. Removed within 30 days of event closure or on organiser request, unless retention is required by law.
  • Attendee account data — retained while the account is active. You can delete your account at any time via the app settings.
  • Enquiry form data — retained for up to 2 years or until the enquiry is resolved.
  • Analytics data — aggregated, anonymised, retained indefinitely.

5. Your Rights Under GDPR

If you are in the European Economic Area (EEA), you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten"), subject to legal retention requirements.
  • Restrict processing of your data in certain circumstances.
  • Object to processing based on legitimate interests.
  • Port your data to another service in a machine-readable format.
  • Withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, email privacy@hepcon.app. We will respond within 30 days. You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) at cpdp.bg.

6. Cookies

We use the following cookies on hepcon.app:

  • Analytics cookies (Google Analytics) — to understand how visitors use the site. You can opt out via Google's opt-out tool.
  • Chat cookies (Tawk.to) — set when you interact with the live chat widget.
  • Functional cookies — small session cookies required for basic site operation (e.g. form state). No personal data is stored.

We do not use advertising or retargeting cookies.

7. Data Security

We use industry-standard security measures including HTTPS, encrypted storage, and access controls. We limit access to personal data to team members who need it to deliver the service. In the event of a data breach affecting your rights, we will notify you and relevant supervisory authorities as required by GDPR.

8. International Transfers

Our primary servers are located within the EU. Some third-party services (Google Analytics, Tawk.to, Stripe, Calendly) may transfer data outside the EEA. Where this occurs, those providers rely on EU Standard Contractual Clauses or equivalent transfer mechanisms. See each provider's policy for details.

9. Children's Privacy

HEPCon is not directed at children under 16. We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be notified by email to active organizer contacts or by a notice on this page. The "Last updated" date at the top reflects the most recent revision.

11. Contact

For privacy-related enquiries:
Sibelius EOOD
Gen. Kartsov 86, Karlovo, 4300, Plovdiv, Bulgaria
privacy@hepcon.app