This Privacy Policy explains how Gatherlane, Inc. ("Gatherlane", "we", "us", "our") collects, uses, shares, and protects personal information in connection with the Platform at gatherlane.events. It applies to Event Owners, Vendors, Guests, and any other visitors to the Platform. We are committed to complying with the Ghana Data Protection Act, 2012 (Act 843) and the Protection of Personal Information Act, 2013 (POPIA) of South Africa.
Gatherlane, Inc. is the data controller (referred to as the Responsible Party under POPIA) of personal information collected through the Platform. Our contact details for data protection matters are:
Where Gatherlane processes personal information of Guests on behalf of an Event Owner (for example, when an Event Owner uploads a guest list), Gatherlane acts as a data processor (referred to as an Operator under POPIA) and the Event Owner is the data controller / Responsible Party for that Guest data.
| Category | Data Elements | Who Provides It |
|---|---|---|
| Account registration | Name, email address, password (hashed — we never store plaintext passwords) | Event Owners, Vendors |
| Google Sign-In | Name, email address, Google profile picture URL, Google identifier | Event Owners, Vendors (if using Google login) |
| Vendor profile | Business name, category, description, location, portfolio photos, website, phone | Vendors |
| Payout setup | Bank account details (held and processed by Paystack — Gatherlane stores only a reference) | Vendors |
| Event details | Event title, description, date/time, venue name and address, cover image | Event Owners |
| Guest list | Guest name, email address, phone number (optional) | Event Owners (on behalf of Guests) |
| RSVP responses | Attendance status, plus-one count, dietary restrictions, notes | Guests (via invitation link) |
| Media uploads | Photos and videos uploaded to the event gallery | Guests and Event Owners |
| Payment | Payment reference number only — card details are processed by Paystack, not stored by Gatherlane | Event Owners, Guests (ticket purchase) |
| Communications | Messages sent to us via support email | Any user |
| Category | Data Elements |
|---|---|
| Usage data | Pages visited, features used, clicks, session duration, referring URL |
| Device and technical data | IP address, browser type and version, operating system, screen resolution, device identifiers |
| Cookies and similar technologies | Session tokens, preference cookies, analytics identifiers — see our Cookie Policy |
| Error and performance data | Application errors, stack traces (via Sentry — see Section 8) |
We do not collect or store: full payment card numbers, CVV codes, or bank account details (these are held by Paystack). We do not collect biometric data, health information, religious or political beliefs, racial or ethnic origin, trade union membership, or sexual orientation — the special categories of personal information protected under POPIA s.26 and the Ghana Data Protection Act.
| Purpose | Lawful Basis (Ghana DPA Act 843 / POPIA s.11) |
|---|---|
| Creating and managing your account | Contractual necessity — necessary to perform the contract with you |
| Processing event tier and Add-On payments | Contractual necessity |
| Sending event invitations and RSVPs on behalf of Event Owners | Legitimate interests of the Event Owner; consent where required by applicable law |
| Sending WhatsApp invitations and reminders | Legitimate interests / consent where required by applicable law |
| Hosting and delivering event pages and media galleries | Contractual necessity |
| Processing vendor bookings and payouts | Contractual necessity |
| Responding to support requests and disputes | Legitimate interests of Gatherlane |
| Detecting and preventing fraud and abuse | Legitimate interests / Legal obligation |
| Maintaining audit logs and complying with legal obligations | Legal obligation |
| Improving the Platform (aggregated and anonymised analytics) | Legitimate interests of Gatherlane |
| Sending service-related notifications (account, payment, event) | Contractual necessity / Legitimate interests |
| Marketing communications (where opted in) | Consent |
When you create a public event, event details (title, date, venue, cover image) are accessible to anyone with the event link. Guest names are visible to the Event Owner. Vendors' public profile information (business name, description, category, location, rating, portfolio photos) is visible to all Platform users.
We share personal information with the following service providers, each acting under a data processing agreement or equivalent contractual safeguard:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Paystack | Payment processing, vendor payouts | Name, email, payment reference, bank account details (vendors) | Nigeria / Africa |
| Cloudinary | Photo and video storage and delivery | Media files uploaded by users | USA / EU |
| Resend | Transactional email delivery | Name, email address, email content | USA |
| Twilio (primary) / Vonage (fallback for SMS) | WhatsApp and SMS invitation and reminder delivery, relayed to Meta’s WhatsApp platform | Phone number, message content | USA / Global |
| Google Sign-In authentication | Google profile data for sign-in users | USA / Global | |
| Sentry | Application error monitoring | Error logs, which may include IP address or partial request data | USA |
| Neon (PostgreSQL) | Primary database hosting | All stored personal information | USA / EU |
| Redis Cloud | Rate limiting and caching | Session identifiers, IP addresses | EU / USA |
We may disclose personal information to law enforcement, regulatory bodies, or other third parties where required by applicable law, court order, or legal process, or where we reasonably believe disclosure is necessary to protect our rights, the safety of users, or the public.
In the event of a merger, acquisition, restructuring, or sale of all or part of our business, personal information may be transferred to the acquirer, subject to the acquirer agreeing to be bound by commitments no less protective than this Privacy Policy.
Gatherlane does not sell, rent, or trade personal information to third parties for their own marketing or commercial purposes.
Some of our service providers (listed in Section 4.2) are located outside Ghana and South Africa. When we transfer personal information internationally, we ensure appropriate safeguards are in place:
| Data Category | Retention Period |
|---|---|
| Account data (Event Owners, Vendors) | Duration of account + 30 days after deletion (then anonymised) |
| Event data and guest lists | Duration of event + selected archive period (1 week / 1 month / indefinite on paid tiers) |
| Media uploads — Event Owner (photos, videos) | Same as event data; deleted when event is permanently archived or owner requests deletion |
| Media uploads — Guest submissions (photos) | Same as event data; deleted on event deletion or archive expiry. Guest may also request early deletion — see Section 12.5 |
| Payment records and booking records | 7 years from transaction date (statutory minimum for financial records) |
| Audit logs | Minimum 2 years (append-only; retained for dispute resolution and legal compliance) |
| Support correspondence | 3 years from last interaction |
| Anonymised analytics data | Indefinitely (no personal identifiers) |
On account deletion, we soft-delete the account record. Personal identifiers (name, email, phone) are replaced with [deleted]. Audit log entries referencing the account are retained in anonymised form as required by applicable law.
Subject to applicable law, you have the following rights regarding your personal information. To exercise any of these rights, contact us at privacy@gatherlane.events with the subject line "Privacy Request — [Your Name]". We will respond within 30 days. We may need to verify your identity before acting on your request.
| Right | What It Means |
|---|---|
| Access | Request a copy of the personal information we hold about you (Ghana DPA s.24; POPIA s.23). |
| Correction | Request correction of inaccurate or incomplete personal information (Ghana DPA s.25; POPIA s.24). |
| Deletion | Request deletion of your personal information where there is no overriding legal basis for retention (Ghana DPA s.26; POPIA s.24). |
| Objection | Object to the processing of your personal information, including for direct marketing purposes (Ghana DPA s.27; POPIA s.11(3)). |
| Portability | Receive your personal information in a structured, commonly used, machine-readable format where technically feasible. |
| Withdraw Consent | Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing. |
If you are not satisfied with how we have handled your request, you have the right to lodge a complaint with the relevant supervisory authority:
We implement industry-standard technical and organisational measures to protect personal information, including:
No system is impenetrable. If you believe your personal information has been compromised, please contact us immediately at privacy@gatherlane.events. In the event of a personal information breach, we will notify affected individuals and the relevant supervisory authority (Ghana Data Protection Commission and/or the South Africa Information Regulator) as required by applicable law.
We use cookies and similar tracking technologies to operate the Platform and understand how users interact with it. For full details, including how to manage your cookie preferences, please read our Cookie Policy.
The Platform is not directed to children under the age of 18. We do not knowingly collect personal information from persons under 18. Both POPIA and the Ghana Data Protection Act afford heightened protection to personal information of children, and we require parental or guardian consent before processing any such data. If you believe we have inadvertently collected data from a child, please contact us at privacy@gatherlane.events and we will delete it promptly.
When an Event Owner adds Guests to the Platform (by uploading a guest list or manually adding guests), the Event Owner is acting as a data controller / Responsible Party in respect of that Guest data. The Event Owner is responsible for:
Gatherlane provides tools (guest deletion, event archiving) to enable Event Owners to meet these obligations. A Data Processing Agreement between Event Owners and Gatherlane is available on request at privacy@gatherlane.events.
This section explains how we handle photos and videos submitted by Guests through the public event gallery (the "Guest Upload" feature). These submissions are distinct from media uploaded by Event Owners.
When a Guest submits a photo or video, we collect: the media file itself, the submitter's name (as entered in the upload form), a guest tag (e.g. "family", "colleague"), and the submission timestamp. We do not require a Gatherlane account to submit photos.
Processing of Guest photo submissions is based on consent (Ghana Data Protection Act 2012, Act 843, s.17(1)(a); POPIA s.11(1)(a)). Consent is given at the point of submission, when the Guest enters their name, selects a tag, and taps "Submit." The upload form displays the notice: "It's in the host's photo library. They may share it on the event page later." This notice constitutes the disclosure required under Act 843 s.19 and POPIA s.18.
Where the Guest also ticks the optional download consent checkbox, the additional processing (Event Owner retaining a personal copy) is based on that separate, explicit consent.
| Party | Access |
|---|---|
| Event Owner | Can view all submitted photos in their moderation queue, approve or reject, and (if download consent given) download approved photos. |
| Gatherlane staff | Can view submissions only for moderation/support purposes or if required by law. |
| Public visitors | Can view only photos the Event Owner has explicitly approved and published. Cannot download. Copyright remains with the original photographer. |
| Other guests | No access to the moderation queue or unapproved submissions. |
Submitted photos are stored on Cloudinary (USA/EU — see Section 5 for transfer safeguards). They are retained for the same period as the associated event archive. When an event is permanently deleted or its archive expires, all associated media files are deleted from Cloudinary. Approved photos displayed on a public event page will be removed within 48 hours of event deletion.
A Guest may withdraw consent and request deletion of their submitted photo at any time by emailing privacy@gatherlane.events with the event name and a description of the submission (or the submitter name used). We will remove the photo within 10 business days. Withdrawal does not affect any lawful processing that occurred before the request.
Note: if a photo has already been approved and displayed publicly, removal from the event page is completed within 48 hours, but cached copies held by browsers or CDN nodes may remain visible for a short period until the cache expires.
Submitting a photo to an event does not transfer copyright to Gatherlane or to the Event Owner. The Guest who captured the image retains full copyright under the Ghana Copyright Act 2005 (Act 690), the South Africa Copyright Act 98 of 1978, and the Berne Convention. Public display of an approved photo on the event page does not grant any member of the public a licence to download, copy, or redistribute that photo. Visitors who wish to use or share displayed photos must obtain permission from the copyright owner directly.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where required, notify you by email. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated policy.
For privacy enquiries, to exercise your rights, or to submit a complaint:
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority: