Privacy Policy
1. Introduction & Data Controller
ThinkBiz (“we,” “our,” or “us”) operates the ThinkBiz mobile application — the official companion app for the ThinkBiz Academy conference series, the largest student entrepreneurship conference in Greece.
We are committed to protecting your privacy and handling your personal data with transparency. This Privacy Policy explains what data we collect, why we collect it, how we protect it, and your rights under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Greek Law 4624/2019.
2. Scope & Minimum Age
This Privacy Policy applies to all users of the ThinkBiz App on iOS and Android.
3. Personal Data We Collect
3.1 Data You Provide Directly
Account & Identity (required to use the App):
- Email address
- First and last name
- Password (stored hashed and encrypted — never in plaintext)
- Profile photo (optional)
Professional & Academic Profile (optional):
- University or educational institution, department, year of study
- Professional headline, company or organisation affiliation
- Biography, LinkedIn, GitHub, Instagram, and personal website URLs
- CV / résumé file upload
Networking Preferences (optional, visibility controlled by you):
- Skills and proficiency levels
- Professional interests, goals, and languages spoken
- “Looking for” preferences (co-founders, mentors, job opportunities, etc.)
- Networking availability status and “Ask me about” summary
User-Generated Content:
- Questions and votes submitted during live Q&A sessions
- Poll votes and emoji reactions during live events
- Photos and videos posted as “Moments” (24-hour auto-expiring event highlights)
- Direct messages to other users
- Session bookmarks and personal schedule preferences
Ticket & Order Data (if you purchase event tickets):
- Ticket holder full name and email address
- Coupon or discount code used (if any)
- Marketing consent preference
3.2 Data Collected Automatically
Device & Technical Data:
- Device type, model, and OS version
- App version number
- Push notification token (managed by OneSignal)
- Device language and locale settings
Behavioral & Usage Data:
- Screens and features accessed within the App
- Sessions viewed and attendance check-ins
- Content interactions (story views, poll votes, reaction counts, bookmarks)
- Last-active timestamp
- Crash reports and error logs (via Sentry)
3.3 Data from Third-Party Sign-In Providers
| Provider | Data Received |
|---|---|
| Google Sign-In | Email, display name, profile picture URL, Google account ID |
| Apple Sign-In | Apple account ID, email (or Apple Private Relay address), name (if shared) |
We never receive or store your password from these providers.
4. Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis |
|---|---|
| Creating and managing your account | Contract — Art. 6(1)(b) |
| Authentication and session management | Contract — Art. 6(1)(b) |
| Displaying your profile to other users | Contract — Art. 6(1)(b) + Consent for optional fields — Art. 6(1)(a) |
| Processing ticket payments | Contract — Art. 6(1)(b) |
| Sending transactional emails (OTPs, order confirmations) | Contract — Art. 6(1)(b) |
| Sending event-related push notifications | Legitimate interests — Art. 6(1)(f) |
| Sending marketing communications | Consent — Art. 6(1)(a) |
| Crash reporting and error tracking (Sentry) | Legitimate interests — Art. 6(1)(f) |
| Aggregated usage analytics | Legitimate interests — Art. 6(1)(f) |
| Fraud prevention and abuse detection | Legitimate interests — Art. 6(1)(f) |
| Admin audit logging | Legal obligation — Art. 6(1)(c) |
Where processing is based on your consent, you may withdraw it at any time via App Settings or by emailing privacy@thinkbiz.gr. Withdrawal does not affect processing carried out before withdrawal.
5. How We Use Your Data
- Account management — Register you, authenticate your identity, and keep your account secure
- Event experience — Show schedules, speakers, live streams, and real-time announcements
- Networking — Enable you to discover and connect with other attendees based on your stated skills, interests, and availability
- Messaging — Facilitate direct communication between connected users
- Push notifications — Session reminders, connection requests, live stream alerts, and event updates
- Ticketing & payments — Process ticket purchases, generate QR codes for venue entry, and handle refunds
- Career Agora — Connect you with companies and job opportunities showcased at the event
- Live features — Power live Q&A, polls, emoji reactions, and Moments/story content
- Safety & security — Detect fraud, prevent abuse, and maintain platform integrity
- Legal compliance — Meet our obligations under applicable law
6. Third-Party Data Processors & International Transfers
We engage the following processors to help operate the App. Each is bound by a Data Processing Agreement (DPA) per GDPR Article 28:
| Processor | Purpose | Data Shared | Country |
|---|---|---|---|
| Convex, Inc. | Database, real-time backend, file storage | All user and event data | USA |
| Google LLC | Authentication (Google Sign-In); AI processing (Gemini, server-side only) | Account identifiers, AI-processed content | USA |
| Apple Inc. | Authentication (Apple Sign-In) | Apple account ID, email, name | USA |
| OneSignal, Inc. | Push notification delivery and engagement tracking | Device push tokens, user IDs, notification events | USA |
| Stripe, Inc. | Payment processing (ticket purchases) | Cardholder name, email, transaction amounts | USA |
| Amazon Web Services (SES) | Transactional email delivery (OTPs, order confirmations) | Recipient email addresses, email content | USA |
| Sentry (Functional Software, Inc.) | Crash reporting and error tracking | Device info, OS/app version, error stack traces, user ID | USA |
| Expo / EAS (650 Industries, Inc.) | App build and distribution infrastructure | App bundle data, basic device metadata | USA |
International Data Transfers
All processors listed above are based in the United States, outside the European Economic Area. We ensure these transfers comply with GDPR Chapter V through:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914)
- The EU–US Data Privacy Framework where applicable (Google, Stripe)
You may request a copy of the applicable safeguards by emailing privacy@thinkbiz.gr.
7. Data Retention
We retain personal data only as long as necessary for the purpose it was collected, or as required by law.
| Data Category | Retention Period |
|---|---|
| Account and profile data | Until account deletion, then purged within 30 days |
| Authentication sessions | 30 days from last activity; automatically refreshed daily |
| Event activity (views, check-ins, bookmarks, votes) | 12 months from event date, then permanently anonymised |
| Live Q&A questions and poll responses | 6 months from event date, then anonymised |
| Moments / story media | 24-hour auto-expiry; full purge within 30 days of expiry |
| Ticket and order records | 5 years (Greek tax and accounting law requirement) |
| Admin audit logs | 2 years, then permanently deleted |
| Crash reports (Sentry) | 90 days |
| Push notification tokens and logs | 90 days from last activity |
| Idempotency keys (payment deduplication) | 24 hours, then automatically purged |
| Anonymised aggregate analytics | Indefinitely (no longer personal data) |
After the applicable retention period, data is permanently and irreversibly deleted or anonymised.
8. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR:
- Request a copy of all personal data we hold about you.
- Correct inaccurate data — also available directly in App Settings.
- Delete your account in Settings → Account → Delete Account. All data purged within 30 days.
- Ask us to suspend processing in certain circumstances.
- Receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw any given consent at any time, without penalty.
We do not make solely automated decisions that produce legal effects about you.
How to exercise your rights: Email privacy@thinkbiz.gr. We respond within 30 days (extendable to 60 days for complex requests, with notice). No fee for reasonable requests.
9. Data Sharing
With Other App Users
Your public profile (name, photo, headline, university, bio, skills, networking status) is visible to authenticated App users to enable conference networking. You control which optional fields are shown in your privacy settings. Messages you send are visible only to the recipient.
With Event Co-Organisers
We may share aggregated, anonymised attendance and engagement statistics. Individual personal data is never shared without your explicit consent.
For Legal Compliance
We may disclose data when required by law, court order, or legal process, or when necessary to protect our legal rights, user safety, or the public.
Business Transfers
In a merger, acquisition, or sale of company assets, your data may be transferred to the successor entity with appropriate advance notice to you.
10. App Permissions
| Permission | Purpose |
|---|---|
| Camera | Upload profile photo; record video for Moments/story content |
| Photo Library | Select existing photos or videos for your profile or Moments |
| Push Notifications | Receive event updates, session alerts, and networking notifications |
| Microphone | Record video with audio for Moments content |
None of these permissions are required for the App’s core browsing and scheduling features. You may grant or revoke any permission at any time in your device’s Settings app.
11. Local Storage
The App does not use browser cookies.
We use AsyncStorage to store your preferences locally on your device (language, theme, notification settings, onboarding status). This data remains on your device and is not transmitted to our servers.
We use expo-secure-store (backed by iOS Keychain / Android Keystore) to protect your authentication session tokens on-device with hardware-level encryption.
12. Data Security
We implement the following technical and organisational measures:
- All data in transit is encrypted using TLS 1.2+ (HTTPS)
- Data at rest is encrypted at the storage layer by our infrastructure providers
- Authentication tokens are stored in hardware-backed secure storage on your device
- Role-based access controls restrict internal access to personal data
- Server-side price validation prevents client-side manipulation of payment values
- Idempotency key protection prevents duplicate financial transactions
- Regular dependency updates and security patching
- Database-level access restrictions on all tables
Despite these measures, no internet transmission or digital storage is completely secure. If you believe your account has been compromised, contact us immediately at privacy@thinkbiz.gr.
13. Children’s Privacy
The App is not directed at children. We require users to be at least 16 years old (15 in Greece per Law 4624/2019, Art. 21).
If a parent or legal guardian believes their child has registered, contact privacy@thinkbiz.gr. We will delete the data without undue delay.
14. Changes to This Privacy Policy
We may update this policy periodically. When we make material changes, we will:
- Update the “Last Updated” date at the top of this document
- Publish the updated policy at thinkbiz.gr/privacy-policy
- Send an in-app notification for significant changes
Your continued use of the App after an update constitutes acknowledgement of the changes. If you do not agree, you should stop using the App and request account deletion.
15. Supervisory Authority — Right to Lodge a Complaint
You have the right to lodge a complaint with the competent data protection supervisory authority. In Greece:
If you reside in another EU/EEA member state, you may also contact the supervisory authority in your country of residence.
16. Contact Us
Get in Touch
General privacy enquiries: privacy@thinkbiz.gr
Data protection officer: privacy@thinkbiz.gr
Website: thinkbiz.gr
We aim to respond to all privacy-related enquiries within 5 business days.