Privacy Policy

§2.1Account data

When you create an account on Owa’w, we collect: the first name and the last name you declare; your date of birth (used in particular to verify the age minimum of 18 years required to access the Service); your email address; your password (stored as a one-way cryptographic hash using a recognised algorithm — we never store your password in a form that allows it to be recovered); your declared role (Participant or Organizer); your country of residence as declared.

§2.2Card-name check data (formerly "Identity Verification")

In short: When we check the name on your bank card matches the one you gave us, we receive only the cardholder name from Stripe, plus a technical reference and a success/failure flag. We never see your card number, expiry date, or security code.

During the card-name check procedure (described in section 4.2 of the Terms), we receive from Stripe: the name of the holder of the bank card you presented, as confirmed by your bank; a technical reference to the Stripe Setup Intent that allows us to refer back to the procedure if necessary; the success or failure result of the check. Where Stripe makes the information available, we also receive a signal indicating whether the card is consistent with a holder over 18 (without disclosing the precise age or date of birth).

We do not receive: your full bank card number (we do not have access to it at any time); your CVV (cryptographic security code); your card expiration date. These elements are processed exclusively by Stripe, in accordance with their own data protection policy.

§2.3Event data (Organizers only)

When, as an Organizer, you submit an Event on Owa’w, we collect: the title and description of the Event; the start and end date and time; the declared location of the Event (text address and geographic coordinates obtained by geocoding through our geocoding subprocessor — see §5.2); the public URL of the Event (ticketing page, social network post, official website); the displayed name of the Organizer (which may differ from the legal name declared at registration); the contact email of the Event (defaults to the account email, modifiable); the optional image of the Event; the chosen category(ies); the history of submissions, modifications, and statuses of your Event.

§2.4Bidirectional Verification data

During the Bidirectional Verification procedure (described in section 4.3 of the Terms), we collect: the unique code generated by Owa’w, linked to your account, your Event, and the declared URL; the history of attempts to verify the code (date, time, result success/failure); upon success of the verification, a timestamped record consisting of the URL, the time of verification, and the short textual snippet in which the code was found.

We do not retain a full copy of your public Event page. We retrieve it only to search for the verification code and to produce the timestamped record described above; no other content is retained.

§2.5Geolocation data (Participants only)

Default anonymity / Localisation par défaut hors ligne: Outside the Matching Windows of Events you have joined, we do not access your geolocation.

During the Matching Window of an Event you joined, we use the geolocation of your mobile device to: determine whether you are present in the Geographic Perimeter of the Event; enable the matching mechanism with other Participants who are also present.

We do not store the precise history of your locations. We only retain the information of "presence in such or such Perimeter at such or such moment", and only for the duration of the corresponding Matching Window. This information is erased within a maximum of seven (7) days after the closing of the Window.

§2.6Matching and messaging data

During the Matching Window of an Event, we collect: the list of Events you have joined as a Participant; the expressions of interest you make toward other Participants present in the Perimeter; the matches established with other Participants; the content of messages exchanged via the Owa’w private messaging.

Messages are accessible only to the two Participants concerned. They are erased on the closing of the messaging defined in section 4.4 of the Terms (up to two days — 24 to 48 hours — after the end of the Event).

§2.7Technical and usage data

During your use of the Service, we automatically collect: the IP address from which you access the Service (used in particular for the security of the Service and the prevention of abuse); the operating system and version of the operating system of your device; the version of the Owa’w mobile application installed; the date, time, and nature of significant actions performed on the Service (creation of account, submission of Event, expression of interest, etc.), for purposes of operating the Service and security; the errors encountered by the application on your device, for diagnostic purposes.

The Owa’w mobile application does not contain advertising cookies, retargeting pixels, or behavioral tracking shared with third parties for marketing purposes. It may contain first-party crash-reporting and error-diagnostic tools, listed transparently in §5.2, used exclusively to detect and fix software defects.

§2.8Moderation and reporting data

In case of reporting (by yourself or against you) or moderation intervention, we collect: the content of the report (declared facts, possible justification); the date and time of the report; the internal investigation conducted (consulted elements, decision made); the decision communicated to the reporting User and, if applicable, to the reported User; the history of past reports concerning the same Users.

The identity of a reporting User is never disclosed to a reported User, in accordance with section 7.1 of the Terms.

Preservation on report. When a User files a serious safety report (cases listed in §6.2 of the Terms, in particular suspected physical or sexual assault, harassment, threats, or any fact likely to constitute a criminal offense), or when Owa’w receives a preservation request from a competent authority, the geolocation data (2.5), the matching and messaging data (2.6) and the technical data (2.7) bearing directly on the facts reported are frozen and excluded from the ordinary deletion schedule (§6.5, §6.6) pending the conclusion of the investigation or the lawful processing of the request. The maximum preservation duration is one (1) year, renewable once by a documented decision when the criminal procedure so requires. Beyond that, the frozen data is erased unless transmitted to a competent authority under §5.3.

§2.9Derived reputational data — Trust tiers

In short: As you use Owa’w, your account earns a trust tier — New, Established, or Established+ — based on your verified participation in events and on the absence of confirmed reports against you. This tier is visible to other Users you encounter on the Service and is described in our marketing pages.

For each User, Owa’w computes and stores a trust tier (one of: New, Established, Established+), derived from objective signals: the completion and outcome of the card-name check (2.2), the number of Events the User has joined and at which their presence within the Geographic Perimeter has been confirmed by the matching mechanism, the absence of confirmed reports under §2.8, and the age of the account.

The exact thresholds between tiers may evolve to preserve their meaning; the criteria themselves are limited to those listed above. The tier is updated automatically when the underlying signals change. The tier is shared with other Users in the conditions of §5.1.

You may at any time consult your current tier, the signals on which it is based, and the reasons for any recent change, from your account settings. You may contest the tier or the underlying signals; see §8.10.

§4.1Operation of the Service

Purpose: enable the creation of your account, the access to features described in section 4 of the Terms, and your interactions with other Users within the Geographic Perimeters and Matching Windows of Events.

Data used: account data (2.1), Event data (2.3), Bidirectional Verification data (2.4), geolocation data (2.5), matching and messaging data (2.6).

Legal basis: execution of the contract concluded between you and Owa’w (GDPR Article 6.1.b). Geolocation during a Matching Window is not optional but the technical condition for the matching service; consequently, it is strictly necessary for the performance of the contract. Without this processing, the Service cannot be provided.

§4.2Card-name check and prevention of fraud

Purpose: reduce the risk of fictitious, anonymous, or fraudulent accounts by verifying that the name declared at registration matches the name on a bank card the User controls; verify, where the issuing-bank signal allows, that the card is consistent with a holder over 18; verify the control of an Event's public page by its declared Organizer.

Data used: card-name check data (2.2), Bidirectional Verification data (2.4), technical data (2.7).

Legal basis: execution of the contract for the part relating to your own verification (Article 6.1.b), and legitimate interest of Owa’w for the prevention of fraud, the security of the Service, and the protection of the rights of other Users (Article 6.1.f). A legitimate-interest assessment (LIA) is documented internally per Article 30.

§4.3Security of the Service and prevention of abuse

Purpose: detect and prevent any abuse of the Service, in particular automated attempts to access, identity theft, harassment, organized fraud, and circumventions of the technical limits of the Service.

Data used: technical data (2.7), moderation data (2.8).

Legal basis: legitimate interest of Owa’w to ensure the security of its Service and to protect its Users (Article 6.1.f). This legitimate interest has been weighed against your rights and freedoms in a documented LIA, and is considered proportionate insofar as the absence of such processing would expose all Users to disproportionate risks.

§4.4Moderation and handling of reports

Purpose: process reports made by Users (or against you), conduct internal investigations in case of suspected breach of the Terms, and take the graduated measures listed in section 7.2 of the Terms.

Data used: moderation data (2.8), account data (2.1), and, when strictly necessary for an investigation into a specific reported breach, the categories of data described in 2.5, 2.6, or 2.7 that bear directly on the facts under investigation. No data category outside §2 is collected or used for this purpose.

Legal basis: legitimate interest of Owa’w to ensure the proper functioning of the Service and to protect the rights of its Users (Article 6.1.f, with documented LIA), and execution of the contract regarding the application of the Terms (Article 6.1.b).

Non-discrimination. Moderation decisions and investigations are conducted on the basis of the reported facts, not on the basis of the religious, philosophical, political opinions, sexual orientation, gender identity, ethnic, national, or cultural origin, or lawful affiliation of the reported User. This non-discrimination commitment mirrors §6.4 of the Terms.

§4.5Service improvement

Purpose: analyze the use of the Service in aggregated form to improve its operation, fix defects, and design new features.

Data used: technical data (2.7), aggregated at the moment of collection where technically feasible, otherwise anonymized within thirty (30) days. The aggregation/anonymization process is documented internally and reviewed for re-identification risk.

Legal basis: legitimate interest of Owa’w to continuously improve its Service (Article 6.1.f). A documented LIA balances this interest against your rights; the residual risk is mitigated by aggregation at collection.

Use is contribution. Each Event submitted, each verification performed, each report filed contributes — in aggregated form — to the quality of the platform for the next User. We retain this aggregate learning indefinitely, on the understanding that no individual identification remains possible at this level.

§4.6Communication with Users

Purpose: send you the operational emails strictly necessary for the Service (account confirmation, password reset, notifications related to your Events or your Matches, notifications of substantial modification of the Terms or this Policy).

Data used: account data (2.1).

Legal basis: execution of the contract (Article 6.1.b) for operational emails strictly necessary for the Service. We do not send marketing emails outside of an explicit consent procedure that you may withdraw at any time.

Push notifications. Push notifications sent through the mobile application are restricted to events directly relevant to a User's active participation (start of a Matching Window the User is joining, receipt of a new Match, conclusion of a moderation decision concerning the User, etc.). Owa’w does not send notifications to recall an inactive User, to suggest re-engagement, or for marketing purposes.

§4.7Compliance with legal obligations

When a binding legal request reaches Owa’w (judicial requisition, request from a data protection authority, regulatory request in the context of an investigation, or any other legal procedure binding upon us), we process the strictly necessary data to respond, within the limits of the request received. We also keep traces required by tax, accounting, or sector laws when applicable.

Legal basis: compliance with a legal obligation to which Owa’w is subject (Article 6.1.c). This basis is invoked at the moment of compliance with each binding request, not as a pre-existing processing purpose.

§4.8What we do not use your data for

To remove any ambiguity, we do not use your personal data: to display behavioral advertising on the Service or elsewhere; to sell, rent, or share your data with advertisers or data brokers; to enrich third-party profiles or commercial databases; to make decisions based solely on automated processing that produce legal effects or significantly affect you — the trust tier (2.9) is computed automatically but does not constitute such a decision (see §8.10 for safeguards); to track your browsing outside the Owa’w Service.

§4.9Trust tier computation

Purpose: assign a trust tier (2.9) to each account based on objective signals, to give other Users a transparent indication of the level of verified participation of an account they encounter on the Service.

Data used: data described in 2.9 (signals only — no analysis of the content of your messages, profile, or behavior outside the events listed in 2.9).

Legal basis: legitimate interest of Owa’w and of other Users in being able to assess, on the basis of transparent criteria, the level of verified participation of a counterpart on the Service (Article 6.1.f). A documented LIA balances this against your rights; the residual risk is mitigated by the criteria being publicly listed, by your right to consult and contest the tier under §8.10, and by the absence of significant legal effect (the tier alone does not exclude, suspend, or remove access).

§6.1Account data

The account data described in 2.1 is kept for the entire duration of the active life of your account. Following the deletion of your account (whether voluntary or pronounced by Owa’w), this data is permanently erased within thirty (30) days, subject to the limited exceptions listed in 6.7. The 30-day window covers technical propagation across backups and is not used for any other purpose.

§6.2Card-name check data

The result of the card-name check (success / failure) and the Stripe technical reference described in 2.2 are kept for the entire duration of your account, then for a period of three (3) years after the deletion of your account for purposes of legal evidence and prevention of fraud (notably to prevent the recreation of an excluded account by the same person).

The name of the cardholder transmitted by Stripe is, on the other hand, erased simultaneously with the rest of the account data.

§6.3Event data

Event data described in 2.3 is kept indefinitely on Owa’w as part of the operation of the Service (Events listed remain visible for the history of the Service). However: if the Organizer of an Event deletes their account, the Organizer's name is replaced by a generic identifier on past Events, in accordance with section 7.4 of the Terms; Events for which the Organizer requests deletion are deleted or anonymized within thirty (30) days, except where their retention is justified by an ongoing investigation or legal obligation.

§6.4Bidirectional Verification data

Bidirectional Verification data described in 2.4 is kept for the entire duration of the associated Event and for one (1) year after its end, for purposes of proof and traceability. Beyond this period, the verification data is anonymized: only the fact that the verification has taken place is retained, without traceable elements specific to the User.

§6.5Geolocation, matching and messaging data

Geolocation data described in 2.5 is erased within a maximum of seven (7) days after the closing of the Matching Window of the Event concerned.

Matching and messaging data described in 2.6 (expressions of interest, matches, content of messages) is erased on the closing of the messaging defined in section 4.4 of the Terms (between 24 and 48 hours after the end of the Event). Beyond this closing, no copy of the messages is retained by Owa’w.

Exception — preservation on safety report. Where §2.8 last paragraph applies (serious safety report or preservation request from an authority), the data above is frozen and excluded from this deletion schedule for the duration provided in §2.8.

§6.6Technical and usage data

Technical and usage data described in 2.7 is kept for variable periods according to its purpose. The retention clocks below run from the moment of collection, and continue to run independently of any subsequent account deletion: IP addresses related to security (anti-fraud, anti-abuse): up to twelve (12) months; significant action logs (account creation, Event submission, etc.): up to twenty-four (24) months; technical error logs: up to ninety (90) days; aggregated and anonymized statistics derived from this data: kept indefinitely insofar as they no longer allow individual identification.

§6.7Moderation data and traces of exclusion

Moderation data described in 2.8 is kept for a period of three (3) years from the closing of the case, for purposes of legal evidence, history of repeated incidents, and protection of Users.

In case of exclusion of an account for serious breach (cases listed in 6.1 and 6.2 of the Terms), Owa’w retains a minimum trace of the exclusion (technical identifier, reason for exclusion, date) for a period of up to five (5) years, in order to prevent the recreation of an account by the same person. A 5-year period (rather than 3) is retained for these most serious cases to align with the criminal-procedure limitation periods that may apply to the underlying facts. This retention is limited in time to what is strictly necessary for this purpose.

The corresponding contractual provision is set out in section 7.4 of the Terms.

§8.1Right of access— see what data we have on you

You have the right to obtain confirmation that your personal data is processed by Owa’w, and to access this data. Upon request, we provide you with a complete summary of the data we hold about you, in an intelligible format.

§8.2Right of rectification— fix wrong information

You have the right to request the rectification of any personal data concerning you that would be inaccurate or incomplete. Most data can be modified directly from your account settings. For data that is not editable from the interface (notably the data resulting from your card-name check), please contact us.

§8.3Right of erasure— delete your data

You have the right to request the erasure of your personal data, in particular by deleting your account from your account settings. The erasure is effective within the deadlines provided for in section 6.

Some data may be retained beyond the deletion of your account, in the cases provided for in 6.2, 6.6, and 6.7 (legal obligation, evidence of fraud prevention, traces of exclusion). These exceptions are limited to what is strictly necessary, and the data concerned is no longer used for any other purpose.

§8.4Right to data portability— download a copy of your data

You have the right to receive the personal data you have provided to Owa’w in a structured, commonly used, and machine-readable format (a structured file you can open in standard software). You may also request the direct transmission of this data to another service of your choice, when technically possible.

The export of your data is accessible from your account settings, or by direct request to our team.

§8.5Right to object— say no to certain processing

You have the right to object to the processing of your personal data based on our legitimate interest, namely: fraud prevention (4.2 in part), Service security (4.3), moderation (4.4 in part), Service improvement (4.5), and the trust tier computation (4.9).

In case of objection, we examine your request. We may continue the processing if we demonstrate compelling legitimate grounds prevailing over your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. In any other case, we end the processing concerned.

Independently of your GDPR rights, you can configure the frequency of non-essential operational emails from your account settings, and disable push notifications described in §4.6 from your device settings.

§8.6Right to restriction of processing— put processing on hold

You have the right to request that the processing of your personal data be restricted in the following cases:

• —when you contest the accuracy of the data, for the time needed to verify;
• —when the processing is unlawful but you do not want the data erased;
• —when we no longer need the data but you need it for the establishment, exercise, or defense of legal claims;
• —when an objection under 8.5 is being examined.

In case of restriction granted, your data is retained but no longer subject to processing, except for those exceptions described by applicable law.

§8.7Right to withdraw consent— change your mind

When a processing is based on your consent (cases that are rare in our case, mentioned where applicable in section 4), you have the right to withdraw that consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out before the withdrawal.

§8.8Right to define post-mortem directives— decide what happens after your death

You have the right, in particular if you reside in France, to define directives concerning the fate of your personal data after your death (Article 85 of the French Data Protection Act). These directives can be communicated to us directly, or registered with a digital trust third party recognized by applicable law.

In the absence of contrary directives, your heirs can exercise certain rights over your data, in the framework provided for by applicable law.

§8.9Right not to be subject to a fully automated decision— human review available

You have the right not to be subject to a decision based solely on automated processing that produces legal effects or significantly affects you. Owa’w does not take such decisions: moderation measures with significant consequences (account exclusion, prolonged suspension) involve human review. Where automated processing is used as a first-line filter, you may request human review, express your point of view, and contest the decision by writing to the email indicated in 1.2.

§8.10Right to consult and contest your trust tier

You may at any time, from your account settings, consult: your current trust tier; the signals on which it is currently based (in the limitative list of §2.9); the most recent change to your tier and the signal that triggered it.

You may contest the tier or any underlying signal by writing to the email indicated in 1.2. We examine the contestation under human review, correct any erroneous signal, and recompute the tier accordingly.

The trust tier is not, on its own, a decision producing legal effects or significantly affecting you within the meaning of §8.9: it does not exclude, suspend, or remove access to the Service. The decisions that may have such effects (suspension, exclusion) are governed by §7 of the Terms and by §8.9 of this Policy.

§8.11How to exercise your rights

To exercise any of these rights, you can: use the dedicated features of your account settings, when they are available (account deletion, data export, modification of personal information, consultation of your trust tier, opposition to non-essential emails); contact our team by email at [PRIVACY CONTACT EMAIL — TO BE COMPLETED], specifying the nature of your request and any element allowing us to identify you with certainty.

We respond to your requests within one (1) month from receipt, extendable by two (2) months in case of complexity or significant volume, with information provided to you in advance.

In case of doubt about your identity, we may request additional elements to verify your authenticity before complying with the request. This verification is necessary to protect your data against unauthorized third-party requests.

The exercise of these rights is free. We may charge a reasonable administrative fee, or refuse to follow up, only in case of manifestly unfounded or excessive requests (in particular, repeated requests with no new element), with written justification.

§10.1Contacting Owa’w for any privacy-related question

For any question relating to this Privacy Policy, to the personal data processing carried out by Owa’w, or to exercise any of the rights described in section 8, you can contact us at: [PRIVACY CONTACT EMAIL — TO BE COMPLETED].

We acknowledge receipt of your request within seventy-two (72) hours and respond substantively within the deadlines provided for in 8.11.

§10.2Data Protection Officer (DPO)

Owa’w's DPO can be contacted directly at: [DPO EMAIL — TO BE COMPLETED]. The DPO is competent to handle questions relating to the protection of personal data on the Service and to facilitate exchanges with the competent supervisory authority.

§10.3Right of recourse to the supervisory authority

If you consider that Owa’w does not respect your rights over your personal data, despite a prior exchange with us, you have the right to file a complaint with the data protection supervisory authority competent in your country of residence.

• —In France: Commission Nationale de l'Informatique et des Libertés (CNIL), 3 place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07. Online complaint: https://www.cnil.fr/fr/plaintes.
• —In another country of the European Union: the supervisory authority of your country of residence. The list of European authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
• —Outside the European Union: the supervisory authority competent under the data protection law applicable to your country of residence.

We encourage you, in any case, to first contact us so that we can endeavor to resolve your concern amicably.