Privacy Policy

Effective date: 2026-05-18

Data Controller

VšĮ BSides Vilnius (public institution registered in Lithuania)
Email: info [at] bsidesvilnius.lt

What Data We Collect and Why

1. Event Registration (workshops, CTF)

When you register for a workshop or CTF through our registration system, we collect:

  • Full name
  • Email address
  • Ticket/order number (required for workshops)
  • Team name (CTF)
  • Team member handles (CTF)

Legal basis: Performance of a contract (GDPR Art. 6(1)(b)) — we need this information to confirm your registration, manage attendance, and communicate event details.

Retention: Registration data is retained until 30 days after the event concludes, then deleted.

2. Ticket Purchases

Ticket sales are processed by Paysera (UAB "Paysera LT"). When you purchase a ticket, Paysera collects and processes your payment information under their own privacy policy. We receive only your name, email, and order reference — no payment card details.

Legal basis: Performance of a contract (GDPR Art. 6(1)(b)).

3. Website Visitors

This website is served through Cloudflare Pages. Cloudflare processes limited technical data (IP address, browser type, timestamps, referring pages) for security and performance purposes. We do not use any additional analytics tools or tracking scripts.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) — ensuring website security and availability.

Retention: Cloudflare retains server logs for a limited period per their data processing policies.

4. Cookies

This website uses only strictly necessary cookies set by Cloudflare for security purposes (e.g., bot detection). We do not use advertising, analytics, or preference cookies. Details: Cloudflare cookie documentation.

5. Photography and Video Recording

The event is photographed and recorded on video. Footage and photos may be published on our website, social media, and YouTube channel.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) — documenting and promoting a community event.

Opt-out: If you do not wish to be photographed or recorded, please inform the organizers at the registration desk. We will provide a visual identifier (lanyard/sticker) to signal to photographers that you should not be captured. If you find yourself in published material and want the image removed, contact us at info [at] bsidesvilnius.lt.

6. Email Communications

We send the following emails via Cloudflare Email Workers:

  • Transactional: registration confirmations, cancellation confirmations, waitlist notifications
  • Event-related: post-event feedback surveys

Legal basis: Performance of a contract (GDPR Art. 6(1)(b)) for transactional messages; legitimate interest (GDPR Art. 6(1)(f)) for feedback surveys directly related to an event you attended.

7. Live Q&A

During conference sessions, you may submit questions and replies through our live Q&A tool. We collect:

  • Question/reply text
  • Display name (optional — you may participate anonymously)
  • A daily-rotating hash of your IP address, used solely to prevent duplicate upvotes within the same session. This hash cannot be reversed to your IP address and is deleted when the Q&A session is cleared.

We do not store your raw IP address in Q&A data.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) — enabling audience participation during sessions.

Retention: Q&A data is deleted when the session is cleared by organizers, typically within 7 days after the event.

Data Processors

We use the following third-party services that process data on our behalf:

Processor | Purpose | Location
Cloudflare, Inc. | Website hosting, CDN, email delivery, registration system | USA (EU-approved transfer mechanisms)
Microsoft Azure | CTF platform hosting | EU (North Europe region)
UAB "Paysera LT" | Ticket sales and payment processing | Lithuania / EU

International Data Transfers

Cloudflare is a US-based company. Data processed by Cloudflare may be transferred outside the EEA. Cloudflare relies on EU Standard Contractual Clauses and other approved transfer mechanisms. See Cloudflare's Data Processing Addendum.

Your Rights

Under GDPR, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data
  • Restriction — limit how we process your data
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interest
  • Withdraw consent — where processing is based on consent

To exercise any of these rights, email us at info [at] bsidesvilnius.lt. We will respond within 30 days.

Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Lithuanian supervisory authority:

Valstybinė duomenų apsaugos inspekcija (VDAI)
L. Sapiegos g. 17, 10312 Vilnius
https://vdai.lrv.lt

Security

We use HTTPS encryption, access controls, and security headers to protect your data in transit and at rest. Registration data is stored in Cloudflare's infrastructure with encryption at rest, and access is limited to event organizers.

Our website contains links to external sites. We are not responsible for their privacy practices. Review their privacy policies before providing personal data.

Changes to This Policy

We may update this policy from time to time. Changes take effect immediately upon publication. The effective date at the top of this page reflects the latest revision.

Contact

For questions about this privacy policy or your personal data:
Email: info [at] bsidesvilnius.lt