Bermevents Privacy Policy
Effective date: [To be set on publish] Last updated: [To be set on publish]
1. Who We Are
Bermevents is operated by Aaron de Silva, trading as "Bermevents" (referred to in this policy as "we", "us", or "Bermevents").
Registered address: 5 Cedarberry Drive, Lower Studio, Hamilton Parish CR 02, Bermuda. Website: bermevents.com Privacy contact: aaron@bermevents.com
Bermevents operates a marketplace where Bermudian event organizers list and sell tickets to buyers. This policy explains how we collect, use, share, and protect personal information in connection with that service.
2. Scope and Applicable Law
This policy applies to personal information collected through bermevents.com and any related services. We process personal information in accordance with the Personal Information Protection Act 2016 (PIPA), which came into force in Bermuda on 1 January 2025.
Where we act as a data processor on behalf of an event organizer (for example, when managing their attendee list), that organizer is the primary data controller for that personal information. This policy covers our processing as both controller (for platform operations) and processor (for organizer event data).
3. Data Controller Identity
Data controller (platform operations): Aaron de Silva t/a Bermevents 5 Cedarberry Drive, Lower Studio, Hamilton Parish CR 02, Bermuda aaron@bermevents.com
Data processor (attendee data on behalf of organizers): For personal information relating to attendees of a specific event, the event organizer is the primary data controller. Bermevents processes that information on the organizer's behalf under PIPA's controller/processor framework.
4. Personal Information We Collect
4.1 Ticket Buyers
When you purchase a ticket through Bermevents, we collect:
- Name -- required at checkout to identify your booking.
- Email address -- required at checkout for ticket delivery and booking confirmation.
- Phone number -- optional. We may use this for SMS ticket delivery in a future feature; we will ask for consent at that time.
- Payment reference -- we store only the payment ID reference issued by Checkout.com. Your card details (card number, CVV, expiry) are entered directly into Checkout.com's secure payment form and are never transmitted to or stored by Bermevents.
- IP address and browser information -- collected automatically for fraud prevention and analytics.
- Device identifiers and cookies -- used for session management and analytics. See Section 11 (Cookies).
- Purchase history -- your booking records are associated with your email address and, if you create an account, with your account.
4.2 Event Organizers
If you list events on Bermevents as an organizer, we collect:
- Everything listed in Section 4.1 above (organizers are also users of the platform).
- Company or trading name -- your business name as a sole proprietor or entity.
- Bermuda Business and Professional License number -- where applicable, for verification purposes.
- KYC information for payment processing -- Checkout.com collects identity verification data from organizers directly as part of their sub-merchant onboarding. This information is governed by Checkout.com's privacy policy; Bermevents does not hold it.
- Attendee data from your events -- as an organizer, you can access the attendee list for your own events (names, emails, ticket types purchased). You are the data controller of that attendee information. Bermevents processes it on your behalf.
4.3 Site Visitors
If you browse bermevents.com without purchasing or registering, we automatically collect:
- IP address, pages viewed, and referrer URL -- for aggregate analytics only. We do not use this to identify you individually.
5. How and Why We Use Your Information
We process personal information only where we have a lawful basis under PIPA. The table below sets out our processing activities and their lawful basis.
| Processing activity | Lawful basis |
|---|---|
| Processing your ticket purchase and delivering your tickets | Contract performance |
| Sending booking confirmations and event updates | Contract performance |
| Fraud prevention and platform security | Legitimate interests (protecting users and the platform) |
| Analytics to improve the service | Legitimate interests (service improvement) |
| Session management and core site functionality | Legitimate interests (operating the service) |
| Providing organizers access to their attendee lists | Contract performance (organizer agreement) |
| Verifying organizer identity and license | Legal obligation / legitimate interests |
| Sending marketing emails (if you opt in) | Consent |
| Retaining payment records for tax and dispute purposes | Legal obligation / legitimate interests |
We do not use your personal information for purposes incompatible with the purpose for which it was collected without seeking fresh consent or establishing another lawful basis.
6. Marketing Communications
We will only send you marketing emails if you have opted in at signup or checkout. Opt-in is not selected by default. You can withdraw consent and unsubscribe at any time by:
- Clicking the unsubscribe link in any marketing email, or
- Emailing aaron@bermevents.com.
Withdrawal of consent does not affect the lawfulness of any processing that occurred before withdrawal.
Transactional emails (booking confirmations, ticket delivery, event reminders) are sent regardless of marketing preferences because they relate to a service you have contracted for.
7. Sharing Your Information
We do not sell your personal information. We share it only in the following circumstances:
With event organizers. If you purchase a ticket to an event, the organizer of that event receives your name, email, and ticket details so they can manage attendance. They become a data controller for that information and are bound by our organizer agreement to handle it lawfully.
With service providers (sub-processors). We use the following third-party processors to operate the platform. Each is engaged under a data processing agreement or equivalent contractual safeguards:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Primary database (Postgres) | AWS us-east-2, USA |
| Resend | Transactional email delivery | USA |
| Checkout.com | Payment processing | EU, UK, USA |
| Vercel | Website hosting and edge delivery | USA (primarily) |
| Klaviyo | Newsletter delivery (opt-in users only) | USA |
This list may be updated as we add or change providers. We will notify you of material changes per Section 14.
For legal compliance. We may disclose information if required by Bermuda law, a court order, or to protect the rights, property, or safety of Bermevents, our users, or the public.
Business transfers. If Bermevents is sold or transferred as a business, personal information may be transferred as part of that transaction. We will notify affected users in advance where required by PIPA.
8. Cross-Border Data Transfers
Bermevents is based in Bermuda. Our service providers are located in the United States and the European Union. When we transfer your personal information outside Bermuda, we rely on the following to protect it:
- Contractual necessity -- transfers to our service providers are necessary to perform the services you have contracted for (ticket delivery, payment processing, hosting).
- Data processing agreements (DPAs) -- we have signed DPAs with our key processors, including Supabase, that include contractual commitments to protect your data.
- Provider safeguards -- Checkout.com and other processors operate under their own GDPR and equivalent compliance frameworks, which provide comparable protection.
If you have questions about the safeguards applied to any specific transfer, please contact aaron@bermevents.com.
9. Retention Periods
We retain personal information for as long as necessary for the purpose it was collected and as required by law.
| Data category | Retention period |
|---|---|
| Attendee data (name, email, ticket records) | 2 years after the last event attended |
| Account data (registered users) | Duration of account, plus 1 year after account closure |
| Payment records and transaction IDs | 7 years (Bermuda tax record requirements) |
| Analytics data (aggregated) | Up to 2 years |
| Fraud prevention logs | Up to 2 years, or as required by law |
When the retention period expires, we securely delete or anonymise your personal information. Anonymised data (which cannot be linked back to you) may be retained longer for aggregate analytics.
10. Security
We apply reasonable technical and organisational safeguards to protect your personal information, including:
- Encryption in transit via TLS on all connections to bermevents.com.
- Encryption at rest via Supabase's default database encryption.
- Access controls limiting who within Bermevents can access personal information.
- No storage of card data -- Bermevents never receives or stores payment card numbers, CVV codes, or expiry dates. All payment data is handled exclusively by Checkout.com.
No system is completely secure. If you believe your information has been compromised, please contact aaron@bermevents.com immediately.
11. Cookies
We use cookies and similar technologies on bermevents.com for:
- Session cookies -- to keep you logged in during a browsing session (deleted when you close your browser).
- Analytics cookies -- to understand how visitors use the site (pages visited, time on site, referral source). Analytics are collected in aggregate form.
Full details of the cookies we use, including how to control or delete them, will be published at bermevents.com/cookies (coming soon).
You can control cookies through your browser settings. Disabling certain cookies may affect site functionality.
12. Automated Decision-Making
Bermevents uses automated processes as part of fraud prevention (for example, automated scoring of transactions based on IP address, purchase patterns, and device signals). This automated processing does not produce legal or similarly significant effects without human review. Any final decision to decline a transaction or restrict access to the platform involves human review of the automated output.
We do not use your personal information for automated profiling that affects you significantly in any other way.
13. Children
Bermevents is not directed at children under the age of 14. We do not knowingly collect personal information from children under 14. If you are under 14, please do not use this service.
If you are between 14 and 17, you may use the service with the consent and involvement of a parent or legal guardian. By using the service, a minor in this age range (or their parent/guardian completing a purchase on their behalf) confirms that parental consent has been obtained.
If we become aware that we have collected personal information from a child under 14 without appropriate consent, we will delete it promptly. Please contact aaron@bermevents.com if you believe this has occurred.
14. Your Rights Under PIPA
Under the Personal Information Protection Act 2016, you have the following rights regarding your personal information:
- Right to access -- you may request a copy of the personal information we hold about you.
- Right to correct -- you may request correction of inaccurate or incomplete information.
- Right to delete -- you may request deletion of your personal information where we no longer have a lawful basis to retain it.
- Right to object -- you may object to processing based on legitimate interests, including direct marketing.
- Right to data portability -- you may request your information in a structured, machine-readable format where technically feasible.
- Right to withdraw consent -- where processing is based on your consent, you may withdraw it at any time without affecting prior processing.
How to exercise your rights: Email aaron@bermevents.com with "Privacy Request" in the subject line. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.
We may decline a request where PIPA permits (for example, where disclosure would harm the privacy of another person, or where a legal obligation requires retention). We will explain any refusal.
15. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, Bermevents will:
- Notify the Privacy Commissioner of Bermuda without undue delay (within 72 hours of becoming aware, where feasible).
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights.
Notification to affected individuals will be direct (by email) and will describe the nature of the breach, the information affected, the likely consequences, and the steps we have taken or propose to take.
16. Changes to This Policy
We may update this policy from time to time. For material changes (changes that affect how we use your personal information in a significant way), we will:
- Post a notice on bermevents.com at least 30 days before the change takes effect.
- Email registered users at the address we hold for them.
For minor changes (corrections, clarifications), we will update the "Last updated" date at the top of this policy without separate notice.
Continued use of the service after a material change takes effect constitutes acceptance of the updated policy.
17. Contact and Complaints
For any privacy-related questions, concerns, or to exercise your rights:
Email: aaron@bermevents.com Subject line: Privacy Request Address: 5 Cedarberry Drive, Lower Studio, Hamilton Parish CR 02, Bermuda
If you are not satisfied with our response, you have the right to lodge a complaint with the Privacy Commissioner of Bermuda. The Privacy Commissioner can be reached at www.privacy.bm or at the Office of the Privacy Commissioner, Hamilton, Bermuda.
18. Privacy Officer {#officer}
In accordance with PIPA best practices, Bermevents has designated a Privacy Officer responsible for overseeing compliance with this policy and PIPA obligations.
Privacy Officer: Aaron de Silva Contact: aaron@bermevents.com Organisation: Aaron de Silva t/a Bermevents, 5 Cedarberry Drive, Lower Studio, Hamilton Parish CR 02, Bermuda
The Privacy Officer is responsible for:
- Ensuring personal information is handled in accordance with PIPA.
- Responding to access and correction requests.
- Overseeing data breach response.
- Maintaining and updating this policy.
- Liaising with the Privacy Commissioner of Bermuda as required.
You can link directly to this section at: bermevents.com/privacy#officer