Privacy Policy

Your data. Our principles.

EngageX is built around the principle that the people whose data we process — visitors, exhibitors, organisers — should always know what we hold, where it lives, and how to get it out.

Last updated: 25 April 2026
Status · placeholder while legal review completes

Our formal Privacy Policy is being finalized with our legal counsel ahead of general availability. The operational privacy practices on this page are accurate and in force today. The technical mechanisms behind them are documented in detail at Security & Privacy, and our sub-processor register is at Sub-processors & DPA.

What we collect

We collect only what's needed to deliver the platform you've engaged us for. The categories vary by role:

  • Visitors: name, work email, company, role, event-relevant interests, meeting metadata (with whom, when), captured business cards or QR codes, and — only if you choose to record — meeting voice transcripts.
  • Exhibitors: the above for your booth's captured leads, plus your team members' platform credentials, your CRM connection metadata (OAuth tokens, encrypted at rest), and the BAND-scored qualification data your team adds.
  • Organisers: the visitor and exhibitor data above (you are the data controller), plus event configuration, agenda, floor map, and aggregated analytics.

Where it's processed and stored

All EngageX customer data is stored on EU-resident infrastructure (Hetzner Online, Finland/Germany), encrypted at rest with AES-256, in transit with TLS 1.3, and isolated per tenant with per-tenant encryption keys. Limited categories of data are processed by AI sub-processors (Anthropic Claude, OpenAI Whisper) under SCCs and explicit consent — see the DPA register for the full list, jurisdictions, and transfer mechanisms.

How long we keep it

  • Active customer data: retained for the duration of your subscription plus 90 days for export grace period.
  • Meeting audio: discarded after transcription. We retain the transcript only.
  • Business card images: discarded after OCR extraction. We retain the parsed contact only.
  • Logs: 90 days at our edge (Cloudflare); 30 days at infrastructure level.
  • Backups: encrypted, retained for disaster recovery up to 30 days, then auto-pruned.

Your rights

Under GDPR Articles 15–22, DIFC Data Protection Law 2020, and UAE PDPL, you have the right to access, correct, delete, port, or restrict the processing of your personal data. We respond to written DSARs within 30 days (or sooner where law requires).

How to exercise:

  • Email dpo@engagex.io with the request and a way to verify your identity.
  • If you're a visitor or exhibitor at an event run on EngageX, your event organiser is the data controller — your request goes through them, and we'll assist as their processor.
  • If you're unsatisfied with our response, you may complain to your local data protection authority (UK ICO, EU national DPA, DIFC Commissioner of Data Protection, UAE Data Office).

Cookies and client-side storage

EngageX is intentionally light on tracking. We don't set advertising cookies, third-party social trackers, or fingerprinting scripts. Full details are at Cookie Policy.

Need our DPA or a written privacy commitment?

Procurement and legal teams can request a countersigned Data Processing Addendum within 3 business days.

Request DPA →