1. Who We Are
KickIt (kickit.be-promo.com) is a lightweight tool for organising informal meetups. We are committed to protecting your privacy and handling your data in a transparent, GDPR-friendly way.
Contact: admin@be-promo.com
2. Data We Collect
Organiser (event creator)
- Email address — collected when you sign in via Magic Link or Google OAuth. Used solely to identify your account and send transactional emails (magic links, event reminders).
- Name and profile picture — provided by Google OAuth if you choose that sign-in method.
- Event data — title, description, location, date/time you enter when creating an event.
Guest (event attendee)
- Name — provided by you when submitting your RSVP. Visible to the event organiser and other attendees.
- RSVP status — yes / no / maybe.
- Anonymous session ID — a random string stored in your browser's localStorage. Never linked to your identity.
Automatically collected
- IP address (hashed) — stored as a one-way SHA-256 hash for abuse prevention. The raw IP is never persisted.
- User-Agent — browser/OS string, truncated to 500 characters.
- Referrer URL — the page you came from, if any.
- Page views and interaction events — anonymous analytics events stored in our own PostgreSQL database. No third-party analytics (no Google Analytics, no Mixpanel).
3. Google Calendar Integration
When a guest chooses to check their calendar availability, KickIt requests access to Google Calendar using the calendar.freebusy scope only. This means:
- We see only free / busy time slots — no event titles, no descriptions, no attendees.
- The OAuth token is used only for the single free/busy check during your RSVP session.
- If you tick "Revoke access after use", the token is immediately revoked via Google's OAuth revocation endpoint.
- We do not store your Google Calendar OAuth tokens beyond the active session.
4. How We Use Your Data
- To operate the KickIt service (create events, manage RSVPs, send invitations).
- To send transactional emails (magic-link sign-in, event reminders). Marketing emails are never sent without explicit consent.
- To display aggregated, anonymous usage statistics in our internal admin dashboard.
- To detect and prevent abuse.
We never sell your data to third parties.
5. Data Retention
- Event data — retained until you delete the event or your account.
- RSVP data — retained as long as the event exists.
- Magic-link tokens — expire after 24 hours and are deleted automatically.
- Analytics events — retained for 90 days, then purged.
- Hashed IPs — retained for 30 days.
6. Cookies & Storage
- Authentication cookie (kickit_token) — an HttpOnly JWT cookie, valid for 30 days. Set only after sign-in.
- localStorage — anonymous session ID (kickit_sid) for analytics and RSVP session token. No personal data.
- sessionStorage — temporary event draft (cleared when you close the tab).
We do not use advertising cookies or third-party tracking pixels.
7. Your Rights (GDPR)
If you are in the EU/EEA you have the right to access, rectify, erase, restrict processing of, or port your personal data. To exercise any of these rights, email us at admin@be-promo.com. We will respond within 30 days.
8. Security
All data is transmitted over HTTPS. Passwords are never stored — authentication is passwordless (Magic Link or Google OAuth). JWT tokens are stored in HttpOnly cookies, not localStorage.
9. Changes to This Policy
We may update this policy from time to time. The "last updated" date at the top of this page will reflect any changes. Continued use of KickIt after changes constitutes acceptance of the updated policy.