Privacy Policy

Standwyse provides an AI-guided exhibitor readiness platform used by event organisers and their exhibitors. Our role under UK GDPR depends on the data:

• For exhibitor and event personal data (exhibitor contacts, uploaded documents, profile content), the event organiser is the data controller and Standwyse acts as a processor on the organiser's instructions, governed by our Data Processing Agreement.
• For account and login identities (the records that let someone sign in) and for service operation, security, and audit logging, Standwyse acts as a controller for the limited purpose of running the platform.

The Service is operated by Katone AI Limited, a company registered in England & Wales trading as Standwyse. Where Standwyse acts as a controller, Katone AI Limited is the data controller; contact details are in the Contact section below.

We hold a documented inventory of every field in our system that can contain personal data, its legal basis, who can access it, and how long it is kept. In summary, we process:

• Account and profile identities — email address, name, hashed password and sign-in metadata (managed by our authentication provider), and the identifiers that link a person to organisations, events, and exhibitor accounts.
• Exhibitor contacts and memberships — primary contact names and emails for exhibitor accounts, and role assignments.
• Event configuration — support contact details and organiser-defined fields, which may contain personal data entered as free text.
• Documents — uploaded files (such as insurance certificates and method statements) that routinely contain names, addresses, and signatures, together with file metadata and the identities of who uploaded or reviewed them. This is our most sensitive category.
• Communications, support, and AI — email delivery logs, support requests (free text), and AI conversation content, which may contain personal data and is shared with our AI sub-processor.
• Audit and activity — a record of who did what and when, retained for security and integrity.

The authoritative, field-level record (legal basis, access, and retention for each item) is maintained internally as our PII inventory and kept consistent with this policy.

Where Standwyse is a controller, we rely on the following UK GDPR Article 6 bases:

• Performance of a contract (Art. 6(1)(b)) — to create and operate your account and provide the Service.
• Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, maintain audit logs, and prevent abuse.
• Consent (Art. 6(1)(a)) — for non-essential analytics cookies and any optional, non-essential email. You can withdraw consent at any time.

Where Standwyse acts as a processor for organiser-controlled data, the lawful basis sits with the organiser as controller.

• To provide, operate, and improve the Service and its readiness workflows.
• To authenticate users and secure accounts.
• To send transactional email (such as invitations and notifications).
• To provide AI-assisted features by sending relevant context to our AI sub-processor.
• To monitor errors and maintain security and audit trails.
• To understand product usage through analytics, subject to your cookie choices.

We share personal data with the following sub-processors strictly to provide the Service. This list is kept consistent with our Data Processing Agreement.

Some sub-processors are located outside the UK/EEA. Where personal data is transferred internationally, we rely on appropriate safeguards such as the UK International Data Transfer Agreement/Addendum and Standard Contractual Clauses, as reflected in each provider’s data processing terms. The full, maintained list lives on our sub-processors page, and our Data Processing Agreement is also available on request via privacy@standwyse.com.

We keep personal data only for as long as needed for the purposes above. Our defaults are:

• Event-scoped data (exhibitor accounts, profiles, checklist items, documents and document files, support requests, email logs, and event activity) — deleted or anonymised 24 months after the event end date, unless the organiser contract requires otherwise.
• AI conversations and messages — 12 months, shorter than other event data because the free-text content is higher risk and lower long-term value.
• Account identities (login records, profiles, memberships) — retained while the account is active; removed on account closure or a verified erasure request.
• Audit and activity logs — 24 months, after which identifying references may be anonymised while a minimal, non-identifying record is retained for security integrity.
• Backups — point-in-time and snapshot backups may retain deleted data for the backup window; personal data is fully purged once it ages out of backup retention.

Subject to applicable law, you have the right to access, correct, delete, restrict, or object to the processing of your personal data, and to data portability. Where we rely on consent, you may withdraw it at any time. To exercise these rights, contact us using the details below. Because the organiser is the controller for event data, some requests about exhibitor or event data may be routed to or confirmed with the relevant organiser.

You can request deletion of your personal data by emailing privacy@standwyse.com (or, for organiser-controlled data, the organiser’s support address). We verify that the requester controls the account email or is the named data subject, and complete verified requests within 30 days. Deleting an account cascades to memberships and nullifies identifying references in audit tables, preserving a non-identifying audit trail. Personal data persisting only in backups is purged when those backups age out, and restored data is re-erased.

We use a small number of essential cookies to run the Service, and analytics cookies only with your consent. See our Cookie Policy for the full list and to change your preferences.

We protect personal data using access controls (including row-level security between tenants), encrypted document storage with signed-URL access, error monitoring with a PII redaction filter, and audit logging. No system is perfectly secure, but we work to protect your data with appropriate technical and organisational measures.

The Service is intended for business users and is not directed at children. We do not knowingly collect personal data from anyone under 16.

We may update this policy from time to time and will revise the effective date above. If you have concerns about how your personal data is handled, contact us first; you also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local supervisory authority.

Privacy questions and requests can be sent to privacy@standwyse.com or via the support page. The data controller is Katone AI Limited, trading as Standwyse, England & Wales.