Who we are & scope §1
This Privacy Policy applies to personal data collected and processed by diidum ("we", "us", "our") across both of our platforms:
- diidum.com — our public marketing and information website
- events.diidum.com — our event registration and management platform, through which attendees register for events and organisers manage them
diidum is operated by Rupert Kilroy, based in Ireland. For the purposes of EU GDPR, diidum acts as both a data controller (for platform operations and the diidum.com website) and a data processor (when processing attendee data on behalf of event organisers).
Important: When you register for an event through events.diidum.com, the event organiser is the primary data controller for your registration data. diidum processes that data on the organiser's behalf. This policy explains both roles clearly.
Last updated: April 2026
Data we collect §2
On diidum.com (marketing website):
- Contact form submissions — name, email address, and message content
- Technical data automatically collected by the server — IP address, browser type, pages visited, and referral source (via server logs, not analytics cookies)
- Session data required for normal website function
On events.diidum.com (registration platform):
- Full name and email address
- Billing information (processed directly by Stripe — diidum does not store full card details)
- Event-specific registration data as required by the organiser — which may include date of birth, gender, club or team affiliation, t-shirt size, emergency contact details, medical conditions relevant to event safety, predicted finish times, or other event-specific questions
- Order history and payment status
- QR code check-in records
- IP address and device/browser information at time of registration
- Communications sent to or from you through the platform
We collect only the data necessary for the purposes described in this policy. Event organisers are responsible for determining what registration questions are appropriate and lawful for their event.
Lawful basis for processing §3
Under EU GDPR, we rely on the following lawful bases for processing personal data:
- Contract performance (Article 6(1)(b)): Processing your registration data is necessary to fulfil the contract between you and the event organiser, and to deliver the platform services organisers have contracted with us for.
- Legitimate interests (Article 6(1)(f)): We process limited technical data (server logs, IP addresses) for platform security, fraud prevention, and service reliability. Our legitimate interest in maintaining a secure and functioning platform outweighs the minimal privacy impact of this processing.
- Legal obligation (Article 6(1)(c)): We may process and retain certain data where required to comply with applicable law, including tax and financial record-keeping obligations.
- Consent (Article 6(1)(a)): Where an event organiser collects optional data — such as marketing preferences or optional registration questions — that processing is based on your consent, which you may withdraw at any time.
For special category data (such as health or medical information collected by some event organisers for safety purposes), the lawful basis is explicit consent (Article 9(2)(a)) or, where applicable, vital interests.
How we use your data §4
diidum uses your data to:
- Process and confirm your event registration
- Generate and deliver your confirmation email and QR code
- Share your registration details with the relevant event organiser
- Handle refunds or registration amendments where applicable
- Send transactional emails essential to the event (confirmation, reminders, important updates)
- Enable QR code check-in on event day
- Maintain financial records as required by law
- Detect and prevent fraud or platform abuse
- Respond to support enquiries submitted through diidum.com or the platform
- Maintain and improve platform security and functionality
diidum does not use attendee data for advertising, profiling, or marketing of any kind. We do not sell data to any third party.
Data sharing & sub-processors §5
We share personal data only where necessary and with appropriate safeguards. The third parties who may access your data, and their roles, are set out below:
- Event organisers — Your registration data (name, email, answers to registration questions, payment status) is shared with the relevant event organiser as the primary data controller for that event. Organisers access this data through the diidum control panel to manage their event.
- Stripe — Payment processing is handled by Stripe Payments Europe Ltd (EU) or Stripe, Inc. (US). Stripe processes payment card data as a separate data controller under its own privacy policy. diidum does not store full card details. Stripe is certified to PCI-DSS Level 1. See stripe.com/ie/privacy.
- Netcup GmbH — The events.diidum.com platform is hosted on a Virtual Private Server operated by Netcup GmbH, based in Germany (EU). Netcup processes infrastructure-level data as a sub-processor under our instructions.
- Hostarmada — The diidum.com website is hosted on shared infrastructure operated by Hostarmada, Inc. EU-region servers are used.
- Cloudflare — Cloudflare provides network security and performance services for diidum.com. Traffic may pass through Cloudflare's infrastructure. See cloudflare.com/privacypolicy.
diidum operates a strict no-sell policy. We do not sell, rent, or otherwise make available your personal data to any third party for commercial purposes. We do not share data with advertisers or data brokers.
Event organiser responsibilities §6
When you register for an event through events.diidum.com, the event organiser becomes an independent data controller for your registration data. diidum acts as a data processor on their behalf.
This means:
- The event organiser determines what data is collected and why
- The organiser is responsible for the lawfulness of any custom registration questions they add to their event
- The organiser is responsible for how they use, store, communicate, and eventually delete your data
- The organiser is responsible for handling your data protection rights requests in relation to event data
- diidum is not responsible for the data practices of individual event organisers once data has been shared with them
If you wish to exercise a data protection right (access, erasure, correction etc.) in relation to a specific event, you should contact the event organiser directly in the first instance. If you cannot identify or contact the organiser, contact us and we will assist where possible.
International data transfers §7
diidum is based in Ireland and our primary infrastructure (events.diidum.com) is hosted in Germany — both within the European Economic Area (EEA). The majority of your data is processed and stored within the EEA.
Some of our sub-processors (including Stripe and Cloudflare) operate globally and may transfer data outside the EEA in the course of providing their services. Where such transfers occur, they are subject to appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission where applicable
- Binding Corporate Rules or other approved transfer mechanisms
You can request details of the specific safeguards in place for any international transfer by contacting us using the details in §15.
Data retention §8
We retain personal data for as long as necessary for the purpose for which it was collected, subject to any legal retention obligations. Our standard retention periods are:
- Registration and order data: Retained for 7 years from the date of the event to comply with Irish and EU tax and financial record-keeping requirements (Revenue Commissioners guidance).
- Contact form submissions: Retained for up to 12 months after your enquiry is resolved, then deleted.
- Technical and server log data: Retained for up to 90 days for security and fraud prevention purposes.
- Payment records: Retained for 7 years as required by financial regulations. Full card details are never stored by diidum — these are held solely by Stripe.
- Check-in records: Retained for up to 12 months after the event date, then deleted.
Event organisers may request deletion of event data after their event has concluded. Where data must be retained to comply with a legal obligation, we will inform you of the applicable retention period.
Data security §9
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:
- HTTPS encryption across all diidum.com and events.diidum.com pages
- Access controls limiting who can access the organiser control panel and attendee data
- EU-based server infrastructure (Netcup VPS, Germany) for the registration platform
- Payment processing exclusively through Stripe, which is PCI-DSS Level 1 certified
- Regular platform updates and security patches
- No storage of payment card details by diidum — all card data is tokenised by Stripe
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and affected individuals without undue delay where required by law.
Your rights §10
Under EU GDPR you have the following rights in relation to your personal data processed by diidum:
- Right of access (Article 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Article 16): You may ask us to correct inaccurate or incomplete personal data.
- Right to erasure (Article 17): You may ask us to delete your personal data where there is no longer a lawful basis for processing it, subject to any legal retention obligations.
- Right to restriction of processing (Article 18): You may ask us to restrict processing of your data in certain circumstances.
- Right to data portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights in relation to data held by diidum, contact us using the details in §15. We will respond within one calendar month of receiving your request. For rights relating to data held by a specific event organiser, please contact that organiser directly.
Event communications & marketing §11
Transactional communications — When you register for an event, you will receive emails that are strictly necessary to deliver the service, including your registration confirmation, QR code, payment receipt, and any important event updates from the organiser. These communications do not require marketing consent and cannot be opted out of while your registration is active.
Organiser marketing — Where an event organiser wishes to send promotional communications (future events, newsletters etc.), this will only occur if you have given explicit consent. Consent is collected and managed by the organiser, who acts as an independent data controller for such communications. You may withdraw consent at any time by using the unsubscribe link in the organiser's communications or by contacting the organiser directly.
diidum marketing — diidum does not send marketing emails to attendees. We do not use event registration data for our own promotional purposes.
Cookies & analytics §12
diidum.com uses only essential session cookies required for the site to function. We do not use advertising cookies, tracking pixels, or third-party analytics that set cookies. Server-level access logs are retained for up to 90 days for security purposes.
events.diidum.com uses session cookies essential to the registration process — including maintaining your basket, processing your payment securely through Stripe, and authenticating organiser access to the control panel. These cookies are strictly necessary for the platform to function and cannot be disabled without breaking core functionality.
Stripe may set its own cookies as part of the secure payment flow. These are governed by Stripe's privacy policy.
We do not use Google Analytics, Facebook Pixel, or any other third-party behavioural tracking tool on either platform.
For full details of the cookies used across our platforms and how to manage them, see our Cookie Policy.
Supervisory authorities §13
diidum is based in Ireland. The lead supervisory authority for EU GDPR purposes is the Data Protection Commission (DPC), Ireland.
- Data Protection Commission (Ireland): dataprotection.ie — 01 765 0100
If you are located in another EU member state, you also have the right to lodge a complaint with the supervisory authority in your country of residence or place of work, or the place where the alleged infringement occurred.
We would, however, appreciate the opportunity to address any concern you have directly before you approach a supervisory authority. Please contact us first using the details in §15.
Changes to this policy §14
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of §1 and, where appropriate, notify affected users by email.
We encourage you to review this policy periodically. Continued use of our platforms after a policy update constitutes acceptance of the revised policy.
Previous versions of this policy are available on request.
Get in touch
Questions about this privacy policy?
We're happy to clarify anything about how we collect or use your data.