Legal

Privacy Policy

Last updated: June 2026

1. Introduction

dibsl ("we", "our", or "us") is committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable EU privacy laws. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use dibsl.com.

dibsl acts as a data controller for the personal data of event organizers. For participant data collected through events, dibsl acts as a data processor on behalf of the event organizer, who is the data controller.

2. Information We Collect

We collect the following types of information:

Account information (organizers)

Email address and hashed password when you create an account. Legal basis: contract performance (Article 6(1)(b) GDPR).

Participant information

Email address when you register for an event. We generate an anonymous code to identify you in results without exposing your identity to other participants. Legal basis: legitimate interests of the event organizer (Article 6(1)(f) GDPR).

Usage and event data

Click timestamps, reaction times, and event participation data necessary for the operation of the Service. Legal basis: contract performance (Article 6(1)(b) GDPR).

Technical data

Server logs, IP addresses (anonymized), and error logs for security and performance monitoring. Legal basis: legitimate interests (Article 6(1)(f) GDPR).

3. How We Use Your Information

  • To provide and operate the Service
  • To send event confirmations, reminders, and results
  • To verify your identity and prevent fraud
  • To improve and optimize the Service
  • To communicate important updates about the Service
  • To comply with legal obligations

4. Anonymous Participation

By design, participants in events are identified only by an anonymous code (e.g. "KX7-449") in public results. Your email address is never shown to other participants or publicly displayed. Only the event organizer can see participant email addresses, and only for events they have created.

5. Data Sharing and Processors

We do not sell your personal data. We share data only with the following third-party processors, each bound by GDPR-compliant data processing agreements:

  • Supabase (USA) — database and authentication. Transfers covered by Standard Contractual Clauses.
  • Resend (USA) — transactional email delivery. Transfers covered by Standard Contractual Clauses.
  • Vercel (USA) — hosting and infrastructure. Transfers covered by Standard Contractual Clauses.
  • Cloudflare (USA) — security, CDN, and bot protection. Transfers covered by Standard Contractual Clauses.
  • Upstash/QStash (USA) — job scheduling. Transfers covered by Standard Contractual Clauses.
  • Event organizers — who can see the email addresses of participants in their own events only.

6. Data Retention

We retain your personal data only as long as necessary:

  • Account data — for as long as your account is active, plus 30 days after deletion request
  • Event and participant data — until the event organizer deletes the event or closes their account
  • Email communication logs — 90 days
  • Server logs — 30 days

You may request deletion of your account and all associated data at any time by contacting us at hello@dibsl.com.

7. Your Rights (GDPR)

If you are in the European Economic Area, you have the following rights under GDPR:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — correct inaccurate or incomplete personal data
  • Right to erasure — request deletion of your personal data ("right to be forgotten")
  • Right to restriction — request that we limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at hello@dibsl.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. Cookies

We use only essential cookies necessary for the operation of the Service:

  • Authentication cookies — to keep you logged in during your session
  • Security cookies — Cloudflare Turnstile for bot protection

We do not use tracking, advertising, or analytics cookies. We do not use Google Analytics or any similar tracking services.

9. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA), including in the United States. We ensure that all such transfers are protected by appropriate safeguards, primarily Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46 GDPR.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (HTTPS/TLS), secure authentication via Supabase, bot protection via Cloudflare Turnstile, and access controls limiting who can access personal data. However, no method of transmission over the internet is 100% secure.

11. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected such information, please contact us immediately at hello@dibsl.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on the Service at least 30 days before the changes take effect. The date of the last update is shown at the top of this page.

13. Contact and Data Controller

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

You also have the right to lodge a complaint with your national data protection supervisory authority. In Croatia, this is the Agencija za zaštitu osobnih podataka (AZOP) — azop.hr.