Privacy Policy

This Privacy Policy describes how the organisers of the Africa Energy Technology Conference (“AETC”, “ we”, “us”, “our”) collect, use, disclose, store, and protect personal data when you use our website at aetconference.com, related subdomains, registration and attendee flows, and our official attendee mobile application (the “AETC Attendees” app, together with the website, the “Services”).

We are committed to respecting privacy rights under the EU General Data Protection Regulation (“GDPR”) where it applies, the Ghana Data Protection Act, 2012 (Act 843) as amended and related regulations where applicable, and other relevant laws. This Policy explains what data we process, why and on what legal bases, who we share it with, how long we keep it, and what choices and rights you have.

For cookie and similar-technology details, see our Cookie Policy. For contractual terms governing use of the Services, see our Terms of Use.

The data controller responsible for personal data processed for AETC is the conference organising team identified on this website and in registration communications. For all privacy-related requests (including rights requests under Section 12), contact us at:

Where GDPR applies and we are required to designate an EU representative or document further statutory contacts, we will publish updated details on this page.

This Policy applies to:

• Visitors and registered users of our website and related web applications;
• Attendees, prospective attendees, sponsors, exhibitors, speakers, media applicants, and other persons who submit forms or correspond with us;
• Users of the AETC Attendees mobile app who authenticate, purchase tickets, complete attendee profiles, access QR codes, use interactive features (for example live hub, photo wall, conference feedback, social cover generator), or otherwise interact with Services backed by our infrastructure.

Our Services may contain links to third-party sites or payment flows (for example Paystack checkout). Those providers process personal data under their own policies when you leave our controlled environment or interact with their widgets.

Depending on how you use the Services, we may process:

• Identity & contact data

  Name, email address, telephone number, organisation, job title, country, billing address where provided.

• Registration & attendee data

  Conference registration details, ticket type, attendance preferences, dietary requirements, accessibility needs, areas of interest, emergency contact if collected, and similar fields you voluntarily submit.

• Special categories of personal data (where applicable)

  Some registration fields (for example dietary restrictions tied to health or accessibility requirements) may reveal health or similar sensitive information. We process such information only where necessary for the event you registered for and/or where you have provided explicit consent, and we limit access to authorised staff and processors.

• Account & authentication data

  Supabase-backed authentication identifiers, session tokens, OTP logs metadata (timestamps, delivery channel), password reset tokens where applicable, and profile identifiers linking your account to orders and attendee records.

• Transaction & payment-related data

  Order references, ticket identifiers, payment status, partial payment metadata. Card payments are handled by Paystack; we do not store full payment card numbers — Paystack processes card data according to its privacy notice and PCI obligations.

• Marketing & communications content

  Messages you send via contact forms, partnership / sponsorship / media applications, visa assistance requests, exhibitor inquiries, and conference feedback (including optional attachments).

• User-generated media

  Photo-wall uploads with associated display names and consent records; images attached to structured feedback; assets submitted to social-cover or similar creative tools.

• Technical & usage data

  IP address, approximate location derived from IP, user agent, browser type, device type, operating system, app version (where reported), referring URLs, timestamps, diagnostic logs, security telemetry, and interactions necessary to operate Supabase Realtime features or APIs.

• Push notification device data

  When you register for push notifications in the AETC Attendees app, we collect your device's Expo push notification token, user-assigned device name (e.g. 'Mawuli's iPhone'), device platform (iOS / Android), and app version. This data is linked to your account and is used solely to deliver the notification categories you have opted into (live updates, session reminders, organiser announcements, venue alerts, marketing — the last of which is opt-in only and off by default). It is not shared with third parties for advertising or tracking. You can manage or revoke device registrations at any time from Explore → Plan your visit → Notifications in the app, or by signing out.

• Cookie / local-storage preference data

  Your cookie preference selection stored locally in the browser (see Cookie Policy). Essential authentication cookies operate independently of that banner.

We obtain personal data:

• Directly from you when you register, complete forms, email us, or use the app;
• Automatically through cookies, logging, and application telemetry described above;
• From payment processors (payment confirmation metadata), email delivery providers (delivery events metadata), and hosting/database providers as part of service operation;
• From colleagues or group coordinators who register attendees on their behalf (where permitted).

Where GDPR applies, we rely on one or more of the following legal bases (additional bases such as explicit consent under Article 9 may apply to certain sensitive fields):

Where we rely on legitimate interests, we balance our interests against your rights and offer objection rights where required (see Section 12). Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

We share personal data only as needed to operate AETC with vetted service providers (“processors”) under agreements requiring them to protect personal data and process it only on our instructions. Categories include:

• Supabase — cloud authentication, PostgreSQL database, file storage, and realtime channels powering accounts, ticketing data, live features, uploads, and related APIs.
• SendGrid (or successor transactional email provider) — delivering OTP codes and transactional emails initiated via our Next.js server routes (Supabase does not send signup OTP emails directly in our architecture).
• Paystack — card and payment processing during checkout; subject to Paystack’s privacy policy when you enter payment details on their flow.
• Vercel (or equivalent hosting) — hosting the Next.js application and, if enabled after consent, privacy-aware analytics as described in our Cookie Policy.
• Professional advisers, auditors, or insurers where confidentiality obligations apply.
• Law enforcement, regulators, courts, or parties to legal process when required by applicable law or necessary to establish, exercise, or defend legal claims.

We do not sell personal data as commonly understood under GDPR or US state privacy laws, and we do not share personal data for cross-context behavioural advertising as part of this Policy’s intended operation.

Our processors may store or process personal data in the European Economic Area, the United Kingdom, the United States, and other regions where they operate data centres. Where GDPR applies and personal data is transferred outside the EEA/UK to countries not subject to an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs), UK International Data Transfer Addendum, or other lawful transfer mechanisms offered by our processors. Copies of relevant safeguards may be requested subject to confidentiality.

We retain personal data only as long as necessary for the purposes described, including statutory, accounting, or dispute-resolution requirements. Indicative retention rules:

• Orders & finance: retained for the period required by Ghana tax, commercial, and company law (often multiple years) unless a shorter legitimate period applies after anonymisation.
• Marketing consents & proof records: until withdrawn plus a limited audit window where legally necessary.
• Security logs: rotated according to operational policies (typically weeks to months unless incident investigation requires longer retention).
• Contact / feedback / applications: until resolved or archived per operational inbox policies, unless longer retention is justified for legal defence or legitimate interests.

When retention expires, we delete or irreversibly anonymise personal data where feasible.

We implement administrative, technical, and organisational measures appropriate to the risk, including encryption in transit (HTTPS/TLS), access controls, separation of duties for administrator accounts, monitoring, and reliance on reputable infrastructure providers. No method of transmission or storage is completely secure; please use strong, unique passwords where applicable and protect OTP codes like passwords.

We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you solely by automated means as described in GDPR Article 22. Basic filtering (for example spam prevention) may occur without profiling individual behaviour for automated decisions.

The Services are intended for professionals attending or engaging with a business conference. They are not directed at children under 16. If you believe we have collected personal data from a child without appropriate authority, contact privacy@aetconference.com and we will take prompt steps to investigate and delete information where appropriate.

Depending on your jurisdiction (including GDPR where applicable), you may have the right to:

• Access

  Obtain confirmation whether we process your personal data and receive a copy.

• Rectification

  Correct inaccurate or incomplete personal data.

• Erasure (“right to be forgotten”)

  Request deletion where applicable law permits — subject to legal retention duties.

• Restriction of processing

  Limit processing in defined circumstances.

• Data portability

  Receive certain machine-readable data you provided where processing is based on consent or contract.

• Object

  Object to processing based on legitimate interests or direct marketing.

• Withdraw consent

  Where processing is consent-based, withdraw without affecting prior lawful processing.

• Lodge a complaint

  With your local supervisory authority (EU/EEA) or the Ghana Data Protection Commission (GDPC) where applicable.

To exercise rights, email privacy@aetconference.com with subject line “Data Protection Request”, describing your request and verifying contact details. We respond within statutory timelines (typically one month under GDPR, extendable where permitted). You may need to verify identity before we disclose or modify records.

For transparency with Apple App Store and Google Play reviewers and users:

• The app connects to Supabase (authenticated APIs and anon keys over TLS) and your deployed Next.js API origin configured via environment variables (for example OTP, ticketing, attendee endpoints, photo wall, feedback, cover generator) — personal data is processed under this Policy.
• Camera & photo library: Used only when you choose features that capture or attach images (for example photo wall, conference feedback attachments, social cover). We do not access the camera or library in the background without your action; OS permission prompts explain each use.
• Push notifications: After sign-in, the app presents a one-time priming screen explaining notification categories before requesting OS permission. If you grant permission, we store your Expo push notification token, device name, platform, and app version linked to your account to deliver notifications you have opted into. This data constitutes a Device ID linked to your account for Apple App Privacy purposes. It is used only for App Functionality (delivering notifications) and is not used for tracking or shared with advertisers. You may manage notification categories or deregister your device at any time from Explore → Plan your visit → Notifications.
• Clipboard: Used where the app offers convenience features (for example copying Wi‑Fi passwords on the live screen) only when you explicitly trigger copy actions where implemented.
• We do not request unrelated sensitive permissions for core ticketing; optional features disclose purpose at runtime per platform guidelines.

We may update this Privacy Policy to reflect operational, technical, or legal changes. Material updates will be communicated through prominent notices on the Site, email where appropriate, or in-app messaging where feasible. Continued use after the effective date constitutes acceptance of reasonable updates where permitted by law.

Questions about this Privacy Policy or our data practices:
privacy@aetconference.com
Legal inquiries relating to contracts may be directed to legal@aetconference.com.