Privacy Policy

Version 1.0 — Effective Date: 1 May 2026

Regulation (EU) 2016/679 · Organic Law 3/2018 (LOPDGDD)

1. Data Controller

Pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”), and to Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter “LOPDGDD”), the Data Controller responsible for the processing of Personal Data collected through the wellness-rave platform (hereinafter “Platform”) is:

Karisma Events S.L.

Carrer de Pau Claris 138, 08009 Barcelona, Spain

Data Protection Contact: privacy@wellnessrave.com

The Data Controller has not designated a formal Data Protection Officer (DPO) as of the Effective Date. Queries relating to data protection shall be directed to the data protection contact above. Should a DPO be appointed, this Policy will be updated accordingly.

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) as defined in Art. 4(1) GDPR. “Processing” means any operation or set of operations which is performed on Personal Data, as defined in Art. 4(2) GDPR. “Commercial Partners” means the sponsors, brand partners, and commercial collaborators who participate in or sponsor Wellness Rave events operated by the Data Controller.

2. Categories of Personal Data Processed

The Data Controller processes the following categories of Personal Data, collected directly from the Data Subject or generated through use of the Platform:

2.1 Identity and Contact Data

Full name; electronic mail address; profile photograph (where voluntarily submitted); professional title; city of residence; Instagram username (where voluntarily submitted).

2.2 Transactional and Attendance Data

Ticket reference numbers; QR code data; check-in records; session bookings; payment metadata (transaction IDs; last four digits of payment instrument; payment status) — note that full payment card data is processed exclusively by the Data Processor Stripe Inc. and is not stored by the Data Controller.

2.3 Technical and Device Data

Internet Protocol (IP) addresses (stored in pseudonymised hashed form); browser user-agent strings; device type (mobile or desktop); referral URL; session duration; page views; interaction events.

2.4 Behavioural and Analytics Data

Platform navigation events; feature interaction logs (clicks, scrolls, engagement with brand partner content); session booking attempts; content dwell time; scroll depth; push notification subscription status.

2.5 Preference and Community Data

Wellness interests and activity preferences; community visibility settings; social connection data (accepted connections within the Platform); survey responses (anonymised by default unless email address is voluntarily provided).

2.6 Consent Records

Records of consent granted or withdrawn, including consent version, timestamp, categories accepted, and pseudonymised IP hash, in accordance with the accountability principle under Art. 5(2) GDPR.

3. Purposes of Processing and Legal Basis

All Processing operations are grounded on at least one lawful basis pursuant to Art. 6 GDPR. The Data Controller processes Personal Data for the following purposes and on the following legal bases:

3.1 Platform Provisioning and Authentication

Legal basis: Art. 6(1)(b) GDPR — performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract. Processing is necessary to authenticate users via the Clerk identity platform, manage session bookings, deliver purchased tickets, and provide access to the Platform features for which the Data Subject has registered.

3.2 Event Operations and Check-In

Legal basis: Art. 6(1)(b) GDPR — contractual performance; Art. 6(1)(c) GDPR — compliance with legal obligations (including health and safety, access control). Processing includes verification of ticket ownership, check-in management, session capacity enforcement, and post-event communications directly related to the contracted event.

3.3 Payment Processing

Legal basis: Art. 6(1)(b) GDPR — contractual performance. Financial transaction records are retained for seven (7) years pursuant to Article 30 of the Spanish Commercial Code (Código de Comercio) and applicable fiscal obligations under Ley 37/1992 de IVA, constituting a separate legal basis under Art. 6(1)(c) GDPR.

3.4 Analytics and Platform Improvement

Legal basis: Art. 6(1)(a) GDPR — consent, freely given, specific, informed, and unambiguous. Where the Data Subject provides consent through the Platform's consent mechanism, behavioural analytics data (including Platform analytics events, Google Analytics 4, and Microsoft Clarity session recordings) is processed for the purpose of improving Platform performance, understanding user behaviour, and optimising the attendee experience. Consent may be withdrawn at any time without detriment per Art. 7(3) GDPR.

3.5 Commercial Partner Data Sharing and Marketing

Legal basis: Art. 6(1)(a) GDPR — explicit consent. Where the Data Subject provides specific consent to the “Analytics & Brand Marketing” category through the Platform's consent mechanism, the Data Controller may share the Data Subject's name, email address, attendance confirmation, and session booking data with Commercial Partners who have executed data processing agreements or joint-controller agreements with the Data Controller. Commercial Partners may use such data to send marketing communications relating to their products and services. The Data Subject may withdraw consent and unsubscribe from Commercial Partner communications at any time via the unsubscribe mechanism at /unsubscribe.

3.6 Legal Claims and Legitimate Interests

Legal basis: Art. 6(1)(f) GDPR — legitimate interests pursued by the Data Controller, including: fraud prevention; network and information security; enforcement of contractual terms; defence of legal claims. The Data Controller has conducted a legitimate interests assessment (LIA) and determined that these interests are not overridden by the fundamental rights and freedoms of Data Subjects, given the limited nature of Processing involved and the availability of data subject rights.

4. Retention Periods

Personal Data shall not be retained for longer than is necessary for the purpose for which it was collected, in accordance with the storage limitation principle under Art. 5(1)(e) GDPR. Specific retention periods are as follows:

Account and identity data

Duration of active account + 12 months following account deletion request, unless a longer period is required by law.

Event attendance and session booking data

Three (3) years from the date of the relevant event, to satisfy potential contractual claims under the applicable limitation period.

Financial and payment records

Seven (7) years from the date of the relevant transaction, pursuant to Art. 30 Código de Comercio and applicable Spanish fiscal law.

Analytics and behavioural data

Thirteen (13) months for Google Analytics 4 (GA4 default retention). Platform analytics events: up to twenty-four (24) months. Microsoft Clarity session recordings: thirty (30) days.

Consent records

Five (5) years from the date of the consent record, as evidence of compliance with Art. 5(2) GDPR accountability obligations.

Unsubscribe requests

Indefinitely retained in processed/suppression form to ensure ongoing compliance with opt-out instructions.

Survey responses

Twenty-four (24) months, following which data is anonymised or deleted.

At the expiry of the applicable retention period, Personal Data shall be securely deleted or anonymised such that re-identification is not reasonably possible.

5. Disclosure to Commercial Partners

Subject to the Data Subject's explicit consent pursuant to Art. 6(1)(a) GDPR (see Section 3.5 above), the Data Controller may disclose the following Personal Data to Commercial Partners — being the sponsors and brand partners of the Wellness Rave event, including without limitation Les Mills (AEFA-Les Mills S.L.), lululemon, Hyperice, YoPRO, and such other partners as are engaged for a given event edition:

  • Full name and email address;
  • Attendance confirmation (event name, date, edition);
  • Session bookings (activity type, facilitator, stage) — where relevant to the Commercial Partner's stage or activity sponsorship.

Each Commercial Partner receiving Personal Data is required to execute a data processing agreement (or, where applicable, a joint-controller agreement) with the Data Controller prior to receipt of any Personal Data, and is contractually bound to: (a) process Personal Data solely for the purposes disclosed at the time of consent; (b) implement appropriate technical and organisational security measures; (c) honour Data Subject rights requests forwarded by the Data Controller; and (d) delete Data Subject data upon request or at the expiry of the agreed retention period.

Commercial Partners may use disclosed Personal Data to send marketing communications concerning their products, services, and future events. The Data Subject may withdraw consent to Commercial Partner communications at any time by visiting wellnessrave.com/unsubscribe or by clicking the unsubscribe link included in any such communication. Withdrawal of this consent does not affect the lawfulness of Processing carried out prior to withdrawal, pursuant to Art. 7(3) GDPR.

6. Third-Party Data Processors

The Data Controller engages the following third-party Data Processors within the meaning of Art. 4(8) GDPR, each bound by data processing agreements compliant with Art. 28 GDPR:

Supabase Inc. (USA)

Database hosting and storage of all Platform Personal Data.

Standard Contractual Clauses (Art. 46(2)(c) GDPR) — EU Model Clauses. supabase.com/privacy

Clerk Inc. (USA)

User authentication, identity management, session tokens.

Standard Contractual Clauses (Art. 46(2)(c) GDPR). clerk.com/privacy

Stripe Inc. (USA)

Payment processing, tokenisation of payment instruments.

Standard Contractual Clauses (Art. 46(2)(c) GDPR). stripe.com/privacy

Vercel Inc. (USA)

Platform hosting, CDN, serverless function execution, server-side logs.

Standard Contractual Clauses (Art. 46(2)(c) GDPR). vercel.com/legal/privacy-policy

Google LLC (USA)

Google Analytics 4 — aggregated and pseudonymised behavioural analytics. Where consent is withdrawn, GA4 event collection ceases.

Standard Contractual Clauses (Art. 46(2)(c) GDPR). policies.google.com/privacy

Microsoft Corporation (USA)

Microsoft Clarity — session recordings and heatmaps. Where consent is withdrawn, Clarity collection ceases.

Standard Contractual Clauses (Art. 46(2)(c) GDPR). privacy.microsoft.com

Luma Labs Inc. (USA)

Event ticketing platform and guest list management.

Standard Contractual Clauses (Art. 46(2)(c) GDPR). lu.ma/privacy

7. International Transfers

The Data Processors listed in Section 6 are incorporated in or operate infrastructure in the United States of America, which does not benefit from an adequacy decision under Art. 45 GDPR in respect of all categories of transfer. Transfers of Personal Data to these processors are effected on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46(2)(c) GDPR (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), as supplemented where necessary by additional technical and organisational measures in accordance with the guidance of the European Data Protection Board (EDPB).

The Data Controller has conducted transfer impact assessments (TIAs) for material transfers and assessed that, in view of the technical security measures, contractual obligations, and practical likelihood of governmental access, transfers present an acceptable level of risk for the purposes of the Processing operations described herein. Data Subjects may obtain a copy of the applicable SCCs by contacting privacy@wellnessrave.com.

8. Data Subject Rights

Pursuant to Chapter III of the GDPR, Data Subjects have the following rights in respect of their Personal Data processed by the Data Controller. Requests shall be submitted to privacy@wellnessrave.com and will be responded to within one (1) calendar month in accordance with Art. 12(3) GDPR (extendable by two further months where necessary given the complexity or number of requests):

8.1 Right of Access (Art. 15 GDPR)

The Data Subject has the right to obtain confirmation as to whether or not Personal Data concerning them is being processed, and, where that is the case, access to such Personal Data and the supplementary information specified in Art. 15(1) GDPR, including the purposes of Processing, the categories of data concerned, and the recipients or categories of recipients.

8.2 Right to Rectification (Art. 16 GDPR)

The Data Subject has the right to obtain without undue delay the rectification of inaccurate Personal Data and, taking into account the purposes of the Processing, the right to have incomplete Personal Data completed.

8.3 Right to Erasure / Right to be Forgotten (Art. 17 GDPR)

The Data Subject has the right to obtain the erasure of Personal Data without undue delay where one of the grounds in Art. 17(1) GDPR applies — including, but not limited to, where the data is no longer necessary for the purpose for which it was collected, or where consent is withdrawn and there is no other legal basis for Processing. This right is subject to the exceptions set out in Art. 17(3) GDPR, including compliance with legal obligations and the establishment, exercise or defence of legal claims.

8.4 Right to Restriction of Processing (Art. 18 GDPR)

The Data Subject has the right to obtain restriction of Processing in the circumstances specified in Art. 18(1) GDPR, including where the accuracy of Personal Data is contested, or where the Processing is unlawful and the Data Subject opposes erasure.

8.5 Right to Data Portability (Art. 20 GDPR)

Where Processing is based on consent (Art. 6(1)(a)) or contract (Art. 6(1)(b)) and is carried out by automated means, the Data Subject has the right to receive Personal Data concerning them in a structured, commonly used, and machine-readable format, and to transmit such data to another controller.

8.6 Right to Object (Art. 21 GDPR)

The Data Subject has the right to object, on grounds relating to their particular situation, to Processing based on Art. 6(1)(f) (legitimate interests). The Data Controller shall cease such Processing unless compelling legitimate grounds can be demonstrated which override the interests, rights, and freedoms of the Data Subject, or for the establishment, exercise, or defence of legal claims.

8.7 Right Not to be Subject to Solely Automated Decision-Making (Art. 22 GDPR)

The Data Subject has the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. The Data Controller does not engage in such automated decision-making as of the Effective Date.

8.8 Right to Withdraw Consent (Art. 7(3) GDPR)

Where Processing is based on consent, the Data Subject has the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of Processing based on consent before its withdrawal. Consent may be withdrawn via the Platform consent interface, by contacting privacy@wellnessrave.com, or by using the unsubscribe mechanism at /unsubscribe.

8.9 Right to Lodge a Complaint (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, the Data Subject has the right to lodge a complaint with a supervisory authority — in Spain, the Agencia Española de Protección de Datos (AEPD), C. Jorge Juan 6, 28001 Madrid, www.aepd.es — if they consider that the Processing of their Personal Data infringes the GDPR.

9. Cookies and Tracking Technologies

The Platform uses cookies and analogous tracking technologies in accordance with Recital 30 GDPR and the implementing provisions of applicable Spanish law (Real Decreto-ley 13/2012 transposing Directive 2009/136/EC — the “Cookie Directive”). The following categories of cookies and tracking technologies are employed:

9.1 Strictly Necessary (No Consent Required)

Session authentication tokens issued by Clerk Inc.; CSRF protection tokens; session state cookies necessary for the operation of the Platform. These cookies are set on the basis of Art. 6(1)(b) GDPR and are not subject to the consent requirement under the Cookie Directive, being strictly necessary for the provision of the service explicitly requested by the Data Subject.

9.2 Analytics Cookies (Consent Required)

Google Analytics 4 (_ga, _ga_*, _gid): pseudonymised identifiers enabling cross-session behavioural analysis. Retention: thirteen (13) months. These cookies are only set where the Data Subject has provided consent to the analytics category. Microsoft Clarity (MUID, _clsk, _clck): session recording and heatmap identifiers. These are also consent-dependent.

9.3 Consent Preference Storage

The Platform stores consent preferences in browser localStorage under the key wr_gdpr_v1, containing a JSON object recording consent categories, timestamp, and version. This is not a cookie but a first-party localStorage entry. It does not transmit data to any third party.

The Data Subject may withdraw consent to non-essential cookies and tracking at any time through the Platform consent interface. Note that withdrawal of consent to analytics cookies will not delete cookies already set; Data Subjects may additionally clear cookies through their browser settings.

10. Security Measures

Pursuant to Art. 32 GDPR, the Data Controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: (a) encryption of data in transit using TLS 1.2 or higher; (b) encryption of data at rest on Supabase infrastructure; (c) pseudonymisation of IP addresses stored in analytics records via SHA-256 hashing; (d) role-based access control limiting access to Personal Data to authorised personnel; (e) multi-factor authentication requirements for administrative access; (f) regular security testing of the Platform codebase; (g) contractual security obligations imposed on all Data Processors pursuant to Art. 28(3)(c) GDPR. In the event of a personal data breach within the meaning of Art. 4(12) GDPR, the Data Controller shall notify the relevant supervisory authority in accordance with Art. 33 GDPR and, where required, the affected Data Subjects pursuant to Art. 34 GDPR.

11. Children's Data

The Platform is not directed to children under the age of sixteen (16). The Data Controller does not knowingly collect Personal Data from children under sixteen (16) years of age. Pursuant to Art. 8 GDPR and Art. 7 LOPDGDD (which sets the age of digital consent in Spain at fourteen (14) years, subject to the higher threshold applicable to this Platform given its commercial and event-attendance nature), any accounts found to belong to individuals under sixteen (16) will be terminated and associated Personal Data deleted without undue delay.

12. Changes to This Policy

The Data Controller reserves the right to amend this Privacy Policy at any time. Where amendments are material — i.e., where they affect the purposes of Processing, the categories of Personal Data processed, or the rights available to Data Subjects — the Data Controller shall: (a) publish the revised Policy on the Platform with an updated Effective Date; (b) notify registered Data Subjects by electronic mail where reasonably practicable; and (c) where the amendment requires fresh consent, present a new consent request through the Platform's consent mechanism. Continued use of the Platform following publication of a revised Policy constitutes acknowledgement (though not consent, where consent is required) of the revised terms.

13. Contact and Data Subject Rights Requests

To exercise any of the rights described in Section 8, or to submit a query, complaint, or concern relating to the Processing of your Personal Data, contact:

Karisma Events S.L. — Data Protection

Carrer de Pau Claris 138, 08009 Barcelona, Spain

privacy@wellnessrave.com

Requests must include sufficient information to identify the Data Subject. The Data Controller may request additional identification documentation where the identity of the requester cannot be established with reasonable certainty, in accordance with Art. 12(6) GDPR. No fee will be charged for processing requests except where requests are manifestly unfounded or excessive (Art. 12(5) GDPR).

Issued by Karisma Events S.L., Barcelona, Spain

Governing law: Regulation (EU) 2016/679 (GDPR) · Organic Law 3/2018 (LOPDGDD) · Directive 2009/136/EC