Privacy Policy

Last updated: 2025-11-21

1. Controller and contact details

The controller of your personal data in connection with the use of Comaply is:

If a Data Protection Officer (DPO) is appointed, you can reach them via info@kalmars.lv (your request will be forwarded to the appropriate person).



2. Scope of this Privacy Policy

This Privacy Policy applies to personal data processing related to the website https://comaply.com and associated systems (including ticket purchase, event registrations, user accounts, payments, support, marketing and security).



3. Roles: controller vs. processor

  • Comaply as controller – we act as a controller for user accounts, purchases, invoices/VAT, customer support, security, marketing and logging activities.

  • Event organiser as separate controller – the event organiser is a separate controller for the execution of the event and communication about a specific event. The organiser receives personal data only for participants who have registered for or purchased tickets to their event.

  • Payment institutions – payment service providers (e.g. Klix/Citadele, banks, card schemes) are usually separate controllers for payment-related data. Comaply does not store full card details.



4. What data we collect and from where

  • Identification / account data – first name, last name, email address, phone number, password or single sign-on (SSO) identifier.

  • Purchase / billing data – event, ticket basket, invoice details, VAT details (if provided), payment status/ID (without full card data).

  • Support data – support requests, correspondence, refund requests and related evidence.

  • Usage and security data – IP address, browser/device information, access logs, error/risk indicators.

  • Marketing preferences – settings in the profile (Notifications section) related to marketing communications.

  • Cookies and pixels – see section 10 on cookies and similar technologies.



5. Purposes and legal bases (GDPR Art. 6)

We process your personal data for the following purposes and on the following legal bases:

Purpose Legal basis
Ticket sales, event registrations, account management and service delivery legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Invoices, VAT, accounting and consumer protection legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).
Security, fraud/chargeback risk reduction and incident logging legal basis: legitimate interests (Art. 6(1)(f) GDPR).
Customer support and dispute handling legal basis: performance of a contract (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f) GDPR).
Marketing emails about similar services legal basis: legitimate interests (Art. 6(1)(f) GDPR) with the possibility to opt out at any time.
Analytics (Google Analytics) and UX improvements (Microsoft Clarity) legal basis: your consent to non-essential cookies (Art. 6(1)(a) GDPR).

Opt-out / Notifications: when registering, a user may be opted in to receive marketing communications, and you can disable marketing emails at any time in your profile (Notifications) as well as via the "unsubscribe" link in every marketing email.



6. Recipients of personal data

We may share your personal data with the following categories of recipients where necessary:

  • Payment institutions – such as Klix (Citadele), banks and card schemes for processing payments.

  • Email service providers – such as Brevo for transactional and marketing emails.

  • Analytics and UX tools – Google Analytics and Microsoft Clarity (only with your consent to cookies).

  • Hosting/CDN/Proxy providers within the EEA – servers (for example, located in Warsaw within the European Economic Area) and possible intermediary servers in other EEA countries.

  • Event organisers – they receive your first name, last name, email address and (if applicable) company name only when you register for or purchase tickets to their specific event.

  • Accounting/audit, legal advisors and supervisory authorities – where required by law or for the protection of our rights.

We conclude data processing agreements in accordance with Article 28 GDPR with processors who process personal data on our behalf.



7. Retention periods

  • Account/customer data, support correspondence and applications – kept for 2 years after your last activity or after a specific case is closed (unless there is an ongoing dispute or longer retention is required by law).

  • Marketing consent/opt-out records – kept until withdrawal of consent/opt-out plus 2 years for audit purposes.

  • Security logs – kept for 6–24 months depending on risk and necessity.

  • Invoices and accounting documents – kept in accordance with applicable legal minimum retention periods (usually longer than 2 years).



8. Your rights as a data subject

Under applicable data protection laws (including GDPR), you have the right to:

  • request access to your personal data;
  • request rectification of inaccurate or incomplete data;
  • request erasure of your data in certain cases ("right to be forgotten");
  • request restriction of processing;
  • object to processing based on legitimate interests or direct marketing;
  • receive your data in a structured, commonly used and machine-readable format and transmit it to another controller ("data portability");
  • withdraw your consent at any time (for cookies/marketing where consent is the legal basis).

You can submit requests by emailing info@kalmars.lv. For identification and security reasons, we may ask for additional information to confirm your identity.

You also have the right to lodge a complaint with the national data protection authority (for example, the Data State Inspectorate in Latvia). Consumers in the EU can also use the European Commission’s Online Dispute Resolution (ODR) platform: https://ec.europa.eu/consumers/odr/



9. Age limitations

  • Registration/participation in an event via the platform is allowed from 16 years of age. The person must be able to understand the type of event and its terms.
  • Organising an event on the platform is allowed from 18 years of age.
  • For 18+ events, responsibility for providing correct age information lies with the individual. The organiser has the right to verify age and refuse entry if age requirements are not met.


10. Cookies and similar technologies

We use cookies and similar technologies to ensure the technical operation of the website, improve security, measure usage and enhance user experience. Some cookies are strictly necessary, while others are used only with your consent.

Types of cookies we use

  • Strictly necessary cookies – these include session ID, login status, CSRF protection and user settings (such as language). Without these cookies, the website and core functionalities would not work properly.

  • Analytics cookies (with your consent) – for example, Google Analytics cookies (such as _ga*, _gid and similar) used to collect anonymised usage statistics and understand how the site is used. IP anonymisation is enabled.

  • UX insight cookies (with your consent) – for example, Microsoft Clarity cookies (such as cluid and similar) used for click/scroll analysis and UX improvements. Sensitive fields are not recorded.

Managing cookie settings

  • In the “Cookie settings” tool on the website, you can accept or refuse non-essential cookies at any time.
  • You can also delete cookies or block them entirely in your browser settings. However, this may limit some features of the website.

Detailed information about cookies used on the site is available in our separate Cookie Policy and in the cookie management tool (CMP).



11. Data transfers outside the EEA

We primarily use infrastructure and service providers located within the European Economic Area (EEA). If personal data is transferred to recipients outside the EEA, we ensure appropriate safeguards, such as EU Standard Contractual Clauses and other measures required by data protection law.



12. Data security

We implement appropriate technical and organisational measures to protect your personal data, including the use of TLS encryption, access controls, data minimisation and logging. However, no method of transmission or storage is completely secure, and we cannot guarantee 100% security.



13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The latest version will always be available on https://comaply.com.

If we make significant changes, we will notify you on the website and/or by email where appropriate before the changes take effect.



14. Contact

For any questions, write to: info@kalmars.lv

Please include your name, order number (if applicable), and the type of request.