Privacy Policy

0. Overview

This Privacy Policy describes the types of personal information dinnerHQ collects from website visitors and people who use our Services, how we use and share that information, and the choices you have. Please read it carefully to understand our practices and how we will treat your information.

Capitalized terms not defined in this Policy have the meaning given in our Terms of Use.

1. Who we are

dinnerHQ operates curated B2B networking dinners in the United States.

Postal address: 3870 NE 167th St, North Miami Beach, Florida 33160, USA
Email: [email protected]

We take privacy seriously and align our practices with leading U.S. and international frameworks, including the GDPR and California CCPA/CPRA.

2. Definitions

“Services” means our public website at www.dinnerhq.com (the “Site”) and the curated B2B networking dinners and related features we operate (for example, ticketing and attendee rosters).

“Personal Information” means information about an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to that person’s identity.

“Third‑Party Products/Service Providers” are products or services not owned or controlled by dinnerHQ (for example, Luma for ticketing or Stripe for payments). Their own privacy notices apply to their handling of information.

3. Scope of this Policy

This Policy explains how we collect, use, share and protect personal information when you:

• browse www.dinnerhq.com (the “Site”);
• purchase or manage a ticket via Luma or other ticketing widgets embedded in the Site;
• interact with our emails, SMS messages or social‑media ads; or
• attend a dinnerHQ event;
• network with other professional attendees via dinner‑specific rosters or post‑event follow‑up messages.

This Policy does not cover third‑party websites or services that link to or from us. Their own privacy statements apply.

Controller details: The controller responsible for the processing of personal information is dinnerHQ. You can reach us at the address and email listed above.

4. Acceptance of this Policy

By accessing or using the Services, you agree to this Privacy Policy. If you do not agree, do not use the Services. You can contact us at [email protected] with questions about this Policy.

5. Updates to this Policy

We may update this Policy from time to time. When we do, we will post the revised version on this page and update the effective date at the top. Where required, we will provide additional notice (for example, by email or banner). Your continued use after an update constitutes acceptance of the revised Policy.

5a. Legal Basis for Processing Your Data

Under GDPR and similar privacy laws, we must have a legal basis to process your personal information. We rely on the following bases depending on the processing activity:

6. Information we collect

We collect information from the following sources: (a) directly from you; (b) automatically from your device and browser; (c) from event partners and service providers that help us operate dinners (for example, Luma, Stripe); (d) from publicly available professional and company sources; and (e) from third-party professional or business data providers, where allowed by law and subject to our vendor review and data protection requirements.

We do not intentionally collect sensitive data such as social-security numbers, government identifiers, or detailed health records. We may collect limited dietary, allergy-related, accessibility, or safety information if you choose to provide it for event logistics.

We also do not seek or require information about legally protected characteristics (for example race, color, religion, national origin, disability, or medical details). Please do not provide such information.

We do not intentionally use professional enrichment to infer sensitive characteristics such as race, religion, health status, political opinions, union membership, sexual orientation, or similar protected traits. If a public or third-party source includes information that appears sensitive or irrelevant to professional event curation, we aim to exclude it from matching and sponsor-facing summaries.

7. How we use your information

We process personal information to:

• Provide our service — issue tickets, confirm restaurant logistics, handle seating and send pre‑/post‑event communications.
• Process payments via Stripe and detect fraud.
• Curate and recommend events — use professional profile data, company attributes, derived affiliations, and matching signals to recommend dinners, assess event fit or eligibility, form relevant attendee groups, and personalize outreach.
• Evaluate sponsor relevance — use professional and company context to understand whether an event audience is relevant to current or prospective sponsors, without sharing raw enrichment payloads, embeddings, or similarity scores.
• Operate, secure and improve the Site and any future mobile app.
• Facilitate networking — share limited professional contact details (name, company, role, professional profile link) with other confirmed attendees so you can follow up after the dinner.
• Send marketing emails/SMS you opt into; you may unsubscribe at any time.
• Comply with law — e.g. tax, accounting and lawful requests.
• Defend our rights and prevent misuse of our services.

We rely on one or more of the following legal bases, as applicable: (i) performance of a contract (ticket purchase), (ii) our legitimate interests in running and marketing the business, (iii) your consent (for optional newsletters/texts), and (iv) compliance with legal obligations.

Automated profiling and human review. We may use automated tools to help classify professional profiles, generate embeddings or other machine-readable representations, recommend events, assess event fit, evaluate sponsor relevance, and support eligibility or waitlist decisions. These tools support dinnerHQ operations and are not intended to make decisions with legal or similarly significant effects without meaningful human involvement. If you believe an automated recommendation, eligibility decision, or profile classification is inaccurate or unfair, you may contact us to request human review.

8. Cookies & similar technologies

We use first‑ and third‑party cookies, pixel tags and local‑storage objects to recognise your browser, analyse traffic, remember preferences and measure ad performance. You can control cookies through your browser settings. Blocking all cookies may degrade Site functionality.

Key third‑party cookies/pixels:

• Google Analytics 4 — site analytics (IP anonymised)
• PostHog — user behavior analytics and feature flags
• Meta (Facebook) & LinkedIn Insight Tags — conversion tracking & retargeting
• Stripe — checkout session, fraud prevention and payment performance
• Loops — email campaign analytics

9. Who we share information with

We disclose information only as needed to run the service:

We require each service provider to keep information confidential and to use it only for the purpose we disclosed it.

Event sponsors: We may share professional contact information and limited human-readable professional context (for example, name, business email, company, job title, industry, seniority, role focus, relevant company attributes, professional background, attendance history, and profile URL if provided) with event sponsors to enable professional networking, business development, and sponsorship ROI assessment. This data sharing applies to all dinnerHQ events (both sponsored and non-sponsored community dinners). We do not share raw third-party provider payloads, embeddings, similarity scores, or internal matching logic with sponsors. Sponsors must comply with anti-spam laws (CAN-SPAM, GDPR, CASL) and cannot resell, broker, or relicense your data to third parties without your consent. See Section 6.1 for full details.

Payment processing: We use Stripe to process payments and do not store full credit‑card numbers. Stripe handles card data in accordance with its own privacy policy and PCI‑DSS requirements. We receive tokens and limited payment metadata (e.g., last four digits, card brand, amount).

We may also share information (i) to comply with law or valid legal process, (ii) to enforce our Terms of Use, (iii) in connection with a business transfer such as a merger or sale, or (iv) with your consent.

10. International transfers

dinnerHQ is based in the United States. When you access our services from the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data is transferred to the US.

We use appropriate safeguards for international data transfers where required, including Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), transfer impact assessments, vendor security review, data minimization, and contractual confidentiality or data protection commitments. Safeguards may vary by vendor, service, and transfer type.

Request Documentation: For more details on our data processing practices, international transfer safeguards, and key service providers, see our Data Processing and Transfer Addendum. You can also request a copy by emailing [email protected] (GDPR Article 46(2)(c) right to information about safeguards).

If you object to international data transfers, you may choose not to use our services. We cannot provide our services without transferring data to US-based processors. However, where technically feasible, we can accommodate requests to store your data on EU servers — email [email protected] to request EU-based hosting options.

11. Retention

We keep information only as long as necessary to fulfil the purposes in Section 7, to resolve disputes or as required by law (e.g., U.S. tax regulations). When no longer needed, we securely delete or de‑identify it.

Professional enrichment records, derived affiliations, profile embeddings, and matching or recommendation signals are retained only as long as needed for event curation, sponsor relevance assessment, dispute resolution, legal compliance, and service improvement. When no longer needed, we delete, de-identify, or regenerate these derived records from updated source data as appropriate.

12. Your choices & rights

• Email & SMS marketing — click “Unsubscribe” in any message or email [email protected].
• Cookies — use browser controls to block or delete cookies.
• Access / correction / deletion — U.S. residents may request a copy or deletion of personal information by emailing [email protected].
• Professional profile and automated profiling rights — you may ask us to explain, correct, delete, or stop using professional enrichment data, derived affiliations, profile embeddings, or automated recommendation and eligibility signals associated with your profile, subject to legal and operational limitations.
• California residents — you have CCPA rights to know, delete and opt out.
• EEA/UK/Swiss visitors — you have GDPR rights of access, rectification, erasure, restriction, objection and data portability, exercisable via the same email. Because we are not established in the EEA, we process your data on the Article 3(2) GDPR extraterritorial basis.

We will respond within 30 days (or the period required by applicable law). We may ask for identity verification.

Do Not Track. At this time there is no industry standard for recognizing browser “Do Not Track” signals. We honor legally required browser or platform opt-out signals where required and technically feasible. You can also control cookie-based tracking via your browser settings.

13. Security

We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (GDPR Article 32).

Technical Measures

• Encryption: HTTPS/TLS in transit and encryption-at-rest controls provided by our hosting, database, storage, and payment providers
• Access Controls: Access to production systems is limited to authorized personnel and reviewed when roles or needs change
• Network Security: Managed infrastructure controls, rate limiting, request filtering, and provider-level network protections
• Security Review: Code review, dependency updates, provider security documentation, and monitoring to identify and remediate risks
• Logging & Monitoring: Application and infrastructure monitoring to investigate errors, abuse, and reliability issues
• Backups: Backup practices depend on the provider and data type, and retained data remains subject to applicable deletion and retention limits

Organizational Measures

• Staff Awareness: Personnel with access to personal data are expected to follow security and privacy procedures
• Incident Response: Procedures for investigating incidents and providing legally required notices
• Data Minimization: Collection, sponsor disclosures, and provider disclosures limited to data reasonably needed for the stated purpose
• Vendor Management: Review of key vendors and use of appropriate contractual, technical, and operational safeguards based on vendor role and risk
• Confidentiality: Personnel and relevant service providers are subject to confidentiality obligations
• Access Reviews: Periodic access review and revocation of unnecessary access permissions

Security Limitations: No internet transmission is ever 100% secure. By using our services, you acknowledge this inherent risk. We cannot guarantee absolute security but commit to implementing industry-standard safeguards appropriate to the risk.

Data Breach Notification

If we become aware of a personal data breach that compromises your information, we will:

• Notify Regulators: We will notify relevant regulators where required by applicable law
• Notify You: We will inform affected individuals where required by applicable law
• Provide Details: Notification will include the nature of the breach, likely consequences, and mitigation measures taken
• Cooperation: We will cooperate fully with any regulatory investigation and provide necessary documentation

Legal Remedies: Applicable privacy laws may provide remedies or compensation for certain violations. Nothing in this Policy limits rights that cannot legally be limited.

14. Responsible disclosure of security vulnerabilities

If you discover or suspect a security vulnerability in our Services, please notify us immediately at[email protected]. If, during testing, you encounter any sensitive data, stop the test and do not share that data. We will investigate in a reasonable timeframe and may limit access while an issue is assessed.

15. Children’s privacy

Our Services are intended for adults 18 years and older. We do not knowingly collect information from children. If you believe we have done so inadvertently, please contact us for removal.

16. Contact

Privacy Contact

For data protection inquiries, privacy rights requests, or to exercise your rights under applicable data protection laws, contact our privacy team:

General Privacy Inquiries

For general questions about this Policy or your personal information, email [email protected] or write to the Florida address above.