What to put in your own privacy policy

When your venue runs events in 1pm and you invite people to use it or submit information in any capacity, you collect personal data about your guests, contacts, and crew. 1pm holds and processes that data on your behalf. In data-protection language, you are the controller and 1pm is your processor.

This article walks through what to declare, with an example drop-in clause at the end you can adapt. It is general guidance, not legal advice.

Why this lands on you, not us

A guest who books a function room, a contact you add to an event, or a crew member who opens a shared link has handed their details to you. When that person asks "who has my data and where does it go", the answer starts with you, not 1pm directly. 1pm appears in that answer as a named provider you use, the same way your accounting software or your email host does.

The practical upshot: your privacy policy should mention 1pm and the subprocessors (the third-party providers 1pm uses) that come with using it.

What to declare

That you use 1pm as a provider. 1pm.app is operated by WorkZerk Pty Ltd from the state of Queensland in Australia. Best practice is to link to 1pm.app/subprocessors rather than copying the list yourself, so your policy stays current when our providers change (the list is very much subject to change).

What personal data you collect into it. Be as specific as you can about what you actually gather. For most 1pm controllers (users) that is:

  • Names and contact details for guests, clients, and contacts
  • Crew and supplier contact details
  • Dietary requirements (see the sensitive-data note below)
  • Files, photos, and attachments or documents tied to an event (normally images or PDFs)
  • RSVP and ticketing details for your own in-house events

Dietary requirements are sensitive data. This is the one venues most often miss. An allergy or dietary requirement can reveal health or religious information, which most privacy laws (the Australian Privacy Act, the EU and UK GDPR) treat as a special, protected category. Collecting it usually needs the guest's clear consent, and your policy should say you collect it and why. A line at the point you ask for it ("we collect dietary needs so the kitchen can cater safely") covers most of this.

That data may be stored and accessed outside Australia. 1pm runs on Microsoft Azure in Australia with replication to other Azure regions, which may not be inside Australia, and uses third-party providers in the US and EU for things like email delivery and payments. Australian venues need to declare this overseas disclosure under Australian Privacy Principle 8. If you serve guests in the EU or UK, note that transfers happen under Standard Contractual Clauses, which is the mechanism 1pm relies on.

That you share event details and contact information with crew and suppliers. 1pm gives crew and suppliers a filtered view of the run of show through a shareable link that needs no login. If a contact's name or a timeline item naming them appears on that view, you are sharing it with the people working the event.

Enquiry forms on your own website. If you embed a 1pm enquiry form on your site, you are the controller of every enquiry that comes through it. You should probably have a short collection notice at the point of capture (next to the form) that tells people what you do with their details, links to your privacy policy, or both.

Payments. If you take deposits or invoice payments through 1pm, card details are handled by Stripe under its own security standards. You and 1pm do not store card numbers.

How long you keep it, and how people reach you. Say roughly how long you hold event data and that you delete it on request. Most importantly, tell people that access and correction requests should come to you first, because you are the controller. If a guest or crew member asks 1pm directly, we refer them back to you.

A drop-in clause you can adapt

Paste this into your privacy policy and edit the bracketed parts. Adjust it to match what your venue actually does.

Event management software. We use 1pm (1pm.app, operated by WorkZerk Pty Ltd) to manage the events we host. When you book or attend an event with us, or when we add you as a contact or crew member, we store and process your details in 1pm on our behalf. This can include your name and contact details, dietary requirements (which we treat as sensitive information and collect with your consent so we can cater safely), and any files or notes connected to your event.

1pm stores this data on Microsoft Azure in Australia with backup replication to other Azure regions outside Australia, and uses third-party providers for email delivery, payments, and security. Your information may therefore be stored or accessed outside [your country]. The current list of those providers is published at 1pm.app/subprocessors. For guests in the EU or UK, these transfers are made under Standard Contractual Clauses.

We share relevant event details, such as timelines and the crew involved, with our crew and suppliers through 1pm so the event runs smoothly. We do not sell your personal information.

To ask what data we hold about you, to correct it, or to have it deleted, contact us at [your email]. We will respond within [30 days].

Where to read what 1pm actually does

If you want the detail behind the summary above, our own Privacy Policy sets out the controller and processor split (clause 4), the embedded-enquiry-form position (clause 4.8), and how we handle crew data and rights requests. The Subprocessors page lists every provider, what they do, where they are, and their data-protection terms. Where possible, point your own policy at these two sources rather than reproducing them, so the information stays current and accurate.