ONLIST

Privacy policy

Last updated: 2026-07-06

ONLIST is a QR-based guest management app for events. This policy explains what personal data we process, why, for how long, and what rights you have over it.

Who's responsible for your data

The data controller is Fran Celadilla. For any question about this policy or to exercise your rights, write to hello@onlistapp.com.

What data we collect

Depending on how you use ONLIST, we process different data:

  • Guests: name and email (for named invitations); generic invitations don't require a name and the email is optional.
  • Event staff (organizers, managers, promoters, door staff): the email they sign in with and, optionally, their name.
  • Entry audit: every ticket scan is logged (result, time, method, and who scanned it) so door disputes can be resolved and fraud detected — this doesn't include the guest's contact details, only the validation outcome.

What we use it for

We use this data exclusively to manage your invitation: generating and sending your QR entry code, validating it at the door, and keeping an entry log that lets us resolve disputes or detect fraud attempts (e.g. the same code used more than once).

Who we share it with

We don't sell or share your data with third parties for commercial or advertising purposes. We do work with technical providers that process data on our behalf to operate the service:

  • Supabase — database and authentication.
  • Resend — sending the emails with your ticket.
  • Vercel — application hosting.
  • Google — only if you choose to sign in with your Google account, to verify your identity.

How long we keep it

Guest data (name and email) is kept for a number of days after the event set by the organizer (30 days by default). After that, an automatic process anonymizes those fields: the invitation record remains (for the event's stats — how many tickets, how many were used), but the name and email are no longer attached to it.

Staff account data is kept while the account stays active on the platform.

Your rights

You can ask us to access your data, correct it, request early deletion before the automatic deadline, or object to its processing by writing to hello@onlistapp.com. We'll respond within a reasonable time.

If you're in Spain or the European Union, you also have the right to data portability and to restriction of processing, and you can file a complaint with the Spanish Data Protection Agency (AEPD, aepd.es) if you believe we haven't respected your rights. If you're in Argentina, the oversight body is the Agencia de Acceso a la Información Pública.

Security

Access to data is controlled at the database level (not just in the interface): each event role only sees what it's entitled to. The app runs over encrypted connections (HTTPS) and we don't log personal data on the server.

Cookies

We only use functional cookies: to keep you signed in and to remember your language preference (Spanish/English). We don't use third-party tracking or advertising cookies.

Changes to this policy

If we update this policy, we'll reflect the change date above. We recommend checking back if you're part of an event's staff.

Governing law

ONLIST is used mainly in Argentina and Spain, so this policy aims to comply with Argentina's Personal Data Protection Law No. 25,326 and, for those in Spain or the European Union, with the General Data Protection Regulation (GDPR). Where the two differ, we apply whichever standard protects you more.

Go home
ONLIST