Privacy Policy

Who is Responsible for the Personal Data that we Collect?

For the purpose of data protection law, ICOM is the data controller in respect of the personal data that we collect and use as part of the App. This is because we determine the purpose for which your personal data is used and how we use your personal information.

The respective ICOM member agencies may be responsible for the data processing they carry out in connection with registering attendees for ICOM events, and in particular for the transfer of attendee data to ICOM for inclusion in the App.

Collection of Personal Data

We collect personal data through the App in the following ways:

Information provided by you or your organization:

• Name, job title, organization/agency, location, and professional biography — provided by your organization or ICOM staff when registering you for a conference
• Email address and phone number — provided by your organization or ICOM staff for the purposes of event coordination and authentication
• Profile photograph — optionally uploaded by you or ICOM staff
• Chat messages — text messages you send in the App's chat rooms, direct messages, and group chats during a conference
• Chat invite records — records of invitations you send or receive for direct messages and group chats, including whether each invite was accepted, denied, or expired
• Block lists — identifiers of other attendees you have chosen to block within the App
• Message reports — messages you flag as inappropriate, stored with a snapshot of the reported message at the time of reporting so ICOM staff can review
• Group chat membership records — the groups you belong to (past and present) and per-group read state such as last-read timestamps and unread counters
• Photos and videos — media you voluntarily share to the conference gallery

Information collected automatically:

• Push notification token — a device identifier (Expo push token) used to deliver schedule updates and announcements to your device, along with device type and platform (iOS/Android)
• Screen view analytics — which screens you visit within the App, collected only if you provide explicit opt-in consent when prompted. If you decline, no analytics data is collected
• Crash diagnostics — device type, operating system version, and application stack traces collected automatically to help identify and fix technical issues. This data does not contain personally identifiable information

Information provided by third parties:

If your organization or ICOM member agency provides personal data to us on your behalf for the purpose of event registration, they confirm that they have the consent of the individual or another legal basis to share such personal data with us, and that they have made the information in this Privacy Policy available to the individual.

Legal Basis for Processing

ICOM collects and uses personal data for the purposes described below, and we will only use your personal data when the law allows us to. We have indicated the legal basis we rely on for each purpose:

• To provide the attendee directory and enable networking — This includes processing your name, job title, organization, location, biography, and profile photograph. We process this data for our legitimate business purposes (i.e., the provision of the conference experience and enabling attendees to identify and connect with one another).
• To authenticate your identity and provide access to the App — This includes processing your email address to send a one-time verification code. We process this data as it is necessary for the performance of a contract (i.e., delivering the conference services you or your organization registered for).
• To enable group communication — This includes processing chat messages you send in conference chat rooms, direct messages, and group chats. We process this data for our legitimate business purposes (i.e., facilitating real-time communication between conference attendees).
• To operate direct messages, group chats, and the invite-based access model — This includes processing invite records, group membership records, and per-user read state. We process this data as it is necessary for the performance of a contract (i.e., delivering the networking features of the App) and for our legitimate business purposes (i.e., preventing spam through rate limits and expiring invites).
• To operate blocking — This includes processing the list of identifiers you have blocked. We process this data for our legitimate business purposes (i.e., allowing you to control who can contact you within the App).
• To moderate reported content and enforce the Code of Conduct — This includes processing reports you submit (with the reported message content), and processing admin actions taken against reported content or users (dismiss, delete, ban). We process this data for our legitimate business purposes (i.e., keeping the conference community safe) and, where applicable, to comply with a legal obligation.
• To deliver push notifications — This includes processing your push notification token and user role/track to deliver schedule changes, announcements, and reminders. We process this data as it is necessary for the performance of a contract (i.e., keeping you informed of conference activities).
• To enable media sharing — This includes processing photos and videos you upload to the conference gallery. We process this data based on your consent (i.e., you voluntarily choose to upload media).
• To analyze usage of the App — This includes processing screen view data to understand which features are used and improve future conferences. We process this data based on your explicit consent. If you decline the analytics prompt, no data is collected or transmitted.
• To identify and fix technical issues — This includes processing crash diagnostics (device type, OS version, stack traces). We process this data for our legitimate business purposes (i.e., maintaining the stability, security, and functionality of the App).

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Chat Features (Direct Messages and Groups)

The App includes direct message (DM) and named group chat features that let attendees connect during the conference. This section explains what data these features store, who can see it, and how blocking, reporting, and retention work.

What we store:

• Messages you send — text content, timestamp, and sender identity, stored so that you and the other participants in a conversation can see your chat history.
• Invite records — who invited whom, when, and whether the invite was accepted, denied, or expired. Invite records are used to prevent spam and to enforce a 7-day cooldown before a sender can re-invite the same recipient.
• Block lists — a list of the identifiers you have blocked, stored against your own profile. Blocks are one-directional and silent: the person you block is not notified that you have blocked them.
• Reports — messages you flag as inappropriate, stored with a snapshot of the reported message at the time of reporting. Reports are reviewed by ICOM staff.
• Group metadata and membership — group name, creator, current members, past members (for read-only history access), and per-user read state (last-read timestamps and unread counters).

Who can see what:

• You and the other participants in a DM or group chat can see the full message history of that conversation.
• ICOM admins can see metadata only for direct messages and group chats by default — participant names, message counts, creation and last-activity timestamps, and flagged-report counts. Admins do not see DM or group message content by default.
• When a message is reported, ICOM admins can see the full content of the reported message on the admin Reports page. The reporter's identity is not shown to the person whose message was reported.
• Admins acting on a report may dismiss it, hard-delete the reported message, or ban the sender from chat features. Every admin action is recorded in the App's audit log.

Blocking:

If you block another user, they can no longer send you new direct-message invites or invite you to new groups. They are not notified of the block. Blocking only affects future interactions — any existing groups you already share continue to function, and you can mute or leave those groups separately. You can unblock users at any time from the Blocked Users screen in Settings.

Bans:

ICOM staff may ban a user from chat features in response to a report or a Code-of-Conduct violation. A banned user cannot send new messages or invites until the ban is lifted by ICOM. A ban applies only to chat-related functionality within the App; it does not remove the user's profile from the attendee directory.

Retention:

Chat data (messages, rooms, invites, reports, block lists, and group membership records) follows the standard 90-day post-event retention described in "Retention of Personal Data" below. Expired and completed invites are hard-deleted 90 days after reaching their terminal state. You can request earlier deletion of your own data at any time by contacting comms@icomagencies.com.

Your rights within chat features:

• You can block any user at any time from the DM header menu or from Settings.
• You can report any message you find inappropriate. ICOM staff will review reports within a reasonable time.
• You can leave a group at any time. Past messages remain visible to you in read-only form after you leave.
• You can request deletion of your account and all associated chat data by emailing comms@icomagencies.com.

Disclosure of your Personal Data

We may share your personal data in the following circumstances:

• Service providers — We share your data with the third-party service providers listed in the "Third-Party Service Providers" section below, solely for the purposes described in this Privacy Policy. These providers act as data processors on our behalf and are contractually bound to protect your data.
• ICOM member agencies — Your name, organization, and professional details may be visible to other conference attendees through the App's attendee directory, which is the core purpose of the App.
• Legal obligations — We may disclose your personal data if required to do so by law, or in response to valid requests by public authorities (e.g., a court or government agency).
• Protection of rights — We may disclose your personal data where we believe it is necessary to protect our legal rights, your safety, or the safety of others, to investigate fraud, or to respond to a government request.

Third-Party Service Providers

The App relies on the following third-party services. Each service receives only the data necessary to perform its function.

• Firebase (Google Cloud) Receives all app data — profiles, chat messages, event photos, push tokens, and app content. Firebase hosts the database, file storage, user authentication, and admin panel. Data location: Google Cloud infrastructure (United States and other regions). firebase.google.com/support/privacy
• PostHog (EU Cloud) Screen view analytics — which screens you visit. Only collected if you explicitly opt in. If you decline, PostHog is never initialized and no data is sent. Data location: European Union. posthog.com/privacy
• Expo / EAS (Expo Application Services) Receives your device's push notification token to deliver notifications. Expo also handles over-the-air app updates (no personal data involved in updates). expo.dev/privacy
• Brevo (formerly Sendinblue) Receives your email address solely to deliver the one-time verification code when you log in. Brevo does not receive any other personal data. brevo.com/legal/privacypolicy
• Sentry Receives crash reports containing technical information — device type, OS version, and app stack traces. Sentry does not receive personally identifiable information (no names, emails, or profile data). sentry.io/privacy

Data Integrity and Security

The security of your data is important to us. ICOM strives to maintain the reliability, accuracy, completeness, and currency of all personal data in our systems and to protect the privacy and security of our databases.

ICOM has put in place appropriate security measures to prevent your personal data from being accidentally lost, destroyed, used or accessed in an unauthorized way, altered, distributed, or disclosed. Specifically:

• All app data is stored in Firebase (Google Cloud infrastructure), which provides encryption both in transit (TLS) and at rest
• Access to the App requires email verification, ensuring only registered conference attendees can view attendee profiles, chat messages, and media
• Admin access to manage conference content requires separate authentication with restricted credentials
• The admin panel is additionally protected by Firebase App Check with reCAPTCHA v3 to prevent automated or bot access
• We limit access to your personal data to those ICOM staff and contractors who have a business need to manage conference content. They will only process your personal data on ICOM's instructions and they are subject to a duty of confidentiality

Your Rights

You have the following rights in relation to your personal data:

• Right to access — You have the right to access the personal data that ICOM holds about you, subject to certain exceptions.
• Right to rectification — You have the right to ask ICOM to correct the personal data that ICOM holds where it is incorrect or incomplete.
• Right to erasure — In certain circumstances, you have the right to ask ICOM to delete the personal data that we hold about you. See "Requesting Data Deletion" below for details.
• Right to restrict processing — In certain circumstances, you have the right to request that we limit how we use your data while a concern is being resolved.
• Right to data portability — In certain circumstances, you have the right to obtain your personal data in a structured, commonly used, and machine-readable format and for it to be transferred to another organization, where it is technically feasible.
• Right to object — You have the right to object to the use of your personal data in certain circumstances. For example, (i) where you have grounds relating to your particular situation and we use your personal data for our legitimate interests (or those of a third party); and (ii) if you object to the use of your personal data for direct marketing purposes.
• Right to withdraw consent — You have the right to withdraw your consent at any time where ICOM relies on consent to use your personal data (for example, analytics tracking or media uploads).
• Right to non-discrimination — You will not be treated differently for exercising your privacy rights.

California residents (CCPA/CPRA): You have the right to know what personal information is collected, the right to delete it, and the right to opt out of the sale or sharing of personal information. ICOM does not sell or share your personal information as defined under the CCPA/CPRA.

EU/EEA residents (GDPR): You may exercise any of the rights above under the General Data Protection Regulation. You also have the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe ICOM has not used your personal data in accordance with data protection law. We would, however, appreciate the chance to deal with your concerns before you approach your relevant data protection authority, so please contact us in the first instance.

With regards to any of the requests above, please contact us by sending an email to comms@icomagencies.com.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, ICOM may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, ICOM could refuse to comply with your request in these circumstances.

ICOM may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one week. Occasionally it could take us longer than one week if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Requesting Data Deletion

When you request deletion, we will remove:

• Your participant or speaker profile (name, email, phone, photo, biography)
• Your chat messages from all chat rooms, direct messages, and group chats
• Your chat invite records, block list, group memberships, and per-group read state
• Any reports you have filed (retaining only anonymized audit entries where required for accountability)
• Any photos or videos you uploaded to the conference gallery
• Your push notification token

Please include your name and the email address associated with your conference registration so we can locate your data.

Retention of Personal Data

Conference data — including profiles, chat messages (rooms, direct messages, and groups), chat invites, block lists, reports, group membership records, media, and push tokens — is retained during the event and for 90 days after the event concludes to support post-conference follow-ups and communications.

Chat invites that reach a terminal state (accepted, denied, or expired) are hard-deleted 90 days after that terminal state is reached. Rate-limit history tied to an invite is retained for 7 days after the invite reaches a terminal state.

After the 90-day window, remaining event data is archived or deleted by an ICOM administrator before the next conference is configured. This is a documented process performed by authorized staff.

Crash reports and analytics data are retained by the respective third-party services according to their own retention policies (see "Third-Party Service Providers" above).

When the personal data that ICOM has collected is no longer required, ICOM will delete it in a secure manner.

Automated Decision-Making

Decisions that produce legal effects concerning you or significantly affect you in a similar way (automated individual decision-making) do not take place within the App. No algorithms are used to make decisions about your access to services, content visibility, or any other matter.

Transfer of Data Abroad

Your data may be transferred to and processed in countries outside your country of residence. ICOM uses service providers that may process data in the following locations:

• Firebase (Google Cloud) — Data may be stored and processed in the United States or other Google Cloud regions
• PostHog — Analytics data is processed in the European Union (EU Cloud)
• Expo, Brevo, Sentry — These services operate in the United States

Some countries outside of the European Economic Area (the "EEA") are recognized by the European Commission as providing an adequate level of data protection according to EEA regulations. For transfers from the EEA to countries not considered adequate by the European Commission, ICOM and its service providers have put in place adequate measures, such as standard contractual clauses adopted by the relevant authority, to protect your personal information.

Please contact us if you want further information on the specific mechanism used by ICOM when transferring your personal data out of the EEA.

Analytics Consent

The App asks for your consent to collect screen view analytics when you first log in. This is entirely optional.

• If you accept, anonymous screen view data is collected via PostHog to help improve the App
• If you decline, the analytics service is never started and no data is collected or transmitted

You can change your analytics preference at any time through the App's Settings screen. Your choice applies only to your device.

Tracking Technologies

The ICOM Conference App is a native mobile application and does not use browser cookies.

The App uses the following technologies:

• PostHog SDK — Screen view tracking, active only when you provide explicit opt-in consent
• Sentry SDK — Crash reporting, active automatically (no personally identifiable information collected)
• Firebase SDK — Core app functionality (authentication, database, file storage)

No third-party advertising trackers or cross-app tracking identifiers are used within the App.

Children's Privacy

The ICOM Conference App is designed for professional conference attendees and is not directed at children under the age of 13 (or 16 where applicable under local law). We do not knowingly collect personal data from children. If you believe a child's data has been submitted in error, please contact us at comms@icomagencies.com and we will promptly remove it.

Changes to this Privacy Policy

ICOM reserves the right to amend this Privacy Policy at any time. The applicable version will always be found within the App and on our website. Material changes will be communicated through the App or by email where possible. We encourage you to check this policy periodically to ensure that you are happy with any changes.

Governing Law

This Privacy Policy is governed by the laws of the United States of America and the State of Georgia. For EU/EEA residents, nothing in this section limits your rights under the GDPR or your right to bring a claim before the courts of your country of residence.

Contacting ICOM with Questions, Concerns or Complaints

If you have any questions or feedback about this Privacy Policy, or would like to exercise any of your rights relating to your personal data, please contact us:

By email: comms@icomagencies.com

By mail: 1870 The Exchange SE Ste 220, PMB 88484, Atlanta, GA 30339-2177