ShowDayGuide

Privacy Policy

Last updated: 1 July 2026 (v1.2)

1. Who We Are

ShowDayGuide is a trading name of ShowDayGuide Ltd, a private limited company registered in England and Wales (company number 17222819), whose registered office is at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. We operate the ShowDayGuide platform at showdayguide.co.uk (also accessible via showdayguide.com). In this Policy "we", "us", and "our" refer to ShowDayGuide Ltd.

We are the data controller for the personal data we collect directly through the Service. Where show organisers use the Service to publish their own shows, the organiser is the data controller for personal data contained in their show content (including images, vendor details, and visitor analytics visible to them), and we act as a data processor in respect of that data, under the Data Processing Annex to the Organiser Agreement.

We are committed to handling personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are registered with the Information Commissioner's Office (ICO) under registration number ZC186208.

For any questions about this Policy or your personal data, contact us at [email protected].

2. What Data We Collect

Show Visitors (no account required)

When you access a show guide, we may collect:

  • Device and usage data: Browser type, device type, operating system, pages visited, time spent, and referring URL. This is collected via privacy-respecting analytics and performance-monitoring tools
  • Approximate location: If you use the GPS "find me on the map" feature, your device's location is processed locally in your browser to display your position on the site map. We do not store or transmit your precise GPS coordinates to our servers
  • Push notification tokens: If you opt in to event reminders, we store a push subscription identifier to deliver notifications. This is not linked to your identity and is deleted when you unsubscribe or the associated event passes
  • Interaction analytics: Anonymous interactions such as map pin taps and schedule views, used to provide show organisers with aggregate engagement data

Show Organisers (account required)

When you create an account and manage shows, we collect:

  • Account information: Email address and password (password is hashed and stored securely by our authentication provider; we never see your plaintext password)
  • Authentication metadata: Login timestamps, session information, email confirmation state, and verification data from anti-bot challenges (CAPTCHA verification)
  • Show content: All information you enter about your show, including descriptions, schedules, map images, site feature polygons, announcements, vendor listings, sponsor details, and settings
  • AI usage metadata: When you use AI-assisted import features, we log the feature used, the approximate size of the request (in tokens), the estimated cost, whether the request succeeded, and your user ID — used for cost management, rate-limit enforcement, and service improvement. We do not retain the content of AI requests beyond what is necessary to produce the requested output
  • Payment information: When you pay for features, payment is processed by our third-party payment provider. We do not store your full card details; we store only a record of the transaction, amount, and payment status

Vendors & Sponsors

Vendor and sponsor information (business name, description, contact details, offers) is provided by the vendor/sponsor or by the show organiser on their behalf, and is displayed publicly within show guides.

Image Uploads and Copyright Confirmation

When you upload an image to the Service — for example a vendor, sponsor, or advertiser logo or promotional image, or a show map — we ask you to confirm that you own the image or otherwise have the right to use it. At the moment you give that confirmation, we record it in a secure, tamper-evident log. This record is separate from the short-lived security logs described below, and includes:

  • The exact wording of the confirmation you agreed to
  • The date and time of the confirmation
  • Your IP address and user agent (browser and device information) at the time of the confirmation

We keep this record so that, if ownership of an uploaded image is ever questioned, we hold reliable evidence of who confirmed the right to use it and when. Our lawful basis is our legitimate interests, and those of the show organiser, in defending against copyright and other intellectual-property claims and in maintaining an accurate audit trail of these confirmations (see sections 3 and 8).

Enquiry Form Submissions

If you submit an enquiry via our contact form, we collect your name, email address, phone number (if provided), and message content.

Security and Abuse Prevention Logs

To protect the Service from abuse and to meet our security obligations, we collect:

  • Rate-limit records: Timestamps of certain sensitive actions (such as login attempts, AI feature usage, and sign-ups) keyed by user identifier or IP address
  • Failed authentication attempts and bot-detection signals
  • IP addresses and user agents for requests to the Service
  • Administrative audit logs of privileged actions taken by ShowDayGuide administrators within the platform

These logs are retained only as long as necessary for the stated purposes (typically days to weeks), except where longer retention is required to investigate suspected abuse or to comply with legal obligations.

3. How We Use Your Data

We use personal data for the following purposes:

Purpose | Lawful Basis (UK GDPR)
Providing the Service to visitors (show guides, maps, schedules) | Legitimate interests (Art. 6(1)(f))
Providing the Service to organisers and Commercial Partners (account management, show building, placement configuration) | Performance of a contract (Art. 6(1)(b))
Managing organiser accounts and show content | Performance of a contract (Art. 6(1)(b))
Processing payments | Performance of a contract (Art. 6(1)(b))
Providing AI-assisted import features | Performance of a contract (Art. 6(1)(b))
Logging AI usage for cost management and rate limiting | Legitimate interests (Art. 6(1)(f))
Sending push notification reminders | Consent (Art. 6(1)(a))
Operational analytics — counting page views and aggregated use of the Service to improve it (visitor_id, session_id, event records; aggregated; never shared with third parties) | PECR Reg 6(4)(c) statistical purposes exception (in force via the Data (Use and Access) Act 2025); no Article 6 basis required because this is non-PII aggregated data. Right to object: see section 9.
Commercial analytics — providing aggregated metrics about Shows, Vendor Placements, Sponsor Placements, and Advertiser Placements to the relevant organiser, vendor, sponsor, or advertiser | Performance of a contract with the relevant organiser / Commercial Partner (Art. 6(1)(b)), and our legitimate interests in providing the commercial features of the Service to those parties (Art. 6(1)(f)). Aggregated output only; no individual visitor identifiers are surfaced.
Responding to enquiries | Legitimate interests (Art. 6(1)(f))
Improving the Service and fixing issues | Legitimate interests (Art. 6(1)(f))
Security, abuse prevention, fraud detection, and administrative audit logging | Legitimate interests (Art. 6(1)(f))
Content safety scanning (including automated CSAM detection and image safety classification) | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f))
Recording your confirmation that you own or have the right to use an uploaded image, and retaining that record (including IP address and user agent) to defend against intellectual-property disputes | Legitimate interests (Art. 6(1)(f))
Complying with legal obligations and responding to lawful requests | Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we have conducted a balancing assessment to ensure our interests do not override your rights and freedoms. You can request details of these assessments by contacting us.

4. AI-Powered Features

Some features of the Service use artificial intelligence (AI) to assist show organisers — for example, extracting schedule information from uploaded CSV files, PDFs, images of printed programmes, or pasted text, and interpreting vendor lists from uploaded spreadsheets.

When you use an AI feature, the content you submit is sent to a third-party AI provider for the sole purpose of generating the requested output. The AI provider, at the time of writing, processes the content under contractual terms that prohibit its use for training AI models or for any purpose other than producing the response. We commit to contracting only with AI providers whose terms similarly prohibit such use. We may change AI providers from time to time and will update this Privacy Policy to reflect any material change. We do not sell, share, or repurpose your AI inputs.

We retain usage metadata (feature used, token counts, cost, success/failure, user ID) for the purposes set out in section 3. We do not retain the content of AI requests beyond what is necessary to produce the output you requested.

AI outputs are not guaranteed to be accurate. You are responsible for reviewing AI-generated content before publishing it.

5. Content Safety Scanning

To protect visitors, particularly children, and to meet our legal obligations, content uploaded to the Service is scanned by automated systems. These include:

  • Automated CSAM detection using the Cloudflare CSAM Scanning Tool. This compares served images against known CSAM hash databases maintained by the National Center for Missing & Exploited Children (NCMEC) and other leading child safety organisations. Matches are reported to NCMEC and, where required, to UK law enforcement, in accordance with our legal obligations. We do not view the content of your images as part of this scanning; it is a hash-based comparison
  • Image safety classification, which analyses images for indicators of adult content, violence, or other prohibited material
  • Bot and abuse detection based on access patterns, user agents, and IP reputation

Where a match or flag is identified, content may be held for review, removed, or reported to relevant authorities without prior notice. We may preserve copies of flagged content, associated metadata, and access logs for a minimum of 90 days to support investigations.

6. Who We Share Data With

We do not sell your personal data. We share data only with:

  • Show organisers: Aggregate analytics about visitor engagement with their show guides (e.g. total visitors, most-viewed areas, popular schedule items). We do not share individual visitor identities with organisers
  • Service providers: We use carefully selected third-party providers to operate the Service. Categories of providers include:
    • Cloud hosting, content delivery, and DNS
    • Database, authentication, and file storage
    • Image storage and optimisation
    • AI processing (for import features)
    • Map and geocoding services
    • Payment processing (when enabled)
    • Transactional email delivery (when enabled)
    • Performance monitoring, bot mitigation, CAPTCHA challenges, and automated content safety scanning
  • Child safety organisations: Where our automated systems identify content matching known CSAM hashes, we may share the necessary information with the National Center for Missing & Exploited Children (NCMEC) and other relevant organisations in accordance with legal obligations
  • Law enforcement or regulators: Where required by law, to protect our legal rights, or to protect the safety of users or the public
  • Successor entities: If we are involved in a merger, acquisition, or asset sale, personal data may be transferred to the successor entity, subject to appropriate safeguards

Each service provider processes data only as necessary to provide their service and is bound by appropriate data processing agreements.

7. International Data Transfers

Some of our service providers process data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or reliance on an adequacy decision recognised by the UK. Details of the specific safeguards in place for any given transfer are available on request.

8. Data Retention

We retain personal data only as long as necessary:

  • Organiser accounts: Retained while your account is active. You can request deletion at any time
  • Show content: Retained while the show is on the platform. Organisers can delete show content via the dashboard. For a short period after deletion, deleted content may remain in technical backups before being fully purged
  • Visitor interaction analytics: Raw event records and identifiers (visitor_id, session_id) are retained for up to 18 months from the event date. Aggregated rollup tables (daily metrics for shows, vendors, sponsors, and advertisers) are retained indefinitely because they contain no personal data after aggregation. See section 4 of our Cookie Policy for how to object.
  • Push notification subscriptions: Automatically removed after the associated event has passed, or when you unsubscribe
  • AI usage metadata: Retained for up to 12 months for cost management, rate-limit enforcement, and service improvement. Aggregated data may be retained longer
  • Rate-limit and abuse-prevention logs: Retained only for the period necessary to serve their purpose (typically days to weeks), except where longer retention is needed to investigate suspected abuse
  • Administrative audit logs: Retained for at least 12 months for security and compliance purposes
  • Enquiries: Retained for up to 12 months after the enquiry is resolved, then deleted
  • Payment records: Retained for 7 years as required by UK tax and accounting regulations
  • Copyright confirmation records: Retained for as long as the related image or placement is live on the platform, and for 6 years afterwards, to allow us to respond to any intellectual-property dispute that may arise
  • Content preserved for legal reasons: Where content is removed in response to suspected illegal activity, we may preserve copies and associated metadata for a minimum of 90 days to support investigations

9. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate personal data
  • Right to erasure: Request deletion of your personal data (subject to legal retention requirements)
  • Right to restrict processing: Request that we limit how we use your data in certain circumstances
  • Right to data portability: Request your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Where processing is based on consent (e.g. push notifications), you can withdraw it at any time
  • Rights in relation to automated decision-making (UK GDPR Article 22): Where we make a decision about you based solely on automated processing (without meaningful human involvement) that produces a legal effect or similarly significantly affects you, you have the right to request human intervention, to express your point of view, and to contest the decision. Our content safety scanning processes are subject to human review before any significant action is taken affecting you (see section 5); our SDG-introduced placement reservation mechanic (see the Organiser Agreement and Commercial Partner Agreement) incorporates a human-review checkpoint before any charge is captured.
  • Right to object to operational analytics (PECR statistical purposes exception): Our operational analytics rely on the statistical purposes exception in PECR Regulation 6(4)(c) (as amended by the Data (Use and Access) Act 2025) rather than on consent. You have a right to object at any time. To exercise this right, email [email protected], telling us which device or browser you used. We will confirm receipt within 5 working days, and complete your objection within 30 calendar days in line with the response window under UK GDPR Article 12. See section 4 of our Cookie Policy for full detail.

To exercise any of these rights, contact us at [email protected]. We will respond within one month. In most cases, verifying your identity is a prerequisite to acting on a request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal data from children under 13. Show guides are publicly accessible and do not require any personal information to view.

We take the safety of children seriously. All images uploaded to the Service are scanned automatically for CSAM as described in section 5. If you believe a child's personal data has been provided to us without appropriate consent, please contact us at [email protected] and we will investigate and, where appropriate, delete the data promptly.

11. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encrypted connections (HTTPS) across the Service
  • Secure authentication with password hashing handled by our authentication provider
  • Role-based access control and row-level security on stored data
  • Rate limiting and bot detection to prevent abuse
  • CAPTCHA challenges on sensitive actions such as sign-up and login
  • Administrative audit logging of privileged actions
  • Regular review of access, security settings, and third-party providers

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You also have a role to play: please use a strong unique password, keep your login details confidential, and notify us promptly if you suspect a compromise.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the Service or by email where practicable. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact

For data protection, GDPR, or privacy matters, contact [email protected].

For content safety concerns and reports, contact [email protected].

For legal notices and formal correspondence, contact [email protected].

For general questions, contact [email protected].