Privacy Policy

At GDG Medan, we are committed to protecting your privacy and ensuring transparency about how we collect, use, store, and share your personal information. This Privacy Policy explains our practices regarding the collection and use of information, including Google user data, when you use our website and services.

By using our services, you agree to the collection and use of information in accordance with this policy. We comply with the Google API Services User Data Policy and Google APIs Terms of Service.

We use Google OAuth 2.0 to authenticate users and access the following Google user data:

• OpenID Connect (openid scope): Used for user authentication and identification. We receive your Google account ID (sub) which serves as your unique identifier in our system.
• Email (email scope): We access your Google account email address to create and manage your account, send event-related communications, and provide service notifications.
• Profile (profile scope): We access your name and profile picture URL from your Google account to personalize your experience and display your information in event registrations and certificates.

We only request the minimum scopes necessary to provide our services. We do not access any other Google user data beyond what is explicitly listed above.

We use the Google user data we collect for the following purposes:

• User Authentication and Account Management: Your Google account ID, email, name, and profile picture are used to create and maintain your user account, authenticate your identity, and manage your access to our services.
• Event Registration and Management: We use your information to process event registrations, manage ticket purchases, and generate event certificates.
• Personalization: Your data enables us to provide personalized features such as saved events, event recommendations based on your past attendance, and customized event calendars.
• Communication: We use your email address to send you important notifications about event registrations, payment updates, event reminders, and post-event follow-ups. You can manage your notification preferences in your account settings.
• Service Delivery: Your information is used to provide core services including room bookings, merchandise orders, feedback collection, and certificate generation.
• Security and Fraud Prevention: We use your data to maintain the security of our services, prevent fraud, and ensure compliance with our terms of service.

We do not use Google user data for advertising purposes or to build advertising profiles.

We do not sell, rent, or trade your Google user data. However, we may share your information with the following third-party service providers who assist us in operating our services:

• Midtrans: Payment processing service that receives payment-related information (email, name, payment amounts) necessary to process transactions. Midtrans is compliant with PCI DSS standards for payment data security.
• Cloudflare: Our hosting and infrastructure provider. Cloudflare hosts our database (D1) and storage (R2) services. All data stored with Cloudflare is encrypted at rest and in transit.
• Firebase Cloud Messaging (FCM): Push notification service that receives FCM tokens to deliver push notifications to your devices. FCM tokens are device-specific and do not contain personal information.
• Email Service Providers: We use email service providers to send transactional emails. These providers receive your email address and necessary information to deliver event-related communications.
• GDG Community API: We fetch public event data from the GDG Community API. We do not share your personal information with this service; it only provides public event listings.

All third-party service providers are contractually obligated to protect your information and use it only for the purposes we specify. They are not permitted to use your data for their own purposes.

We may also disclose your information if required by law, court order, or government regulation, or to protect our rights, property, or safety, or that of our users or others.

We implement industry-standard security measures to protect your data:

• Encryption: All data is encrypted in transit using HTTPS/TLS encryption. Data stored in our database is encrypted at rest.
• Token Security: Google OAuth refresh tokens are encrypted before storage in our database using industry-standard encryption algorithms. Session tokens are JWT-based with secure expiration policies.
• Secure Session Management: We use secure, HttpOnly cookies for session management with SameSite protection to prevent CSRF attacks.
• Access Controls: We implement role-based access controls to ensure that only authorized personnel can access user data. All access is logged and monitored.
• CSRF Protection: We implement Cross-Site Request Forgery (CSRF) protection to prevent unauthorized actions.
• Secure Infrastructure: Our services are hosted on Cloudflare's secure infrastructure, which provides DDoS protection, firewall services, and continuous security monitoring.

While we implement strong security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability.

Data Retention: We retain your Google user data and associated information for as long as your account is active and you continue to use our services. We also retain data as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.

Data Deletion: You have the right to request deletion of your account and all associated data at any time. Upon receiving a valid deletion request, we will:

• Delete your user account and all associated Google user data
• Delete all event registrations associated with your account
• Delete all feedback submissions you have made
• Delete all room bookings associated with your account
• Delete all saved events and preferences
• Delete all FCM tokens for push notifications
• Delete all session tokens and refresh tokens
• Delete your notification preferences

How to Request Deletion: To request deletion of your account and data, please send an email to info@gdgmedan.com with the subject line "Account Deletion Request" and include your registered email address. We will process your request and confirm deletion within 30 days.

Important Notes:

• Some information may be retained for legal or compliance purposes (e.g., payment records for accounting purposes, audit logs for security). Such data will be anonymized where possible.
• If you have pending event registrations or active transactions, we may need to complete those processes before deletion can be finalized.
• After account deletion, you will no longer be able to access any certificates, registrations, or other data associated with your account.

Additional Data Collected: In addition to Google user data, we may collect optional information that you provide, such as phone number, company, and job title. This information is used solely for event registration and service delivery purposes.

Cookies and Tracking: We use essential cookies for authentication and session management. We do not use tracking cookies or analytics cookies that share data with third parties.

Children's Privacy: Our services are not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13.

Changes to This Policy: We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of our services after such changes constitutes acceptance of the updated policy.

Your Rights: You have the right to access, update, or delete your personal information at any time through your account settings or by contacting us. You can also revoke Google OAuth access through your Google account settings.