Privacy policy

Mass Crowd Events — Saint Lucia. How we collect, use, and protect personal data when you use this Platform.

Last updated: 26 March 2026

1. Introduction

The Mass Crowd Events platform (hereinafter “Platform” or “System”) is operated by the Ministry for Tourism, Commerce, Investment, Creative Industries, Culture and Heritage of Saint Lucia. We are committed to protecting the privacy and security of personal data entrusted to us by users of this Platform.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our Platform to apply for permits and licenses to conduct mass crowd events in Saint Lucia. It applies to all users including event organizers, applicants, and their representatives.

By using the Platform, you consent to the data practices described in this Privacy Policy. If you do not agree with any part of this policy, please do not use the Platform.

2. Information we collect

We collect various categories of information to process event applications and coordinate with government agencies:

2.1 Account data

  • Full name or legal entity name
  • Email address (primary communication channel)
  • Phone number(s)
  • Password (stored as a cryptographic hash, never in plain text)

2.2 Event application data

  • Event name and official title
  • Event type (Land Party, Boat Ride, Beach Party, Concert, Festival, or Other)
  • Venue/location details including geographic coordinates
  • Expected attendance numbers
  • Start date, start time, end date, and end time
  • Ticket pricing and revenue projections
  • Organizer details (name, contact information, professional background)
  • Security officer details (names, credentials, contact information)

2.3 Supporting documents

  • Event site plans (PDF, images)
  • Insurance certificates and documentation
  • Permits and licenses (government-issued)
  • File metadata including mime-types and upload timestamps

2.4 Agency form responses and safety data

  • Food handler certification lists and catering arrangements
  • Sanitation and hygiene arrangements
  • Medical support and emergency response plans
  • Fire safety checklists and compliance documentation
  • Concessionaire information and vendor details
  • Waste management and environmental plans

2.5 Communication data

  • Public comments submitted by users on applications
  • Internal comments from government agency personnel
  • Notification history and delivery records

2.6 Payment and financial data

  • Invoice numbers and tracking identifiers
  • Payment amounts for ECCO (Environmental Compliance and Clearance Organization) fees
  • Payment amounts for Fire Service license and inspection fees
  • Payment status and transaction dates

Note: We do not store full credit card numbers or payment card details. Payment processing is handled through PCI DSS compliant payment channels or processors designated by the Government of Saint Lucia, in line with applicable security standards.

2.7 Technical data

  • Activity logs including user actions and timestamps
  • Session data and authentication tokens
  • IP addresses and connection details
  • Browser type, operating system, and device information

2.8 Notification data

  • Email delivery records and status
  • SMS delivery records and status
  • Notification preferences and opt-out records

3. How we collect information

3.1 Directly from you

  • Account registration and profile creation
  • Event application form submissions
  • Document uploads (site plans, certificates, permits)
  • Form responses to agency questionnaires
  • Payment submissions and fee processing
  • Comments and communications within the Platform

3.2 Automatically collected data

  • Activity logs recording actions performed within the Platform
  • Session information automatically generated during login and usage
  • IP addresses and technical connection details
  • Browser and device information sent by your browser

3.3 From third parties

  • Government agency submissions and background checks
  • Information provided by organizers about security officers and vendors

4. Purpose of data collection

We collect and process your personal data for the following purposes:

  • Processing and evaluating mass crowd event permit applications
  • Coordinating and facilitating inter-agency review and approval processes
  • Communicating application decisions, approvals, and required actions to applicants
  • Generating government reports and event statistics
  • Ensuring compliance with government regulations and licensing requirements
  • Assessing and mitigating public safety risks associated with mass crowd events
  • Sending notifications and updates about application status
  • Maintaining audit trails for administrative and security purposes
  • Improving Platform functionality and user experience

5. Legal basis for processing

5.1 Legitimate government interest

Processing is necessary for the legitimate interests pursued by the government of Saint Lucia in regulating and licensing mass crowd events, and in ensuring public safety and order.

5.2 Public safety and security

Processing is necessary to protect public health, safety, and security in the context of large public gatherings.

5.3 Regulatory compliance

Processing is required by law to fulfill statutory obligations and regulatory requirements applicable to event licensing and public safety.

5.4 User consent

You provide explicit consent when you submit an event application and register on the Platform. You may withdraw consent at any time by contacting us, though this may prevent further use of the Platform.

6. Data sharing with third parties

6.1 Government agencies

We share relevant application data with the following government agencies to facilitate permit review, regulatory compliance, and public safety coordination:

  • Royal Saint Lucia Police Force — for security assessment and public order
  • Saint Lucia Fire Service — for fire safety compliance and emergency response planning
  • Ministry of Health — for public health and sanitation compliance
  • Environmental Health Division — for environmental and sanitation standards
  • ECCO (Environmental Compliance and Clearance Organization) — for environmental assessments
  • Local Government — for local authority coordination and licensing
  • Maritime Authority — for maritime safety (applicable to Boat Ride events)
  • NEMO (National Emergency Management Organization) — for disaster and emergency planning
  • Solid Waste Management — for waste management and environmental impact
  • Ministry of Infrastructure — for venue and infrastructure assessment

6.2 Third-party service providers

We engage third-party service providers to support Platform operations. These providers are contractually obligated to protect your data and only use it as needed for our purposes:

  • Twilio — for SMS notification delivery (phone numbers shared for SMS routing)
  • Resend — for email delivery and notification services (email addresses shared for message delivery)

6.3 No sale of personal data

We do not sell, rent, lease, or trade personal data to commercial entities. All sharing is strictly for government service delivery, public safety, and regulatory compliance purposes.

6.4 Data sharing agreements

All government agencies and service providers with whom we share data are bound by formal data sharing agreements that establish clear terms for data protection, permitted uses, and security standards.

7. Data retention

We retain personal data in accordance with the following schedules and legal requirements:

7.1 Account data

Retained for the duration of your account. Upon account deletion, the data is deleted within 30 days unless retention is required for legal compliance.

7.2 Event application data

Retained for a minimum of seven (7) years after event completion. Extended retention of up to seven (7) years if litigation, complaints, or regulatory investigations are pending.

7.3 Supporting documents

Retained for seven (7) years after the event. May be archived for government records retention purposes in accordance with Saint Lucia’s government data retention policies.

7.4 Activity and session logs

Retained for one (1) year for security and audit purposes. Older logs are deleted automatically.

7.5 Agency comments and communications

Retained for the duration of the application process and two (2) years thereafter.

7.6 Payment data

Invoice numbers and payment amounts are retained for seven (7) years for financial and tax compliance purposes.

7.7 Notification records

Email and SMS delivery records are retained for two (2) years for communication verification purposes.

7.8 Data deletion requests

You may request deletion of your data in accordance with Section 9 (Your rights). However, we may retain data as required by law or for public safety purposes.

8. Data security

We implement robust technical and organizational security measures to protect personal data against unauthorized access, alteration, or loss:

8.1 Encryption

  • Data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS)
  • Sensitive data at rest is encrypted using AES-256 or equivalent standards

8.2 Access controls and authentication

  • Role-based access control (RBAC) ensures users only access data appropriate to their role
  • Multi-factor authentication (MFA) is available and recommended for accounts with administrative privileges
  • All system accounts are protected by strong password policies requiring at least 8 characters and the complexity rules enforced at account registration

8.3 Password hashing

User passwords are never stored in plain text. All passwords are hashed using industry-standard cryptographic algorithms (bcrypt, Argon2, or equivalent) with salts to prevent rainbow table attacks.

8.4 Audit logging

  • All access to personal data is logged with timestamps and user identifiers
  • Audit logs are protected from tampering and reviewed regularly for suspicious activity
  • Failed login attempts and unauthorized access attempts are monitored

8.5 Data integrity and backups

  • Regular backups are performed to prevent data loss
  • Backups are encrypted and stored securely in geographically diverse locations
  • Data integrity checks are performed regularly to detect corruption

8.6 Incident response

We maintain an incident response plan to address potential data breaches. In the event of a security incident affecting personal data, we will notify affected users and authorities as required by law.

8.7 Limitations

While we implement comprehensive security measures, no system is completely immune to security breaches. We cannot guarantee absolute security, but we continuously work to improve our defenses.

9. Your rights

You have the following rights regarding your personal data:

9.1 Right to access

You have the right to request access to all personal data we hold about you. Upon receiving a request, we will provide a copy of your data in a structured, commonly used format within 30 business days.

9.2 Right to correction

You have the right to request correction of inaccurate or incomplete personal data. We will correct such data without undue delay.

9.3 Right to delete (“right to be forgotten”)

You may request deletion of your personal data, except where retention is required by law for public safety, regulatory compliance, or ongoing legal matters. Such requests will be processed within 30 business days.

9.4 Right to withdraw consent

If your personal data is processed based on your consent, you may withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

9.5 Right to lodge a complaint

You have the right to lodge a complaint with the Office of the Information Commissioner of Saint Lucia (or the competent supervisory authority under applicable Saint Lucia law) if you believe your rights have been violated.

9.6 Right to data portability

You have the right to obtain your personal data in a portable, machine-readable format and transmit it to another controller.

9.7 Exercising your rights

To exercise any of these rights, submit a written request using the contact information provided in Section 14. You will be asked to verify your identity to prevent unauthorized access to your data.

10. Cookies and session data

10.1 Session-based authentication

The Platform uses session-based authentication cookies to maintain your login session. These cookies:

  • Contain encrypted session tokens that expire after a period of inactivity
  • Are essential for Platform functionality and security
  • Are deleted when you log out or close your browser (subject to browser behaviour)

10.2 No third-party tracking cookies

The Platform does not use third-party tracking cookies, analytics cookies, or behavioral advertising cookies. We do not track user behavior for marketing purposes.

10.3 Session timeout

For security purposes, your session will automatically expire after 120 minutes of inactivity (configured server session lifetime). You will be required to log in again to continue using the Platform.

11. Children’s privacy

The Mass Crowd Events Platform is not intended for children under 18 years of age. We do not knowingly collect personal data from children under this age. If we become aware that we have collected data from a child, we will delete it promptly. Parents or guardians who believe their child has provided information to the Platform should contact us immediately.

12. International data transfers

Some of your personal data may be transferred to and processed in countries outside Saint Lucia, including:

  • Email addresses transmitted to Resend servers (locations include the United States and other jurisdictions where Resend operates)
  • Phone numbers transmitted to Twilio servers (locations include the United States and other jurisdictions where Twilio operates)

These transfers are necessary for Platform functionality and are protected by data processing agreements that ensure appropriate safeguards equivalent to those in Saint Lucia. By using the Platform, you consent to these international transfers.

13. Changes to this Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify users of material changes by:

  • Posting the updated policy on the Platform with a new “Last updated” date
  • Sending an email notification to registered users
  • Requesting explicit consent if the changes materially affect your rights

Your continued use of the Platform after changes become effective constitutes your acceptance of the updated policy.

14. Contact information

If you have questions about this Privacy Policy, wish to exercise your rights, or have privacy concerns, please contact:

Data Protection Officer / Platform Administrator

  • Email: Use the Contact us page — an official inbox will be shown there once configured.
  • Office hours: Monday to Friday, 8:00 a.m. to 4:30 p.m. (Atlantic Standard Time), excluding public holidays, unless otherwise published on the Contact us page.

We will respond to all inquiries and requests within 30 business days.

15. Filing a complaint

If you believe your privacy rights have been violated or have concerns about how your data is being handled, you may:

  • Submit a complaint to the Data Protection Officer using the contact information in Section 14
  • File a formal complaint with the Office of the Information Commissioner of Saint Lucia (or the competent authority under applicable law)

We will investigate all complaints and respond within 30 business days. You have the right to pursue legal remedies if you are not satisfied with our response.

This Privacy Policy is effective as of 26 March 2026 and was last updated on 26 March 2026.