Privacy Policy
This Privacy Policy explains how TicketLane (“we”, “us”, “our”) collects, uses, shares, and protects personal data when you use our website, mobile application, and related services (the “Service”). We process personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
1. Who We Are and How to Contact Us
Data Controller (for the Service): TicketLane (the “Platform”).
Contact: [email protected]
Important role split: When you buy a ticket or register for an event, the event organiser is typically the data controller for personal data they use to run their event (e.g., attendee lists, communications, access control), and we act as a data processor for the organiser for those activities. We remain a data controller for our own platform operations (accounts, security, billing, fraud prevention, analytics, and support).
2. Definitions
- “Personal Data”: Information relating to an identified or identifiable natural person.
- “Processing”: Any operation performed on Personal Data (e.g., collection, storage, use, disclosure).
- “Organiser”: A person or entity that creates and manages events on the Service.
- “Buyer”: A person purchasing or receiving tickets/registrations via the Service.
- “Usage Data”: Technical data collected automatically (e.g., IP address, device identifiers, logs).
- “Cookies”: Small files stored on your device used for functionality and (where enabled) analytics/marketing.
3. Personal Data We Collect
3.1 Data you provide
- Account data: name, email address, phone number, login credentials (hashed), and profile settings.
- Purchase data: tickets purchased, order details, receipts/invoices where applicable, refund history.
- Organiser data: organiser profile information, event details, payout details, and compliance information you submit.
- Support communications: messages you send us (including attachments where provided).
- Marketing preferences: your opt-in/opt-out status and communication choices.
3.2 Data collected automatically
- Usage Data: IP address, device type, operating system, browser type, app version, pages/screens viewed, timestamps, referring URLs, and diagnostic logs.
- Security and fraud signals: login events, risk indicators, device identifiers (where available), and activity patterns used to protect the Service.
3.3 Payment data
Card and payment credentials are processed by our third-party payment providers. We typically receive only limited payment information (e.g., payment status, last four digits, payment method type, and transaction identifiers) needed for records, refunds, dispute handling, and fraud prevention.
4. How We Use Your Data and Legal Bases (GDPR)
We process personal data only where we have a lawful basis. Depending on the context, our legal bases include: contract necessity, legal obligation, legitimate interests, and consent.
- Provide the Service (Contract): create accounts, enable event listings, facilitate ticket purchase flows, provide tickets/QR codes, handle customer service, and administer organiser payouts.
- Payments, refunds, and dispute handling (Contract / Legal obligation / Legitimate interests): process transactions, prevent fraud, handle chargebacks, comply with payment partner rules, and maintain accounting records.
- Security and fraud prevention (Legitimate interests / Legal obligation): monitor, detect, and prevent unauthorised access, abuse, and other harmful activity; enforce our terms; protect users and payment partners.
- Platform improvement and analytics (Legitimate interests; Consent where required): understand usage, fix bugs, improve features, and measure performance. Where local law requires consent for non-essential cookies/trackers, we rely on consent.
- Marketing communications (Consent / Legitimate interests): send promotional messages where you have opted in (or where permitted by law). You can opt out at any time.
- Compliance (Legal obligation): comply with applicable laws, lawful requests, and regulatory requirements.
5. How We Share Your Data
We share personal data only where necessary and with appropriate safeguards:
- With Organisers: if you buy/receive a ticket, we share relevant attendee information with the Organiser to operate the event (e.g., attendee lists, check-in/scanning, event updates, refunds where applicable). Organisers are responsible for their own privacy practices.
- With service providers (Processors): payment processing, email delivery, hosting, analytics, customer support tools, and security services. They may access data only to perform services for us under contractual obligations.
- With authorities and for legal reasons: where required by law, court order, or to protect rights, safety, and the integrity of the Service.
- Business transactions: if we undergo a merger, acquisition, restructuring, or asset sale, your data may be transferred subject to confidentiality and applicable law.
- With your consent: where you ask us to share data for a specific purpose.
6. Cookies and Similar Technologies
We use cookies and similar technologies for functionality, security, and (where enabled) analytics and marketing. You can control cookies through your browser settings and, where available, through our cookie preference tools. Disabling certain cookies may limit functionality.
- Strictly necessary: required for login, security, and core site/app functionality.
- Preferences: remember settings (e.g., language, session choices).
- Analytics: help us understand usage and improve performance (may require consent depending on your jurisdiction).
- Marketing: used to measure and improve promotions (only where enabled and permitted/consented).
7. International Transfers
Your data may be processed in countries outside the European Economic Area (“EEA”) where our service providers operate. Where this occurs, we implement appropriate safeguards such as standard contractual clauses or equivalent mechanisms recognised under GDPR, and we take steps to ensure an adequate level of protection.
8. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy, including for legal, accounting, fraud prevention, dispute handling, and enforcement purposes.
- Account data: retained while your account is active, and for a reasonable period thereafter as required for security, legal, and audit needs.
- Transaction records: retained as required for accounting/tax obligations and dispute/chargeback windows.
- Support communications: retained for as long as needed to resolve issues and maintain records.
- Usage/log data: typically retained for shorter periods unless needed for security investigations or legal compliance.
Where you request deletion, we may retain certain information where required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution, compliance).
9. Your Rights (GDPR)
Subject to applicable law, you may have the right to:
- Access your personal data and obtain a copy.
- Rectify inaccurate or incomplete data.
- Request deletion (“right to be forgotten”) in certain circumstances.
- Restrict processing in certain circumstances.
- Object to processing based on legitimate interests and to direct marketing.
- Receive your data in a structured, commonly used, machine-readable format (data portability).
- Withdraw consent at any time where processing is based on consent (this does not affect prior lawful processing).
To exercise these rights, email us at [email protected]. We may ask for verification of identity before fulfilling your request.
Complaints: You also have the right to lodge a complaint with your local data protection authority (and, if applicable, the supervisory authority in Malta).
10. Automated Decision-Making
We may use automated systems to help detect fraud, prevent abuse, and protect the Service (e.g., risk scoring and security signals). Where such processing produces legal or similarly significant effects, we implement appropriate safeguards and you may request human review where required by law.
11. Security of Your Data
We use reasonable administrative, technical, and organisational measures designed to protect personal data. However, no method of transmission or storage is completely secure. Please use strong passwords and keep your devices secure.
12. Children’s Privacy
The Service is not directed to children under 13, and we do not knowingly collect personal data from individuals under 13. If you believe a child has provided personal data, contact us and we will take appropriate steps to delete it.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last Modified” date. Continued use of the Service after changes become effective constitutes acceptance of the updated policy.
14. Contact Us
For questions or concerns about this Privacy Policy, contact: [email protected]