Privacy & Cookies
Last updated: YYYY-MM-DD
[Company Name] (the “Controller”) — registered at [Address], company reg. no. [Number], VAT [Number]. Contact: privacy@[your-domain].com.
1. Introduction
This page explains what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and your rights under EU data protection law (GDPR). It also explains cookies and how to control them.
2. What personal data we collect
We collect personal data you give us when you:
- Buy tickets: name, email, billing address, invoicing data, order details, phone (optional), IP address, payment metadata (payment provider retains card details; we only see transaction metadata).
- Use the contact form: name, email, message content, optional attachments.
- Use the site: technical data (IP address, browser user agent, device info), cookies, and analytics data if you consent.
- Create an account or log in (if applicable): username, email, hashed password.
We do not store raw card numbers — payment card data is handled by our payment provider (e.g. Stripe / PayPal). See Third Parties below.
3. Legal bases for processing
- Contract — to process ticket orders and deliver e-tickets, invoices, and customer support.
- Consent — for analytics, marketing, and non-essential cookies (you can withdraw consent at any time).
- Legal obligation — where retention or records are required by law (tax, invoicing).
- Legitimate interest — limited administrative tasks, fraud prevention, and preventing abuse where we have balanced interests (we document this internally).
4. How we use your data (purposes)
- Process and fulfil ticket purchases (orders, confirmations, e-tickets).
- Communicate with you about your purchase or inquiries (contact form or support).
- Prevent fraud and ensure payment security.
- Improve the website via analytics (only with consent).
- Send marketing emails only if you opted in; you can unsubscribe anytime.
- Comply with legal obligations (accounting, taxation).
5. Third-party processors & transfers
We share personal data with service providers necessary to run the service:
- Hosting & infrastructure — CDN / hosting provider (Netlify, WP host, etc.).
- Payment providers (e.g. Stripe, PayPal) — process payments and fraud prevention. They may set cookies and collect data; card data is processed by them under their terms.
- Email providers (e.g. SendGrid, Mailgun) — to send order confirmations and transactional emails.
- Analytics & ads (e.g. Google Analytics, Facebook Pixel) — only if you consent.
- reCAPTCHA / anti-fraud services — may process visitor data to prevent abuse.
Where providers are outside the EEA, we rely on EU-approved safeguards (standard contractual clauses) or the provider’s adequacy decisions. Contact privacy@[your-domain].com if you want details.
6. Cookies and tracking
Short version: we use strictly necessary cookies for checkout and sessions. Non-essential cookies (analytics, marketing) are disabled until you consent. Use Cookie settings to manage preferences.
Cookie categories (examples)
- Marketing / Advertising — Facebook Pixel, retargeting tags. (Consent required.)
- Necessary / essential — session cookies for cart/checkout, authentication: required to operate the ticket purchase. (No consent required.)
- Preferences / functional — remember language or display choices. (Consent preferred.)
- Analytics — Google Analytics, Matomo (collect anonymous site usage). (Consent required.)
How to manage cookies
- Click Cookie settings (link/modal in footer) to accept or decline non-essential cookies.
- You can withdraw consent at any time via the same Cookie settings.
- You can also clear cookies in your browser — but that may affect your checkout session.
7. Data retention
- Order data and invoices: kept for accounting/tax purposes as required by law (typically 6–10 years depending on jurisdiction).
- Contact form messages: retained for up to 2 years unless you request deletion.
- Analytics data: retained according to consent and provider defaults (we recommend 14–26 months unless otherwise configured).
- Consent logs: retained for 5 years to demonstrate consent records.
8. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you.
- Request rectification of inaccurate data.
- Request erasure (“right to be forgotten”) where no legal retention obligation exists.
- Request restriction of processing.
- Object to processing based on legitimate interest or direct marketing.
- Request portability of data in a machine-readable format.
- Withdraw consent at any time (does not affect processing before withdrawal).
To exercise any right, contact: privacy@[your-domain].com. We will respond within one month (may extend to two months for complex requests).
If you believe we mishandled your data, you also have the right to lodge a complaint with a supervisory authority in your EU member state.
9. Security
We use technical and organizational measures (encryption in transit, access controls) to protect personal data. Payment card data is handled by our payment providers under PCI requirements.
10. Children
Our services are not directed to children under 16. If you believe we have collected data from a child under the applicable age, contact us to request deletion.
11. Changes to this policy
We’ll post changes on this page and update the “Last updated” date. Material changes will be notified by email if we have your address.