We don't sell your data. We don't rent it. We don't trade it. Data you put into Tickitz is yours — we process it only to provide and improve the service you signed up for. We aim to collect the minimum data necessary and retain it only as long as needed. If you want a copy, correction, or deletion of your data, we'll honour that request.
Introduction
Tickitz Inc. ("Tickitz", "we", "us", "our") operates the Tickitz platform — including the web application at tickitz.io, the REST API, all official SDKs, webhooks, and related developer tooling (collectively, the "Platform"). This Privacy Policy ("Policy") explains how we collect, use, store, share, and protect information about you when you use the Platform.
This Policy applies to:
- Account holders — individuals and organizations that have registered a Tickitz account to build and manage ticketing experiences
- Visitors — individuals who browse tickitz.io without creating an account
- API users — developers accessing the Tickitz API using an API Key
It does not directly govern how Attendees' data is handled, because Tickitz acts as a data processor for Attendee data on behalf of our customers (who are the data controllers). The responsibilities of customers regarding Attendee data are described in §15.
By using the Platform, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please stop using the Platform and contact us to delete your account.
Who We Are
The data controller for personal data collected from account holders and website visitors is:
Tickitz Inc.
651 N Broad St, Suite 201
Middletown, Delaware 19709
United States of America
privacy@tickitz.io
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, Tickitz's EU/UK Representative for data protection purposes is reachable at eu-privacy@tickitz.io.
Our Data Protection Officer (DPO) can be contacted at dpo@tickitz.io. The DPO is responsible for overseeing compliance with applicable data protection laws, including the GDPR and UK GDPR.
Data We Collect
We collect the minimum data necessary to operate and improve the Platform. Here is a comprehensive overview:
Account & Identity
Full name, email address, company name, job title, profile photo (optional), account password (hashed — never stored in plain text), billing name and address.
Billing & Payment
Plan tier, billing cycle, invoice history, last 4 digits of payment card, card expiry, billing email. Full card details are handled entirely by Stripe — never stored on Tickitz servers.
Usage & Activity
Pages visited on tickitz.io, dashboard actions, feature usage patterns, API endpoint calls (method, path, timestamp, response code — not request body content), error logs.
Device & Technical
IP address, browser type and version, operating system, device type, screen resolution, referrer URL, preferred language, time zone. Collected automatically via server logs and analytics.
Communications
Emails you send to support or sales, live chat transcripts, feedback and survey responses, feature requests, and support ticket content.
Event & API Data
Event names, descriptions, venue details, ticket tier configuration, booking records, QR check-in logs — data you create through the Platform in the normal course of using it.
Data We Do Not Collect
We do not collect, and you must never submit to Tickitz:
- Government-issued ID numbers (passport, SSN, national ID)
- Full payment card numbers, CVV codes, or bank account numbers
- Biometric data or health information
- The contents of your API request bodies (only metadata is logged)
- Data about children under 13
How We Collect Data
4.1 Directly from you
When you register for an account, fill in your profile, submit a support request, respond to a survey, or correspond with us by email or chat, you provide data to us directly.
4.2 Automatically as you use the Platform
Server logs, analytics tools, and monitoring systems automatically record information about your interaction with the Platform. This includes page visits, API calls, error events, and session metadata. We use this to diagnose issues, monitor performance, and understand how features are used.
4.3 Via cookies and similar technologies
The Tickitz website uses cookies, local storage, and similar browser technologies. See §9 for a full breakdown of which cookies we set, why, and how to control them.
4.4 From third-party integrations
If you connect a third-party service (e.g. sign in with Google), we receive limited profile information from that service (typically name and email). We use only the minimum information necessary to create or link your account.
4.5 From payment providers
Stripe provides us with billing confirmation events (payment succeeded, subscription created, invoice paid, etc.) and non-sensitive card metadata (last 4 digits, expiry, brand) to display in your billing dashboard.
4.6 Inferred data
We may infer information about you from your usage patterns — for example, which SDK language you use most, your typical event size, or your billing country — to personalise communications and improve the product.
Legal Basis for Processing (GDPR)
For users in the EEA, UK, or Switzerland, we rely on the following legal bases under GDPR / UK GDPR:
| Processing Activity | Legal Basis |
|---|---|
| Creating and managing your account | Contract performance (Art. 6(1)(b)) |
| Processing payments and issuing invoices | Contract performance (Art. 6(1)(b)) |
| Providing API access and platform features | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (confirmations, alerts) | Contract performance (Art. 6(1)(b)) |
| Fraud prevention and security monitoring | Legitimate interests (Art. 6(1)(f)) |
| Platform analytics and product improvement | Legitimate interests (Art. 6(1)(f)) |
| Responding to support requests | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails and product updates | Consent (Art. 6(1)(a)) or Legitimate interests where applicable |
| Complying with legal obligations (e.g. tax records) | Legal obligation (Art. 6(1)(c)) |
| Non-essential cookies and analytics tracking | Consent (Art. 6(1)(a)) |
Where we rely on legitimate interests, we have conducted a balancing test and concluded that our interests are not overridden by your rights and interests. You can request a copy of our legitimate interests assessment by contacting privacy@tickitz.io.
How We Use Your Data
We use the information we collect for the following purposes:
6.1 Providing and operating the Platform
To create and manage your account, authenticate API requests, process bookings, issue tickets, deliver webhooks, run the QR check-in system, and perform all other core Platform functions.
6.2 Billing and payments
To process subscription payments, issue invoices, apply credits, handle upgrades and downgrades, and communicate about billing issues.
6.3 Security and fraud prevention
To detect and investigate suspicious API activity, protect against unauthorized access, enforce rate limits, identify abuse patterns, and secure your account and data. This includes our fraud detection module, which scores bookings on your behalf and may use aggregate anonymised signals from across the Platform to improve detection accuracy.
6.4 Customer support
To respond to your support requests, diagnose technical issues, and communicate about Platform changes or incidents that affect your account.
6.5 Product improvement and analytics
To understand how the Platform is used, identify bugs and performance bottlenecks, test new features, measure the impact of changes, and prioritise our product roadmap. Analytics data is aggregated and anonymised wherever possible.
6.6 Communications
To send transactional emails (booking confirmations, webhook failure alerts, API key rotation reminders, invoice receipts) and — with your consent or where otherwise permitted — product news, feature announcements, and engineering blog posts.
6.7 Legal compliance
To comply with applicable laws, regulations, legal processes, and government requests; to enforce our Terms of Service; and to protect the rights, property, or safety of Tickitz, our customers, or others.
We do not use your data to build advertising profiles or sell it to advertisers, data brokers, or marketing platforms. We do not use third-party advertising networks on the Platform. Full stop.
Sharing & Disclosure
We do not sell, rent, or trade your personal data. We share data with third parties only in the following limited circumstances:
7.1 Service providers (sub-processors)
We engage trusted third-party companies to help us operate the Platform. These sub-processors access your data only to perform services on our behalf and are contractually obligated to protect it:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing, billing, and invoicing | US / EU |
| AWS (Amazon Web Services) | Cloud hosting, storage, CDN, and databases | US / EU |
| Postmark | Transactional email delivery | US |
| Cloudflare | DDoS protection, DNS, edge caching | Global |
| Datadog | Application monitoring, logging, and alerting | US / EU |
| Linear | Internal bug tracking (no customer PII) | US |
| Intercom | In-app support chat and help desk | US / EU |
A complete and up-to-date list of sub-processors is available at tickitz.io/legal/sub-processors. We will notify you at least 10 days before adding a new sub-processor that handles personal data.
7.2 Business transfers
If Tickitz is involved in a merger, acquisition, restructuring, asset sale, or bankruptcy, your data may be transferred to the successor entity. We will notify you before your data is transferred and becomes subject to a different privacy policy, and you will have the opportunity to delete your account before the transfer.
7.3 Legal requirements
We may disclose your data when required by law, court order, or valid legal process, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Tickitz, our customers, or the public. We will notify you of such requests where legally permitted and will challenge overly broad or legally deficient requests.
7.4 With your consent
We may share your data with third parties if you have given us explicit consent to do so, for example if you participate in a joint case study or integration partnership.
Third-Party Services & Links
The Platform may contain links to third-party websites, integrations, or documentation hosted by external parties (e.g. npm, GitHub, Stripe). Clicking these links will take you to sites not operated by Tickitz. We are not responsible for the privacy practices of those sites and strongly encourage you to review their privacy policies.
The Tickitz SDK is published on npm and hosted on GitHub. Use of those platforms is subject to their respective terms and privacy policies (npm / GitHub are owned by Microsoft). We do not control what data those platforms collect when you access our packages.
If you connect Tickitz to a third-party service (e.g. Slack for webhook notifications, Zapier for automation), that connection is governed by the third party's privacy policy. Review it carefully before connecting. You can disconnect any integration at any time from Dashboard → Integrations.
Cookies & Tracking Technologies
9.1 What cookies we use
| Cookie / Technology | Type | Purpose | Duration |
|---|---|---|---|
| tz_session | Essential | Maintains your authenticated session | Session |
| tz_csrf | Essential | CSRF protection token | Session |
| tz_theme | Functional | Stores your dark/light mode preference | 1 year |
| tz_lang | Functional | Stores your language preference | 1 year |
| tz_analytics | Analytics | Anonymous usage analytics (no PII) | 90 days |
| Intercom widget | Functional | Powers the in-app support chat | Session / persistent |
| Stripe.js | Essential | Secure payment form, fraud prevention | Session |
9.2 We do not use
- Third-party advertising or retargeting cookies (Google Ads, Facebook Pixel, etc.)
- Cross-site tracking technologies
- Fingerprinting or device identification beyond standard session management
9.3 Cookie consent and control
On your first visit, we display a cookie consent banner. Essential cookies are set without consent (as they are strictly necessary for the Platform to function). Functional and analytics cookies require your consent. You may withdraw consent or manage your preferences at any time via the cookie settings panel (accessible from the footer) or by clearing your browser's cookies.
Most browsers allow you to refuse cookies, delete existing cookies, or receive notifications when cookies are set. Note that disabling essential cookies will prevent you from logging in to the Platform.
Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, unless a longer retention period is required by law.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account profile data | Duration of account + 90 days | Allow data export after closure |
| Event, booking, and ticket records | Duration of account + 90 days | Operational continuity |
| API request logs (metadata only) | 90 days rolling | Debugging, security monitoring |
| Billing records and invoices | 7 years | Tax and legal compliance |
| Support communications | 3 years from last interaction | Context for ongoing support |
| Anonymised analytics | Indefinite | Product improvement (no PII) |
| Security audit logs | 2 years | Incident investigation |
| Webhook delivery logs | 30 days rolling | Debugging failed deliveries |
After the applicable retention period, data is securely deleted from production systems. Encrypted backups may retain data for up to 30 additional days after deletion from live systems, after which they are overwritten or destroyed.
You may request earlier deletion of your personal data at any time (subject to legal retention requirements) by emailing privacy@tickitz.io.
Data Security
We take the security of your data seriously and implement the following technical and organisational measures:
11.1 Technical measures
- Encryption in transit — all data transmitted between your browser or application and Tickitz is encrypted using TLS 1.2 or higher. We enforce HTTPS and use HSTS headers.
- Encryption at rest — all data stored in our databases and file storage is encrypted using AES-256. Database backups are encrypted using separate keys.
- API key security — API keys are stored as one-way hashes (never in plain text). Keys are prefixed (sk_live_ / sk_test_) to allow automated secret scanning in code repositories.
- Secure credential handling — account passwords are hashed using bcrypt with a cost factor of 12 or higher. We do not support SMS-based 2FA; we support TOTP authenticator apps and hardware security keys (WebAuthn).
- Network isolation — our production databases are not publicly accessible and are isolated within a private VPC. Access requires VPN and certificate-based authentication.
11.2 Organisational measures
- SOC 2 Type II compliance — annual audit by an independent third party
- Annual penetration testing by an external security firm
- Role-based access control — employees access only the minimum data required for their role
- Background checks on all employees with access to production systems
- Security awareness training for all staff on joining and annually thereafter
- A formal incident response plan with defined escalation paths and customer notification timelines
11.3 Data breach notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and, where required by law, the relevant supervisory authority within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, the data involved, the likely consequences, and the measures taken to address it.
While we implement industry-leading security measures, no method of transmission over the internet or electronic storage is absolutely secure. If you believe your account has been compromised, revoke your API keys immediately and contact security@tickitz.io.
International Data Transfers
Tickitz is headquartered in the United States. If you are located in the EEA, UK, or Switzerland, your personal data may be transferred to and processed in the United States or other countries that may not offer the same level of data protection as your home country.
We ensure that all such transfers are carried out lawfully using one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) — we have entered into the EU Standard Contractual Clauses approved by the European Commission with sub-processors and relevant partners.
- UK International Data Transfer Agreements (IDTAs) — used for transfers to and from the United Kingdom.
- Adequacy decisions — where the European Commission or UK ICO has recognized a third country as providing an adequate level of protection.
Copies of our SCCs and data transfer impact assessments are available on request at privacy@tickitz.io.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data. We honour all of these requests without requiring you to pay a fee, and we will respond within 30 days (or 45 days for complex requests).
Access
Request a copy of the personal data we hold about you and information about how we process it.
Rectification
Request correction of inaccurate or incomplete personal data. Most account data can be updated directly in the Dashboard.
Erasure
Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
Restriction
Request that we restrict processing of your data in certain circumstances (e.g. while accuracy is disputed).
Portability
Receive your personal data in a structured, machine-readable format and transmit it to another controller.
Objection
Object to processing based on legitimate interests, including profiling. We will stop unless we have compelling legitimate grounds.
Withdraw Consent
Where processing is based on consent, withdraw it at any time. Withdrawal does not affect prior processing.
Automated Decisions
Not be subject to solely automated decisions (including profiling) that produce significant legal effects, without human review.
To exercise any of these rights, email privacy@tickitz.io with your request. We may need to verify your identity before processing. If you are in the EEA or UK, you also have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, the CNIL in France).
California residents (CCPA/CPRA): You have additional rights including the right to know what personal information we collect and to whom it is sold or disclosed (we do not sell it), the right to delete, the right to opt out of sale (not applicable — we don't sell), and the right to non-discrimination. Submit requests to privacy@tickitz.io or call our toll-free number listed on the contact page.
Children's Privacy
The Tickitz Platform is not directed at children under the age of 13 (or 16 in the EEA/UK, where applicable), and we do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us immediately at privacy@tickitz.io.
If we discover that we have inadvertently collected personal data from a child under the applicable age threshold, we will delete that data as promptly as possible. Platform accounts require the account holder to be at least 18 years old.
Attendee Data (Customer Responsibilities)
When you use Tickitz to sell tickets and manage events, you collect and process personal data about your Attendees (names, email addresses, purchase history, check-in records, etc.). In this context:
- You are the data controller — you decide the purposes and means of processing Attendee data.
- Tickitz is the data processor — we process Attendee data only on your documented instructions, as defined in our Data Processing Agreement (DPA).
As the data controller, you are responsible for:
- Having a valid legal basis to collect and process Attendee data
- Maintaining a privacy policy that discloses to Attendees your use of Tickitz as a sub-processor
- Responding to Attendees' data subject access requests relating to their personal data
- Ensuring that your use of the QR check-in and fraud detection modules complies with applicable law
- Obtaining any required consents before sending marketing communications to Attendees
Tickitz will assist you in meeting your obligations under applicable data protection law by providing the technical tools and contractual commitments described in the DPA. To request our DPA, contact privacy@tickitz.io.
API & Developer Data
When you use the Tickitz API, we collect API request metadata for security monitoring, rate limiting, and debugging. This includes:
- API endpoint called (method + path)
- Timestamp and response code
- Response time in milliseconds
- API Key identifier (prefix only, not full key)
- IP address of the requesting client
- SDK version identifier (from the User-Agent header)
We do not log request or response bodies. The content of your API payloads (event details, customer data, booking records) is processed in memory to produce the response and is not persisted to our logging infrastructure.
API logs are retained for 90 days on a rolling basis. You can access your API logs via Dashboard → Logs or programmatically via GET /v1/logs.
The fraud detection module uses anonymised, aggregated signals from across all Platform bookings to improve its models. No Personally Identifiable Information (PII) is used in model training. Individual booking-level risk scores are visible only to the account holder that processed the booking.
Marketing Communications
We send the following types of email communications:
17.1 Transactional (no opt-out)
These are essential to the service and cannot be unsubscribed from while you hold an active account. They include: account registration and email verification, password reset requests, API key rotation alerts, webhook failure notifications, billing confirmations and invoices, and security incident notifications.
17.2 Product & marketing (opt-in)
With your consent (obtained during registration or via your account settings), we may send: product update announcements, new feature highlights, engineering blog posts, case studies, event industry insights, and survey invitations. You can unsubscribe at any time via the "Unsubscribe" link in any marketing email or via Dashboard → Settings → Notifications.
17.3 No third-party marketing
We do not share your email address with third parties for their marketing purposes. We do not send marketing on behalf of our partners or sponsors. If you receive marketing communications claiming to be from Tickitz that look suspicious, report it to security@tickitz.io.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email to the address associated with your account at least 14 days before the change takes effect
- Display a prominent notice in the Dashboard for 30 days following the update
For minor, non-material changes (correcting typos, clarifying language without changing meaning, updating contact details), we may update the Policy without advance notice.
Your continued use of the Platform after the effective date of any updated Policy constitutes your acceptance of the changes. If you do not agree, you may close your account before the effective date. A changelog of all Policy versions is available at tickitz.io/legal/privacy/history.
Contact & Data Protection Officer
If you have questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data, please contact us:
| Topic | Contact |
|---|---|
| General privacy questions | privacy@tickitz.io |
| Data subject access requests (DSAR) | privacy@tickitz.io |
| Data Protection Officer | dpo@tickitz.io |
| EU/UK representative | eu-privacy@tickitz.io |
| Security incidents | security@tickitz.io |
| Data Processing Agreement (DPA) | privacy@tickitz.io |
Postal address: Tickitz Inc., Attn: Privacy Team, 651 N Broad St, Suite 201, Middletown, Delaware 19709, USA.
We aim to respond to all privacy-related inquiries within 5 business days. If you are in the EEA or UK and feel that we have not adequately addressed your concern, you have the right to escalate to your local supervisory authority. In the UK this is the Information Commissioner's Office (ICO). In the EU, contact the supervisory authority in your country of residence.
Your account settings give you direct control over most of your data — update your profile, manage notification preferences, download your data, or delete your account from Dashboard → Settings. For anything else, we're one email away at privacy@tickitz.io.