Privacy Policy

1. What Information We Collect

Information you provide directly

• Account information: name, email address, password (hashed), and profile details when you create an account
• Purchase information: billing details, order history, ticket selections, and discount codes used
• Organizer information: business name, payout details, event content, venue information, and team member details
• Communications: messages sent through our support channels, feedback, and survey responses

Information collected automatically

• Device & browser data: IP address, browser type and version, operating system, device identifiers
• Usage data: pages visited, features used, click patterns, search queries, and session duration
• Check-in data: QR code scan timestamps, device used for scanning, and venue location data
• Referral data: how you arrived at our platform (e.g., search engine, social media, direct link)
• Camera data (mobile app): the TicketSmart Door app accesses your device camera solely to scan ticket QR codes. No images or video are stored, recorded, or transmitted — the camera feed is processed on-device in real time and immediately discarded

Information from third parties

• Authentication providers: when you sign in with Google, we receive your name, email, and profile photo
• Payment processors: Stripe provides us with transaction confirmation, partial card details (last 4 digits), and fraud risk assessments

2. How We Use Your Information

We use your information for the following purposes:

• Service delivery: processing ticket purchases, issuing tickets and QR codes, managing check-ins, and delivering order confirmations
• Payment processing: facilitating payments between buyers and organizers through Stripe Connect
• Account management: maintaining your account, authentication, and session management
• Communications: sending order confirmations, ticket delivery emails, event updates, and support responses
• Organizer tools: providing event analytics, attendee lists, sales reports, and door management features
• Security & fraud prevention: detecting unauthorized access, preventing payment fraud, and rate-limiting abuse
• Platform improvement: analyzing usage patterns to improve features, fix bugs, and optimize performance

3. When We Share Your Information

We do not sell your personal information. We share data only in these circumstances:

• With event organizers: when you purchase a ticket, the organizer receives your name, email, and order details to manage attendance and communicate event updates
• Payment processors: Stripe processes payments and receives necessary transaction data
• Email delivery: Resend delivers transactional emails on our behalf
• Organizer-controlled integrations: when an event organizer connects a third-party tool to their TicketSmart account (for example, a Telegram bot for order alerts or workflow automations), attendee data the organizer can already see in our dashboard — such as buyer name, email, and order details — may be relayed to that tool. The organizer is the data controller for the integration they enable, and is responsible for that tool's data handling and retention. We never enable third-party integrations without explicit organizer action.
• Legal requirements: when required by law, court order, or to protect the rights and safety of our users
• Business transfers: in connection with a merger, acquisition, or sale of assets, with prior notice

4. Payment Processing

All payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. TicketSmart does not store, process, or have access to your full card number, CVV, or card security codes. Payment data is transmitted directly to Stripe via their secure, encrypted APIs.

Organizer payouts are handled through Stripe Connect Standard accounts. Organizers connect their own Stripe accounts and manage their payout schedules independently.

5. Cookies and Tracking

We use cookies and similar technologies for:

• Essential cookies: authentication, session management, and security (required for the platform to function)
• Functional cookies: remembering your preferences, language, and theme settings
• Analytics cookies: understanding how visitors use the platform to improve features and performance

We do not use advertising or third-party tracking cookies. You can control cookies through your browser settings, though disabling essential cookies may prevent you from using the platform.

6. How Long We Keep Your Data

We retain your data for as long as necessary to provide our services and fulfill the purposes described in this policy:

• Account data: retained while your account is active and for 30 days after deletion request
• Transaction records: retained for 7 years to comply with financial and tax reporting obligations
• Check-in logs: retained for 12 months after the event date
• Support communications: retained for 24 months after resolution
• Server logs: retained for 90 days for security and debugging purposes

7. How We Protect Your Data

We implement industry-standard security measures including:

• Encryption of data in transit (TLS 1.2+) and at rest
• Hashed and salted password storage
• JWT-based session tokens with expiration
• Role-based access controls for organizer teams
• Rate limiting on authentication and API endpoints
• Regular security reviews and dependency updates

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to support@ticketsmart.ai.

In the event of a data breach affecting your personal information, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights:

• Access: request a copy of the personal data we hold about you
• Correction: update or correct inaccurate information
• Deletion: request deletion of your account and associated data
• Portability: receive your data in a machine-readable format
• Objection: object to certain types of data processing
• Withdraw consent: where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at support@ticketsmart.ai. We will respond within 30 days.

9. Children's Privacy

TicketSmart is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. International Data Transfers

Our services are hosted on infrastructure in the United States and Europe. If you access our platform from outside these regions, your data may be transferred to and processed in these locations. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where applicable.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to account holders and a prominent notice on the platform. Your continued use of TicketSmart after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions, data requests, or concerns:

• Email: support@ticketsmart.ai
• Subject line: “Privacy Request” for faster routing

13. TicketSmart Door Mobile App

The TicketSmart Door app is a companion iOS application used by event staff to check in attendees at venue entrances. In addition to the data described above, the following applies specifically to the Door app:

• Camera access: The app requests camera permission exclusively for scanning ticket QR codes. The camera feed is processed locally on your device in real time. No photos, video, or image data are captured, stored, or sent to our servers.
• Staff credentials: Door staff sign in with a dedicated username and password created by the event organizer. These credentials are separate from attendee accounts and are stored securely using on-device keychain encryption.
• Offline data: The app caches the event guest roster on-device to support offline check-in. This data is encrypted at rest and is cleared when the staff member signs out.
• No analytics or tracking: The Door app does not include any third-party analytics SDKs, advertising frameworks, or background location tracking.