EquaTicket

Privacy Policy

Last updated: [DATE — ATTORNEY REVIEW REQUIRED]

[ATTORNEY REVIEW REQUIRED] — This document is a template and must be reviewed by qualified legal counsel before publication. All sections marked with brackets require review and customization for applicable jurisdictions (GDPR, CCPA, etc.).

1. Who We Are

[PLATFORM NAME] is operated by [LEGAL ENTITY NAME], a [STATE] [ENTITY TYPE]. This Privacy Policy describes how we collect, use, and share personal information when you use our ticketing platform (the "Service").

2. Roles and Relationships

Our platform involves three parties with distinct data roles:

  • Platform (us): We are a data controller for account data and platform usage data. We are a data processor when handling buyer data on behalf of Organizers.
  • Organizers: Event organizers are independent data controllers for the buyer/attendee data they collect through the platform.
  • Buyers: Ticket purchasers whose data is collected during checkout.

[ATTORNEY REVIEW REQUIRED — Confirm controller/processor roles are correctly characterized for GDPR purposes. Data Processing Agreement (DPA) should be available for Organizers.]

3. Information We Collect

3.1 Organizer Account Data

  • Email address and name (from Supabase Auth)
  • Organization name and details
  • Stripe Connect account ID (not full financial credentials)
  • Subscription and billing status

3.2 Buyer Data (collected during checkout)

  • Email address (required for ticket delivery)
  • Name (as provided during checkout)
  • Payment information is collected directly by Stripe — we never store credit card numbers, CVVs, or full payment credentials

3.3 Automatically Collected Data

  • IP address and approximate geolocation
  • Browser type and device information
  • Pages visited and actions taken within the Service
  • Cookies and similar tracking technologies (see Section 7)

3.4 Check-in Data

  • Ticket scan timestamps
  • Check-in device information (for real-time sync functionality)

4. How We Use Information

We use personal information to:

  • Provide and maintain the Service
  • Process ticket purchases and deliver tickets via email
  • Send transactional emails (order confirmations, ticket delivery)
  • Process subscription payments
  • Provide customer support
  • Detect fraud and prevent abuse
  • Monitor and improve the Service
  • Comply with legal obligations

We do not sell personal information. We do not operate an event marketplace or use buyer data for cross-event marketing.

5. How We Share Information

We share personal information only in these circumstances:

  • With Organizers: Buyer data (name, email, ticket details) is shared with the Organizer whose event the Buyer purchased tickets for. Organizers are responsible for their own use of this data.
  • Stripe: Payment processing is handled by Stripe Inc. under their Privacy Policy.
  • Email delivery: We use Resend for email delivery. Organizers on Growth/Pro tiers may use their own email provider API key, in which case emails are sent through that provider.
  • Error monitoring: We use Sentry for error tracking, which may receive technical data including IP addresses.
  • Legal requirements: When required by law, regulation, or legal process.

6. Data Retention

  • Organizer accounts: Retained while the account is active and for [PERIOD — ATTORNEY REVIEW REQUIRED] after termination.
  • Buyer data: Retained as long as the Organizer account is active. After Organizer account termination, buyer data is retained for [PERIOD] for legal compliance, then deleted.
  • Anonymous checkout users: Anonymous user records with no associated purchases are automatically deleted after 30 days.
  • Audit logs: Retained for [PERIOD — ATTORNEY REVIEW REQUIRED, minimum 1 year recommended].

7. Cookies and Tracking

We use the following cookies:

  • Authentication cookies: HttpOnly, Secure, SameSite=Lax session cookies required for login. These are strictly necessary and cannot be disabled.
  • Analytics: Vercel Analytics for page performance metrics (privacy-friendly, no cross-site tracking).

Our embeddable ticket widget does not set cookies. Widget checkout redirects to our hosted pages where standard session cookies apply.

[ATTORNEY REVIEW REQUIRED — Evaluate cookie consent banner requirements under GDPR and state laws. Currently minimal cookies (auth + analytics), but confirm no consent banner is needed or add one.]

8. Data Security

We protect personal information through:

  • Encryption in transit (TLS/HTTPS on all connections)
  • Encryption at rest (Supabase managed PostgreSQL encryption)
  • Row Level Security (RLS) ensuring tenant data isolation
  • Encrypted storage of sensitive API keys (AES-256-GCM or Supabase Vault)
  • PCI DSS compliance handled by Stripe (we never process or store card data)
  • Regular security monitoring via Sentry

9. Your Rights

[ATTORNEY REVIEW REQUIRED — Tailor this section based on applicable jurisdictions. Include rights under:]

GDPR (EU/EEA residents)

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to object to processing
  • Right to lodge a complaint with a supervisory authority

[ATTORNEY REVIEW REQUIRED — Confirm legal basis for processing: contract performance for ticket purchases, legitimate interest for fraud prevention, consent for optional marketing.]

CCPA (California residents)

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of sale (we do not sell personal information)
  • Right to non-discrimination

[ATTORNEY REVIEW REQUIRED — Confirm CCPA applicability threshold. Platform may fall below thresholds initially but should comply proactively.]

10. International Data Transfers

The Service is hosted on Vercel (edge network) and Supabase (AWS-hosted PostgreSQL). Data may be processed in the United States and other countries where our service providers operate.

[ATTORNEY REVIEW REQUIRED — For EU users: confirm Standard Contractual Clauses (SCCs) are in place with sub-processors (Supabase, Vercel, Stripe, Resend). Consider adding a sub-processor list.]

11. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us at [SUPPORT EMAIL].

[ATTORNEY REVIEW REQUIRED — Buyers may be under 18 purchasing event tickets. Confirm COPPA compliance approach.]

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email to registered users at least 30 days before taking effect. The "Last updated" date at the top indicates the most recent revision.

13. Contact Us

For privacy-related inquiries, data access requests, or complaints:

  • Email: [PRIVACY EMAIL — e.g., privacy@platform.com]
  • Address: [MAILING ADDRESS]

[ATTORNEY REVIEW REQUIRED — If subject to GDPR, consider appointing a Data Protection Officer (DPO) or EU representative.]