privacy policy.
what we collect, why, and — more importantly — what we don't.
effective: may 1, 2025
we don't sell data.
we don't sell it. we don't rent it. we don't feed it to a broker. we don't use it to "recommend" things. we don't build ad audiences. we don't do "partnerships" that mean the same thing.
we collect the minimum we need to sell you a ticket, pay out an organizer, and keep the lights on.
1. what we collect
if you buy a ticket
- account basics — name, email, country
- order info — tickets purchased, event, price, fees, payment method last-4
- payment — we don't store full card numbers. stripe does. we get a token.
- device — ip, browser, os (for fraud prevention)
if you run events
- everything above, plus: your venue, your payout account (via stripe connect), tax information where required, the attendees who buy tickets to your events
if you use our api
- your api key, call logs (for 90 days), your ip, and anything your application sends us on behalf of users
2. what we don't collect
we don't track you across the web. we don't have facebook pixel, google ads tags, tiktok pixel, or any other third-party trackers on our marketing pages. we don't fingerprint. we don't read your contacts. we don't touch your location unless you're scanning at a door and your phone hands it to the scanner app.
3. why we collect it
to (a) sell you the thing you're buying, (b) pay the organizer, (c) comply with tax and financial-services law, (d) keep fraudsters out. that's it.
4. who sees it
- the organizer of an event sees their own ticket buyers — names, emails, order details. they don't see other organizers' buyers.
- our sub-processors: stripe (payments), aws (hosting, us-east-1), postmark (transactional email), sentry (error monitoring). current list at tiredevents.com/legal/subprocessors.
- nobody else. including us, for most purposes. access to production data requires a justification and is logged.
5. your rights
you can, from settings, any time, no questions asked:
- export everything we have on you (json + csv)
- correct anything wrong
- delete your account and all associated data
- opt out of analytical cookies (by default: on; you can turn them off)
if you're in the eu/uk: your rights under gdpr are the same as above, plus the right to object to processing and the right to restrict processing. lodge a complaint with your supervisory authority any time.
if you're in california: your rights under ccpa/cpra are the same. we don't sell or share data as defined by that law; we do not need a "do not sell my info" link because there's nothing to opt out of.
6. data retention
- active account data — as long as your account is open
- after you delete your account — 30 days (or 24 hours if you request it)
- financial records — 7 years (tax law)
- api call logs — 90 days
7. cookies
we use one necessary cookie (session) and one analytical cookie (plausible, self-hosted, non-identifying). no third-party cookies, ever. see cookie policy.
8. children
we don't knowingly collect information from children under 13. if a parent/guardian is buying a ticket for a child, the account is the parent's.
9. international transfers
we're hosted on aws us-east-1. if you're in the eu/uk, your data crosses the atlantic under standard contractual clauses. if this changes, we'll say so here before it takes effect.
10. security
we're soc 2 type ii (audited by prescient, 2024). pci dss handled via stripe. bugs reported via security@tiredevents.com are paid for.
11. changes
we'll email you about any material change at least 30 days ahead. diffs of every version live at /legal/changelog.
12. contact
for privacy-specific questions, data requests, or our data protection officer: privacy@tiredevents.com.