Last updated: 24 April 2026
Privacy Policy
This policy explains how TicketWave HQ Ltd collects, uses, shares and retains personal data in compliance with the UK GDPR and the Data Protection Act 2018. It applies to ticketwavehq.com, the embedded booking widget, the 2026{city}.com discovery sites (2026ibiza.com, 2026barcelona.com, 2026greece.com), and every connected product.
1. Data Controller
The data controller under the UK GDPR for the processing described below is:
TicketWave HQ Ltd
Company no. 17143167 · Registered in England & Wales
Registered office: Radley House, Richardshaw Road, Pudsey, LS28 6LE, United Kingdom
Contact for data protection: privacy@ticketwavehq.com
For certain processing — most notably, events and tickets sold by a venue on the platform — the venue is the controller of the purchaser’s data and TicketWave HQ Ltd acts as a processor. That relationship is governed by our standard Data Processing Agreement (DPA). Venues may contact dpa@ticketwavehq.com to request a copy.
2. What Data We Collect
We collect the following categories of personal data:
- Account Data: Name, email address, business name, password (hashed), and account preferences when you register for an account.
- Transaction Data: Purchase history, ticket details, payment information (processed securely by Stripe — we do not store full card numbers), refund records, and commission data.
- Usage Data: IP address, browser type and version, device information, pages visited, time spent on pages, and other diagnostic data collected automatically when you use our platform.
- Cookies: We use essential cookies to operate the platform. See our Cookie Policy for full details.
3. Legal Basis for Processing
We process your personal data on the following legal bases under the GDPR:
- Contract Performance: Processing necessary to perform our contract with you, including account management, ticket sales, and payment processing.
- Legitimate Interest: Processing necessary for our legitimate interests, such as fraud prevention, platform security, analytics, and improving our services, provided these interests are not overridden by your rights.
- Consent: Where we rely on your consent, such as for marketing communications. You can withdraw consent at any time.
4. How We Use Your Data
- Service Delivery: To create and manage your account, process ticket transactions, generate QR codes, facilitate check-ins, and provide customer support.
- Communications: To send transactional emails (order confirmations, ticket delivery), and, with your consent, marketing communications about new features and promotions.
- Analytics: To understand how our platform is used, identify trends, and improve the user experience.
- Fraud Prevention: To detect and prevent fraudulent transactions, abuse, and security threats.
5. Data Sharing and Third-Party Processors
We share personal data with the sub-processors listed below. Each is bound by a written data processing agreement and processes data only on our instructions.
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing + Connect payouts (PCI-DSS Level 1) | EU / US (SCCs) |
| Resend | Transactional + marketing email delivery | US (SCCs + EU-US DPF) |
| Neon Inc. | Managed Postgres hosting (encrypted at rest) | EU |
| Vercel Inc. | Application hosting, edge CDN, analytics | EU / US (SCCs) |
| Upstash | Redis caching, rate-limit counters (short-lived, no PII) | EU |
| Cloudflare | DNS, traffic protection, DDoS mitigation for the public surfaces | Global edge |
| Google (Analytics 4) | Aggregated usage analytics — only when the cookie banner is accepted; IP anonymisation enabled | US (SCCs) |
| Sentry | Application error reporting (PII scrubbed before transmission) | US (SCCs) |
| Mapbox Inc. | Map tile rendering on listing / event pages (requests IP-logged for rate-limit; no personal data sent) | US (SCCs) |
We do not sell personal data and we do not share it with advertising networks beyond the aggregated analytics above. We publish a full list of sub-processors on this page and will post updates at least 30 days before any material change.
6. International Data Transfers
Your data may be transferred to, stored, and processed in countries outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or equivalent mechanisms recognised by the European Commission to protect your data.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account data: Retained for the duration of your account and for 30 days after deletion to allow recovery.
- Transaction data: Retained for 7 years to comply with tax and accounting obligations.
- Usage data: Retained for up to 26 months, then anonymised or deleted.
- Marketing consent records: Retained for as long as consent is active, plus 3 years after withdrawal for compliance records.
8. Your Rights
Under the GDPR and applicable data protection laws, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data where there is no compelling reason for continued processing.
- Right to Data Portability: Request a machine-readable copy of your data to transfer to another service.
- Right to Object: Object to processing based on legitimate interests, including profiling.
- Right to Restriction: Request that we limit the processing of your data in certain circumstances.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
9. How to Exercise Your Rights
To exercise any of the rights above, email privacy@ticketwavehq.com. We respond to all data subject requests within 30 days (extendable to 90 days in complex cases, with notice). We may request identity verification before acting on a request.
If you’re in the UK and not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). EEA residents may contact their local supervisory authority.
9b. Marketing subscribers & double opt-in
When you subscribe to weekly editorial picks on any 2026{city}.com site we store your email, the interests you chose, and your city. We then send you a single confirmation email with a unique link; your subscription isn’t activated until you click it (“double opt-in”). Unconfirmed records are deleted after 7 days.
Every broadcast includes a one-click unsubscribe link in the footer; unsubscribing is honoured within 24 hours. If you also opt in to WhatsApp event reminders, that consent is stored separately and can be revoked by replying “STOP” to any message — or by emailing us. We never re-enable a channel you’ve opted out of without a fresh, explicit re-consent.
10. Children's Privacy
TicketWave is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us at support@ticketwavehq.com and we will promptly delete the data.
11. Cookie Policy
We use cookies and similar technologies to operate our platform. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
12. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. We will notify you of any material changes by posting the updated policy on this page with a revised “Last updated” date. We encourage you to review this policy periodically.
13. Contact Information
For any privacy-related query — rights requests, complaints, data processing questions — email privacy@ticketwavehq.com. For general product support use support@ticketwavehq.com.
Postal: TicketWave HQ Ltd, Radley House, Richardshaw Road, Pudsey, LS28 6LE, United Kingdom.