Draft privacy notice for operational rollout and legal review. It should be checked against your controller/processor position, retention schedule, and organiser contracts before production use.

Privacy Notice

This Privacy Notice explains how EventsGrind uses personal data when people buy tickets, create participant accounts, link bracelets, use event wallets, and request refunds.

1. Who this notice applies to

This notice applies to ticket buyers, participants, account holders, and other individuals whose data is processed through the platform in connection with event ticketing, participant accounts, wallet balances, and refunds.

Depending on the service, event organisers and EventsGrind may each process personal data for their own purposes. The final allocation of controller and processor responsibilities should be set out in the relevant organiser agreements.

2. What personal data we collect

We may collect identity and contact data such as names, email addresses, phone numbers, and billing and address information.

When payments or refunds are involved, we may also process payment-related data such as transaction amounts, payment status, payment references, Stripe payment intent or refund identifiers, and limited billing and fraud-prevention data linked to the transaction.

We may collect participant account data such as login details, bracelet links, event participation records, wallet balances, transaction history, and refund request history.

Where participant account lifecycle tools are used, we may also process account status and retention data such as deactivation dates, deletion request dates, anonymisation dates, purge scheduling dates, deactivation reasons, and hashed verification-token data with expiry timestamps.

We may also collect technical and security data such as IP addresses, browser and device information, sign-in activity, and operational logs needed to secure the service and investigate issues.

3. Why we use personal data

We use personal data to take ticket orders, provide participant accounts, link bracelets to the correct account, display wallet activity, process top-ups and refunds, provide support, and send service messages that relate to those functions.

We also use personal data to protect the platform, prevent fraud, reconcile payment and refund activity, enforce event rules, and keep business and financial records.

Where a participant asks to deactivate their account, we use personal data to verify that request, sign the participant out, block further access, support any restoration request made within the available window, anonymise account-identifying fields when the grace period expires, and schedule final purge in line with the configured retention period.

4. Lawful bases

We generally rely on contract where processing is needed to sell tickets, provide participant account access, operate wallet functionality, or handle refunds requested through the platform.

We may rely on legitimate interests for fraud prevention, service security, operational monitoring, and internal reconciliation where those uses are necessary and proportionate.

We may rely on legal obligation where data must be retained or disclosed for tax, accounting, anti-fraud, dispute, or regulatory purposes.

Where consent is required by law, such as for optional marketing or non-essential cookies, we will ask for it separately.

5. Who we share data with

We may share personal data with event organisers, payment providers, hosting and infrastructure providers, email delivery providers, support providers, and professional advisers where needed to operate the service or comply with the law.

We use Stripe as a payment service provider for ticket payments, wallet top-ups, and refunds. Depending on the service being provided, Stripe may process personal data on our behalf and may also use certain payment and fraud-related data for its own compliance, security, and network purposes under its own privacy terms.

We do not share more data than is reasonably necessary for those purposes.

6. Payments and Stripe

Where Stripe-hosted checkout or payment tools are used, payment card details are processed by Stripe rather than stored on our servers. We may still receive and store related payment metadata needed to confirm payment status, reconcile orders, support refunds, and keep audit records.

You can read more about Stripe's handling of personal data in Stripe's own privacy documentation.

7. Refunds and wallet data

When a participant requests a refund, we may process wallet balances, deposit records, payment references, bracelet links, account emails, and refund verification data to determine eligibility, prevent duplicate refunds, and return funds to the appropriate payment route where available.

Refund verification links and refund activity are used as part of our security and audit controls.

8. Participant account lifecycle

If a participant deactivates their account from the participant profile area, we will immediately restrict access to that account and schedule it for lifecycle processing.

For password-based accounts, deactivation happens once the participant confirms with their current password. For Google-only accounts, we send a deactivation confirmation link to the account email address before the account is deactivated.

During the current restoration window, which is configured at 90 days from the deletion request, a deactivated participant may be able to restore the account before anonymisation happens.

When the restoration window expires, we anonymise core account-identifying fields such as the participant name, email address, Google identifier, password, remember token, and email-verification state. We retain only the minimum data needed for security, fraud prevention, refunds, auditability, and legal or accounting obligations.

After anonymisation, the remaining participant account record is scheduled for final purge once the configured retention period ends. The current purge schedule is 6 years from the deletion request date, unless a different period is required by law or a valid legal hold applies.

9. Retention

We keep personal data only for as long as it is needed for the purpose for which it was collected, including to provide the service, resolve disputes, prevent fraud, and meet legal, tax, accounting, or regulatory obligations.

For participant accounts that go through the self-service deactivation flow, the current lifecycle settings are a 90-day restoration and anonymisation window followed by a purge schedule set to 6 years from the deletion request date, unless a different period is required by law.

Even where an account is deactivated, anonymised, or purged, related event, wallet, refund, anti-fraud, and accounting records may need to be retained separately where the law allows or requires that retention.

10. Security

We use organisational and technical measures intended to protect personal data, including access controls, authentication, audit logging, and payment/refund verification controls appropriate to the service.

11. Your rights

Depending on the circumstances, individuals may have rights to request access, correction, deletion, restriction, objection, and data portability.

Where a participant uses the self-service deactivation flow, we will normally move the account into the lifecycle process described above rather than immediately erasing every related record. Requests should be reviewed against the platform's controller/processor allocation and any legal obligations to retain financial, fraud, refund, or accounting records.

12. Contact

Privacy questions and rights requests should be sent to the contact details made available through the platform or the relevant event organiser, depending on the service and the role of each party.
