Legal

PRIVACY POLICY

Last updated: June 22, 2026
⚠ This document is template content provided for development purposes only. Have it reviewed by qualified privacy counsel and aligned with your actual data-handling practices before relying on it in production.
Contents
  1. Scope
  2. Information we collect
  3. How we use your information
  4. When we share information
  5. Cookies & tracking
  6. Data retention
  7. Your rights
  8. Security
  9. Children
  10. International transfers
  11. Changes to this policy
  12. Contact us

1. Scope

This Privacy Policy describes how EventBricks ("EventBricks", "we", "us") collects, uses, and shares information about you when you use our website, mobile pages, and APIs (collectively the "Service"). By using the Service you agree to the practices described here.

2. Information we collect

Information you provide directly

  • Account info: first name, last name, email, phone number (optional), city, state, date of birth (collected only when you purchase a ticket to an age-restricted event), optional profile photo, hashed password (Bcrypt — we never store cleartext).
  • Order info: contact name, email, phone (optional), billing address, ticket recipients' names and emails (when "different attendee" is selected), marketing opt-in preference captured at checkout. Your IP address and browser user-agent are also recorded at order time and are used exclusively for Stripe chargeback dispute evidence.
  • Payment info: card details are entered directly into Stripe's secure iframes and never reach our servers; we receive only the last four digits and a tokenized reference.
  • Organizer info: if you apply to host events, we collect business identity, tax ID, government ID document, address, and bank account details. Sensitive numbers (tax ID, account, routing) are encrypted at rest with AES-256-GCM.
  • Support communications: messages you send to our support team and the metadata of those interactions.

Information we collect automatically

  • Device & usage: IP address, user-agent, pages viewed, timestamps, referring pages.
  • Authentication: a JSON Web Token issued on sign-in, stored in your browser to keep you logged in.
  • Check-in records: when your ticket is scanned at an event gate, we record the ticket code, gate label, scan result (e.g. admitted, already used), timestamp, and the operator who ran the scanner. This is used for event operations and post-event reporting to the organizer.
  • Analytics events: aggregated server-side metrics such as checkout funnel completion. We do not use any third-party analytics SDKs, advertising pixels, or cross-site tracking technologies.

Information from third parties

  • Stripe shares the result of your payment attempt (success / failure / decline reason / dispute notifications) and a token representing your saved card if you opted to save it.
  • Email providers notify us of bounces and unsubscribes.

3. How we use your information

We use the categories of information above for the following purposes:

  • To deliver the Service: create accounts, process orders, issue tickets, send confirmations, route messages, run check-in.
  • To process payments: validate cards, complete charges, issue refunds, investigate disputes.
  • To verify organizers: review identity documents, validate tax IDs, confirm bank details before payouts.
  • To prevent fraud: detect stolen cards, account takeover, and ticket scalping.
  • To support you: respond to inquiries, troubleshoot issues, send service updates.
  • To improve the Service: understand usage patterns, identify performance bottlenecks, fix bugs.
  • To send marketing emails — only if you affirmatively opt in at checkout or in your account preferences. You may unsubscribe at any time using the link in every marketing email or by toggling the preference in your account settings.
  • To comply with the law: respond to subpoenas, enforce our Terms, and meet tax / regulatory obligations.

4. When we share information

We do not sell your personal information. We share data only with:

RecipientWhat we shareWhy
Event organizersTicket holder name, email, phone (if provided)So organizers can run check-in, contact attendees about event changes, and honor refunds.
Stripe (Payments)Order amount, currency, customer name, email, phone, and billing address (passed via PaymentIntent). Card numbers and CVVs are entered directly into Stripe's secure iframes and never reach our servers; we receive only the last four digits and a tokenized payment reference.Payment processing, fraud prevention, refunds, and chargeback dispute evidence.
Stripe TaxVenue address (for in-person events) or buyer billing address (for online events), plus line-item amounts and event tax codes.Automatic sales tax calculation where required by law.
Email service (Google Workspace SMTP / similar)Recipient address, message contentOrder confirmations, transactional emails, marketing (where opted in).
Cloud hosting providerAll data processed by the ServiceInfrastructure to operate the Service.
Law enforcement / regulatorsInformation responsive to a valid legal requestLegal obligation. We push back on overbroad requests where we can.
Successors in interestAll data, in a merger/acquisitionContinuity of service.

5. Cookies & tracking

EventBricks uses a small number of cookies and browser-storage values:

  • Authentication token and user object stored in localStorage to keep you signed in across pages. The stored object includes your name, email, role, and account identifiers — no payment data. Tokens are invalidated immediately on password change or when you sign out all devices.
  • Cart session stored in sessionStorage to remember your in-progress order if you navigate away. This storage dies with the browser tab and is cleared on sign-out.
  • UI preferences like last-selected filters, stored in localStorage.

We do not use third-party advertising cookies or cross-site tracking pixels.

6. Data retention

We retain personal information for as long as your account is active and as needed to provide the Service. Specifically:

  • Order, ticket, and refund records: seven years (for tax and dispute response).
  • Account profile and preferences: until you delete your account.
  • Verification documents (KYC IDs): five years after the related organizer relationship ends.
  • Support messages: three years from the last interaction.
  • Server logs: 90 days rolling.

You can request deletion of your account at any time (see "Your rights" below). When you do, your account is deactivated immediately and scheduled for permanent erasure after a 30-day grace period during which you can cancel the deletion. After the grace period, your profile data is pseudonymized: your name, email, phone, date of birth, and billing address are replaced with anonymised values and your authentication credentials are cleared. Financial records (orders, tickets, refunds, payout entries) are retained in redacted form for the periods listed above to meet tax and dispute obligations; the link between those records and your identity is broken at erasure time.

7. Your rights

Depending on where you live, you may have rights to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your information ("right to be forgotten").
  • Restrict or object to certain processing.
  • Port your data to another service.
  • Withdraw consent for marketing emails at any time, without affecting prior lawful processing.
  • Lodge a complaint with a supervisory authority (e.g. your state's attorney general or your country's data-protection authority).

Submit any of these requests through the Help Center or to privacy@eventbricks.com. We respond within 30 days. We do not discriminate against users for exercising these rights.

California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information we have collected and the right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising.

8. Security

We protect your data with industry-standard measures including:

  • HTTPS for all client-server traffic.
  • Bcrypt-hashed passwords (we never store cleartext passwords).
  • AES-256-GCM encryption at rest for sensitive financial fields (tax IDs, bank account numbers, routing numbers) and two-factor authentication secrets (TOTP seed and recovery codes).
  • PCI-DSS scope minimization via Stripe Elements (card data is collected by Stripe and never reaches our servers).
  • Webhook signature verification for asynchronous payment events.
  • Per-request idempotency tokens to prevent duplicate charges.
  • Role-based access control on all administrative endpoints.

No system is 100% secure. If we discover a breach affecting your information, we will notify you and the relevant authorities as required by law.

9. Children

The Service is not directed to children under 13. We do not knowingly collect information from children under 13. If you believe we have inadvertently collected such information, contact us and we will delete it. Tickets to age-restricted events may only be purchased by adults of the appropriate age.

10. International transfers

EventBricks is operated from the United States. If you access the Service from outside the U.S., be aware that your information will be processed in the U.S. We use standard contractual clauses or other lawful transfer mechanisms where required.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced via email and on this page. Continued use of the Service after the effective date of an update constitutes acceptance.

12. Contact us

Questions or requests? Reach us at:

Email: privacy@eventbricks.com
Mail: EventBricks Privacy Office, [Mailing Address Line 1], [City, State, ZIP]