Data Processing Addendum
Last updated:
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Gather Tickets and you, the Organiser. It governs the processing of personal data we carry out on your instruction when you list and run Events through Gather Tickets.
This DPA reflects the requirements of Article 28 of the UK General Data Protection Regulation and the Data Protection Act 2018. By listing an Event as an Organiser, you accept this DPA.
1. Parties and roles
The parties to this DPA are MGC Systems Ltd, a private limited company incorporated in England and Wales (“Gather Tickets”, “we”) and you, the Organiser (“you”).
We adopt a hybrid role allocation:
- Independent controller — for our own purposes including fraud prevention, security, billing, service operation, error monitoring, and compliance with our own legal obligations. Our processing for these purposes is described in our Privacy Policy and is not governed by this DPA.
- Processor — for the processing of attendee personal data carried out on your documented instruction. This DPA governs that processing.
Where we act as your processor, you are the controller and remain responsible for the lawful basis, transparency, and fairness of the processing.
2. Subject matter, duration, nature, and purpose
The subject matter and purpose of the processing is the operation of the Gather Tickets ticketing service for your Events. The duration is the period during which you have an active Organiser account, plus any retention period required by law (see Annex 1). The nature of the processing includes collection, storage, retrieval, organisation, transmission, deletion, and other operations necessary to deliver tickets, communicate with attendees on your instruction, and process refunds.
3. Categories of data subjects and personal data
Data subjects: attendees who purchase or register for tickets to your Events.
Categories of personal data: name, email address, ticket purchase records, IP address (for fraud prevention), payment metadata returned by Stripe (last four card digits, card brand, country), and any additional information you choose to collect on the Event listing form.
We do not process special category personal data on your behalf. You must not collect special category data through Gather Tickets unless you have agreed it with us in writing in advance and have a valid Article 9 condition.
4. Processor obligations
When we act as your processor, we will:
- process the personal data only on your documented instructions, including with regard to transfers, except where required to do so by law (in which case we will inform you of the requirement unless prohibited from doing so)
- ensure that personnel authorised to process the data are bound by appropriate confidentiality obligations
- implement the technical and organisational measures described in Annex 2
- assist you, taking into account the nature of the processing, in fulfilling your obligations to respond to data subject requests under Articles 12–23 of the UK GDPR
- assist you in ensuring compliance with your obligations under Articles 32–36 (security, breach notification, impact assessments, prior consultation), taking into account the information available to us
- notify you without undue delay after becoming aware of a personal data breach affecting your data, and in any event within 48 hours of becoming aware
- on termination of the service, at your choice delete or return your personal data, and delete existing copies unless retention is required by law
- make available to you the information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you
5. Sub-processors
You give us general authorisation to engage the sub-processors listed in Annex 3. We will give you at least 30 days’ notice by email of any addition to or replacement of a sub-processor before that sub-processor begins processing your data. You may object to the change for reasons related to data protection by replying to that notice. If we cannot reasonably accommodate your objection, you may terminate your Organiser account. We will require each sub-processor to be bound by obligations equivalent to those set out in Section 4.
6. International transfers
Where personal data is transferred from the United Kingdom to a country that has not received UK adequacy regulations, the transfer is governed by the UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner under section 119A of the Data Protection Act 2018. The IDTA is hereby incorporated into this DPA by reference. Per-recipient transfer details are set out in Annex 4.
Where the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) apply to a transfer, they apply together with the UK Addendum issued by the ICO.
7. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, except where the law does not permit such limitation.
Annex 1 — Description of processing
- Subject matter: ticketing services for your Events.
- Duration: for the lifetime of your Organiser account, plus any retention period required by law (UK accounting/tax: 7 years from order completion).
- Nature and purpose: selling and delivering tickets to attendees, processing payments and refunds via Stripe, sending transactional email, providing you with attendee data needed to admit attendees to your Event.
- Type of personal data: name, email, ticket purchase records, IP address (for fraud prevention), payment metadata returned by Stripe.
- Categories of data subjects: attendees who purchase or register for tickets to your Events.
- Frequency: continuous, for the duration of the service.
Annex 2 — Technical and organisational measures
- Encryption in transit: all traffic to and from Gather Tickets is served over TLS 1.2 or higher.
- Encryption at rest: personal data stored in Supabase Postgres is encrypted at rest. Payment card details are stored only by Stripe and never touch our infrastructure.
- Access controls: row-level security in Postgres restricts access to authenticated users; service-role credentials are restricted to specific server-side workflows (e.g. Stripe webhooks).
- Authentication: Supabase-managed sessions with secure cookies; password and magic-link authentication.
- Audit logging: server-side request logs and payment events retained for security and reconciliation.
- Error monitoring: Sentry, scoped to runtime errors with 90-day retention.
- Incident response: documented playbook for handling personal data breaches, including 48-hour notification to affected Organisers.
- Backups: regular automated database backups held by Supabase.
- Confidentiality: personnel with access to personal data are bound by confidentiality obligations.
- Sub-processor diligence: we contract with sub-processors that provide appropriate guarantees (see Annex 3).
Annex 3 — Sub-processors
| Sub-processor | Purpose | Location | Transfer mechanism | Documents |
|---|---|---|---|---|
| Supabase Inc. | Authentication, Postgres database hosting, file storage | USA (with regional data residency options) | EU SCCs + UK Addendum | Privacy · DPA |
| Stripe Payments Europe, Limited | Payment processing, Stripe Connect organiser payouts, KYC | Ireland (EU); transfers to Stripe, Inc. (USA) for processing | EU SCCs + UK Addendum / UK IDTA | Privacy · DPA |
| Resend, Inc. | Transactional email delivery (ticket confirmations, cancellations) and SMTP relay for Supabase auth emails | USA | UK IDTA | Privacy · DPA |
| Vercel, Inc. | Application hosting, edge network, deployment platform | USA (global edge network) | UK IDTA | Privacy · DPA |
| Functional Software, Inc. (Sentry) | Error monitoring and crash reporting | USA | UK IDTA | Privacy · DPA |
| Google LLC (Google Analytics 4) | Aggregated website analytics; loaded only with your consent | USA (with EU/UK regional processing for IP truncation) | EU SCCs + UK Addendum | Privacy · DPA |
Annex 4 — International transfers
Personal data may be transferred to the sub-processors listed in Annex 3. For transfers to recipients outside the United Kingdom that do not benefit from UK adequacy regulations, we rely on the UK International Data Transfer Agreement (IDTA), incorporated by reference into this DPA. The official text of the IDTA is published by the ICO at ico.org.uk.
For each US-based sub-processor (Stripe, Inc., Resend, Inc., Vercel, Inc., Functional Software, Inc.), the transfer mechanism is the UK IDTA, except where Stripe Payments Europe, Limited handles processing within the EEA, in which case the EU Standard Contractual Clauses (2021) together with the UK Addendum apply.
Contact
For questions about this DPA or to give documented instructions, contact support@gathertickets.co.uk.