Privacy Policy

Last updated:

This Privacy Policy explains how Gather Tickets (“we”, “us”, “our”) collects, uses, and protects your personal data when you use our website and ticketing service. We are committed to processing your data lawfully, fairly, and transparently in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

Gather Tickets is operated by MGC Systems Ltd, a private limited company incorporated in England and Wales with registered address at [TBD: registered address] (company number 15552651).

We are the data controller for the personal data we collect about you, except where we act as a data processor on behalf of an event Organizer (see our Data Processing Addendum).

We are registered with the UK Information Commissioner’s Office (ICO) under registration number ZB767268.

For privacy questions, contact us at support@gathertickets.co.uk.

2. What personal data we collect

The personal data we collect depends on how you use Gather Tickets.

If you buy tickets (Buyers)

  • Email address and display name (account creation)
  • Ticket purchase records (which events, when, quantity, price paid)
  • IP address and browser/device information (for fraud prevention and security)
  • Payment metadata returned by Stripe (last four digits of card, card brand, country). We never see or store full card numbers, expiry dates, or CVV codes.

If you list events (Organizers)

  • All Buyer data above, where applicable
  • Identity verification (KYC) details required by Stripe Connect. These are collected and held by Stripe; we receive only the verification status.
  • Payout details (bank account or debit card) held by Stripe
  • Event content you publish (titles, descriptions, images)

From everyone who visits the site

  • Essential cookies for authentication (Supabase session cookies prefixed sb-).
  • Optional analytics cookies (Google Analytics 4), only set after you accept the cookie banner. See section 9 for details and how to withdraw consent.
  • Server logs and error reports (sent to Sentry) including IP, user agent, request path, and stack traces. We do not perform browser fingerprinting.

3. Lawful bases for processing

We rely on the following lawful bases under UK GDPR Article 6:

  • Contract (Art. 6(1)(b)): processing necessary to sell you a ticket, deliver it by email, pay the Organizer, and provide refunds when an Organizer authorises one.
  • Legitimate interests (Art. 6(1)(f)): fraud prevention, security, abuse detection, error monitoring, and improving the reliability of the service. We have assessed these interests against your rights and consider them proportionate.
  • Legal obligation (Art. 6(1)(c)): retaining transaction records for UK accounting, tax, and anti-money laundering requirements.
  • Consent (Art. 6(1)(a)): where required, for example if we ever introduce optional marketing communications. Today we do not send marketing email.

4. How we use your personal data

  • To create and operate your account
  • To process ticket purchases and deliver tickets by email
  • To pay Organizers via Stripe Connect
  • To send transactional email about your tickets (confirmations, cancellations, event reminders)
  • To prevent fraud, abuse, and unauthorised access
  • To debug and improve the reliability of the service
  • To comply with legal and regulatory obligations
  • To enforce our Terms of Service

5. Sub-processors

We use the third-party service providers below to operate Gather Tickets. Each is bound by a data processing agreement that requires appropriate technical and organisational measures and limits use of your data to the purposes stated below.

Sub-processors used by Gather Tickets to deliver the service

| Sub-processor | Purpose | Location | Transfer mechanism | Documents |
| --- | --- | --- | --- | --- |
| Supabase Inc. | Authentication, Postgres database hosting, file storage | USA (with regional data residency options) | EU SCCs + UK Addendum | Privacy · DPA |
| Stripe Payments Europe, Limited | Payment processing, Stripe Connect organizer payouts, KYC | Ireland (EU); transfers to Stripe, Inc. (USA) for processing | EU SCCs + UK Addendum / UK IDTA | Privacy · DPA |
| Resend, Inc. | Transactional email delivery (ticket confirmations, cancellations) and SMTP relay for Supabase auth emails | USA | UK IDTA | Privacy · DPA |
| Vercel, Inc. | Application hosting, edge network, deployment platform | USA (global edge network) | UK IDTA | Privacy · DPA |
| Functional Software, Inc. (Sentry) | Error monitoring and crash reporting | USA | UK IDTA | Privacy · DPA |
| Google LLC (Google Analytics 4) | Aggregated website analytics; loaded only with your consent | USA (with EU/UK regional processing for IP truncation) | EU SCCs + UK Addendum | Privacy · DPA |

We notify Organizers of changes to this list at least 30 days in advance via email; see our Data Processing Addendum for details.

6. International transfers

Several of our sub-processors are based in the United States. Where personal data is transferred outside the United Kingdom, we rely on one or more of the following safeguards:

  • UK adequacy regulations, where they apply
  • The UK International Data Transfer Agreement (IDTA), incorporated into the data processing terms we have in place with each sub-processor
  • The EU Standard Contractual Clauses (2021) together with the UK Addendum issued by the ICO

7. How long we keep personal data

  • Tickets and orders: 7 years from the date of purchase, to satisfy UK accounting and tax record-keeping requirements (Companies Act 2006; HMRC retention rules).
  • Account records: while your account is active, and for 30 days after deletion to allow account recovery and to satisfy any outstanding refund or chargeback obligations.
  • Sentry error events: 90 days, after which they are automatically purged.
  • Server access logs: up to 30 days for security and abuse monitoring.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request erasure of your data (subject to our legal obligation to keep transaction records)
  • Object to processing based on our legitimate interests
  • Request restriction of processing
  • Receive a copy of your data in a portable format and have it transferred to another controller where technically feasible
  • Withdraw any consent you have given (without affecting the lawfulness of processing before withdrawal)

To exercise any of these rights, email support@gathertickets.co.uk. We will respond within one month.

If you are unhappy with how we have handled your data, you have the right to complain to the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint.

9. Cookies

Strictly necessary cookies

We use Supabase authentication cookies (prefixed sb-) to keep you signed in. These are essential to the service and are not gated by a consent banner. Clearing them in your browser will sign you out.

Analytics cookies (consent required)

We use Google Analytics 4 to understand aggregate usage of the site (which pages are popular, how visitors arrive, rough geography). GA4 sets cookies prefixed _ga in your browser.

We implement Google Consent Mode v2 with all storage defaulting to denied. No analytics or advertising cookies are written until you click Accept on our cookie banner. We do not enable Google Signals, Google Ads remarketing, or any cross-site advertising features.

Withdrawing or changing your consent

You can change your choice at any time by clicking “Cookie settings” in the footer of any page. This will reopen the banner so you can accept or reject analytics. You can also clear all cookies in your browser settings, which will reset your choice and re-prompt you on your next visit.

10. Children

Gather Tickets is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Security

We use TLS for all data in transit. Personal data is stored in Supabase Postgres with encryption at rest and is protected by row-level security policies that restrict access to authenticated users. Access to our service-role credentials is limited to a small number of trusted automated workflows (for example, payment webhooks). Payment card details are handled exclusively by Stripe and never reach our servers.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will update the “Last updated” date above and, for material changes, notify you by email or via a notice on the site at least 14 days before the change takes effect.

13. Contact us

For privacy questions or to exercise your rights, contact support@gathertickets.co.uk or write to us at [TBD: registered address].