Privacy Policy
Effective Date: December 22, 2025
Data Controller: Boxside Bookings (operating in Belgium)
1. Introduction and Our Privacy-First Commitment
Welcome to Boxside Bookings. We are a dedicated booking platform designed to connect you with events and facilitate the sale of tickets. From our inception, we have built our platform with a "Privacy-First" architecture. Unlike many digital platforms that monetize user behavior, our business model relies solely on selling tickets, not selling your data. We have minimized the data we collect to the absolute essentials required to provide our services and meet legal obligations.
We act as the Data Controller for your personal data. This policy outlines how we collect, process, and protect your information in compliance with the General Data Protection Regulation (GDPR) and relevant national laws in Belgium. For details on your rights and obligations when using our platform, please also review our Terms of Service.
2. Personal Data We Collect and How We Use It
To facilitate your ticket purchase and event attendance, we process specific categories of data based on different lawful grounds.
Identity and Transactional Data
When you purchase a ticket, we collect your full name and email address. This is processed under the legal basis of Contractual Necessity. We require this information to deliver your digital tickets and communicate important event details. Additionally, we collect financial data including the transaction ID, payment amount, VAT country, and the last four digits of your payment card. We do not store full credit card numbers. This financial data is processed under a Legal Obligation to comply with tax and accounting laws in Belgium.
Technical and Security Data
When you interact with our website, we automatically collect technical data such as your IP address, user agent, and session IDs. We process this data based on our Legitimate Interest to ensure the security of our platform, prevent fraud, and maintain the integrity of our booking system.
Voluntary Personalization Data
You may optionally choose to provide additional information, such as your age and city of residence. Providing this data is entirely voluntary and is processed based on your Consent. We use this information to personalize your festival experience and to plan future events in locations more convenient for our community. You may withdraw this consent at any time without affecting your ability to purchase tickets.
Analytics Data
We utilize a self-hosted analytics solution (Rybbit) to understand how users interact with our website (e.g., page views and click events). Because we host this ourselves, your browsing behavior is not shared with third-party advertising networks like Google. We process this on the basis of Legitimate Interest to improve our platform's performance.
3. Data Sharing and Third-Party Processors
We have a strict policy regarding third-party data sharing: we never sell your personal data. However, to provide our services, we must share limited data with trusted third-party service providers (Data Processors).
- Payment Processing: We use Stripe to process payments securely. When you pay, your credit card details are transmitted directly to Stripe; Boxside Bookings never sees your full card number. We share your email and name with Stripe to validate the transaction and prevent fraud.
- Transactional Emails: We use Resend to deliver your tickets and receipts to your email inbox. We share your name, email address, and ticket metadata with them strictly for the purpose of delivering these communications.
- Digital Wallets: If you choose to add your ticket to Apple Wallet or Google Wallet, the ticket metadata will be processed by these providers on your device. This processing is initiated by you and implies consent via usage.
4. International Data Transfers
Some of our partners, specifically Stripe and Resend, are headquartered in the United States. This means your personal data may be processed outside the European Economic Area (EEA).
To ensure your data remains protected to GDPR standards, we rely on robust legal frameworks. We ensure our partners are certified under the EU-US Data Privacy Framework or act under strict Standard Contractual Clauses (SCCs) approved by the European Commission. These agreements mandate that your data receives the same level of protection in the US as it does in the EU.
5. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which we collected it, or to satisfy legal requirements.
- Tax and Financial Records: In compliance with Belgian and Polish tax laws, we are legally required to retain all order details, invoices, and associated identity data (Name, Transaction ID) for a period of 10 years.
- User Accounts: If you choose to save your details, we retain your authentication data until you choose to delete your profile.
- Technical Data: Session data and IP addresses used for security are retained for a short period and then purged.
6. Security Measures
We take the security of your data seriously and have implemented "Privacy by Design" technical measures to protect it.
We utilize Application-Level Encryption for personally identifiable information (PII). This means that sensitive fields like your name and email are encrypted using a specific key before they are ever written to our database. Even in the unlikely event of a database breach, your personal data would remain unreadable to unauthorized parties. Additionally, we use industry-standard HTTPS/TLS encryption for all data in transit and secure hashing (bcrypt) for passwords.
7. Your Rights Under GDPR
As a user in the European Union, you possess specific rights regarding your personal data. We have built technical tools directly into Boxside Bookings to help you exercise these rights easily.
- Right of Access & Portability: You have the right to request a copy of the data we hold about you. You can download your data in a structured, machine-readable format via our user portal.
- Right to Erasure ("Right to be Forgotten"): You have the right to request the deletion of your personal data. You may do this via your account settings. Please note: while we will delete your user profile and marketing data immediately, we are legally required to retain transaction records (invoices) for 10 years for tax audit purposes. These records will be minimized and kept strictly for legal compliance.
- Right to Rectification: You can correct inaccurate personal data directly through your account settings or by contacting us.
- Right to Withdraw Consent: If you have provided voluntary data (such as age or city), you may withdraw your consent and remove this data at any time.
8. Age Restrictions and Minors
Boxside Bookings is not intended for use by children under the age of 16 without parental consent. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to remove that information from our servers.
9. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact our Data Privacy team at:
Boxside Bookings Privacy Team
privacy [at] boxsidebookings {dot} com