FoundTix Privacy Policy
Last updated: 2026-06-02
1. Who we are and how to contact us
1.1 This Privacy Policy describes how FoundTix Ltd (“FoundTix”, “we”, “us”, “our”) collects, uses, and protects personal data when you use the FoundTix platform at foundtix.com or buy a Ticket through it. FoundTix Ltd is registered in England and Wales (Company No: 17238343), registered office 128 City Road, London EC1V 2NX, United Kingdom.
1.2 For any privacy question, data-rights request, or to report a concern, contact info@foundtix.com. We aim to respond within 30 calendar days, as required by UK GDPR.
1.3 If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint.
2. Our role under data-protection law
2.1 For most of the personal data we handle, FoundTix is the controller — we decide what data is collected, for what purpose, and how it is used. This includes platform accounts, ticket purchases, and the marketing channels we operate ourselves.
2.2 For data we receive from a buyer and pass to the Organiser of the Event they have a Ticket for (for example, an attendee list CSV you have asked us to email to your venue), FoundTix and the Organiser are independent controllers. Each is responsible for its own use of that data; the Organiser’s privacy practices are theirs to publish.
2.3 For limited functions — for example, transactional email delivery or hosting — we use third-party processors that act on our written instructions and only for the purposes we set. The processors we rely on are listed in clause 7.
3. The personal data we collect from buyers
3.1 When you buy a Ticket, FoundTix collects the following from you:
(a) Account / contact details — first name, last name, email address, postcode, country, and (optionally) mobile phone number.
(b) Hashed identifiers — a SHA-256 hash of your email and (when provided) your mobile number, used for Custom Audience matching with Meta (see clause 7). The hashes are computed alongside your record so plaintext identifiers are not transmitted to advertising partners.
(c) Purchase details — the Events you bought Tickets for, quantity, price paid, purchase time, and the Stripe payment reference. We do not see or store your full payment-card number or CVC — Stripe collects those directly from you (clause 7).
(d) Consent records — for each marketing channel (email marketing, SMS marketing, audience-network targeting) we keep an immutable history of granted and revoked consents with the time, the IP address used, your browser user-agent, and the version of the consent copy you agreed to. This is required for us to demonstrate lawful basis under UK GDPR.
(e) Derived attributes — once you have a purchase history, we may compute aggregated tags such as a preferred music genre, an artist affinity, a venue affinity, or a region. These attributes are derived from your purchase record and are used only for the audience-targeting purposes in clause 6.
(f) Technical data — IP address, browser user-agent, and timestamps of important actions, captured in server-side logs by our hosting provider (clause 7) for security, debugging, and abuse prevention.
3.2 You can buy a Ticket without creating a long-lived account. Buyers are not signed-in users; your identity in our system is your (hashed) email address.
4. The personal data we collect from promoters
4.1 When you create a promoter account on FoundTix, we collect:
(a) Account details — display name, contact email, optional contact phone, and (where you choose to register one) a business name and country.
(b) Authentication data — Supabase Auth issues a signed session token and stores a hashed password (if you set one). Magic-link sign-in stores a short-lived one-time token.
(c) Stripe Connect identifiers — your Stripe connected-account id and the high-level state of your onboarding (charges enabled, payouts enabled, details submitted). The full KYC / business-verification data is collected by Stripe directly through their hosted onboarding flow; we never see it.
(d) Meta integration tokens — when you connect a Meta account, we store the OAuth access token in an encrypted column (encryption key held only in our environment). The token is never logged in plaintext and never returned to your browser. You can remove this connection at any time: disconnect it from your FoundTix Settings, remove FoundTix from your Facebook account’s Settings → Business Integrations, or request full deletion of the Meta data we hold — any of which erases the stored tokens. Deletion requests made through Facebook are confirmed at foundtix.com/data-deletion, and you can always email us at info@foundtix.com.
5. How we use your data and our lawful bases
5.1 To deliver your purchase (Article 6(1)(b) — contract). We use your name, email, phone, postcode, and purchase details to issue your Ticket(s) (PDF attachment and, where available, Apple Wallet / Google Wallet passes), to email you the order-confirmation, to process refunds, and to send any change-of-event notifications the Organiser triggers under our Terms.
5.2 To run the platform (Article 6(1)(f) — legitimate interest). We use technical data (IP, user-agent, logs) for security, fraud detection, debugging, and abuse prevention. Our interests in keeping the platform secure are balanced against the limited intrusiveness of these logs.
5.3 For marketing recommendations (Article 6(1)(a) — consent). We send promotional emails about other Events only to buyers who have explicitly granted email-marketing consent at checkout. The same applies to SMS alerts (separate consent) and to the audience-network targeting described in clause 6. You may withdraw consent for any channel at any time without affecting the lawfulness of processing before withdrawal.
5.4 To meet legal obligations (Article 6(1)(c)). We retain order and payment records as required by HMRC and other applicable law (see clause 9).
5.5 We do not sell personal data, and we do not share it with anyone outside the recipients listed in clause 7.
6. Consent at checkout, marketing, and the audience network
6.1 At checkout we ask for marketing consents, each unchecked by default, before payment is taken. The email and audience-network options are grouped under “Hear about similar events you’ll love” with an “All Marketing” select-all that simply ticks both individual options — it is not itself a stored consent. We record each real consent independently:
(a) Transactional emails — auto-applied because they are required for us to deliver your booking under the contract we have with you. This is a notice, not a tick-box.
(b) Email marketing — optional, opt-in: occasional recommendations for similar shows. Unchecked by default.
(c) Audience network — optional, opt-in: lets us include your hashed details in a Meta Custom Audience to reach you with similar events (see clause 6.2). Unchecked by default.
(d) SMS marketing — optional, opt-in, shown only once you provide a mobile number: rare text alerts for last-minute drops or surprise announcements. Unchecked by default and kept separate from the group above.
6.2 Audience network. Where you have granted audience-network consent, we may include your hashed email and hashed mobile (clause 3.1(b)) in a Custom Audience uploaded to Meta to seed audience targeting for relevant Events on FoundTix. The promoter of the Event being advertised never receives your contact details — Meta does the matching server side and the promoter only sees aggregate, anonymised audience figures.
6.3 Custom Audiences shared with Meta on this basis are time-limited: access is automatically revoked 30 days after the relevant Event ends, and we maintain an internal log of every audience export.
6.4 Every marketing email we send carries a one-click unsubscribe link. You can revisit any consent at any time, free of charge, by contacting info@foundtix.com.
7. Third parties that process your data
7.1 We use the following processors and partners. Each is bound by a contract or DPA requiring them to handle personal data in line with UK GDPR.
(a) Stripe Payments UK Ltd (and Stripe Inc) — payment processing and Stripe Connect. Stripe collects your payment-card data directly via their hosted elements; we never see or store the card number, expiry, or CVC. Stripe also processes any refunds we issue on your behalf. Stripe is a separate controller for the fraud-prevention data it collects. stripe.com/gb/privacy
(b) Supabase, Inc. — managed Postgres database, authentication, and object storage. Supabase hosts the data described in clauses 3 and 4. supabase.com/privacy
(c) Vercel Inc. — application hosting and edge logging. Vercel sees request metadata including IP addresses for the purpose of serving pages and recording technical logs. vercel.com/legal/privacy-policy
(d) The Rocket Science Group LLC (“Mailchimp Transactional”, formerly Mandrill) — transactional email delivery. We pass them recipient email address, message body, and (for ticket emails) the PDF attachment. mailchimp.com/legal/privacy
(e) Meta Platforms, Inc. — for Conversions API (CAPI) server-side conversion events and Custom Audiences. We send only hashed identifiers (email, phone, name, country) per Meta’s matching specification; we do not send plaintext contact details. CAPI events are limited to the lifecycle events listed in our integration reference (page view, view content, add to cart, initiate checkout, purchase). facebook.com/privacy/policy
(f) The Organiser of any Event you buy a Ticket for receives — only when you have purchased a Ticket from them — your name, contact details, ticket-type, and order number, so they can run the Event (door scans, guest lists, problem resolution). The Organiser is an independent controller for that data; their own privacy notice applies.
7.2 We do not use Wallet pass providers (Apple, Google) as processors of buyer personal data — by design, the wallet pass payload we generate contains only the ticket code, event details, and the organiser’s display name, never your name, email, or phone.
8. International transfers
8.1 Some of the processors in clause 7 are based in, or transfer data to, the United States (notably Mailchimp Transactional, Meta Platforms, and Vercel). Where personal data is transferred outside the UK, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (or the EU SCCs themselves) as the safeguard, along with each provider’s published transfer-impact assessment and supplementary measures.
8.2 You can request a copy of the safeguards in place for any specific transfer by emailing info@foundtix.com.
9. Retention
9.1 Order and financial records. We keep order, refund, and payment-related records for at least six years after the end of the tax year in which the transaction occurred, in line with HMRC record-keeping requirements.
9.2 Consent records. We retain the full immutable history of consents (granted and revoked) for as long as your underlying account or order data is retained, so that we can demonstrate the lawful basis for any past processing. New consent changes are stored as additional rows, not by overwriting earlier ones.
9.3 Marketing-only data. Where we hold data on you solely for marketing purposes (e.g., the derived attributes described in clause 3.1(e)), we will delete it within a reasonable period after you withdraw all marketing consents, unless we are required to retain it under clause 9.1.
9.4 Server logs. Vercel’s request logs are retained per Vercel’s standard log-retention policy at the time. Supabase database backups are retained per Supabase’s standard backup policy at the time.
10. Your rights under UK GDPR
10.1 You have the following rights in relation to the personal data we hold about you:
(a) Access — request a copy of the personal data we hold about you.
(b) Rectification — ask us to correct inaccurate or incomplete data.
(c) Erasure (“right to be forgotten”) — ask us to delete your data, subject to the legal-retention obligations in clause 9.
(d) Restriction — ask us to limit processing in specific circumstances.
(e) Portability — ask us to provide your data in a structured, machine-readable format, or to transmit it to another controller where technically feasible.
(f) Objection — object to processing based on legitimate interest, including for direct marketing.
(g) Withdrawal of consent — withdraw any consent you have given, at any time, without explanation. Withdrawal does not affect the lawfulness of processing before the withdrawal.
(h) Complaint — lodge a complaint with the UK Information Commissioner’s Office (see clause 1.3).
10.2 To exercise any of these rights, email info@foundtix.com from the address associated with your account or purchase. We may ask for additional information to verify your identity before we can act. We respond within 30 calendar days; this can be extended by a further two months for particularly complex requests, in which case we will tell you within the first 30 days.
11. Cookies and similar technologies
11.1 We use a small number of cookies, all of which are either strictly necessary for the site to work or preference cookies that simply remember a choice you made.
(a) Strictly necessary. Supabase authentication session cookies (used to keep promoters signed into the dashboard) and the Stripe checkout cookies set on the payment step. These do not require consent under PECR.
(b) Preference. A small cookie namedft_demo_banner_dismissedthat remembers when a promoter has dismissed the demo banner on the dashboard.
11.2 We do not set advertising or analytics cookies in the buyer browser for our own purposes. Meta Conversions API events (clause 7) are sent server-side from FoundTix to Meta with hashed identifiers; they do not write client-side cookies on your device.
12. Children
12.1 FoundTix is intended for adults. We do not knowingly collect personal data from anyone under 13 years of age. If you believe we may have collected such data, contact us at info@foundtix.com and we will delete it.
12.2 Age restrictions for individual Events are set by the Organiser and are shown on the public Event page; tickets should not be purchased for attendees below the stated minimum age unless the listing explicitly allows it (e.g. “14+ with an adult”).
13. Security
13.1 We hold personal data in Supabase Postgres with row-level security enforced at the database layer. Service-role credentials are used only by trusted server code paths (webhooks, cron jobs, post-payment ticket issuance) and never exposed to untrusted input. The Meta integration token is stored encrypted; the encryption key lives only in our hosting environment.
13.2 All traffic between the buyer / promoter and FoundTix is served over TLS. Payment-card data is collected by Stripe directly via their PCI-DSS Level 1 infrastructure and never transits or rests on FoundTix systems.
13.3 No internet-connected system is perfectly secure. If we ever suffer a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify you directly without undue delay.
14. Changes to this Privacy Policy
14.1 We may update this Privacy Policy from time to time. The version in force when you provided personal data continues to govern that data unless we tell you otherwise; for material changes we will give reasonable notice (a dashboard banner for promoters, and an email for active marketing-consented buyers).
14.2 The current version is indicated by the “Last updated” date at the top of this page.
15. Governing law
15.1 This Privacy Policy and any dispute or claim arising out of or in connection with it is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction in relation to any dispute.