Trust Center

Privacy Policy

Last Updated: March 15, 2026

1. General Information

In accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), this Privacy Policy describes how your personal data is processed by PaySeats.

Data Controller:

  • Company Name: PaySeats Europe SL
  • Tax ID (NIF): B22704407
  • EU VAT ID: ESB22704407
  • Registered Address: Calle Camí d'es Castell 261, 2º 3ª, 07702 Mahón, Balearic Islands, Spain
  • Contact Email: [email protected]
  • Data Protection Contact: [email protected]

PaySeats acts as a controller for data processed to operate the platform and manage accounts. Where we process Attendee data on behalf of Organizers, we act as a data processor and the Organizer is the controller. For details, see our Data Processing Addendum (DPA).

The Service includes the public website, public product-help experiences such as PaySeats Pulse, organizer/admin interfaces (including CRM, customer messaging, consent and suppression controls, privacy-request workflows, and domain, DNS, redirect, SSL, and hosted mailbox management workflows), and PaySeats Terminal, the in-person operations app used for paired-device setup, operator access, check-in, and supported on-site sales.

2. Categories of Personal Data We Process

2.1. For Organizers

  • Identity Data: Full name or business name, fiscal address, country of residence, and VAT ID (if applicable).
  • Contact Data: Email address and phone number.
  • Domain and Email Administration Data: Domain registration contact records, registrant/admin/technical contact details, DNS and redirect configuration, SSL lifecycle status, hosted mailbox addresses, local-part identifiers, mailbox status and quota settings, catch-all targets, provider reference IDs, and mailbox credential inputs submitted for provisioning or password changes when an Organizer uses PaySeats to manage domains or hosted mailboxes.
  • Payment and Billing Data: Bank account details for payouts are handled by the Payment Partner. For PaySeats plan billing, we process billing email, billing name, tax IDs or tax classification, billing address, country, default currency, and limited Payment Partner customer, subscription, invoice, payment-method, or verification status data needed to operate organizer billing, support, and compliance.
  • Technical Data: IP addresses, device and browser information, terminal device metadata (such as device name, platform, model, OS version, app version, status, scopes, approval and last-seen data), logs, operator session/authentication records, activity metadata, and platform usage data.

2.2. For Attendees

  • Identity Data: Full name and, where collected by the Organizer, related attendee, parent/guardian, or company details.
  • Contact Data: Email address and any phone number, billing detail, or other contact information provided during checkout, booking, support, or account creation.
  • Transaction Data: Purchase, booking, membership, subscription, check-in, refund, dispute, reservation, box-office sale, in-person payment-intent or payment-status information, ticket scan results, and any custom fields, notes, or other data voluntarily shared during checkout or service delivery.

An Attendee's email address is used to deliver tickets, booking confirmations, and operational communications about the purchased event or service (for example, changes, cancellations, or account access for guest checkout history). Marketing communications are only sent with explicit consent where required.

2.3. Support, CRM, and Communications

  • Support Data: Messages, attachments, metadata, terminal diagnostics, and records of privacy or support requests submitted through the Support Ticket System or related service workflows.
  • CRM and Engagement Data: Staff notes, tags, custom fields, segment memberships, follow-up tasks, customer conversation or support-routing records, campaign enrollment or send status, communication templates or variants, campaign performance events linked to a customer, consent ledger entries, communication suppression history, privacy request records, and related audit metadata recorded by the Organizer through the Service.
  • Product Help Data: Questions submitted through PaySeats Pulse, selected language, citations returned, and limited technical/request metadata needed to operate, secure, and improve that help experience. Please do not submit sensitive personal, attendee, or payment information in PaySeats Pulse prompts.
  • Communication Preferences: Opt-in or opt-out status for marketing communications and any customer communication preferences recorded by the Organizer through the Service.

3. Purposes for Processing Your Data

We use your data for the following purposes:

3.1. Service Provision

To create and manage Organizer accounts; process online and in-person sales; support paired-device recovery and operator-authenticated terminal workflows; facilitate event management and check-in; manage CRM profiles, segments, follow-up tasks, support-linked customer conversations, consent and communication-suppression controls, organizer-initiated campaign workflows, and customer privacy-request queues; support domain registration, DNS, redirect, SSL, and hosted mailbox workflows; manage organizer subscription checkout, billing portal, invoicing, and related billing controls; send operational communications essential for the service; and provide public product-help experiences such as PaySeats Pulse.

To comply with legal obligations regarding taxation, accounting, fraud prevention, and to respond to requests from competent authorities.

3.3. Security and Fraud Prevention

To protect the platform and PaySeats Terminal, authenticate operators and devices, prevent abuse, and investigate suspicious activity.

3.4. Marketing Communications

We will send you information about our products, news, or promotions only with your explicit consent. These campaigns are managed via third-party providers acting as data processors, who cannot use your data for their own purposes.

3.5. Service Improvement

To perform aggregated and anonymous usage analysis, gather statistics, conduct satisfaction surveys, and diagnose service issues that help us develop new features and improve the platform, including frontline terminal workflows.

3.6. Account Management Experience

To provide a seamless user experience, we process data from Guest Checkouts to allow users to later create a full account and access past order history without creating duplicate records.

We process your data based on the following legal grounds:

  • Performance of a contract with you (Art. 6.1.b GDPR).
  • Compliance with a legal obligation (Art. 6.1.c GDPR).
  • Your explicit consent for specific purposes, such as marketing communications (Art. 6.1.a GDPR).
  • Our legitimate interest in ensuring platform security, preventing fraud, and improving our services (Art. 6.1.f GDPR).

5. Data Retention Period

We retain data for as long as necessary to provide the service and comply with legal obligations:

  • Organizer Data: Retained for the duration of the account and for required legal retention periods after closure.
  • Attendee Data: Checkout, booking, membership, and guest records are retained for as long as needed to provide the purchased service, handle disputes or refunds, and comply with legal requirements. If a guest record is converted into a full account, retention follows the active account policy.
  • Suspended or Investigated Accounts: If an account is under review for fraud, disputes, or legal obligations, data may be retained longer to protect users and comply with law.

Terminal device metadata, operator-session records, check-in records, and in-person transaction status data follow the same operational, support, dispute, and legal retention logic described above.

PaySeats Pulse questions and related technical request records, where retained, follow our support, security, and log-retention practices.

Domain registration contact data, DNS/redirect configurations, and hosted mailbox administration records follow the same account, support, security, and legal retention logic described above.

Billing profile data and subscription, customer, or invoice reference data follow the same account, billing, accounting, tax, and legal retention requirements that apply to the Organizer's relationship with PaySeats.

CRM notes, tags, custom fields, segment memberships, follow-up tasks, campaign send or performance records, consent or suppression ledgers, and privacy request records follow the same account, communication, support, compliance, and legal retention logic described above.

Once retention periods end, data is deleted or anonymized.

6. Recipients and Data Processors

We do not sell your data. We only share it with service providers who help us operate, under strict data processing agreements or other lawful transfer mechanisms:

  • Payment Partners (currently Stripe, unless we notify you of a replacement or additional provider): To handle online and supported in-person payments, payouts, refunds, disputes, regulatory onboarding, and PaySeats organizer subscription billing (including checkout, billing portal, invoices, promotion codes, payment methods, and tax-enabled billing where configured). The Payment Partner may act as an independent controller for regulatory compliance (KYC/AML and similar obligations).
  • Cloud Infrastructure and Database Hosting: DigitalOcean.
  • Transactional Email Delivery: Resend.
  • Monitoring and Error Logging: Better Stack.
  • AI Service Provider: OpenAI, to generate PaySeats Pulse responses based on PaySeats documentation when you use that feature. OpenAI receives the question you submit and related request metadata needed to operate the feature. Please do not submit payment card, bank, or other sensitive personal data in those prompts.
  • Domain Registration and Hosted Email Services: Tucows / OpenSRS when an Organizer uses PaySeats to register or manage a domain, provision hosted mailboxes, or manage related DNS or email routing.
  • Marketing Email Delivery: EmailOctopus for opt-in marketing or launch communications when those communications are enabled.

7. International Data Transfers

Some providers may be located outside the European Economic Area (EEA). In such cases, we ensure that international data transfers are carried out using the European Commission's Standard Contractual Clauses (SCCs) or other appropriate safeguards.

8. Your Rights and Choices

You may at any time exercise your rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection, and you have the right not to be subject to automated individual decision-making.

You can exercise your rights by sending an email to our Data Protection Contact at [email protected]. We may ask you to verify your identity to protect your data. If we cannot verify your identity, we may be unable to fulfill the request.

Withdrawing consent will not affect lawful processing already performed, but it may limit certain features (for example, marketing communications or optional analytics).

9. Data Security

We implement technical and organizational measures to protect your data, such as encryption of information in transit and at rest, strict access controls, backup protocols, and business continuity plans. In the event of a security breach, we will notify affected users and the competent supervisory authority within 72 hours when required by law.

10. Minors

PaySeats can be used for family, youth, or guardian-managed registrations when an Organizer chooses to offer them. Organizers are responsible for determining whether parental or guardian consent is required and for configuring their forms, notices, and communications accordingly. If you believe personal data about a minor has been submitted unlawfully, contact us at [email protected] and we will review the request under applicable law.

11. Changes to this Policy

We may amend this policy in the future. We will notify you of any substantial changes at least 30 days in advance via the platform or by email.

12. Supervisory Authority

If you believe your rights have not been adequately addressed, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at http://www.aepd.es or the data protection authority in your EU country of residence.