GDPR & Data Processing

This page outlines SurgeTix's compliance with the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP/nDSG), and provides information relevant to our Data Processing Agreement with Festival Organisers.

1. Our Commitment to Privacy

SurgeTix is committed to protecting personal data in accordance with the highest standards of European data protection law. We comply with both the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP/nDSG). Our entire infrastructure operates within the European Union, and we have implemented comprehensive technical and organisational measures to ensure data security.

2. Controller vs. Processor Roles

When Festival Organisers use SurgeTix to sell tickets, the Festival Organiser acts as the Data Controller for attendee personal data, and SurgeTix acts as the Data Processor. This means the Festival Organiser determines the purposes and means of processing attendee data, while SurgeTix processes data only according to the Festival Organiser's documented instructions.

3. Right to Erasure (Right to Be Forgotten)

Attendees who wish to have their personal data deleted should contact the Festival Organiser from whom they purchased tickets. The Festival Organiser, as Data Controller, is responsible for assessing and responding to erasure requests.

Once the Festival Organiser approves a deletion request, they can initiate the deletion through the SurgeTix platform, or contact us to process the deletion on their behalf. We will delete or anonymise the attendee's personal data within 30 days, unless retention is required by law (e.g., for financial records).

4. Data Export & Portability

Festival Organisers can export all their data from SurgeTix at any time, without restriction, in standard machine-readable formats (CSV, JSON). This includes event data, ticket sales, attendee information, and analytics. We believe your data belongs to you, and we will never hold it hostage.

5. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify affected Festival Organisers without undue delay and within 72 hours of becoming aware of the breach. Our notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach.

6. Data Processing Agreement

All Festival Organisers using SurgeTix are covered by our standard Data Processing Agreement (DPA), which is incorporated into our Terms of Service. The DPA sets out the obligations and rights of both parties regarding data processing, including processing instructions, security measures, sub-processor engagement, data subject rights, and breach notification procedures.