Privacy Policy

Last updated: February 2026

SurgeTix AG takes the protection of personal data seriously. This Privacy Policy explains how we collect, use, store, and protect personal data when Festival Organisers use our platform and when attendees purchase tickets through our infrastructure.

1. Our Dual Role in Data Processing

SurgeTix operates in two distinct capacities depending on the data involved. For Festival Organiser account data, we act as the Data Controller. This includes the information you provide when creating an account, contact details of your organisation, billing and payment information, and platform usage data.

For Attendee data (ticket buyers), SurgeTix acts strictly as a Data Processor on behalf of the Festival Organiser, who remains the Data Controller. We process attendee data solely according to the Festival Organiser's instructions and for the purpose of delivering ticketing services. We do not use attendee data for our own marketing purposes.

2. Data We Collect

For Festival Organisers, we collect: name and contact information, organisation details, billing address, payment method details (processed via Stripe), and platform usage analytics.

For Attendees (on behalf of Festival Organisers), we process: name and email address, ticket purchase details, payment tokens (via Stripe — sensitive card data never touches our servers), and wallet pass identifiers. We do not collect or store complete credit card numbers, CVV codes, or other sensitive payment credentials.

3. Data Storage & Security

All data is stored in secure, EU-based data centres with enterprise-grade security measures including encryption at rest and in transit, regular security audits, and strict access controls. Our infrastructure is designed to meet the requirements of both GDPR and Swiss data protection law (FADP/nDSG).

4. Third-Party Data Sharing

We share data only with essential service providers required to deliver our platform, including our hosting provider, payment processor (Stripe), and transactional email service. We have data processing agreements in place with all sub-processors.

We do not sell data. We do not market to your attendees. Your audience is yours.

5. Cookies & Tracking

Our platform uses essential cookies required for authentication and session management. We use privacy-focused analytics to understand platform usage. We do not use third-party advertising cookies or cross-site tracking technologies.

6. Your Rights

Under GDPR and Swiss law, you have the right to access your personal data, rectify inaccurate data, request erasure of your data, restrict processing, exercise data portability, and object to processing. Festival Organisers can exercise these rights through their account settings or by contacting us. Attendees should contact the Festival Organiser who controls their data, who will then coordinate with us as needed.

7. Data Retention

We retain Festival Organiser data for as long as your account is active and for a period thereafter as required by applicable law (typically seven years for financial records). Attendee data is retained according to the Festival Organiser's instructions and applicable legal requirements.

8. Security Measures

We implement appropriate technical and organisational measures to protect personal data, including TLS encryption for all data in transit, AES-256 encryption for data at rest, regular penetration testing and security audits, role-based access controls, and incident response procedures.

9. Changes to This Policy

We may update this Privacy Policy from time to time. The updated policy will be posted on our website with the revision date.