Back

Privacy Policy

Last updated: 5 June 2026

This policy explains how etocky ("we", operated by [YOUR LEGAL ENTITY NAME], registered at [YOUR ADDRESS], Luxembourg, RCS [YOUR RCS NUMBER]) processes your personal data when you register for an event, top up tokens, and use the app. We act as the data controller for this processing.

What we collect

  • Account details: your name, email address, and (optionally) phone number.
  • Ticket & wallet data: your event ticket, token balance, and transaction history.
  • Payment data: handled by Stripe. We never see or store your card number — only the amount, a payment reference, and refund status.

Why we use it & legal basis

  • To issue your ticket and run your token wallet — performance of a contract.
  • To process top-ups and refunds via Stripe — performance of a contract.
  • To keep transaction records for accounting — legal obligation (Luxembourg commercial law, 10-year retention).

Who processes your data

We use the following processors, each under a GDPR-compliant data processing agreement:

  • Supabase Inc. — database & authentication (EU region, Frankfurt)
  • Stripe Payments Europe Ltd. — payment processing (Ireland)
  • Vercel Inc. — application hosting (Frankfurt region, fra1)
  • Email provider — to send your one-time sign-in codes

International data transfers

Some of our processors (Supabase, Vercel) are US-based companies. Data is processed in EU data centres (Frankfurt). Where data may be transferred outside the EEA, it is protected by EU Standard Contractual Clauses (SCCs) or an adequacy decision.

Cookies

We use strictly necessary cookies to keep you signed in. We do not use advertising or analytics cookies that track you, so no cookie consent banner is required.

Data retention

We keep your account and ticket data while your account is active. After the event ends, unused accounts are deleted within 90 days. You can delete your account at any time from your ticket page. Transaction records required for accounting are retained for 10 years as required by Luxembourg commercial law (Art. 16 Code de commerce).

Your rights

Under the GDPR you have the right to access, correct, export, or delete your data, and to object to or restrict processing. To exercise these rights:

  • Delete your data: use "Delete my account" on your ticket page.
  • Export your data: use "Export my data" on your ticket page, which provides all your data in JSON format.
  • Other requests: contact us at the email below.

Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Commission nationale pour la protection des données (CNPD), 15 Boulevard du Jazz, L-4370 Belvaux, Luxembourg — https://cnpd.public.lu

Automated decision-making

We do not use automated decision-making or profiling that produces legal effects concerning you.

Contact

For any privacy request, contact: [YOUR PRIVACY EMAIL ADDRESS]