5.0% flatPlatform fee

yourboxoffice.net

Privacy Policy for yourboxoffice.net

Effective Date: May 29, 2026

Last updated: June 7, 2026 (Section 7 — data subject requests)

This Privacy Policy describes how yourboxoffice.net (operated by the platform provider) processes data when you use our platform as an organizer ("Venue") or a ticket buyer ("Patron").

We operate under a core commandment: Absolute Data Sovereignty. We do not sell data, we do not pool data, and we do not perform cross-venue profiling.

1. Data Processing Roles

  • Venues (Organizers): We act as a Data Processor regarding Patron information collected during checkout. The local Venue organizing your event is the primary Data Controller. Your information belongs entirely to that Venue.
  • Patrons (Ticket Buyers): We process your information strictly to fulfill transactions, generate admission tickets, prevent fraud, and route operational transaction states.

2. Information We Collect and Purpose Limitation

We strictly limit data collection to the minimum required for immediate transaction utility:

  • Transaction & Checkout Data: First Name, Last Name, Email Address, ticket quantity, and transaction value. This data is utilized solely to process purchases via our gateway partner, verify your identity via secure One-Time Passwords (OTP), and route admission credentials.
  • Infrastructure Operations & Security: IP addresses, browser agent headers, and request routing metadata are processed temporarily at our edge layer to prevent high-concurrency bot abuse, malicious scalping actions, and financial transaction fraud.

3. Payment Processing and PCI-DSS Boundary Enforcement

Your credit card account numbers, expirations, and secure CVV codes never enter or touch our core database infrastructure. All cardholder details are captured and tokenized directly inside an isolated iframe environment provided exclusively by our payment processor, Stripe. This configuration ensures our system remains entirely outside the Cardholder Data Environment (CDE) under PCI-DSS SAQ-A parameters.

4. Third-Party Subprocessors

We minimize external network data routing. We use only the following essential subprocessors to maintain platform operations:

  • Stripe, Inc. — Payment gateway processing, financial multi-party split-routing, and fraud risk analysis.
  • Resend Inc. — High-throughput transactional email delivery (tickets, verification codes, and receipt payloads).
  • Cloudflare, Inc. — Edge network ingress, DNS management, and bot-mitigation rate limits.
  • Neon, Inc. — Isolated, serverless relational database storage engine.
  • Upstash, Inc. — In-memory caching layers utilized exclusively for holding temporary event tickets during checkout sessions.

5. No Third-Party Tracking or Ads

This platform contains zero external advertising tracking pixels, cross-site analytics web scripts, or retargeting network cookies. Your checkout journey remains an isolated environment protected from commercial tracking exploitation.

6. Transactional Communications

We use your contact details exclusively for critical transaction notifications, including:

  • Security validation verification codes (email_verification_code).
  • Order confirmation notifications containing secure admission QR stubs.
  • Secure single-use verification links (guest_order_magic_link) to locate previously purchased credentials.

7. Your data rights and how to request them

We respond to access, portability, correction, erasure, and restriction requests under applicable privacy law (including GDPR where it applies).

Patrons (ticket buyers)

The venue that sold your tickets is the Data Controller for your purchase. For refunds, event questions, or deletion of your order information, contact that venue first using the details on your confirmation email.

If the venue cannot help, or your request concerns how the platform processes your data, email `legal@yourboxoffice.net` with:

  • The email address used at checkout
  • Venue or event name (if known)
  • Order date or confirmation details
  • What you are requesting (copy of data, correction, or erasure)

We may verify your identity (for example by confirming control of the checkout email) before fulfilling a request. We aim to respond within 30 days.

Self-service (limited)

You can view paid orders for an email address using Find my tickets on the venue site (magic link sent to your inbox). To download a structured JSON export of your orders and ticket metadata for a venue, request a separate data export link (sent to the same checkout email; distinct from the ticket-lookup link). Each flow covers one venue at a time and does not include payment card data.

Venues (organizers)

Signed-in venue staff with box office manager permissions can export or erase patron data for their tenant from Privacy requests in venue admin (/admin/org/{slug}/privacy/dsar). Export includes orders, ticket references, and marketing opt-in status for a single patron email. Erasure anonymizes personal fields on retained order rows (financial totals and status are kept for accounting). For venue account closure or platform-level deletion, contact `support@yourboxoffice.net`. Regulatory or cross-border inquiries: `legal@yourboxoffice.net`.

Retention

We retain order records for as long as the venue needs them for operations, refunds, and accounting, and as required by law. After an approved erasure, we replace personal identifiers with anonymized placeholders where transaction metadata must remain. See our [Data Practices](/data-practices) page for a plain-language summary.

Patron erasure

Patrons cannot self-delete checkout data in the product UI today. Contact the venue or `legal@yourboxoffice.net`; venue staff can execute org-scoped erasure from admin after confirming your identity.