Tixserve App UK Privacy Policy
Tixserve
Document ID: IRP-013
Version: 2.0
Date: 26/01/2026
Property of Tixserve – Controlled Document
Document ID: VDQ-014
Version: 2
Owner: Head of Operations
Approved by: James Kirby
Next Review Date: 21/06/2026
Compliance Standards: UK GDPR, EU GDPR, ISO/IEC 29184:2020, ISO/IEC 27701
1. Introduction and Scope
This Privacy Notice describes how Tixserve (UK) Limited collects, processes, stores, and protects Personally Identifiable Information (PII) (also known as "personal data") when you use the Tixserve mobile ticketing application (the "App" or "Service").
This policy is designed to comply with the ISO/IEC 29184:2020 standard for online privacy notices, as well as the UK and EU General Data Protection Regulations (GDPR).
Scope: This policy applies specifically to the Tixserve account on the Tixserve UK mobile ticketing App, used for demonstration and sales purposes. It does not cover personal data processed by separate client accounts on the App, for which the respective client serves as the PII Controller.
2. Identity and Contact Details of the PII Controller
Under ISO/IEC 29100 and GDPR, the entity responsible for determining the purposes and means of processing your PII is the PII Controller (or Data Controller).
Name: Tixserve (UK) Limited
Address: Greens Court, West Street, Midhurst, West Sussex GU29 9NQ, United Kingdom
Contact Email: hello@tixserve.com
Data Protection Officer: Liam Strevens (hello@tixserve.com)
3. Categories of PII We Collect
We collect specific categories of PII necessary for the App to function securely and effectively.
3.1 PII Provided Directly by You (Volunteered Data)
- Account Identity Information: Full Name, Date of Birth, Gender.
- Contact Information: Phone Number, Email Address, Postal Address.
- Preferences: Records of your consents (e.g., marketing opt-ins) and acceptance of this Privacy Policy.
3.2 PII Collected Automatically (Observed Data)
- Device & Security Identifiers: Unique device identifiers, push notification tokens, and device fingerprints (OS version, model, IP address).
- Usage Data: User ID, ticketing history, and activity timestamps (e.g., account creation time).
- Diagnostics: Technical logs utilised for error handling and fraud prevention.
3.3 Temporary Data Processing
- Device Contacts: With your explicit permission, we may access your contact list to facilitate ticket transfers. This data is processed temporarily in memory and is not committed to our permanent database.
4. Purposes and Legal Basis for Processing
In accordance with ISO/IEC 29100 (Principle of Purpose Legitimacy), we only process PII for specified, explicit, and legitimate purposes.
| Purpose | PII Categories Involved | Legal Basis (GDPR/ISO) |
| --- | --- | --- |
| Service Provision: Creating accounts, verifying phone numbers, and delivering tickets. | Name, Phone, Email, Address, User ID, Ticket History. | Contract: Performance of the service agreement. |
| Fraud Prevention: Detecting abuse during registration (via reCAPTCHA). | IP Address, Typing patterns, Device settings. | Legitimate Interest: Protecting the integrity of the App. |
| Service Improvement: Diagnosing crashes and bugs. | Device Fingerprint, Usage Logs, Error Reports. | Legitimate Interest: Ensuring technical stability. |
| Communications (Transactional): Sending OTPs and ticket notifications. | Phone Number, Email Address. | Legitimate Interest: Account security and functionality. |
| Push Notifications: Event updates and alerts. | Device Token. | Consent: Revocable at any time. |
| Direct Marketing: Promoting news and offers. | Email, Device Token. | Consent: Revocable at any time. |
| Demonstration: Showcasing App data collection capabilities. | Address, DOB, Gender. | Legitimate Interest: Commercial demonstration purposes. |
5. Sharing and Disclosure of PII
We may share your PII with third-party service providers (PII Processors) who perform functions on our behalf. All providers are bound by Data Processing Agreements in compliance with ISO/IEC 27701 and GDPR.
- Cloud Hosting: AWS (Amazon Web Services).
- Fraud Protection: Google reCAPTCHA (Google).
- SMS & Messaging: Vonage (SMS/Voice OTPs) and WhatsApp Business Platform.
- Email Services: SMTP2Go (Email OTPs).
- Crash Analytics: Sentry (Error diagnosis).
We may also disclose data to legal authorities if required by law, or to professional advisers (lawyers, auditors) for legitimate business operations.
6. International Data Transfers
Your PII is primarily stored on servers located in the UK. However, global service providers (e.g., Google) may process data in jurisdictions outside the UK/EU, such as the United States.
We ensure these transfers comply with ISO/IEC 29184 and GDPR requirements by implementing appropriate safeguards, such as strict vendor risk assessments and standard contractual clauses, to ensure your data remains protected to a standard equivalent to that of the UK and EU.
7. Retention and Disposal
We adhere to the ISO/IEC 29100 principle of Use, Retention and Disclosure Limitation. We retain PII only as long as necessary for the purposes defined above.
- Active Account Data: Retained for the life of the account + 30 days after a deletion request (unless legally required otherwise).
- Device Tokens: Retained for 6 months, then refreshed.
- Contact Lists: Accessed temporarily; never retained.
- Anonymisation: Upon expiration of the retention period, data is securely anonymised or permanently deleted.
8. Security Measures
We implement technical and organisational measures aligned with ISO/IEC 27001 and Article 32 of the GDPR to protect your PII, including:
- Encryption: SSL/TLS for data in transit.
- Access Control: Strict "need-to-know" access for employees.
- Minimisation: Collecting only what is necessary.
- Vendor Management: Rigorous assessment of third-party security.
9. Rights of the PII Principal (User)
As the "PII Principal," you have specific rights regarding your data. You may contact us at hello@tixserve.com to exercise these rights:
- Right to be Informed: To know how your data is used (this policy).
- Right of Access: To request a copy of your data.
- Right to Rectification: To correct inaccurate data.
- Right to Erasure: To request that we delete your data ("Right to be Forgotten").
- Right to Restrict Processing: To pause processing in certain disputes.
- Right to Data Portability: To receive your data in a machine-readable format.
- Right to Object: To opt out of processing based on legitimate interests or marketing.
- Rights regarding Automated Decision-Making: To not be subject to decisions based solely on automated processing.
10. Consent and Withdrawal
Where processing is based on Consent (e.g., Marketing, Push Notifications, Contact List access), you have the right to withdraw your consent at any time.
- How to Withdraw: You can adjust permissions within the App’s "Settings" menu or your device’s operating system settings.
- Impact: Withdrawal does not affect the lawfulness of processing that occurred prior to the withdrawal.
11. Children's Privacy
This App is for demonstration and sales purposes and is not intended for children. We do not knowingly collect PII from individuals under the age of 16. If discovered, such data will be deleted immediately.
12. Complaint Mechanisms
If you believe your privacy rights have been infringed, you have the right to lodge a complaint with a supervisory authority:
- UK: Information Commissioner's Office (ICO) - https://ico.org.uk/
- Ireland: Data Protection Commission (DPC) - https://www.dataprotection.ie/
13. Changes to this Policy
We may update this policy to reflect operational or regulatory changes. The latest version will always be available within the App and on our website. You can view our App Terms and Conditions here.
Last Updated: 26-01-26