Privacy Policy
Last updated: May 12, 2026
Responsible person and contact
The controller within the meaning of the General Data Protection Regulation (GDPR) is the company named below. We have not appointed an external data protection officer, as there is no legal obligation to do so.
You can contact us at [email protected] for all matters relating to data protection.
on:Tickets (on:NetworkAgency UG)
Holstenhofweg 54
22043 Hamburg
Germany
Phone: +49 (40) 70 2929 97
Email: [email protected]
Area of application and roles
This privacy policy describes which personal data on:Tickets processes as a platform operator - in particular in connection with visiting the ontickets.de website, creating a buyer account, purchasing tickets and operating the organizer dashboard.
Intermediary model: on:Tickets is a ticketing platform through which event organizers sell tickets for their own events. Insofar as personal data is transmitted to the respective organizer so that they can fulfill the ticket purchase contract, the organizer is independently responsible within the meaning of the GDPR and has its own privacy policy.
If on:Tickets processes data on behalf of an organizer (e.g. for mailings initiated individually by the organizer), this is done on the basis of a data processing agreement (AVV).
General information on data processing
We only process personal data insofar as this is necessary to provide a functional platform and our services or insofar as effective consent has been given.
The legal bases of our processing are in particular:
- Art. 6 para. 1 lit. a GDPR - consent (e.g. cookies, newsletter)
- Art. 6 para. 1 lit. b GDPR - contract fulfillment and pre-contractual measures (e.g. ticket purchase, account registration)
- Art. 6 para. 1 lit. c GDPR - legal obligation (e.g. commercial and tax law retention)
- Art. 6 para. 1 lit. f GDPR - legitimate interest (e.g. IT security, bot protection, platform stability)
Storage period: Personal data is deleted as soon as it is no longer required for the purpose for which it was collected and there are no legal obligations to retain it (in particular 6 or 10 years according to HGB/AO).
Provision of the website and log files
When ontickets.de is accessed, data is automatically transmitted to our servers and stored in server log files: IP address of the requesting device (shortened as far as possible for operation), date and time of access, URL accessed and referrer, HTTP status code and amount of data transferred, browser used, operating system and language version.
Purpose: technical provision of the website, defense against attacks, stability and error analysis. Legal basis: Art. 6 para. 1 lit. f GDPR. Storage period: usually a maximum of 14 days, unless security-related events require longer storage.
Buyer account and authentication
Anyone who creates an on:Tickets account or purchases tickets must provide at least the following data: E-mail address, first name and surname, telephone number if applicable, additional information required for event participation when purchasing tickets (e.g. address, additional guest data for personalized tickets).
Registration procedure:
- Magic Link - Registration via a one-time login link that is sent to the e-mail address provided. Tokens (hashed) and the time of sending are saved.
- Microsoft Entra SSO (optional) - single sign-on via Microsoft accounts of organizer organizations; name, e-mail, tenant ID are processed.
- Multi-factor authentication (TOTP) - when activated, an encrypted TOTP secret is stored in the account.
Purpose: secure authentication and protection of the account against unauthorized access. Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment) and Art. 6 para. 1 lit. f GDPR (account security).
Ticket purchase and organizer transfer
When a ticket is purchased, we process the following data to process the contract: order data (event, ticket category, number, price, service fee), buyer data (name, email, address if applicable, telephone number), guest data for each ticket in the case of personalized tickets and payment data (see section "Payment processing").
Transmission to the organizer: In order for the organizer to fulfill the ticket purchase contract (in particular admission, communication about the event, any refunds), we transmit the buyer and guest data to the respective organizer. From receipt of the data, the organizer is a data controller under data protection law.
Legal basis: Art. 6 para. 1 lit. b GDPR. Storage period: for the duration of the contractual relationship and for the subsequent retention period under commercial and tax law (regularly 10 years).
Payment processing
Payments are processed by external payment service providers. The data required for payment processing (e.g. cardholder, card number, IBAN, payment amount) is transmitted directly to the respective payment service provider and processed there. on:Tickets generally only receives a confirmation of the status of the payment and a pseudonymized transaction ID.
Payment service providers used: Stripe Payments Europe, Ltd, Dublin, Ireland (credit card, SEPA, Apple Pay, Google Pay, Stripe Connect - payment to event organizers); PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg (payment via PayPal).
When paying by invoice, prepayment or SEPA direct debit (B2B / collective invoices), contact details and bank details are processed for invoicing and posting.
Legal basis: Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. c GDPR (statutory record-keeping obligations).
E-mail dispatch (tickets, notifications, transaction e-mails)
We send transactional emails (order confirmations, tickets, Magic Link logins, refund confirmations, notices from the organizer, etc.) as part of the platform operation.
These e-mails are sent primarily via Microsoft Azure Communication Services (ACS Email), alternatively via Microsoft Graph API. Provider: Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
Dispatch status (recipient, sender, timestamp, status, message ID) is logged in our system to diagnose delivery problems. Legal basis: Art. 6 para. 1 lit. b GDPR.
Hosting, CDN and bot protection
Hosting: Our application is hosted on servers in the European Union (Germany).
CDN / Proxy: We use Cloudflare as a reverse proxy and content delivery network in front of our servers. Provider: Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich, Germany, and Cloudflare Inc, USA. Cloudflare processes the IP address, technical request data and headers for each access. Processing takes place on the basis of a DPA; for transfers to the USA, there are EU standard contractual clauses and additional protective measures.
Image storage: Images uploaded by the organizer (event headers, logos, galleries) are stored in Cloudflare R2 (S3-compatible object storage). The provider is also Cloudflare.
Bot protection / Captcha: We use Cloudflare Turnstile at security-critical points (login, registration). Turnstile checks technical signals from the browser to detect bots. No visible captchas are displayed and, as a rule, no cookies are set.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in IT security and platform stability).
Error Monitoring and Performance Tracking (Sentry)
To ensure the stable and error-free operation of this platform, we use the service Sentry for error monitoring and performance tracking.
Provider: Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. European representative: Sentry Software Netherlands B.V., Keizersgracht 391A, 1016 EJ Amsterdam, Netherlands.
Data processed:
- Anonymized IP address (last octet set to '0' before transmission)
- Requested URL, HTTP method and status code
- Error message, stack trace and affected component
- Browser and operating system information, device type
- Anonymized session information (error rate per software version)
- Server-side: performance data of affected functions (without personal data)
If you voluntarily submit an error report via the 'Report Error' button on an error page, the information you enter (error description and optionally name and email address) will also be transmitted.
Purpose: Detection, analysis and resolution of technical errors; ensuring the stability, security and performance of the platform.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest consists in maintaining a technically stable, secure and functional service. IP anonymization prior to transmission ensures that no direct identification of users is possible.
Data transfer: Processing via the European Sentry endpoint; storage in Germany and the USA based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR has been concluded with Sentry.
Retention period: Error events are stored for 90 days and then automatically deleted.
Right to object: You may object to the processing pursuant to Art. 21 GDPR by contacting: [email protected]. You can also prevent transmission by disabling JavaScript in your browser.
Further information: sentry.io/privacy
Web analytics - Google Tag Manager / Google Analytics
If you have given your consent, we use Google Tag Manager and Google Analytics from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to analyze platform usage.
Cookies and similar technologies are used to process the following information, among other things: anonymized IP address, device and browser information, page views, length of visit, origin of access.
Legal basis: Art. 6 para. 1 lit. a GDPR (consent via cookie banner) in conjunction with § 25 para. 1 TDDDG. You can revoke your consent at any time via the "Cookie settings" link in the footer with effect for the future. When using Google services, data may be transferred to the USA. Google is certified in accordance with the EU-US Data Privacy Framework.
Cookies and similar technologies
We use cookies and similar technologies (e.g. local storage) in the following categories:
Technically necessary cookies (e.g. session cookie, CSRF token, theme selection) - legal basis: § 25 para. 2 no. 2 TDDDG and Art. 6 para. 1 lit. b/f GDPR. No consent required.
Analysis cookies (Google Analytics, see above) - only with consent. Marketing cookies - currently not in use; should they be added, they will only be set with prior consent.
You will find a detailed list and the option to revoke your consent in the cookie banner on your first visit and at any time via the "Cookie settings" link in the footer.
Recipients / processors at a glance
The following processors and recipients are involved in platform operation:
Stripe Payments Europe, Ltd (Ireland) - payment processing, payout to organizer (Connect) - Art. 6 para. 1 lit. b GDPR.
PayPal (Europe) S.à r.l. (Luxembourg) - Payment via PayPal - Art. 6 para. 1 lit. b GDPR.
Microsoft Ireland Operations Ltd (Azure ACS / Graph, Ireland) - Transactional e-mail dispatch - Art. 6 para. 1 lit. b GDPR.
Microsoft Ireland Operations Ltd (Entra ID, Ireland) - Optional SSO registration for organizers - Art. 6 para. 1 lit. b GDPR.
Cloudflare Germany GmbH / Cloudflare Inc. (DE / USA) - CDN, proxy, Turnstile bot protection - Art. 6 para. 1 lit. f GDPR.
Cloudflare (R2, EU) - Image storage (event images) - Art. 6 para. 1 lit. b/f GDPR.
Google Ireland Ltd (Tag Manager / Analytics, Ireland) - Web Analytics (only with consent) - Art. 6 para. 1 lit. a GDPR.
The respective organizer of the booked event (EU/EEA) - Own responsibility - Event implementation - Art. 6 para. 1 lit. b GDPR.
Hosting provider (Plesk / server in DE) - Technical provision - Art. 6 para. 1 lit. f GDPR.
If recipients are located in third countries, the transfer takes place on the basis of EU standard contractual clauses and supplementary protective measures or - where applicable - adequacy decisions (e.g. EU-US Data Privacy Framework).
Your rights as a data subject
You have the right at any time:
- to request information about the data stored about you (Art. 15 GDPR),
- to request the correction of incorrect data (Art. 16 GDPR),
- to request the deletion of your data, provided that there are no legal storage obligations to the contrary (Art. 17 GDPR),
- to request the restriction of processing (Art. 18 GDPR),
- to request the transfer of your data in a structured format (Art. 20 GDPR),
- to object to processing on grounds relating to your particular situation (Art. 21 GDPR),
- to withdraw your consent at any time with effect for the future (Art. 7 para. 3 GDPR),
- to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).
The Hamburg Commissioner for Data Protection and Freedom of Information is responsible for us. To exercise your rights, simply send an informal e-mail to [email protected].
Automated decisions / profiling
Automated decision-making within the meaning of Art. 22 GDPR does not take place at on:Tickets. We also do not create personality or scoring profiles.
Changes to this privacy policy
This privacy policy will be adapted as soon as there are changes to the processing or legal requirements. The current version is available at ontickets.de/legal/data-protection.