GDPR & Data Protection

Last updated: 16 February 2026

Our Commitment

OurTicketGrid is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take the protection of personal data seriously at every level of our platform.

Data Roles

Event Organisers

Data Controller

As a merchant using OurTicketGrid, you are the data controller for your customers. You determine why and how their data is processed. You are responsible for having a lawful basis for processing, responding to data subject requests, and maintaining your own privacy policy.

OurTicketGrid

Data Processor

We process customer data on behalf of event organisers to facilitate ticket sales, check-in, and communications. We also act as a data controller for merchant account data and platform operations.

Data Processing Agreement

By using OurTicketGrid as a merchant, a Data Processing Agreement (DPA) is in effect between you (controller) and us (processor). Key terms:

We only process customer data as instructed by the merchant and as necessary to provide the service
We implement appropriate technical and organisational security measures
We do not transfer data outside the UK/EEA without adequate safeguards
We assist merchants in fulfilling data subject access requests
We notify merchants of any personal data breach without undue delay

Technical Measures

Encryption in transit: All data transmitted via HTTPS/TLS
Password security: bcrypt hashing with salt rounds
Payment data: Handled entirely by Stripe (PCI DSS Level 1). We never store card numbers.
Data isolation: Each merchant's data is siloed by merchant_id — merchants cannot access each other's customer data
Access controls: Role-based access, session-based authentication
Database security: PostgreSQL with parameterised queries (SQL injection prevention)

Data Subject Rights

Individuals whose data is processed through OurTicketGrid have the following rights under UK GDPR:

Right of Access

Request a copy of your personal data

Right to Rectification

Correct inaccurate personal data

Right to Erasure

Request deletion of your data

Right to Restrict

Limit how your data is processed

Right to Portability

Receive your data in a portable format

Right to Object

Object to certain types of processing

How to Exercise Your Rights

Ticket buyers: Contact the event organiser first, as they are the data controller. If you need further assistance, email privacy@ourticketgrid.com.

Merchants: You can export and delete customer data directly from your OurTicketGrid dashboard. For account-level requests, email privacy@ourticketgrid.com.

We respond to all data subject requests within 30 days.

Data Breach Procedure

In the event of a personal data breach:

We will assess the breach and its severity immediately
Affected merchants will be notified without undue delay (within 72 hours)
If required, the ICO will be notified within 72 hours
Affected data subjects will be notified if there is a high risk to their rights and freedoms

Contact Our Data Protection Team

Email: privacy@ourticketgrid.com

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).