Privacy Policy

Last Updated: April 18, 2025

At XTIX, we respect your privacy and are committed to protecting your personal data. This policy explains how we collect, use, and share your information when you use our platform for event organization or ticket purchasing. We only collect necessary data, use it to provide and improve our services, and share it with trusted partners under strict confidentiality. You have rights to access, correct, or delete your data, and we take strong security measures to keep it safe.

1. Introduction

This Privacy Policy (the "Policy") describes how XTIX ("we," "us," "our," or the "Platform") collects, uses, and shares the personal information of users who interact with our websites, mobile applications, widgets, and related services (collectively, the "Services"). By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Policy.

Our mission is to provide a secure and user-friendly platform for event organization, ticket distribution, and related services. We take your privacy seriously and strive to handle your personal data responsibly, in accordance with applicable data protection laws.

Please note that XTIX acts primarily as a data processor with respect to personal data collected on behalf of Event Organizers. The Event Organizer is the data controller and determines which data is collected and how it is used in relation to each specific event. XTIX only processes this data to deliver technical services in accordance with the Organizer’s instructions.

2. Scope

This Privacy Policy (“Policy”) applies to personal data collected by XTIX (the “Platform”) in connection with your use of our websites, mobile applications, widgets, and related services (collectively, the “Services”). XTIX serves as a technical environment where:

  1. Event Organizers (Business Users) create and manage events, configure ticket details, and publish event information.

  2. Fans browse events, purchase tickets, and receive confirmation directly from the Event Organizers.

  3. Partners or Distributors (if applicable) may assist in marketing or distributing tickets, but they are separate entities operating under their own terms and responsibilities.

No Participation in Negotiations

XTIX does not participate in the negotiation or formation of contracts between Event Organizers and Ticket Buyers. Instead, the Platform provides a transactional interface through which organizers and buyers connect, and any resulting agreement or sale of tickets occurs directly between the two parties. Organizers bear responsibility for the terms and conditions of their events, and buyers enter into the purchase agreement with the organizer, not with XTIX.

Our Role as a Platform

  • We facilitate event listings, ticketing functionality, and secure payment processing via third-party payment providers.
  • We do not act as an agent or representative of the Event Organizer.
  • We do not determine or influence pricing, seat availability, or contractual obligations between organizers and buyers.

By using our Services, you acknowledge that XTIX is not a contracting party to any transaction between Event Organizers and Ticket Buyers and that XTIX’s role is limited to providing the tools and technology necessary for facilitating such transactions. Please review organizers’ event pages and any contractual terms they provide, as those govern your relationship with the Event Organizer.

3. Information We Collect

3.1. Information You Provide Directly

Account and Profile Information

  • For business users (Event Organizers): Company name, contact person’s name, email address, legal details, and any other information you provide in your company profile.

  • For individual users (Ticket Buyers): Email address (at a minimum) and any other optional information you choose to provide.

Contact Information
We may collect your email address, phone number, and, in some cases, mailing address, if you provide them during account setup, ticket purchase, or other interactions with the Platform.

Payment Details
We do not store or process credit card numbers, billing addresses, or other financial information on our servers. Payment processing is handled through third-party providers (e.g., Stripe, Airwallex, Xendit). We only receive transaction status (e.g., successful, canceled).

Event Details
If you are an Event Organizer, we collect information about your event (e.g., venue, schedule). If you are a Ticket Buyer, the information required for ticketing and registration—typically name, phone number, and email address—may vary based on the Event Organizer’s specific needs.

Organizer-Defined Fields: Please note that the Event Organizer determines which data fields are required on tickets or registration forms. Typically, this includes your name, phone number, and email address for ticket issuance and communication. However, Organizers may request additional information relevant to their event, such as T-shirt size, dietary preferences, emergency contact details, accessibility needs, professional affiliations, government-issued identification documents, photographs, or social media profile links.

XTIX does not control, review, or dictate the content of these additional fields. If you have concerns about a specific field or the nature of the data requested, please carefully review the event’s description or contact the Event Organizer directly for clarification.

Support Requests
If you contact us for support (e.g., via email or a help desk form), we will collect any information you include in your request so we can properly address your question or issue.

3.2. Information We Collect Automatically

IP Address and Device Information: We collect your IP address, operating system, browser type, device identifiers, and other technical details to ensure the security and proper functioning of our Services.

Usage Data: We track interactions on our websites, widgets, or apps, such as pages viewed, time spent, and navigation patterns, using analytics tools like Google Analytics, Yandex.Metrika, and others.

3.3. Cookies and Similar Technologies

We use various types of cookies and similar technologies:

  • Essential Cookies: Required for the Platform's functionality (e.g., session cookies).
  • Analytics Cookies: Used to gather usage statistics and improve performance (e.g., Google Analytics, Yandex.Metrika).
  • Marketing Cookies: Used by advertising and marketing platforms (e.g., Facebook Pixel, Google Tag Manager).

For users in regions with specific legal requirements (e.g., GDPR in the EU), we provide a cookie consent banner where you can manage your preferences. Outside of those regions, cookies can be managed through browser settings.

In addition to using cookies for personalized marketing, we may also use your contact details (such as your email address) to send relevant event recommendations and promotional content based on your activity on the Platform. These communications are part of our service offering and can be opted out of at any time.

For more detailed information about our use of cookies, including how to opt out, please see our Cookie Policy.

4. How We Use Your Information

We use personal data for the following purposes:

Service Delivery:

  • To create, manage, and maintain user accounts.
  • To process and confirm ticket purchases.
  • To facilitate event organization for business users.

Communication:

  • To send transactional emails (e.g., purchase confirmations, event updates).
  • To respond to your inquiries and provide customer support.
  • To send marketing communications if you have opted in.

Analytics and Improvements:

  • To understand how users interact with our Services.
  • To personalize user experience and enhance Platform functionality.

Compliance and Security:

  • To monitor, detect, and prevent potential fraud or unauthorized access.
  • To comply with legal obligations and respond to lawful requests.

We may use your email address and other contact details to send you promotional communications about other events or features available on the XTIX platform, based on our legitimate interest in improving our services and user engagement. You can opt out of such communications at any time by clicking the "unsubscribe" link in the message or contacting us at support@xtix.ai.

5. Legal Bases for Processing

Where required by law (e.g., GDPR), we rely on specific legal grounds to process personal data, which include:

  • Consent: Where users voluntarily submit their information or opt in to marketing communications.
  • Contract Performance: Where data processing is needed to perform a contract (e.g., ticket sale transaction).
  • Legitimate Interests: To maintain and improve our Services, ensure security, and develop new features.
  • Legal Obligations: To comply with applicable laws and regulations.

6. Sharing and Disclosure of Information

We do not sell personal data to third parties. However, we may share your data under the following circumstances:

Service Providers and Partners:

We engage third parties to support our operations, including:

  • Payment processors (Stripe, Airwallex, Xendit)
  • Analytics providers (Google Analytics, Yandex.Metrika)
  • Marketing services (Meta Pixel, Google Tag Manager, Unisender, MailGun)
  • Maps services (Google Maps, Yandex Maps)
  • Customer relationship management tools (Intercom, HubSpot)
  • Scheduling tools (Calendly, Reclaim.ai)

These Service Providers are contractually obligated to protect your data and use it solely for the purposes specified by XTIX, in accordance with our instructions and applicable data protection laws.

Event Organizers and Data Handling:

When you register for or purchase a ticket to an event through the XTIX Platform, your personal data—such as your name, email address, and any other fields requested by the Organizer—is collected and stored on XTIX systems. This information is made available to the respective Event Organizer via our platform tools.

The Organizer acts as the primary data controller, determining which data fields are collected and for what purposes. XTIX acts as a technical facilitator of the data collection and transmission process, and in some contexts may act as a joint controller for the purposes of data hosting, security, and regulatory compliance.

XTIX stores this data on behalf of Organizers and applies appropriate technical and organizational measures to ensure its protection in accordance with applicable data protection laws. However, XTIX does not determine the purposes or means of processing once the data is accessed or exported by the Organizer.

XTIX is not responsible for the Organizer’s handling of your personal data once it has been accessed or exported through the Platform. If you have concerns about how a specific Organizer uses your data, please refer to their privacy policy or contact them directly.

Certain data—such as your name or phone number—may be collected by the Organizer for specific purposes, including marketing. If such data is not necessary for the ticketing transaction, you will be given the option to opt out or refuse to provide it. XTIX encourages Organizers to only request data that is strictly necessary and lawful for their event management purposes.

Legal Compliance:

We may disclose personal data if required by law, legal process, or governmental request.

Business Transfers:

In connection with a merger, acquisition, or asset sale, user data may be transferred to the acquiring entity, subject to appropriate confidentiality safeguards.

7. International Data Transfers

Currently, our servers are located in Indonesia, and we do not routinely transfer personal data to other countries. Should it become necessary to transfer data across borders, we will implement appropriate safeguards in accordance with applicable laws, which may include:

  • Standard Contractual Clauses approved by relevant data protection authorities
  • Binding Corporate Rules
  • Data Processing Agreements with specific data protection provisions
  • Adherence to relevant international data protection frameworks

We are committed to ensuring that any international transfer of your personal data is conducted in a manner that provides adequate protection, such as through the use of Standard Contractual Clauses or adherence to recognized international data protection frameworks (e.g., the EU-US Data Privacy Framework, where applicable).

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy. Specific retention periods include:

·   Account Information: Personal data associated with active accounts is retained until the user requests deletion or account termination. Inactive accounts may be deleted after 24 months of inactivity.

·   Transaction Records: Information related to ticket purchases or financial transactions is retained for 7 years to comply with tax, accounting, and legal requirements.

·   Marketing Data: If you've opted into marketing communications, we retain this data until you unsubscribe or request deletion.

·   Usage Data: Anonymized usage data may be retained indefinitely for analytical purposes.

Upon receiving a verified request to delete or anonymize data, we will act within 30 days, provided such deletion does not conflict with lawful obligations, such as tax, accounting, or other record-keeping requirements mandated by applicable laws.

9. Your Rights and Choices

Depending on your jurisdiction, you may have rights regarding your personal data:

·   Access and Portability: Request a copy of personal data we hold about you in a machine-readable format.

·   Rectification: Request corrections to inaccurate or incomplete data.

·   Deletion: Request deletion of personal data where legally applicable.

·   Restriction or Objection: Ask us to limit or stop certain types of processing.

·   Consent Withdrawal: If you previously gave consent, you can withdraw it at any time by emailing support@xtix.ai with 'Withdraw Consent' in the subject line. Withdrawing consent will not affect the lawfulness of processing that occurred before the withdrawal.

You have the right to opt out of marketing communications from XTIX at any time by using the “unsubscribe” link included in our emails or by contacting us. This does not affect transactional or event-related messages (e.g., ticket confirmations, reminders).

To exercise these rights, please:

  1. Contact our support team at support@xtix.ai
  2. Provide sufficient information to identify yourself
  3. Clearly specify the information or processing to which your request relates

We will respond to all legitimate requests within 30 days. In some cases, we may require additional information to verify your identity before fulfilling your request.

10. Security Measures

We employ a variety of security measures to protect your data:

·   Encryption: All passwords are stored using bcrypt with salt, and sensitive data is encrypted at rest using AES-256 encryption. Communications between your device and our servers are secured using SSL/TLS encryption. Additionally, we adhere to industry-standard security practices and regularly review our systems to maintain a high level of data protection.

·   Access Controls: Role-based access control (RBAC) and API keys restrict unauthorized data access. Only authorized personnel have access to personal data.

·   Regular Security Audits: We conduct internal and external reviews of our systems and processes to identify and address potential vulnerabilities.

·   Employee Training: Our team members receive regular training on data protection and security practices.

·   Incident Response Plan: We maintain procedures to handle potential data breaches promptly and effectively.

11. Data Breach Response

In the event of a data breach or suspected security incident:

·   Investigation: We will promptly assess the scope of the breach, identifying compromised data or system vulnerabilities within 24 hours of discovery.

·   Containment and Remediation: We will isolate affected systems, reset credentials if necessary, and reinforce security barriers to prevent further unauthorized access.

·   Notification: If legally required (e.g., under GDPR’s 72-hour rule for EU residents or Indonesia’s data protection laws), we will notify the appropriate regulatory authorities, such as Indonesia’s data protection authority or the Information Commissioner’s Office (ICO) for UK users.

We will also inform affected users without undue delay, providing clear information about:

  • The nature of the breach
  • Categories of data affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact information for further inquiries

·   Follow-Up: We document all incidents, conduct post-breach reviews, and improve our security posture to prevent future occurrences.

12. Children and Age Restrictions

Our Platform is not intended for independent use by anyone under the age of 18. Subject to Section 6.2 of our Terms of Use, if you are under 18 but at least 13 years of age, you may use the Platform only with the involvement and consent of a parent or legal guardian who agrees to be bound by these Terms. “Involvement” means that the parent or guardian:

  1. Reviews and approves your registration;
  2. Controls your use of the Platform;
  3. Is responsible for your actions on the Platform.

We do not knowingly collect data from users under 13. If we discover that a child under 13 has registered or provided personal information without parental consent, we will promptly delete such information. While we do not actively verify age beyond self-reported information, we encourage parents and guardians to monitor their children’s online activities and contact us if they believe their child has provided data without consent.

If you are a parent or guardian and believe that your child has improperly provided us with personal information, please contact us at support@xtix.ai and we will promptly take appropriate action.

13. Links to Third-Party Websites

Our Services may contain links or integrations to third-party websites and services including:

  • Google Maps and Yandex Maps for location services
  • Calendly and Reclaim.ai for scheduling
  • Intercom and HubSpot for customer support and relationship management
  • Social media platforms for sharing and integration

Please note that we are not responsible for the privacy practices or content of these sites. We encourage you to review the privacy policies of any third-party services you access through our platform.

14. Changes to This Policy

We may update or modify this Policy at our discretion. When we do, we will:

  • Revise the "Last Updated" date at the top of this document
  • Post a notice on our website for significant changes
  • Send email notifications to registered users for material changes

Your continued use of our Services after we post an updated version signifies your acceptance of the changes. We recommend checking this Policy periodically to stay informed about our data practices.

15. Contact Us

If you have any questions or concerns about this Policy, or if you wish to exercise your data protection rights, please contact us:

  • Email: support@xtix.ai

16. Region-Specific Supplements

16.1 European Economic Area (EEA), Switzerland, and United Kingdom

If you are a resident of the EEA, Switzerland, or the UK, the following additional provisions apply:

·   Data Controller: XTIX is the data controller for personal data collected through our Services.

·   Supervisory Authority: You have the right to lodge a complaint with your local data protection authority if you are unsatisfied with our response to your concerns.

·   Data Transfer Mechanisms: For any transfers of data outside the EEA, Switzerland, or the UK, we implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.

16.2 California Residents

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

  • The right to know what personal information we collect about you
  • The right to request deletion of your personal information
  • The right to opt out of the sale or sharing of your personal information
  • The right to limit the use of sensitive personal information

For more information or to exercise these rights, please contact us using the details in Section 15.

16.3 Other Jurisdictions

Additional region-specific supplements may be provided based on the locations from which we serve users.

If you reside in a jurisdiction with specific data protection laws (e.g., Brazil’s LGPD or Canada’s PIPEDA), additional rights or provisions may apply. Please contact us at support@xtix.ai for more information about your rights under your local laws.

16.4 Data Controller vs. Processor Clarification (Global)

For most transactions involving events, the Event Organizer is the data controller, and XTIX acts as a data processor providing technical infrastructure and services. If you want to understand how your personal data is processed for a specific event, please contact the respective Organizer, as they are responsible for managing and determining the scope of data processing.