Last Updated: April 18, 2025
At XTIX, we respect your privacy and are committed to protecting your personal data. This policy explains how we collect, use, and share your information when you use our platform for event organization or ticket purchasing. We only collect necessary data, use it to provide and improve our services, and share it with trusted partners under strict confidentiality. You have rights to access, correct, or delete your data, and we take strong security measures to keep it safe.
This Privacy Policy (the "Policy") describes how XTIX ("we," "us," "our," or the "Platform") collects, uses, and shares the personal information of users who interact with our websites, mobile applications, widgets, and related services (collectively, the "Services"). By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Policy.
Our mission is to provide a secure and user-friendly platform for event organization, ticket distribution, and related services. We take your privacy seriously and strive to handle your personal data responsibly, in accordance with applicable data protection laws.
Please note that XTIX acts primarily as a data processor with respect to personal data collected on behalf of Event Organizers. The Event Organizer is the data controller and determines which data is collected and how it is used in relation to each specific event. XTIX only processes this data to deliver technical services in accordance with the Organizer’s instructions.
This Privacy Policy (“Policy”) applies to personal data collected by XTIX (the “Platform”) in connection with your use of our websites, mobile applications, widgets, and related services (collectively, the “Services”). XTIX serves as a technical environment where:
XTIX does not participate in the negotiation or formation of contracts between Event Organizers and Ticket Buyers. Instead, the Platform provides a transactional interface through which organizers and buyers connect, and any resulting agreement or sale of tickets occurs directly between the two parties. Organizers bear responsibility for the terms and conditions of their events, and buyers enter into the purchase agreement with the organizer, not with XTIX.
By using our Services, you acknowledge that XTIX is not a contracting party to any transaction between Event Organizers and Ticket Buyers and that XTIX’s role is limited to providing the tools and technology necessary for facilitating such transactions. Please review organizers’ event pages and any contractual terms they provide, as those govern your relationship with the Event Organizer.
Account and Profile Information
Contact Information
We may collect your email address, phone number, and, in some cases, mailing address, if you provide them during account setup, ticket purchase, or other interactions with the Platform.
Payment Details
We do not store or process credit card numbers, billing addresses, or other financial information on our servers. Payment processing is handled through third-party providers (e.g., Stripe, Airwallex, Xendit). We only receive transaction status (e.g., successful, canceled).
Event Details
If you are an Event Organizer, we collect information about your event (e.g., venue, schedule). If you are a Ticket Buyer, the information required for ticketing and registration—typically name, phone number, and email address—may vary based on the Event Organizer’s specific needs.
Organizer-Defined Fields: Please note that the Event Organizer determines which data fields are required on tickets or registration forms. Typically, this includes your name, phone number, and email address for ticket issuance and communication. However, Organizers may request additional information relevant to their event, such as T-shirt size, dietary preferences, emergency contact details, accessibility needs, professional affiliations, government-issued identification documents, photographs, or social media profile links.
XTIX does not control, review, or dictate the content of these additional fields. If you have concerns about a specific field or the nature of the data requested, please carefully review the event’s description or contact the Event Organizer directly for clarification.
Support Requests
If you contact us for support (e.g., via email or a help desk form), we will collect any information you include in your request so we can properly address your question or issue.
IP Address and Device Information: We collect your IP address, operating system, browser type, device identifiers, and other technical details to ensure the security and proper functioning of our Services.
Usage Data: We track interactions on our websites, widgets, or apps, such as pages viewed, time spent, and navigation patterns, using analytics tools like Google Analytics, Yandex.Metrika, and others.
We use various types of cookies and similar technologies:
For users in regions with specific legal requirements (e.g., GDPR in the EU), we provide a cookie consent banner where you can manage your preferences. Outside of those regions, cookies can be managed through browser settings.
In addition to using cookies for personalized marketing, we may also use your contact details (such as your email address) to send relevant event recommendations and promotional content based on your activity on the Platform. These communications are part of our service offering and can be opted out of at any time.
For more detailed information about our use of cookies, including how to opt out, please see our Cookie Policy.
We use personal data for the following purposes:
We may use your email address and other contact details to send you promotional communications about other events or features available on the XTIX platform, based on our legitimate interest in improving our services and user engagement. You can opt out of such communications at any time by clicking the "unsubscribe" link in the message or contacting us at support@xtix.ai.
Where required by law (e.g., GDPR), we rely on specific legal grounds to process personal data, which include:
We do not sell personal data to third parties. However, we may share your data under the following circumstances:
We engage third parties to support our operations, including:
These Service Providers are contractually obligated to protect your data and use it solely for the purposes specified by XTIX, in accordance with our instructions and applicable data protection laws.
Event Organizers and Data Handling:
When you register for or purchase a ticket to an event through the XTIX Platform, your personal data—such as your name, email address, and any other fields requested by the Organizer—is collected and stored on XTIX systems. This information is made available to the respective Event Organizer via our platform tools.
The Organizer acts as the primary data controller, determining which data fields are collected and for what purposes. XTIX acts as a technical facilitator of the data collection and transmission process, and in some contexts may act as a joint controller for the purposes of data hosting, security, and regulatory compliance.
XTIX stores this data on behalf of Organizers and applies appropriate technical and organizational measures to ensure its protection in accordance with applicable data protection laws. However, XTIX does not determine the purposes or means of processing once the data is accessed or exported by the Organizer.
XTIX is not responsible for the Organizer’s handling of your personal data once it has been accessed or exported through the Platform. If you have concerns about how a specific Organizer uses your data, please refer to their privacy policy or contact them directly.
Certain data—such as your name or phone number—may be collected by the Organizer for specific purposes, including marketing. If such data is not necessary for the ticketing transaction, you will be given the option to opt out or refuse to provide it. XTIX encourages Organizers to only request data that is strictly necessary and lawful for their event management purposes.
We may disclose personal data if required by law, legal process, or governmental request.
In connection with a merger, acquisition, or asset sale, user data may be transferred to the acquiring entity, subject to appropriate confidentiality safeguards.
Currently, our servers are located in Indonesia, and we do not routinely transfer personal data to other countries. Should it become necessary to transfer data across borders, we will implement appropriate safeguards in accordance with applicable laws, which may include:
We are committed to ensuring that any international transfer of your personal data is conducted in a manner that provides adequate protection, such as through the use of Standard Contractual Clauses or adherence to recognized international data protection frameworks (e.g., the EU-US Data Privacy Framework, where applicable).
We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy. Specific retention periods include:
· Account Information: Personal data associated with active accounts is retained until the user requests deletion or account termination. Inactive accounts may be deleted after 24 months of inactivity.
· Transaction Records: Information related to ticket purchases or financial transactions is retained for 7 years to comply with tax, accounting, and legal requirements.
· Marketing Data: If you've opted into marketing communications, we retain this data until you unsubscribe or request deletion.
· Usage Data: Anonymized usage data may be retained indefinitely for analytical purposes.
Upon receiving a verified request to delete or anonymize data, we will act within 30 days, provided such deletion does not conflict with lawful obligations, such as tax, accounting, or other record-keeping requirements mandated by applicable laws.
Depending on your jurisdiction, you may have rights regarding your personal data:
· Access and Portability: Request a copy of personal data we hold about you in a machine-readable format.
· Rectification: Request corrections to inaccurate or incomplete data.
· Deletion: Request deletion of personal data where legally applicable.
· Restriction or Objection: Ask us to limit or stop certain types of processing.
· Consent Withdrawal: If you previously gave consent, you can withdraw it at any time by emailing support@xtix.ai with 'Withdraw Consent' in the subject line. Withdrawing consent will not affect the lawfulness of processing that occurred before the withdrawal.
You have the right to opt out of marketing communications from XTIX at any time by using the “unsubscribe” link included in our emails or by contacting us. This does not affect transactional or event-related messages (e.g., ticket confirmations, reminders).
To exercise these rights, please:
We will respond to all legitimate requests within 30 days. In some cases, we may require additional information to verify your identity before fulfilling your request.
We employ a variety of security measures to protect your data:
· Encryption: All passwords are stored using bcrypt with salt, and sensitive data is encrypted at rest using AES-256 encryption. Communications between your device and our servers are secured using SSL/TLS encryption. Additionally, we adhere to industry-standard security practices and regularly review our systems to maintain a high level of data protection.
· Access Controls: Role-based access control (RBAC) and API keys restrict unauthorized data access. Only authorized personnel have access to personal data.
· Regular Security Audits: We conduct internal and external reviews of our systems and processes to identify and address potential vulnerabilities.
· Employee Training: Our team members receive regular training on data protection and security practices.
· Incident Response Plan: We maintain procedures to handle potential data breaches promptly and effectively.
In the event of a data breach or suspected security incident:
· Investigation: We will promptly assess the scope of the breach, identifying compromised data or system vulnerabilities within 24 hours of discovery.
· Containment and Remediation: We will isolate affected systems, reset credentials if necessary, and reinforce security barriers to prevent further unauthorized access.
· Notification: If legally required (e.g., under GDPR’s 72-hour rule for EU residents or Indonesia’s data protection laws), we will notify the appropriate regulatory authorities, such as Indonesia’s data protection authority or the Information Commissioner’s Office (ICO) for UK users.
We will also inform affected users without undue delay, providing clear information about:
· Follow-Up: We document all incidents, conduct post-breach reviews, and improve our security posture to prevent future occurrences.
Our Platform is not intended for independent use by anyone under the age of 18. Subject to Section 6.2 of our Terms of Use, if you are under 18 but at least 13 years of age, you may use the Platform only with the involvement and consent of a parent or legal guardian who agrees to be bound by these Terms. “Involvement” means that the parent or guardian:
We do not knowingly collect data from users under 13. If we discover that a child under 13 has registered or provided personal information without parental consent, we will promptly delete such information. While we do not actively verify age beyond self-reported information, we encourage parents and guardians to monitor their children’s online activities and contact us if they believe their child has provided data without consent.
If you are a parent or guardian and believe that your child has improperly provided us with personal information, please contact us at support@xtix.ai and we will promptly take appropriate action.
Our Services may contain links or integrations to third-party websites and services including:
Please note that we are not responsible for the privacy practices or content of these sites. We encourage you to review the privacy policies of any third-party services you access through our platform.
We may update or modify this Policy at our discretion. When we do, we will:
Your continued use of our Services after we post an updated version signifies your acceptance of the changes. We recommend checking this Policy periodically to stay informed about our data practices.
If you have any questions or concerns about this Policy, or if you wish to exercise your data protection rights, please contact us:
If you are a resident of the EEA, Switzerland, or the UK, the following additional provisions apply:
· Data Controller: XTIX is the data controller for personal data collected through our Services.
· Supervisory Authority: You have the right to lodge a complaint with your local data protection authority if you are unsatisfied with our response to your concerns.
· Data Transfer Mechanisms: For any transfers of data outside the EEA, Switzerland, or the UK, we implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:
For more information or to exercise these rights, please contact us using the details in Section 15.
Additional region-specific supplements may be provided based on the locations from which we serve users.
If you reside in a jurisdiction with specific data protection laws (e.g., Brazil’s LGPD or Canada’s PIPEDA), additional rights or provisions may apply. Please contact us at support@xtix.ai for more information about your rights under your local laws.
For most transactions involving events, the Event Organizer is the data controller, and XTIX acts as a data processor providing technical infrastructure and services. If you want to understand how your personal data is processed for a specific event, please contact the respective Organizer, as they are responsible for managing and determining the scope of data processing.