language
Version: 3.0
Effective Date: 2026-06-05
This Privacy Policy describes how XTIX collects, uses, and shares personal information of users interacting with our websites (https://xtix.ai and https://xtix.live), mobile applications, widgets, and related services (collectively, the “Services”). By accessing or using these Services, you acknowledge agreement to the practices described.
XTIX’s mission is providing a secure platform for event organization and ticket distribution. The company acts primarily as a data processor with respect to personal data collected on behalf of Event Organizers, who serve as data controllers determining which data is collected and how it’s used.
This Policy applies to personal data collected through XTIX’s websites, including:
as well as our mobile applications, widgets, and related services.
The Platform serves three user types:
XTIX does not participate in the negotiation or formation of contracts between Event Organizers and Ticket Buyers. The Platform provides a transactional interface where organizers and buyers connect directly. Any resulting agreement occurs between parties, not with XTIX.
Account and Profile Information
Business users provide company name, contact person details, email, and legal information. Individual users provide email addresses and optional information during account setup.
Contact Information
Email addresses, phone numbers, and mailing addresses collected during account setup, ticket purchase, or other Platform interactions.
Payment Details
XTIX does not store credit card numbers, billing addresses, or financial information on its servers. Third-party providers (Stripe, Unlimit, Airwallex, Xendit) handle payment processing. Only transaction status information is received.
Event Details
Event Organizers provide venue and schedule information. Ticket Buyers provide information required for ticketing — typically name, phone number, and email address — varying based on Organizer needs.
Organizer-Defined Fields
The Event Organizer determines which data fields are required on tickets or registration forms. While typically name, phone, and email are collected, Organizers may request additional information including T-shirt size, dietary preferences, emergency contacts, accessibility needs, professional affiliations, government-issued identification, photographs, or social media links.
XTIX does not control, review, or dictate the content of these additional fields.
Support Requests
Information included in support requests is collected to address questions or issues appropriately.
IP Address and Device Information
IP addresses, operating systems, browser types, device identifiers, and technical details are collected to ensure security and proper Service functioning.
Usage Data
Interactions tracked include pages viewed, time spent, and navigation patterns. We use the following analytics and tracking tools:
Event Interaction Data (xtix.live)
On https://xtix.live, we collect event-level interaction data to understand how Fans discover and purchase tickets. This includes:
This data may include non-personally-identifiable information such as event ID, ticket type, and transaction value. It is collected through GA4 and may be shared with advertising platforms (such as Meta) for ad measurement purposes, subject to your cookie consent preferences.
Essential Cookies: Required for Platform functionality (session cookies, CSRF protection, cookie consent preferences)
Analytics Cookies: Gather usage statistics and improve performance (Google Analytics 4)
Marketing Cookies: Used by advertising platforms for ad targeting and measurement:
Cookie Consent: On https://xtix.live, we use CookieYes as our cookie consent management platform to allow you to manage your cookie preferences in compliance with applicable data protection laws. For full details, see our Cookies Policy.
Contact details such as email addresses may be used to send relevant event recommendations and promotional content based on Platform activity. These communications can be opted out of anytime.
Email addresses and contact details may be used to send promotional communications about other events or features. Users can opt out of such communications at any time by clicking the “unsubscribe” link in the message or contacting us at support@xtix.ai.
Where required by law (GDPR), XTIX relies on specific legal grounds:
XTIX does not sell personal data to third parties but may share data in these circumstances:
Third parties supporting operations include:
- Payment processors (Stripe, Unlimit, Airwallex, Xendit)
- Analytics providers (Google Analytics 4)
- Tag management (Google Tag Manager)
- Advertising platforms (Meta/Facebook Pixel)
- Cookie consent management (CookieYes)
- Marketing services (Unisender, MailGun)
- CRM tools (Intercom, HubSpot)
- Scheduling tools (Calendly, Reclaim.ai)
Service Providers are contractually obligated to protect data and use it solely as specified by XTIX per applicable data protection laws.
When registering or purchasing event tickets, personal data such as name, email, and requested fields are collected and stored on XTIX systems, made available to respective Event Organizers.
The Organizer acts as primary data controller determining collected data fields and purposes. XTIX acts as technical facilitator of data collection/transmission and may act as joint controller for hosting, security, and regulatory compliance.
XTIX stores data on behalf of Organizers applying appropriate technical/organizational measures. However, XTIX does not determine the purposes or means of processing once the data is accessed or exported by the Organizer.
XTIX is not responsible for the Organizer’s handling of your personal data once it has been accessed or exported through the Platform.
Data such as names or phone numbers collected by Organizers for specific purposes — including marketing — may allow opt-out if not necessary for ticketing. XTIX encourages Organizers requesting only strictly necessary and lawful data.
Personal data may be disclosed if required by law, legal process, or governmental requests.
During mergers, acquisitions, or asset sales, user data may transfer to acquiring entities subject to appropriate confidentiality safeguards.
XTIX infrastructure and data are hosted in the European Union (Ireland). Payment processing for EU/UK transactions is handled by Stripe and Unlimit, both of which process data within the EEA.
For users in Indonesia, data may be processed locally through Xendit in accordance with Indonesian data protection laws.
Where cross-border data transfers occur, appropriate safeguards are implemented including:
Personal data is retained only as necessary for Policy-outlined purposes:
Account Information: Retained until user requests deletion or account termination. Inactive accounts may be deleted after 24 months of inactivity.
Transaction Records: Information related to purchases/transactions retained for 7 years for tax, accounting, and legal compliance.
Marketing Data: Retained until unsubscribe or deletion request if opted into marketing communications.
Usage Data: Anonymized usage data may be retained indefinitely for analytical purposes.
Upon receiving verified deletion/anonymization requests, XTIX acts within 30 days provided such deletion doesn’t conflict with lawful obligations like tax or record-keeping requirements.
Depending on jurisdiction, users may have rights regarding personal data:
Access and Portability: Request a copy of personal data we hold about you in a machine-readable format.
Rectification: Request corrections to inaccurate or incomplete data.
Deletion: Request deletion of personal data where legally applicable.
Restriction or Objection: Ask to limit or stop certain processing types.
Consent Withdrawal: If you previously gave consent, you can withdraw it at any time by emailing support@xtix.ai with “Withdraw Consent” in the subject line.
Cookie Preferences: You can manage your cookie preferences at any time through the CookieYes consent tool available on both https://xtix.ai and https://xtix.live, or through your browser settings.
Users have rights to opt out of marketing communications anytime using unsubscribe links or contacting the company. This doesn’t affect transactional or event-related messages.
To exercise rights: 1. Contact support team at support@xtix.ai 2. Provide sufficient identification information 3. Clearly specify relevant information or processing
XTIX responds to legitimate requests within 30 days, sometimes requiring additional identity verification information.
XTIX employs various security measures:
Encryption: All passwords are stored using bcrypt with salt, and sensitive data is encrypted at rest using AES-256 encryption. Communications between devices and servers use SSL/TLS encryption.
Access Controls: Role-based access control (RBAC) and API keys restrict unauthorized access. Only authorized personnel access personal data.
Regular Security Audits: Internal and external system/process reviews identify and address potential vulnerabilities.
Employee Training: Team members receive regular data protection and security training.
Incident Response Plan: Procedures exist for handling data breaches promptly and effectively.
Upon data breach or security incident:
Investigation: We will promptly assess the scope of the breach, identifying compromised data or system vulnerabilities within 24 hours of discovery.
Containment and Remediation: Isolate affected systems, reset credentials if necessary, reinforce security barriers preventing further unauthorized access.
Notification: Where legally required (GDPR’s 72-hour rule for EU residents or Indonesia’s data protection laws), appropriate regulatory authorities are notified including Indonesia’s data protection authority or Information Commissioner’s Office (ICO) for UK users. Affected users are informed without undue delay with information about:
Follow-Up: All incidents are documented with post-breach reviews improving security posture preventing future occurrences.
The Platform is not intended for independent use by anyone under 18. Per Section 6.2 of Terms of Service, users 13-17 may use the Platform only with parent/legal guardian involvement and consent. “Involvement” means the parent/guardian:
XTIX doesn’t knowingly collect data from users under 13. If discovery occurs that a child under 13 registered or provided personal information without parental consent, such information is promptly deleted. While age verification beyond self-reported information doesn’t occur actively, parents/guardians are encouraged monitoring children’s online activities.
Parents/guardians believing their child improperly provided personal information should contact support@xtix.ai for prompt appropriate action.
Services may contain links/integrations to third-party websites including: - Google Maps for location services - Calendly and Reclaim.ai for scheduling - Intercom and HubSpot for customer support/relationship management - Social media platforms for sharing/integration
XTIX is not responsible for the privacy practices or content of these sites. Users are encouraged reviewing privacy policies of third-party services accessed through the Platform.
XTIX may update or modify the Policy. When doing so, the company will: - Revise “Last Updated” date - Post notice on website for significant changes - Send email notifications to registered users for material changes
Continued Service use after updated versions signifies acceptance of changes. Users are recommended checking the Policy periodically for informed data practice understanding.
For questions/concerns about the Policy or exercising data protection rights:
Email: support@xtix.ai
For EEA, Switzerland, or UK residents:
Data Controller: XTIX is the data controller only for personal data whose purposes and means it determines itself — namely platform account data, security and fraud-prevention data, and XTIX’s own analytics and marketing. For personal data relating to events and attendees, the Event Organizer is the data controller and XTIX acts as data processor (and, where applicable, joint controller solely for hosting, security, and regulatory compliance), as described in Sections 1, 6, and 16.4.
Supervisory Authority: Residents have rights lodging complaints with local data protection authorities if unsatisfied with company responses.
Data Transfer Mechanisms: For data transfers outside EEA, Switzerland, or UK, appropriate safeguards including European Commission-approved Standard Contractual Clauses are implemented.
California residents may have additional rights under California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:
For exercising these rights, contact the company using Section 15 details.
Additional region-specific supplements may be provided based on user service locations.
Residents in jurisdictions with specific data protection laws (Brazil’s LGPD, Canada’s PIPEDA) may have additional rights/provisions. Contact support@xtix.ai for local law rights information.
For most event-involving transactions, the Event Organizer is the data controller, and XTIX acts as a data processor. For understanding personal data processing for specific events, contact respective Organizers responsible for managing and determining processing scope.
END OF DOCUMENT