Privacy Policy

1. Data Controller

2. Scope and Purposes of Processing

• Ticket purchase fulfilment: first name, last name, email, phone, number of tickets.
• Payment processing and accounting (VAT invoices).
• Sending transactional messages (tickets, confirmations).
• Handling potential complaints.

3. Newsletter & Marketing

• The Controller may process personal data (in particular email address and name) for the purpose of sending the Newsletter and conducting direct marketing of its own services, products and events, including the Carats & Supercars / Marbella Experience series.
• The legal basis for such processing is: (i) the User's consent (Art. 6(1)(a) GDPR), given in particular during ticket purchase by checking the appropriate box, and (ii) the legitimate interest of the Controller (Art. 6(1)(f) GDPR) in direct marketing to persons who have entered into a contract with the Controller.
• The Newsletter may contain information about current and upcoming events, special offers, promotions and other marketing activities of the Controller.
• With the User's separate, explicit consent, the Controller may also send commercial information about products and services of its business partners. This consent is voluntary and is not a condition of purchasing a ticket or receiving the Newsletter.
• The User may withdraw marketing consents at any time by clicking the unsubscribe link in the email footer or by contacting the Controller. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
• Personal data processed for marketing purposes is retained until the relevant consents are withdrawn or an objection to direct marketing processing is raised, and thereafter for the limitation period for any related claims.

4. Legal Bases

• Art. 6(1)(b) GDPR - performance of a contract (ticket purchase).
• Art. 6(1)(c) GDPR - legal obligations (invoice issuance).
• Art. 6(1)(f) GDPR - legitimate interests (claims, event security).

5. Recipients of Data

• Payment service providers (Stripe) - payment processing.
• Email and delivery service providers (e.g. Resend).
• IT and hosting service providers (Firebase, Google Cloud).

6. Transfers Outside the EEA

Data may be transferred to third countries in connection with the use of cloud service providers, exclusively with appropriate safeguards in accordance with GDPR.

7. Retention Period

• Transactional and accounting data - for the period required by law (e.g. 5 years).
• Other data - for the period necessary to fulfil the purposes, or until claims are time-barred.

8. Individual Rights

• Access to data, rectification, erasure, restriction of processing, data portability.
• Right to object to processing - in cases provided for by law.
• Right to lodge a complaint with the supervisory authority (PUODO, ul. Stawki 2, 00-193 Warsaw, Poland).

9. Cookies

The Service may use necessary cookies for proper functioning and analytics. Users can manage cookies through their browser settings.

10. Security

We apply appropriate organisational and technical measures to protect data against unauthorised access, loss or destruction.

11. Policy Updates

This Privacy Policy may be updated. The current version is published on the Service.