Privacy Statement
Last updated: 16 May 2026
1. Who we are
Zoticket is operated by Mennovation B.V., trading as Zoticket, with its registered office at Graaf Janlaan 73, 3708 GK Zeist, the Netherlands, Chamber of Commerce number 67231268 ("Zoticket", "we", "us" or "our").
You can contact us about privacy through the support form on the Zoticket website.
2. What this statement covers
This Privacy Statement explains how Zoticket handles personal data when organisers use Zoticket to create and manage events, sell tickets, issue tickets, validate access and receive support. It also explains how Zoticket handles personal data of website visitors and people who contact us.
Zoticket is a ticketing software provider. In the normal ticket sale flow, the event organiser decides which event is offered, which ticket types are sold, which attendee information is needed, who may enter the event, how refunds are handled and how attendee data is used for the event. For that event-specific processing, the organiser is the controller and Zoticket acts as processor on behalf of the organiser.
If you buy a ticket for an event, the organiser is responsible for telling you how it uses your personal data for that event. The organiser may provide its own privacy statement, for example on the event page, during checkout or through its own website.
3. Roles under data protection law
Zoticket as processor for organisers
For personal data of ticket buyers, ticket holders, attendees, invitees, guest-list members and scan records processed through the Zoticket service for an organiser, Zoticket generally acts as processor. This means that Zoticket processes this data on behalf of the organiser and in accordance with the organiser's instructions, as reflected in the Zoticket service settings, the agreement with the organiser, the Zoticket Terms and Conditions and any applicable data processing terms.
The organiser is responsible for choosing the lawful basis for processing, providing privacy information to attendees, handling event-specific communications, deciding which additional questions to ask, obtaining marketing consent where required, responding to data subject requests, and making sure it has the right to use the data in Zoticket.
Zoticket as controller for its own business and platform operations
Zoticket acts as an independent controller for personal data that it processes for its own business and platform purposes, such as organiser account administration, contracts, billing, service support, website operation, service security, fraud and misuse prevention, compliance with legal obligations, and limited product improvement. Zoticket does not use organiser attendee data to market Zoticket or unrelated events to ticket buyers.
Stripe and payments
Payments are processed through Stripe. Stripe may process personal data as a payment service provider, regulated financial service provider, processor or independent controller depending on the payment flow and applicable Stripe terms. Stripe may use data for payment processing, fraud prevention, dispute handling, compliance, identity verification, reporting and other payment-related purposes under its own privacy documentation.
4. Personal data processed through Zoticket
The exact data depends on how an organiser configures an event and how you use Zoticket. The main categories are:
| Category | Examples | Role usually applicable |
|---|---|---|
| Organiser account data | Name, business name, email address, authentication data, role/team permissions, organisation details, Stripe connection status, support history. | Zoticket as controller. |
| Event configuration data | Event name, location, date/time, ticket types, ticket prices, capacity, refund policy, public event page content, organiser contact information. | Organiser as controller; Zoticket as processor where it hosts and processes the event data for the organiser. Zoticket may also process limited configuration data as controller for account administration, security and service operation. |
| Buyer, attendee and order data | Buyer name, email address, order number, tickets purchased, ticket type, price, order status, refund status, confirmation and delivery records. | Organiser as controller; Zoticket as processor. |
| Ticket and scan data | QR/barcode identifier, ticket status, scan time, scan result, duplicate scan warnings, scanner account or device/session data where needed. | Organiser as controller; Zoticket as processor. Scanner account data may also be processed by Zoticket as controller for account and security purposes. |
| Payment data | Payment method type, payment status, transaction IDs, amount, currency, refunds, chargebacks/disputes and limited payment metadata. Zoticket should not store full card numbers. | Stripe according to its own role; organiser and/or Zoticket depending on the payment flow and records required. |
| Support and communications | Messages, email address, attachments, notes and issue history when an organiser, buyer or other person contacts Zoticket. | Zoticket as controller for operating support; Zoticket as processor where the request concerns event-specific attendee data. |
| Technical and security data | IP address, device/browser data, log-in events, timestamps, error logs, security logs, cookie identifiers and similar technical information. | Zoticket as controller for security, diagnostics and service operation; Zoticket as processor where logs are strictly tied to organiser event processing. |
| Marketing preference data | Newsletter consent, opt-in/opt-out status and campaign engagement if Zoticket marketing is enabled. | Zoticket as controller for its own marketing to organisers, prospects or other contacts. Zoticket does not use organiser attendee data for Zoticket marketing. |
| Organiser-provided custom data | Guest lists, custom checkout questions or other information an organiser chooses to collect. | Organiser as controller; Zoticket as processor. Organisers should not collect unnecessary or sensitive data through Zoticket unless they have a valid legal basis and have informed attendees properly. |
5. Purposes and legal bases
When Zoticket acts as processor for an organiser
For buyer, attendee, ticket, order, guest-list and event-specific scan data, the organiser determines the purposes and legal bases. Zoticket processes this data to provide the service requested by the organiser, for example to host event pages, run checkout, issue and deliver tickets, provide organiser dashboards, facilitate refunds, validate QR codes, prevent duplicate entry, provide operational support and maintain service security.
When Zoticket acts as controller
| Purpose | Examples | Legal basis |
|---|---|---|
| Provide organiser accounts and the Zoticket service | Create accounts, authenticate users, manage roles, publish event pages and make the organiser portal and scanner available. | Performance of a contract; legitimate interests in operating the service. |
| Billing, finance and business administration | Invoices, transaction records, payout-related administration, accounting records and contract management. | Performance of a contract; legal obligations; legitimate interests. |
| Support and service communications | Answer questions, investigate issues, send operational notifications and notify users about service or security incidents. | Performance of a contract; legitimate interests. |
| Security, fraud prevention and misuse prevention | Protect accounts, investigate suspicious use, enforce terms, prevent fake tickets, unauthorised access or abuse of the platform. | Legitimate interests; legal obligations where applicable. |
| Legal compliance and dispute handling | Respond to lawful requests, keep required records, handle complaints, claims, chargebacks or disputes. | Legal obligations; legitimate interests. |
| Product improvement | Debug errors, monitor performance and improve checkout, scanning and organiser workflows, using aggregated or minimised data where practical. | Legitimate interests. |
| Zoticket marketing | Send product updates or newsletters to organisers, prospects or other contacts where allowed. | Consent where required; legitimate interests for limited B2B communications where allowed. Recipients can opt out. |
| Website and cookie operation | Provide the website, remember necessary settings, maintain security and prevent abuse. | Legitimate interests; consent where required for non-essential cookies. |
6. Sharing personal data and subprocessors
When Zoticket acts as processor, we make personal data available to the organiser and its authorised team members as needed to run the event, manage orders, provide entry validation, handle refunds and provide support. The organiser decides who it authorises to access the data.
Zoticket may use subprocessors and service providers to operate the service. These may include hosting, database, email delivery, monitoring, customer support, analytics, security, payment, accounting and professional service providers. Where required, Zoticket enters into data protection terms with subprocessors and remains responsible for their processing under the applicable processor terms.
We may also share data with public authorities, regulators, courts or law enforcement where we are legally required to do so or where this is necessary to protect rights, safety, security or prevent fraud.
Zoticket does not sell buyer or attendee personal data. Zoticket does not use organiser attendee data to send Zoticket marketing or marketing for unrelated events.
7. International transfers
Zoticket aims to use EU/EEA-based infrastructure where practical. Some providers, including Stripe and other service providers, may process personal data in countries outside the EEA. Where this happens, Zoticket relies on appropriate safeguards such as adequacy decisions, standard contractual clauses, data processing terms and technical or organisational protection measures where required.
8. Cookies and similar technologies
Zoticket uses cookies and similar technologies that are necessary to provide the website, login, organiser portal, checkout, security and scanner functionality. If Zoticket introduces non-essential analytics, advertising or marketing cookies, Zoticket will provide cookie details and request consent where required.
9. How long data is kept
When Zoticket acts as processor, event, order, ticket, attendee, guest-list and scan data are kept according to the organiser's instructions, the Zoticket service settings and applicable processor terms. At the end of the service, Zoticket will delete or return personal data as required by the applicable agreement, unless continued retention is required by law, payment processing, security, backup rotation or dispute handling.
When Zoticket acts as controller, we use the following default retention approach:
| Data type | Default retention approach |
|---|---|
| Organiser account data | For as long as the account is active and then for a reasonable period after closure, unless longer retention is needed for legal, tax, dispute, security or backup reasons. |
| Financial, contract and administration records | For as long as required for accounting, tax and legal purposes. Dutch tax administration records may need to be retained for 7 years. |
| Support records | For as long as needed to handle the issue and maintain a reasonable service history, normally up to 24 months after the last contact, unless longer retention is necessary for a legal, security or dispute reason. |
| Technical and security logs | For the period needed for security, diagnostics and abuse prevention, normally up to 180 days depending on the log type, unless an incident requires longer retention. |
| Marketing preferences | Until the person unsubscribes or the data is no longer needed to prove consent or suppression status. |
| Backups | Deleted data may remain in backups for a limited period until backup rotation, subject to access restrictions. |
10. Security
Zoticket uses technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse or alteration. Measures may include encrypted transport, access controls, role-based permissions, logging, secure authentication, provider due diligence and backups.
Organisers and scan staff must keep account credentials secure, use appropriate devices and promptly report suspected unauthorised access. No internet service is completely risk-free.
11. Your rights
If your request concerns ticket, attendee, order, guest-list or event-specific data, the organiser is usually the controller. You should normally contact the organiser first. If you contact Zoticket through the support form, we may forward your request to the organiser or assist the organiser in responding to your request.
If your request concerns personal data for which Zoticket is controller, such as your organiser account, Zoticket support history, website use or Zoticket marketing preferences, you can contact us through the support form on the Zoticket website. Depending on your situation and the legal basis for processing, you may have the right to request access, correction, deletion, restriction, portability or objection to processing. Where processing is based on consent, you may withdraw consent at any time without affecting earlier lawful processing. We may need to verify your identity before responding.
12. Data Protection Officer and EU representative
Mennovation B.V. has not appointed a Data Protection Officer. Based on Zoticket's current activities, Mennovation B.V. is not a public authority, does not have core activities consisting of large-scale regular and systematic monitoring, and does not have core activities consisting of large-scale processing of special category or criminal offence data. If this changes, we will review whether a Data Protection Officer is required.
Because Mennovation B.V. is established in the Netherlands, no EU representative is required.
13. Complaints
You can contact us first through the support form on the Zoticket website. You also have the right to lodge a complaint with your local supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens.
14. Children
Zoticket organiser accounts are not intended for children. If an organiser sells tickets for events involving children or collects data about children, the organiser is responsible for the appropriate legal basis, parental involvement where required, event-specific age limits and admission rules. Zoticket processes such data on behalf of the organiser where it is entered into the service.
15. Changes to this Privacy Statement
We may update this Privacy Statement when Zoticket changes, when our providers or legal obligations change, or when we improve the text. The latest version will be published on the Zoticket website with its effective date.