Privacy

PRIVACY POLICY

Second level privacy policy

Hellotickets

INDEX

1. Objective of the Privacy Policy

2. Definition of personal data

3. Identity of the Data Controller

4. Applicable laws and regulations

5. Principles applicable to the processing of personal data

6. Security measures

7. Purposes of processing

8. Legal basis for processing

9. Recipients of your data

10. Data processing activities carried out

11. Personal data of minors

12. Source and types of data processed

13. Rights of data subjects

14. Modification

1. Objective of the policy

At Hello Ticket, S.L (hereinafter, Hellotickets), we respect your privacy and protect your personal data. This policy details how we collect, use, and share your information in accordance with applicable data protection regulations, including the General Data Protection Regulation (GDPR).

This privacy policy applies to the website http://www.hellotickets.es. If you do not provide us with your personal data, no processing of your information will be carried out.

We will inform you about the purposes of the processing, the entities that may access your data, and your rights as the data subject. Some processing activities may be based on legal obligations, contracts, or legitimate interests, without requiring your explicit consent.

If the website uses cookies, we will clearly notify you in our Cookies Policy, where you can obtain more information about the use of cookies and how to manage your preferences.

This policy ensures transparency and is designed so that you can know and exercise your rights clearly.

2. Definition of personal data

Personal data: Personal data is understood as any information relating to an identified or identifiable natural person ("Website user"). An identifiable natural person is considered to be anyone whose identity can be determined, directly or indirectly, via identifiers such as a name, an identification number, location data, an online identifier, or through elements specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

3. Identity of the data controller

Who collects and processes your data?

The Data Controller is:

Hello Ticket, S.L NIF/DNI B87643680

How can you contact us?

Postal address and our offices: Tomás Bretón 52 (Coworking area). 28045, Madrid (Madrid), Spain
Registered office: Plaza Santa María de La Cabeza, 42 bis. 28045, Madrid (Madrid), Spain
Email: [email protected] - Phone: +34657 762 372

Who can help you with our Data Protection Policy?

We have a person or entity specialized in data protection, responsible for ensuring compliance with the legislation and regulations in force within our organization. This person is known as the Data Protection Officer, and if you need it, you can contact them as follows:

[email protected]

4. Applicable laws and regulations

This Privacy and Data Protection Policy is developed based on the following data protection regulations and laws:

Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Hereinafter GDPR.
Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights. Hereinafter LOPD/GDD.
Law 34/2002, of July 11, on Information Society Services and Electronic Commerce. Hereinafter LSSICE.

5. Principles applicable to the processing of personal data

At Hellotickets, we process personal data in accordance with the principles established in the current regulations, ensuring that the processing is:

Lawful, fair, and transparent: We provide clear and accessible information about how data is collected and used.
Limited to specific purposes: Data is collected for legitimate purposes and not used for other purposes.
Data minimization: We only request the strictly necessary data.
Accuracy: We keep data up-to-date and correct inaccuracies.
Storage limitation: Data is retained only for the time necessary for the indicated purposes.
Integrity and confidentiality: We apply appropriate security measures to protect the data.
Proactive accountability: We assume responsibility for complying with and demonstrating compliance with these principles.

6. Security measures

What do we do to ensure your data privacy?

At Hellotickets, we have implemented the necessary technical and organizational measures to ensure the security of the personal data we process. These measures are designed to prevent alteration, loss, unauthorized access, or improper processing of data, adapting to the state of technology and potential risks.

Among the measures, we highlight:

Confidentiality: Only authorized persons can access the information.
Integrity: The information is kept accurate and protected against unauthorized modifications.
Availability: We ensure that data is accessible to authorized persons at all times.
Continuous evaluation: We regularly review and improve our security measures to adapt to new threats and technological advances.
Pseudonymization and encryption: We apply these techniques to reinforce data protection, especially sensitive data.

7. Purposes of processing

Why do we want to process your data?

Below we detail the intended uses and purposes:

Behavior analysis on the web using recording and heatmap tools (Clarity)

Evaluate how users interact with different elements of the website to identify experience, design, and navigation improvements through session recordings and heatmap generation.

User web behavior analysis

Customer service via web form

The web contact form is integrated within the HelloTickets Help Center. This system initially recommends related articles based on the text entered by the user, attempting to resolve the issue automatically. If the user continues with form submission, a ticket is automatically created on the Zendesk platform, where it is handled by the Customer Service team according to internal protocols. This channel allows efficient, orderly, and documented interaction between HelloTickets and its customers.

Attend, manage, and respond to inquiries, complaints, or requests received via the web form, allowing contact traceability, issue classification, escalation, and case closure.

Automation of responses in Zendesk linked to the database

This activity allows the HelloTickets customer service team to receive response suggestions or autocompletion based on: - textual content of the ticket, - semantic matches with previous inquiries, - customer history (e.g., previous orders), - data retrieved from the internal system (admin or Typeform). The goal is to improve average response time, ensure consistency in issue resolution, and use prior knowledge to offer faster and more accurate service. Automation does not replace human intervention but acts as support for the agent's activity.

Automation of the customer service process through integrated functionalities in Zendesk that allow suggesting personalized and semi-automated responses based on customer data, interaction history, and inquiry content.

Control and management of cookies and advertising pixels on the web

User consent management: Record and apply user choices regarding the use of cookies and equivalent technologies, according to GDPR requirements and the AEPD Cookies Guide.

Audience measurement: Obtain metrics on visits, sessions, duration, and browsing behavior to improve website design and usability.

Personalized advertising: Show the user ads tailored to their browsing profile through third-party platforms (Meta Ads, Google Ads, Bing Ads, etc.).

Retargeting and affiliation: Identify users who have interacted with previous campaigns or affiliate networks (e.g., Impact Radius) for attribution and remarketing.

Automated sending of reminder emails after cart abandonment

Optimize commercial conversion through the automated sending of personalized communications to users who have shown explicit interest in a product but have not completed their purchase. This action is based on tracking immediate transactional behavior.

Automated sending of reminders after cart abandonment

Management of advertising campaigns and personalized audiences on digital platforms

Create and optimize personalized digital advertising campaigns, improve advertising spend efficiency, and conduct customer behavior analysis based on their previous interactions with Hello Tickets.

Conversion optimization

Advanced advertising segmentation

Management of personal customer data in payment gateways

The activity allows securely transmitting the necessary data for external payment platforms to process purchases made by customers on HelloTickets. It is also used to manage refunds, disputes, or fraud, as well as financial reconciliation. It is strictly limited to the data essential for the transaction.

Confirm or deny the operation result and ensure commercial traceability

Execute the payment transaction for products or services by the customer

Send the necessary data to payment gateways to process the purchase

Management of Ticket Purchase and Reservation on the Hellotickets Platform

Accredit compliance with the legal conditions of the service

Activate notifications of updates, changes, or cancellations

Apply discounts, promotions, or active offers

Issue digital tickets and confirm the operation

Formalize and manage the user's commercial transaction

Manage secure payments through authorized third parties

Preserve purchase receipts for potential claims or inspections

Track the experience to ensure service compliance

Validate the identity of the buyer and other travelers

Verify availability and conditions of the contracted product

Management of Selection Processes through Teamtailor

Automation of initial candidate filtering and classification

Retention of CVs for future vacancies if there is explicit consent

Reception and analysis of applications in selection processes

Curricular and communicative evaluation of profiles

Management of Selection Processes and Applications

Process applications submitted through forms or referrals, register and evaluate competencies, manage the selection cycle through Teamtailor, contact candidates, and manage the talent database.

Evaluate the suitability of candidates for open positions at HelloTickets, manage interviews and selection processes, temporarily retain candidate information for future vacancies.

Management of affiliation programs and referral platforms (Tapfiliate, Trade Tracker, Impact)

Analysis of affiliate campaign performance: Evaluation of the effectiveness of different channels and referral platforms through traffic, conversion, and return on investment (ROI) metrics, to optimize acquisition strategies.

Sales attribution and commission calculation: Linking purchases made by customers to affiliate links or codes, to calculate corresponding commissions and maintain accurate conversion traceability.

Contractual and fiscal management of collaborators: Formalization of agreements with individual affiliates or agencies, monitoring commercial conditions, and compliance with tax obligations arising from commission payments.

Affiliates management: Administration of registered affiliate profiles in Tapfiliate or captured by networks like Trade Tracker and Impact, including validation, registration, and monitoring of their promotional activity.

Management of contact requests and customer service through chat (Hellobot) and web forms

Allow personalized attention to users and customers through automated and human tools, ensuring response to support inquiries, technical issues, reservation changes, ticket access, billing, and other topics related to HelloTickets' commercial activity. It includes post-analysis of tickets or interactions to detect product or process improvements.

Attend to inquiries, issues, and requests from users regarding the services provided

Management of data protection rights requests (right of access, deletion, rectification, etc.)

HelloTickets allows the exercise of rights through the contact email or other enabled channels (form or Help Center channels). Once the request is received, the data protection staff verifies the identity of the requester, analyzes the feasibility of the right, and executes the requested action or justifies its denial, if applicable. Responses are documented and retained for the legally stipulated period, along with evidence of the management carried out.

Manage data subjects' rights requests securely, transparently, and traceably, as well as their documentation for proof or legal defense purposes

Management of customer requests and issues through Zendesk

The processing aims to ensure an effective response to all interactions initiated by customers through the channels integrated into the Zendesk platform. This management includes requests about order status, issues, changes, accessibility requests, and other management related to the purchase experience. Agents access and respond from Zendesk, without operating directly from external tools (email or WhatsApp), ensuring traceability, security, and data centralization in a single controlled environment.

Attend, manage, and resolve inquiries, complaints, issues, or requests made by HelloTickets customers related to the purchase, delivery, or use of tickets acquired through the web platform.

Management of Web Texts and Content

Ensure the availability, clarity, and legality of the texts that structure the web platform, favoring user understanding and regulatory compliance.

Generation and maintenance of visible content on the HelloTickets website

Management and storage of resolved and open support tickets

HelloTickets retains resolved or open tickets generated through Zendesk, including information provided by customers and recorded by agents. This information may include name, email, order number, descriptions of issues, requests, or comments that may eventually contain sensitive data (e.g., reduced mobility, accessibility). The history serves to maintain consistency in service, analyze improvement points, and implement automated solutions based on system learning (AI). Old tickets may be stored anonymously for statistical analysis.

Structured storage of technical support tickets to ensure interaction traceability, evaluate recurring issues, and preserve evidence of communications with data subjects

Use of Zendesk bot ("Hello Bot") to resolve basic tickets

The bot acts as the first point of contact in the customer support area. It collects basic user data (name, email, event of interest), interprets the query using defined rules and patterns, offers a response or guide based on help center articles, and generates an automated ticket if the issue is not resolved. It does not make decisions with legal or significant effects without human intervention.

Automatically attend to recurring user inquiries and requests using the "Hello Bot" pre-classify issues, refer those requiring human intervention, and optimize the support process

Use of external tools for text translation in Zendesk (Swifteq Limited)

The integration of Swifteq with Zendesk allows automatic translation of knowledge base articles and communications with users, ensuring consistency and quality in translations.

Facilitate the translation of help center content and support tickets to provide assistance in multiple languages to users.

How long do we keep your data?

We use your data for the time strictly necessary to fulfill the purposes indicated above. Unless there is a legal obligation or requirement, the retention periods provided are:

Behavior analysis on the web using recording and heatmap tools (Clarity): For a period of 1 month from the last confirmation of interest. For a period of 1 month from collection (according to default retention in Clarity)

Customer service via web form: For a period of 1 year from the last confirmation of interest. Tickets generated from the web form will be retained for a maximum period of 12 months from resolution, unless there is a legal obligation or ongoing claim.

After this period, blocking and subsequent deletion will be carried out in accordance with the internal retention policy.

Automation of responses in Zendesk linked to the database: Suggested responses are not stored as autonomous personal data but are the result of rules and patterns on the existing base.

The ticket content is retained according to the criteria defined in the activity of "Management and storage of tickets."

Control and management of cookies and advertising pixels on the web: For a period of 1 year from the last confirmation of interest. The state of consent and preferences is stored using identifiers (e.g., _clsk, _clck, _gcl_au) linked to the user for a defined period (e.g., 1 month, 1 year) depending on the specific cookie.

Automated sending of reminder emails after cart abandonment: For a period of 1 year from the last confirmation of interest. Automatic deletion of abandoned cart data if no conversion occurs within a maximum of 30 days. Subsequent aggregated and anonymized retention for statistical purposes.

Management of advertising campaigns and personalized audiences on digital platforms: While not requested for deletion by the data subject. Automatic deletion of data uploaded to advertising platforms once their purpose is fulfilled, in accordance with retention criteria established by Google and Microsoft.

Management of personal customer data in payment gateways: For a period of 5 years from the last confirmation of interest. HelloTickets does not directly store bank data. The minimum necessary is retained to comply with tax and commercial traceability obligations: transaction ID, amounts, contact email, method used, and operation date, for a period of 5 years for legal defense and audits.

Management of Ticket Purchase and Reservation on the Hellotickets Platform: While the commercial relationship is maintained. Personal data linked to a purchase will be retained for the time necessary to:

Properly manage the reservation and delivery of the ticket.

Address issues or claims related to the experience.

Comply with the legal document retention periods in fiscal, accounting, and consumer protection matters (generally 4-6 years).

Ensure traceability in the use of payment gateways and for potential audits.

Subsequently, data will be blocked and deleted in accordance with HelloTickets' internal policy and the regulations in force.

Management of Selection Processes through Teamtailor: 6 months after the process closure if there is no additional consent. Prolongation only if the candidate has given explicit consent.

Management of Selection Processes and Applications: 6 months after the process closure if the candidate is not selected (by default in the ATS). If there is explicit consent, extended retention (up to 1-2 years).

Management of affiliation programs and referral platforms (Tapfiliate, Trade Tracker, Impact): While the commercial or contractual relationship is maintained. Automatic deletion after affiliate deregistration, partial anonymization for statistical purposes, retention of tax data for 5 years.

Management of contact requests and customer service through chat (Hellobot) and web forms: While not requested for deletion by the data subject

Management of data protection rights requests (right of access, deletion, rectification, etc.): For a period of 5 years from the last confirmation of interest. 5 years from the management of the request, in accordance with the prescription periods established in art. 74 LOPDGDD and for defense purposes against possible claims

Management of customer requests and issues through Zendesk: For a period of 1 year from the last confirmation of interest. Active tickets: retained until resolution. Resolved tickets: retained for up to 12 months, extendable in specific cases of analysis or claims. Possibility of temporary blocking before definitive deletion

Management of Web Texts and Content: While the commercial or contractual relationship is maintained. Active retention while texts are published; archived in internal history for editorial traceability.

Management and storage of resolved and open support tickets: Open tickets: retained until resolution. Resolved tickets: retained for 12 months unless they contain sensitive data, in which case they will be anonymized or deleted after 6 months. Possibility of prior anonymization for analysis purposes. Unnecessary attachments: deleted after 30 days.

Use of Zendesk bot ("Hello Bot") to resolve basic tickets: For a period of 1 year from the last confirmation of interest. Application of periodic review policy and deletion of logs of automated conversations not linked to real tickets. Up to 12 months from the last interaction, or earlier if transformed into a manually managed ticket

Use of external tools for text translation in Zendesk (Swifteq Limited): While the commercial or contractual relationship is maintained. Personal data processed during the translation process is retained for the time necessary to complete the translation and ensure the quality of the translated content.

8. Legal basis for processing

Why do we process your data?

The collection and processing of your data are always legitimized by one or more legal bases, which we detail below:

Behavior analysis on the web using recording and heatmap tools (Clarity)

(Art. 6.1.a GDPR) Consent of the data subject
(Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Customer service via web form

(Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract
(Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Automation of responses in Zendesk linked to the database

(Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract
(Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Control and management of cookies and advertising pixels on the web

(Art. 6.1.a GDPR) Consent of the data subject

Automated sending of reminder emails after cart abandonment

(Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Management of advertising campaigns and personalized audiences on digital platforms

(Art. 6.1.a GDPR) Consent of the data subject
(Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Management of personal customer data in payment gateways

(Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract
(Art. 6.1.c GDPR) Compliance with legal obligations of the Data Controller

Management of Ticket Purchase and Reservation on the Hellotickets Platform

(Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract

Management of Selection Processes through Teamtailor

(Art. 6.1.a GDPR) Consent of the data subject

Management of Selection Processes and Applications

(Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract

Management of affiliation programs and referral platforms (Tapfiliate, Trade Tracker, Impact)

(Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract
(Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Management of contact requests and customer service through chat (Hellobot) and web forms

(Art. 6.1.a GDPR) Consent of the data subject

Management of data protection rights requests (right of access, deletion, rectification, etc.)

(Art. 6.1.c GDPR) Compliance with legal obligations of the Data Controller
(Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Management of customer requests and issues through Zendesk

(Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract

Management of Web Texts and Content

(Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Management and storage of resolved and open support tickets

(Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract
(Art. 6.1.c GDPR) Compliance with legal obligations of the Data Controller

Use of Zendesk bot ("Hello Bot") to resolve basic tickets

(Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract
(Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Use of external tools for text translation in Zendesk (Swifteq Limited)

(Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract

9. Recipients of your data

To whom do we transfer your data within the European Union?

On occasions, to comply with our legal obligations and our contractual commitment to you, we are obliged and need to transfer some of your data to certain categories of recipients, which we specify below:

Management of advertising campaigns and personalized audiences on digital platforms. Transfers are made exclusively to technology providers such as Google and Microsoft, under their privacy policies and in compliance with GDPR. In any case, data is anonymized or pseudonymized before loading to minimize risks.

Management of Ticket Purchase and Reservation on the Hellotickets Platform. Payment service providers. Ticketing platforms/experience operators. Cloud and messaging service providers. Competent authorities if legally required

Do we perform International Transfers of your data outside the European Union?

In the context of our data processing activities, we may use external services that involve storing and/or processing your data by organizations outside the European Union. This involves performing international transfers of your data.

10. Data Processing Activities

The data processing activities carried out through http://www.hellotickets.es are described below, specifying:

Activity: Name of the data processing activity.
Purposes: Uses and processing performed with the collected data.
Legal basis: Legal basis that legitimizes data processing.
Data processed: Types of data processed.
Source: Source of the data.
Retention: Data retention period.
Recipients: Third parties to whom the data is transferred.
International transfers: Data transfers outside the European Union.

10.1 -Processing Activities

These are data processing activities whose purposes are necessary for the provision of services.

Customer service via web form

Legal bases (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Purposes To attend, manage, and respond to inquiries, complaints, or requests received through the web form, allowing traceability of contact, issue classification, escalation, and case closure; The web contact form is integrated within the HelloTickets Help Center. This system initially recommends related articles based on the text entered by the user, in an attempt to resolve the issue automatically. If the user proceeds with submitting the form, a ticket is automatically created on the Zendesk platform, where it is handled by the Customer Service team, according to internal protocols. This channel allows efficient, orderly, and documented interaction between HelloTickets and its customers

Categories of data and groups HelloTickets customers (ticket buyers) (Identifying data; Other categories)

Category of recipients None planned

International transfer None planned

Retention period For a period of 1 year from the last confirmation of interest. Tickets generated from the web form will be retained for a maximum period of 12 months from their resolution, unless there is a legal obligation or ongoing claim. After this period, they will be blocked and subsequently deleted according to the internal retention policy.

Security measures Restricted access to authorized personnel.

Encryption of communications (HTTPS and TLS).

Access and processing logs registration.

Access control policy by profiles.

Incident and security breach management procedures.

Automation of responses in Zendesk linked to the database

Purposes Automation of the customer service process through functionalities integrated into Zendesk that allow suggesting personalized and semi-automated responses based on the customer's data, interaction history, and query content.; This activity allows the HelloTickets customer service team to receive response or autocomplete suggestions based on: - textual content of the ticket, - semantic matches with previous queries, - customer history (e.g. previous orders), - data retrieved from the internal system (admin or Typeform). The goal is to improve average response time, ensure consistency in issue resolution, and use prior knowledge to offer faster and more accurate service. Automation does not replace human intervention but acts as support for the agent's activity.

Categories of data and groups Employees (Identifying data)

Category of recipients None planned

International transfer None planned

Retention period Suggested responses are not stored as autonomous personal data but are the result of rules and patterns on the already existing base. The content of the ticket is retained according to the criteria defined in the activity of Ticket Management and Storage.

Security measures Restricted access to authorized users through hierarchical profiles.

Traceability and activity logging of agents in the use of suggested responses.

Periodic evaluation of the automation engine to verify the absence of biases or improper correlation errors.

Deactivation or blocking of suggestions involving sensitive data.

Encryption of interactions between the database and the Zendesk interface.

Supervision of the use of AI/contextual help systems to ensure regulatory compliance.

Automated sending of reminder emails after cart abandonment

Legal bases (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Purposes Automated sending of reminders after cart abandonment; Optimize commercial conversion through the automated sending of personalized communications to users who have shown explicit interest in a product but have not completed their purchase. This action is based on tracking immediate transactional behavior.

Categories of data and groups HelloTickets web users (Identifying data)

Source of data The data subject themselves or their legal representative; Publicly accessible sources; The information is obtained directly from the user through their interaction with the web, analysis or marketing cookies, non-transactional forms, and automated assistance tools. It may also come from publicly accessible sources such as social networks if the user interacts with embedded content.

Category of recipients None planned

International transfer None planned

Retention period For a period of 1 year from the last confirmation of interest. Automatic deletion of abandoned cart data if no conversion occurs within a maximum period of 30 days. Subsequent aggregated and anonymized retention for statistical purposes.

Security measures -

Pseudonymization of data in analysis environments.

Restricted access to authorized personnel (marketing and technology team).
Periodic monitoring and auditing of accesses.
Encryption in transit of email content.
Limited retention policy and automatic deletion of unfinished carts.

Management of personal data of customers in payment gateways

Legal bases (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.c GDPR) Compliance with legal obligations of the Data Controller

Purposes Confirm or deny the result of the operation and ensure commercial traceability; Execute the payment transaction for products or services by the customer; Send the necessary data to payment gateways to process the purchase; The activity allows securely sending the necessary data for external payment platforms to process purchases made by HelloTickets customers. It is also used to manage refunds, disputes, or fraud, as well as financial reconciliation. It is strictly limited to the data essential for the transaction

Categories of data and groups HelloTickets customers (ticket buyers) (Identifying data; Credit information)

Category of recipients None planned

International transfer None planned

Retention period For a period of 5 years from the last confirmation of interest. HelloTickets does not directly store bank data. The minimum necessary is retained to comply with tax obligations and commercial traceability: transaction ID, amounts, contact email, method used, and operation date, for a period of 5 years for legal defense and audits.

Security measures -

No storage of card or bank account data on own servers

Secure integration via encrypted API TLS 1.2 or higher
Periodic supervision of contractual conditions with payment providers
Ensuring that gateways comply with PCI-DSS and GDPR
Registration of each transaction with traceability for support and dispute resolution
Contractual review of each party's roles (avoid false assumption of responsibility)
Limitation of internal access to transactional information

Management of Ticket Purchase and Reservation on the Hellotickets Platform

Legal bases (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract

Purposes Certify compliance with the legal conditions of the service; Activate notifications of updates, changes, or cancellations; Apply discounts, promotions, or active offers; Issue digital tickets and confirm the operation; Formalize and manage the user's commercial transaction; Manage secure payments through authorized third parties; Preserve purchase receipts for potential claims or inspections; Monitor the experience to ensure service compliance; Validate the identity of the buyer and other travelers; Verify availability and conditions of the contracted product

Categories of data and groups HelloTickets customers (ticket buyers) (Identifying data; Academic and professional; Special categories of data; Other categories; Credit information)

Category of recipients Payment service providers. Ticketing platforms/experience operators. Cloud and messaging service providers. Competent authorities if legally required

International transfer None planned

Retention period While the commercial relationship is maintained. Personal data linked to a purchase will be retained for the necessary time to; Properly manage the reservation and ticket delivery. Address incidents or claims related to the experience. Comply with legal document retention periods in tax, accounting, and consumer protection matters (generally 4-6 years). Ensure traceability in the use of payment gateways and during potential audits. Subsequently, the data will be blocked and deleted according to HelloTickets' internal policy and current regulations.

Security measures -

SSL/TLS encryption on all forms and payment gateways.

Card tokenization through PCI DSS providers (e.g. Stripe, Adyen).
Role-based access control (RBAC) for employees with access logs.
Two-factor authentication for administrators.
Secure deletion of data after retention periods.
Fraud and anomaly detection through automatic tools.
Periodic internal audits of data security and protection.
Encrypted backups stored on secure servers.
Integrity of transaction and data operation logs.

Management of Selection Processes and Applications

Legal bases (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract

Purposes Evaluate the suitability of candidates for open positions at HelloTickets, manage interviews and selection processes, temporarily retain candidate information for future openings.; Process applications submitted through forms or referrals, register and assess competencies, manage the selection cycle through Teamtailor, contact candidates, and manage the talent database.

Categories of data and groups Employees (Identifying data; Academic and professional). Job candidates (Identifying data; Academic and professional; Personal characteristics; Social circumstances; Employment details)

Category of recipients None planned

International transfer None planned

Retention period 6 months after process closure if the candidate is not selected (default in the ATS). If there is explicit consent, extended retention (up to 1-2 years).

Security measures Limited access by credentials, role configuration in Teamtailor, automated retention policies, manual review of consents, encrypted storage.

Management of affiliation programs and referral platforms (Tapfiliate, Trade Tracker, Impact)

Purposes Performance analysis of affiliation campaigns: Evaluation of the effectiveness of different channels and referral platforms through traffic metrics, conversions, and return on investment (ROI), to optimize acquisition strategies; Sales attribution and commission calculation: Linking purchases made by customers to affiliate links or codes, to calculate corresponding commissions and maintain accurate conversion traceability; Contractual and fiscal management of collaborators: Formalization of agreements with individual affiliates or agencies, monitoring commercial conditions, and compliance with tax obligations arising from commission payments; Affiliate management: Administration of affiliate profiles registered in Tapfiliate or captured by networks like Trade Tracker and Impact, including validation, registration, and monitoring of their promotional activity

Categories of data and groups HelloTickets customers (ticket buyers) (Identifying data; Commercial information; Other categories). Providers of professional and technological services (Identifying data; Academic and professional; Economic, financial, and insurance; Commercial information)

Source of data The data subject themselves or their legal representative; Private entity; The data is provided directly by the data subjects during the purchase process, through web forms or service channels. In certain events, organizers or providers may require additional data provided by the customer through external forms.; The data is collected through service provision contracts, provider registration forms, contractual communications, and other lawful sources in accordance with the GDPR.

Category of recipients None planned

International transfer None planned

Retention period While the commercial or contractual relationship is maintained. Automatic deletion after affiliate deregistration, partial anonymization for statistical purposes, retention of tax data for 5 years.

Security measures -

Limited access by profile to the backoffice and affiliation platforms.

Secure passwords and two-step authentication.
Access logs and activity records.
Confidentiality agreements with direct affiliates.
Data encryption in transit and permission control in Tapfiliate/Impact/TradeTracker.
Periodic risk assessments for integrations with external platforms.

Management of data protection rights requests (right of access, deletion, rectification, etc.)

Legal bases (Art. 6.1.c GDPR) Compliance with legal obligations of the Data Controller; (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Purposes Manage securely, transparently, and traceably the rights requests exercised by data subjects, as well as their documentation for evidence or legal defense purposes; HelloTickets allows the exercise of rights through the contact email or other enabled ways (form or Help Center channels). Once the request is received, the data protection staff verifies the applicant's identity, analyzes the feasibility of the right, and executes the requested action or justifies its denial, if applicable. The responses are documented and retained for the legally provided period, along with evidence of the management performed.

Categories of data and groups Employees (Identifying data; Academic and professional; Personal characteristics; Employment details; Economic, financial, and insurance; Goods and services transactions; Special categories of data). HelloTickets customers (ticket buyers) (Identifying data; Other categories)

Source of data The data subject themselves or their legal representative; Other people different from the data subject or their representative; The data is collected directly from the employee through hiring forms, during the employment relationship, and through authorized sources (such as Social Security, banks, or professional training).; Private entity; The data is provided directly by the data subjects during the purchase process, through web forms or service channels. In certain events, organizers or providers may require additional data provided by the customer through external forms.

Category of recipients None planned

International transfer None planned

Retention period For a period of 5 years from the last confirmation of interest. 5 years from the management of the request, according to the prescription periods established in art. 74 LOPDGDD and for defense criteria against possible claims

Security measures Identification and authentication of the applicant using data linked to the order or previous interaction.

Restricted access to authorized personnel to verify and respond to rights.

Registration of the request and the treatment given to it (entry date, response time, resolution).

Documentation of responses to demonstrate compliance in case of an audit or AEPD requirement.

Elimination of unnecessary copies and minimization of the content exposed in the response.

Management of customer requests and incidents through Zendesk

Legal bases (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract

Purposes Attend, manage, and resolve inquiries, complaints, incidents, or requests raised by HelloTickets customers related to the purchase process, delivery, or use of tickets acquired through the web platform.; The treatment aims to ensure an effective response to all interactions initiated by customers through the channels integrated into the Zendesk platform. This management includes requests about order status, incidents, changes, accessibility requests, and other management related to the purchase experience. Agents access and respond from Zendesk, without operating directly from external tools (email or WhatsApp), ensuring traceability, security, and data centralization in a single controlled environment.

Categories of data and groups HelloTickets customers (ticket buyers) (Identifying data; Academic and professional; Economic, financial, and insurance; Special categories of data; Credit information; Other categories)

Category of recipients None planned

International transfer None planned

Retention period For a period of 1 year from the last confirmation of interest. Active tickets: retained until resolved. Resolved tickets: retained for up to 12 months, extendable in specific cases of analysis or claims. Possibility of temporary blocking before final deletion

Security measures Restricted access to authorized personnel through differentiated profiles.

Access and modification traceability and logging.

Encryption in transit (TLS) and authentication measures.

Periodic evaluation of permissions and control of active sessions.

Automated deletion policy of old tickets.

Backups and log registration on a secure platform.

Control of automated templates (WhatsApp and email) according to defined rules and managed access

Management of Web Texts and Content

Legal bases (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Purposes Generation and maintenance of visible content on the HelloTickets website; Ensure the availability, clarity, and legality of the texts structuring the web platform, favoring user understanding and regulatory compliance.

Categories of data and groups Employees (Identifying data)

Category of recipients None planned

International transfer None planned

Retention period While the commercial or contractual relationship is maintained. Active retention while texts are published; archived in internal history for editorial traceability.

Security measures Implemented security measures:

Access control to content managers (CMS) through OnePassword.
Peer review for sensitive texts (legal, official communication).
Tools validated by IT for translation and editing.
Training of editors on the responsible use of external tools and privacy implications.
Limited and reviewed use of generative AI in visible content.

Management and storage of resolved and open support tickets

Purposes Structured storage of technical support tickets to ensure traceability of interactions, evaluate recurring incidents, and preserve evidence of communications with data subjects; HelloTickets retains resolved or open tickets generated through Zendesk, including information provided by customers and recorded by agents. This information may include name, email, order number, incident descriptions, requests, or comments that may eventually contain sensitive data (e.g., reduced mobility, accessibility). The history serves to maintain consistency in service, analyze improvement points, and implement automated solutions based on system learning (AI). Old tickets may be stored in anonymized form for statistical analysis

Categories of data and groups Employees (Identifying data)

Category of recipients None planned

International transfer None planned

Retention period Open tickets: retained until resolved. Resolved tickets: retained for 12 months unless they contain sensitive data, in which case they will be anonymized or deleted after 6 months. Possibility of prior anonymization for analysis purposes. Unnecessary attachments: deleted after 30 days.

Security measures Access control with enhanced authentication and differentiated profiles.

Encryption in transit (TLS) and storage on Zendesk servers.

Access and modification logs registration on tickets.

Retention and automatic deletion policies of old tickets according to criteria defined by HelloTickets.

Periodic deletion of old attachments and unnecessary sensitive data.

Continuous review of ticket use by agents with AI functionalities for analysis.

Audit and blocking of sensitive tickets before being used for AI training.

Use of Zendesk bot (Hello Bot) to resolve basic tickets

Purposes Automatically attend to recurring user inquiries and requests using the Hello Bot, pre-classify incidents, refer those requiring human intervention, and optimize the support process; The bot acts as the first point of contact in the customer support area. It collects basic user data (name, email, event of interest), interprets the query using defined rules and patterns, offers a response or guide based on help center articles, and generates an automated ticket if the issue is not resolved. It does not make decisions with legal or significant effects without human intervention

Categories of data and groups Employees (Identifying data). HelloTickets customers (ticket buyers) (Identifying data; Academic and professional; Economic, financial, and insurance; Commercial information; Special categories of data; Credit information; Other categories)

Category of recipients None planned

International transfer None planned

Retention period For a period of 1 year from the last confirmation of interest. Application of periodic review policy and deletion of automated conversation logs not linked to real tickets. Up to 12 months from the last interaction, or earlier if transformed into a manually managed ticket

Security measures Restricted access to technical administrators of the tool.

Identification of authenticated users accessing the automated service.

TLS encryption of data sent through the interactive form.

Log control policy of conversations and manual supervision of automatically resolved tickets.

Evaluation of bot effectiveness and its impact on data subject rights (aimed at avoiding unauthorized automated decisions).

Temporary retention of logs for service monitoring and improvement, with blocking of unnecessary sensitive data.

Use of external tools for text translation in Zendesk (Swifteq Limited)

Legal bases (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract

Purposes Facilitate the translation of help center content and support tickets to provide assistance in multiple languages to users.; The integration of Swifteq with Zendesk allows automatic translation of knowledge base articles and communications with users, ensuring consistency and quality in translations.

Categories of data and groups Employees (Identifying data)

Category of recipients None planned

International transfer None planned

Retention period While the commercial or contractual relationship is maintained. Personal data processed during the translation process is retained for the necessary time to complete the translation and ensure the quality of the translated content.

Security measures Secure integration via API between Zendesk and Swifteq.

Data encryption in transit and at rest according to Swifteq's security policies.

Restricted access to authorized personnel for translation management.

Registration and monitoring of activities related to content translation.

Web behavior analysis using recording and heatmap tools (Clarity)

Legal bases (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Purposes Web user behavior analysis; Evaluate how users interact with various elements of the web to identify improvements in experience, design, and navigation, through session recording and heatmap generation.

Categories of data and groups HelloTickets customers (ticket buyers) (Commercial information)

Category of recipients None planned

International transfer None planned

Retention period For a period of 1 month from the last confirmation of interest. For a period of 1 month from collection (according to default retention in Clarity)

Security measures -

Restricted and authenticated access to the Clarity tool.

Partial IP anonymization.
Internal role control for recording visualization.
Access only through corporate VPN.
Exclusion of sensitive data or forms through exclusion filters.
Periodic session review protocol by authorized personnel.
Access and traceability logging.
Automatic retention policy limited to 30 days in Clarity.

Control and management of cookies and advertising pixels on the web

Legal bases (Art. 6.1.a GDPR) Consent of the data subject

Purposes User consent management: Register and apply user choices regarding the use of cookies and equivalent technologies, in accordance with GDPR requirements and AEPD's Cookie Guide; Audience measurement: Obtain metrics of visits, sessions, duration, and browsing behavior to improve website design and usability; Personalized advertising: Display ads to the user adapted to their browsing profile through third-party platforms (Meta Ads, Google Ads, Bing Ads, etc).; Retargeting and affiliation: Identify users who have interacted with previous campaigns or affiliate networks (e.g. Impact Radius) for attribution and remarketing.

Categories of data and groups HelloTickets web users (Identifying data; Commercial information; Other categories)

Category of recipients None planned

International transfer None planned

Retention period For a period of 1 year from the last confirmation of interest. The consent state and preferences are stored using identifiers (e.g. _clsk, _clck, _gcl_au) linked to the user for a defined period (e.g. 1 month, 1 year) depending on the specific cookie.

Security measures -

Implementation of granular cookie management panel through CMP (Consent Management Platform) tool.

Automatic script blocking until express user acceptance.
Traceable consent registration and technical activation logs.
Periodic review and audit of active scripts on the site (by engineering team).
Strict control by the tag manager to prevent improper activations (95% of scripts are manually validated by the technical manager).
Configuration of anonymization in analytics tools where feasible (e.g. Google Analytics IP Anonymization).
Use of pseudonymization and access control in advertising platforms.

Management of advertising campaigns and personalized audiences on digital platforms

Legal bases (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties

Purposes Optimization of conversions; Advanced advertising segmentation; Create and optimize personalized digital advertising campaigns, improve advertising spending efficiency, and conduct customer behavior analysis based on their previous interactions with Hello Tickets.

Categories of data and groups HelloTickets customers (ticket buyers) (Commercial information)

Category of recipients Transfers are made exclusively to technology providers such as Google and Microsoft, under their privacy policies and in compliance with GDPR. In any case, the data is anonymized or pseudonymized before loading to minimize risks.

International transfer None planned

Retention period While the data subject does not request its deletion. Automatic deletion of data loaded on advertising platforms once their purpose is fulfilled, according to retention criteria established by Google and Microsoft.

Security measures -

Restricted access to authorized profiles through multifactor authentication.

Pseudonymization of lists before loading to advertising platforms.
Access and traceability logs registration.
Contracts with platforms regulating data use and retention.
Integrity control and periodic review of generated audiences.

Management of Selection Processes through Teamtailor

Legal bases (Art. 6.1.a GDPR) Consent of the data subject

Purposes Automation of filters and initial candidate classification; Retention of CVs for future openings if explicit consent exists; Reception and analysis of applications in selection processes; Curricular and communicative evaluation of profiles

Categories of data and groups Job candidates (Identifying data; Academic and professional; Personal characteristics; Social circumstances; Employment details)

Source of data The data subject themselves or their legal representative

Category of recipients None planned

International transfer None planned

Retention period 6 months after process closure if no additional consent. Prolongation only if the candidate has given explicit consent.

Security measures Limited access to the People team. Protocol for automatic or manual data deletion after the period. Inclusion of HelloTickets' privacy policy directly on the career page. Centralization of all resumes in the ATS system (avoids dispersion). Periodic review of forms and legal texts inserted in the system.

Management of contact requests and customer service through chat (Hellobot) and web forms

Legal bases (Art. 6.1.a GDPR) Consent of the data subject

Purposes Attend to user inquiries, incidents, and requests related to the services provided; Allow personalized attention to users and customers through automated and human tools, ensuring response to support queries, technical incidents, reservation changes, ticket access, billing, and other topics related to HelloTickets' commercial activity. Includes the subsequent analysis of tickets or interactions to detect product or process improvements.

Categories of data and groups HelloTickets web users (Identifying data; Commercial information; Other categories)

Category of recipients None planned

International transfer None planned

Retention period While the data subject does not request its deletion

Security measures -

TLS encryption of communications between the browser and the server.

Access control to Zendesk panels by roles.
Access and action logging.
Robust passwords and multifactor authentication (MFA) for employees.
Anonymization or pseudonymization of data in aggregated analysis.
Limited retention according to internal retention policy.

11. Data of Minors

How do we handle minors' data?

Minors under 14 years of age cannot use the services offered through our website without prior authorization from their parents, guardians, or legal representatives. They will be solely responsible for all actions performed through the website by the minors in their charge, including completing online forms with minors' personal data and, if applicable, selecting the corresponding checkboxes.

According to Article 8 of the GDPR and Article 7 of the LOPD/GDD, only those over 14 years of age can give their consent for the lawful processing of their personal data by Hellotickets.

12. Origin and Types of Data Processed

Where did we obtain your data from?

Web behavior analysis via recording tools and heat maps (Clarity)

HelloTickets customers (ticket buyers): The data subject themselves or their legal representative; Private entity. The data is provided directly by the data subjects during the purchase process, through web forms or service channels. In certain events, organizers or providers may require additional data, which is provided by the customer through external forms.

Customer service via web form

HelloTickets customers (ticket buyers): The data subject themselves or their legal representative; Private entity. The data is provided directly by the data subjects during the purchase process, through web forms or service channels. In certain events, organizers or providers may require additional data, which is provided by the customer through external forms.

Automation of responses in Zendesk linked to the database

Employees: The data subject themselves or their legal representative; Other persons different from the data subject or their representative. The data is collected directly from the employee through hiring forms, during the employment relationship, and through authorized sources (such as Social Security, banks, or professional training).

Control and management of cookies and advertising pixels on the web

HelloTickets web users: The data subject themselves or their legal representative; Publicly accessible sources. The information is obtained directly from the user through their interaction with the web, analysis or marketing cookies, non-transactional forms, and automated assistance tools. It may also come from publicly accessible sources such as social media if the user interacts with embedded content.

Automated sending of reminder emails after cart abandonment

HelloTickets web users: The data subject themselves or their legal representative; Publicly accessible sources. The information is obtained directly from the user through their interaction with the web, analysis or marketing cookies, non-transactional forms, and automated assistance tools. It may also come from publicly accessible sources such as social media if the user interacts with embedded content.

Management of advertising campaigns and personalized audiences on digital platforms

HelloTickets customers (ticket buyers): The data subject themselves or their legal representative; Private entity. The data is provided directly by the data subjects during the purchase process, through web forms or service channels. In certain events, organizers or providers may require additional data, which is provided by the customer through external forms.

Management of customers' personal data in payment gateways

HelloTickets customers (ticket buyers): The data subject themselves or their legal representative; Private entity. The data is provided directly by the data subjects during the purchase process, through web forms or service channels. In certain events, organizers or providers may require additional data, which is provided by the customer through external forms.

Management of Ticket Purchase and Reservation on the Hellotickets Platform

HelloTickets customers (ticket buyers): The data subject themselves or their legal representative; Private entity. The data is provided directly by the data subjects during the purchase process, through web forms or service channels. In certain events, organizers or providers may require additional data, which is provided by the customer through external forms.

Management of Selection Processes through Teamtailor

Job candidates: The data subject themselves or their legal representative

Management of Selection Processes and Applications

Employees: The data subject themselves or their legal representative; Other persons different from the data subject or their representative. The data is collected directly from the employee through hiring forms, during the employment relationship, and through authorized sources (such as Social Security, banks, or professional training).
Job candidates: The data subject themselves or their legal representative

Management of affiliate programs and referral platforms (Tapfiliate, Trade Tracker, Impact)

HelloTickets customers (ticket buyers): The data subject themselves or their legal representative; Private entity. The data is provided directly by the data subjects during the purchase process, through web forms or service channels. In certain events, organizers or providers may require additional data, which is provided by the customer through external forms.
Providers of professional and technological services: The data subject themselves or their legal representative; Private entity. The data is collected through service provision contracts, supplier registration forms, contractual communications, and other lawful sources in accordance with the GDPR.

Management of contact requests and customer service through chat (Hellobot) and web forms

HelloTickets web users: The data subject themselves or their legal representative; Publicly accessible sources. The information is obtained directly from the user through their interaction with the web, analysis or marketing cookies, non-transactional forms, and automated assistance tools. It may also come from publicly accessible sources such as social media if the user interacts with embedded content.

Management of data protection rights requests (right of access, deletion, rectification, etc.)

Employees: The data subject themselves or their legal representative; Other persons different from the data subject or their representative. The data is collected directly from the employee through hiring forms, during the employment relationship, and through authorized sources (such as Social Security, banks, or professional training).
HelloTickets customers (ticket buyers): The data subject themselves or their legal representative; Private entity. The data is provided directly by the data subjects during the purchase process, through web forms or service channels. In certain events, organizers or providers may require additional data, which is provided by the customer through external forms.

Management of customer requests and incidents through Zendesk

HelloTickets customers (ticket buyers): The data subject themselves or their legal representative; Private entity. The data is provided directly by the data subjects during the purchase process, through web forms or service channels. In certain events, organizers or providers may require additional data, which is provided by the customer through external forms.

Management of Web Texts and Content

Employees: The data subject themselves or their legal representative; Other persons different from the data subject or their representative. The data is collected directly from the employee through hiring forms, during the employment relationship, and through authorized sources (such as Social Security, banks, or professional training).

Management and storage of resolved and open support tickets

Employees: The data subject themselves or their legal representative; Other persons different from the data subject or their representative. The data is collected directly from the employee through hiring forms, during the employment relationship, and through authorized sources (such as Social Security, banks, or professional training).

Use of Zendesk bot ("Hello Bot") to resolve basic tickets

Employees: The data subject themselves or their legal representative; Other persons different from the data subject or their representative. The data is collected directly from the employee through hiring forms, during the employment relationship, and through authorized sources (such as Social Security, banks, or professional training).
HelloTickets customers (ticket buyers): The data subject themselves or their legal representative; Private entity. The data is provided directly by the data subjects during the purchase process, through web forms or service channels. In certain events, organizers or providers may require additional data, which is provided by the customer through external forms.

Use of external tools for text translation in Zendesk (Swifteq Limited)

Employees: The data subject themselves or their legal representative; Other persons different from the data subject or their representative. The data is collected directly from the employee through hiring forms, during the employment relationship, and through authorized sources (such as Social Security, banks, or professional training).

What types of your data have we collected and processed?

Web behavior analysis via recording tools and heat maps (Clarity)

HelloTickets customers (ticket buyers)

Commercial information (Screen resolution, device type, operating system, browsing information (clicks, scroll, time on page, mouse movements), session errors, loading failures, visited page, and navigation path.)

Customer service via web form

HelloTickets customers (ticket buyers)

Identification data (Email address; Name and surname)
Other categories (Event information or ticket purchased: date, location, logistical preferences)

Automation of responses in Zendesk linked to the database

Employees

Identification data (Email address; Name and surname)

Control and management of cookies and advertising pixels on the web

HelloTickets web users

Identification data (IP address)
Commercial information (Data obtained through cookies, pixels, or similar instruments, if applicable.)
Other categories (ID generated by the Pixel or Cookie)

Automated sending of reminder emails after cart abandonment

HelloTickets web users

Identification data (Email address)

Management of advertising campaigns and personalized audiences on digital platforms

HelloTickets customers (ticket buyers)

Commercial information (Digital behavior data and commercial preferences)

Management of customers' personal data in payment gateways

HelloTickets customers (ticket buyers)

Identification data (Name and surname)
Credit information (Bank card data (debit or credit))

Management of Ticket Purchase and Reservation on the Hellotickets Platform

HelloTickets customers (ticket buyers)

Identification data (Email address; Name and surname; Country)
Academic and professional (Mobile phone)
Special categories of data (Special requests: Allergies, accessibility, dietary needs, etc.)
Other categories (Event information or ticket purchased: date, location, logistical preferences)
Credit information (Bank card data (debit or credit))

Management of Selection Processes through Teamtailor

Job candidates

Identification data (Email address; Postal address; Name and surname; Phone)
Academic and professional (Curriculum Vitae; Professional experience; Student history; Qualifications)
Personal characteristics (Marital status data; Date of birth; Mother tongue; Nationality; Gender)
Social circumstances (Licenses, permits, and authorizations)
Employment details (Worker history; Profession)

Management of Selection Processes and Applications

Employees

Identification data (Name and surname)
Academic and professional (Professional experience)

Job candidates

Identification data (Email address; Postal address; Name and surname; Phone)
Academic and professional (Curriculum Vitae; Professional experience; Qualifications)
Personal characteristics (Marital status data; Date of birth; Mother tongue; Nationality; Gender)
Social circumstances (Licenses, permits, and authorizations)
Employment details (Worker history; Profession)

Management of affiliate programs and referral platforms (Tapfiliate, Trade Tracker, Impact)

HelloTickets customers (ticket buyers)

Identification data (Email address)
Commercial information (Digital behavior data and commercial preferences)
Other categories (Event information or ticket purchased: date, location, logistical preferences)

Providers of professional and technological services

Identification data (Company identification number /CIF; Email address)
Academic and professional (Mobile phone)
Economic, financial, and insurance (Payment method and bank details; Invoices)
Commercial information (Billing details)

Management of contact requests and customer service through chat (Hellobot) and web forms

HelloTickets web users

Identification data (Name and surname; Phone; Email address; Message sent)
Commercial information (Screen resolution, device type, operating system, browsing information (clicks, scroll, time on page, mouse movements), session errors, loading failures, visited page, and navigation path.)
Other categories (Documents attached by the user)

Management of data protection rights requests (right of access, deletion, rectification, etc.)

Employees

Identification data (Email address; Postal address; Image; NIF / NIE / Passport; Social Security / Mutuality Number; Name and surname; Phone)
Academic and professional (Professional experience)
Personal characteristics (Marital status data; Date of birth; Nationality; Gender)
Employment details (Fit / Not fit for the job; Non-economic payroll data; Worker history; Profession; Job positions)
Economic, financial, and insurance (Bank data; Economic payroll data)
Goods and services transactions (Financial transactions)
Special categories of data (Union membership)

HelloTickets customers (ticket buyers)

Identification data (Email address; Name and surname; DNI or Passport)
Other categories (Event information or ticket purchased: date, location, logistical preferences)

Management of customer requests and incidents through Zendesk

HelloTickets customers (ticket buyers)

Identification data (Email address; Name and surname; Country; DNI or Passport)
Academic and professional (Mobile phone)
Economic, financial, and insurance (Invoices)
Special categories of data (Special requests: Allergies, accessibility, dietary needs, etc.)
Credit information (Bank card data (debit or credit))
Other categories (Event information or ticket purchased: date, location, logistical preferences)

Management of Web Texts and Content

Employees

Identification data (Email address; Name and surname)

Management and storage of resolved and open support tickets

Employees

Identification data (Email address; Name and surname)

Use of Zendesk bot ("Hello Bot") to resolve basic tickets

Employees

Identification data (Email address)

HelloTickets customers (ticket buyers)

Identification data (Email address; Name and surname; Country; DNI or Passport)
Academic and professional (Mobile phone)
Economic, financial, and insurance (Invoices)
Commercial information (Affiliate code or assigned ID)
Special categories of data (Special requests: Allergies, accessibility, dietary needs, etc.)
Credit information (Bank card data (debit or credit))
Other categories (Event information or ticket purchased: date, location, logistical preferences)

Use of external tools for text translation in Zendesk (Swifteq Limited)

Employees

Identification data (Email address)

13. Data Subject Rights

What are your rights regarding your data?

Data protection regulations grant you specific rights that you can exercise in relation to the processing of your data. These rights are personal and non-transferable, meaning that only you, as the data subject, can exercise them after verifying your identity.

Your rights are described below:

-Right of access: You can request confirmation of whether Hellotickets is processing your data and access the information related to its processing.

-Right of rectification: If your personal data is inaccurate or incomplete, you can request its correction.

-Right to erasure ("right to be forgotten"): You may request the deletion of your data when it is no longer needed for the purposes for which it was collected, or if you withdraw your consent. The user may unsubscribe from commercial communications at any time via the link provided in each message or through the contact channels indicated in this Policy. Deactivation will take effect immediately in our subscription management system. However, the user should be aware that, for technical or logistical reasons — especially when a mass mailing has already been scheduled prior to the request — they may receive an additional message within a few days. These cases will be exceptional, and the company will take all reasonable measures to minimize any delay.

-Right to restriction of processing: You can request the restriction of the processing of your data, for example, while its accuracy is being verified or in other cases provided by law.

-Right to data portability: You have the right to receive your data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller.

-Right to object: You can object to the processing of your data for reasons related to your particular situation, or when the processing is based on a legitimate interest.

-Right not to be subject to automated decisions: You can request not to be subject to decisions based solely on automated processing of your data, including profiling.

-Right to withdraw consent: You can withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

-Right to lodge a complaint: If you believe that your rights have not been respected, you can lodge a complaint with the relevant supervisory authority: Spanish Data Protection Agency [email protected] https://www.aepd.es

To exercise any of these rights, you can contact Hellotickets using the following contact information:

Controller: Hello Ticket, S.L
Address: Tomás Bretón 52 (Area coworking). 28045, Madrid (Madrid), Spain
Phone: +34657 762 372
Email: [email protected]
Website: http://www.hellotickets.es

How can you exercise your rights regarding your data?

To exercise your rights of access, rectification, erasure, restriction, or objection, portability, and withdrawal of your consent, you can do so by sending an email to these addresses: [email protected] / [email protected] or a postal mail to: Tomás Bretón 52 (Area coworking). 28045, Madrid (Madrid), Spain

How can you lodge a complaint if you believe your rights are not being respected?

If you believe that the processing of your personal data does not comply with data protection regulations, you have the right to lodge a complaint with the relevant Supervisory Authority in your country of residence or place of activity.

Depending on your location, you can contact the competent authority in your country. For example:

-In Germany, you can contact the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

-In France, the competent authority is the Commission Nationale de l'Informatique et des Libertés (CNIL).

The specific contact details for Spain are as follows:

Spanish Data Protection Agency

C/. Jorge Juan, 6. 28001, Madrid (Madrid), Spain

Email: [email protected] Phone: 900293183

Web: https://www.aepd.es

If you are unsure of which authority corresponds to you or need information about other supervisory authorities, you can consult the article on Data Protection Supervisory Authorities, where you will find contact details and links according to your location.

14. Modification and Principle of Information

This document ensures that you understand how we process your personal data. By using our website or services, you confirm that you have been informed about the terms of our Privacy Policy, in accordance with the information principle established in Article 13 of the GDPR. The legal bases for processing your personal data are set out in Article 6 of the GDPR and may include the execution of a contract, compliance with legal obligations, or legitimate interest, among others.

This policy has been drafted with the collaboration of Auratech Legal, a law firm specializing in data protection, and will be reviewed periodically to ensure its adequacy and compliance.

Hellotickets reserves the right to modify this Privacy Policy based on legislative, jurisprudential, or guidelines from supervisory authorities. Any relevant modification affecting the purposes of processing, retention periods, or user rights will be communicated explicitly.