Privacy Policy

Last updated: February 2026

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection provisions is:

SyncSeats UG (haftungsbeschränkt)
Staffelstr. 3A
94051 Hauzenberg
Germany
Email: contact@syncseats.com

Managing Directors: Sascha Wohlert, Marcello De Liso

2. General Information on Data Processing

We only process personal data of our users to the extent necessary to provide a functional platform and our content and services. As a rule, personal data is processed only with the user's consent. An exception applies in cases where obtaining prior consent is not possible for practical reasons and the processing of data is permitted by law.

3. Legal Basis for Processing

Where we obtain consent for the processing of personal data, Art. 6(1)(a) GDPR serves as the legal basis.

For the processing of personal data necessary for the performance of a contract, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations required for the implementation of pre-contractual measures.

Where processing of personal data is necessary for compliance with a legal obligation, Art. 6(1)(c) GDPR serves as the legal basis.

Where processing is necessary for the purposes of the legitimate interests pursued by our company or a third party, and where such interests are not overridden by the interests, fundamental rights, or fundamental freedoms of the data subject, Art. 6(1)(f) GDPR serves as the legal basis.

4. Collection and Storage of Personal Data

When using our SyncSeats platform, we collect the following personal data:

a) During registration and account management:

  • First and last name
  • Email address
  • Password (stored as a bcrypt hash)
  • Phone number (if provided)
  • Company information (if provided)
  • Address – street, postal code, city, country (if provided)
  • Date of birth (if provided)

b) During identity verification (KYC):

  • Identity documents (ID card, passport, or similar)
  • Selfie images for identity verification
  • Verification status and timestamp

c) During use of the platform:

  • Transaction data (ticket purchase and sale information)
  • Listing data (created offers and prices)
  • Communication data (messages via the platform and support tickets)
  • Usage data (interactions with the platform)
  • Uploaded files (e.g., proof of purchase, proof of transfer)

d) Payout data:

  • Account holder name
  • Bank name
  • IBAN (stored encrypted using AES-256-GCM)
  • BIC / SWIFT code

e) External marketplace account data:

  • Marketplace account username
  • Marketplace account password (stored encrypted using AES-256-GCM)
  • Marketplace affiliation

f) Automatically collected data when visiting the website:

  • IP address
  • Date and time of the request
  • Browser type and version
  • Operating system
  • Referrer URL
  • Pages visited

g) Security-related data during login:

  • IP address at login
  • Historical login IP addresses (up to 10)
  • Device information (device, browser, operating system)
  • Timestamp of last login
  • Two-factor authentication data (stored encrypted)

5. Purpose of Data Processing

We process your personal data for the following purposes:

  • Provision and operation of the SyncSeats platform (contract performance, Art. 6(1)(b) GDPR)
  • Management of your user account and authentication
  • Conducting identity verification (KYC) to fulfil legal due diligence obligations (Art. 6(1)(c) GDPR)
  • Execution and processing of ticket transactions
  • Synchronization of your listings across multiple marketplaces
  • Connection and management of external marketplace accounts
  • Provision of analytics and financial overviews
  • Processing of payouts
  • Communication regarding your account, transactions, and support requests
  • Compliance with legal obligations (e.g., tax retention requirements, Art. 6(1)(c) GDPR)
  • Detection and prevention of fraud and abuse (legitimate interest, Art. 6(1)(f) GDPR)
  • Login security and device management (legitimate interest, Art. 6(1)(f) GDPR)
  • Improvement and further development of our services (legitimate interest, Art. 6(1)(f) GDPR)

6. Disclosure of Data to Third Parties

Your personal data will only be transmitted to third parties if:

  • You have given your explicit consent (Art. 6(1)(a) GDPR),
  • the disclosure is necessary for the performance of a contract (Art. 6(1)(b) GDPR),
  • there is a legal obligation to do so (Art. 6(1)(c) GDPR), or
  • the disclosure is necessary for the purposes of legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data (Art. 6(1)(f) GDPR).

7. Use of Data Processors and Third-Party Services

We use the following data processors and third-party services:

a) Hosting – Vercel Inc.

Our platform is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. Vercel processes server log data generated during the use of the platform on our behalf (IP addresses, access timestamps, browser information). Processing is based on Art. 6(1)(f) GDPR (legitimate interest in the secure and efficient provision of our platform). A Data Processing Agreement pursuant to Art. 28 GDPR is in place. For transfers to the USA, we rely on the EU-U.S. Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR) and supplementarily on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). More information: vercel.com/legal/dpa

b) Database Hosting – vServer.site

We operate database servers (MongoDB) hosted by vServer.site with locations in Frankfurt am Main and Düsseldorf, Germany, for storing user data. Processing takes place exclusively within the European Union. A data processing agreement pursuant to Art. 28 GDPR is in place. The legal basis is Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in secure data storage). No transfer to third countries takes place.

c) Database Backups – Hetzner Online GmbH

Backups of our database are stored in encrypted form (AES-256-GCM) by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, in so-called Storage Boxes. Processing takes place exclusively within Germany. A data processing agreement pursuant to Art. 28 GDPR is in place. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in data backup and recoverability). No transfer to third countries takes place.

d) File Storage – Cloudflare Inc. (R2)

We use Cloudflare R2 (Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA) with a storage location in Western Europe (WEUR) for storing uploaded files (e.g., proof of purchase, proof of transfer). User data is stored exclusively within the European Union. A data processing agreement pursuant to Art. 28 GDPR is in place. The legal basis is Art. 6(1)(b) GDPR (contract performance). For the transfer of management and metadata to the USA, we rely on the EU-U.S. Data Privacy Framework and EU Standard Contractual Clauses.

e) Email Delivery – Resend Inc.

We use Resend (Resend Inc., USA) for sending transactional emails (e.g., registration confirmations, email verification, password resets, sale notifications, security alerts). Email addresses and message contents are processed. The legal basis is Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in account security). A data processing agreement is in place, and EU Standard Contractual Clauses as well as the EU-U.S. Data Privacy Framework apply to transfers to the USA.

f) Identity Verification (KYC) – Sumsub

For identity verification (Know Your Customer, KYC), we use the service Sumsub (Sum and Substance Ltd., United Kingdom). Sumsub processes personal data on our behalf, including name, date of birth, identity documents, and biometric data (selfie images) for identity verification purposes. The legal basis is Art. 6(1)(b) GDPR (contract performance – identity verification is a prerequisite for using the platform) and Art. 6(1)(c) GDPR (compliance with legal obligations). Where special categories of personal data (biometric data) are processed, the legal basis is Art. 9(2)(a) GDPR (explicit consent). A data processing agreement pursuant to Art. 28 GDPR is in place. For data transfers to the United Kingdom, we rely on the adequacy decision of the European Commission; for any further third country transfers, EU Standard Contractual Clauses apply.

g) Authentication – Google Ireland Limited

If you register or sign in using the "Sign in with Google" button, data is exchanged with Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Your name, email address, and profile picture are transmitted from Google to us. The legal basis is Art. 6(1)(b) GDPR (contract performance). The use of Google OAuth is voluntary; alternatively, you can register with an email address and password. More information on data protection at Google: policies.google.com/privacy

h) Bot Protection – Cloudflare Inc. (Turnstile)

To protect against automated access and abuse, we use Cloudflare Turnstile (Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA) as a CAPTCHA alternative during registration and login. IP addresses and browser metadata may be transmitted to and processed by Cloudflare. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in protecting the platform from abuse). For transfers to the USA, we rely on the EU-U.S. Data Privacy Framework and EU Standard Contractual Clauses.

i) Marketplace Integration

For connecting to ticket marketplaces (e.g., StubHub, Viagogo, Ticketmaster, and others), we use a specialised marketplace integration service provider based in the USA. Through this service provider, listing data (event, seats, prices), sales data, and proof of transfer are processed. If you connect an external marketplace account, your credentials are transmitted to the service provider in encrypted form (AES-256-GCM) to import ticket inventory. The legal basis is Art. 6(1)(b) GDPR (contract performance). A data processing agreement pursuant to Art. 28 GDPR is in place. For transfers to the USA, we rely on EU Standard Contractual Clauses and the EU-U.S. Data Privacy Framework. The specific name of the service provider will be disclosed to you upon request pursuant to Art. 15(1)(c) GDPR.

j) Web Analytics – Vercel Analytics

We use Vercel Analytics to analyze the usage of our platform. Vercel Analytics collects anonymized data without the use of cookies and without storing personal data. No individual user profiles are created. Processing is based on Art. 6(1)(f) GDPR (legitimate interest in analyzing website usage to improve our offering).

8. Cookies and Storage Technologies

Our platform uses cookies. Cookies are text files that are stored in or by the internet browser on the user's computer system.

Strictly Necessary Cookies

We exclusively use strictly necessary cookies within the meaning of § 25(2) No. 2 TTDSG (German Telecommunications Digital Services Data Protection Act) that are essential for the operation of the platform. These include:

  • Session cookie – for authentication and login sessions (duration: until end of browser session or as per JWT lifetime)
  • CSRF token cookie – for protection against cross-site request forgery attacks
  • Affiliate referral cookie – stores a referral code when registering via an affiliate link so the attribution is maintained across page changes (duration: 30 days)
  • Sidebar state cookie – stores the display preference of the side navigation (duration: 7 days)

The legal basis for the processing of strictly necessary cookies is § 25(2) No. 2 TTDSG in conjunction with Art. 6(1)(f) GDPR. Our legitimate interest lies in the provision of a functional platform.

We do not use any analytics, marketing, or tracking cookies. Vercel Analytics operates entirely without the use of cookies.

You can configure your browser to inform you about the setting of cookies, to allow cookies only on a case-by-case basis, or to exclude the acceptance of cookies for specific cases or in general. Disabling cookies may limit the functionality of the platform.

9. Login Security and Session Management

To protect your account, we store security-relevant data with each login:

  • IP address at login
  • Device information (device, browser, operating system)
  • Login timestamp

We store up to 10 historical login IP addresses. When a login occurs from a previously unknown IP address, we send you a security notification by email. You can view active sessions in your account settings and revoke individual sessions.

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the security of your account and the detection of unauthorized access).

Additionally, we offer optional two-factor authentication (2FA) using TOTP (Time-based One-Time Password). The data required for this (encrypted 2FA secret, hashed recovery codes) is stored in your user account. The legal basis is Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in account security).

10. Data Security

We employ appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures include in particular:

  • Encryption of data transmission via TLS/SSL
  • Hashed storage of passwords (bcrypt)
  • Encryption of sensitive data (IBAN, 2FA secrets, marketplace credentials) using AES-256-GCM
  • Encrypted database backups (AES-256-GCM)
  • Access restrictions to personal data on a need-to-know basis
  • Rate limiting for protection against brute-force attacks
  • Cloudflare Turnstile for protection against automated access
  • Account lockout mechanism after repeated failed login attempts
  • Regular review and updating of our security measures

11. Data Retention and Deletion

We store your personal data only for as long as necessary to fulfil the purposes for which it is processed or as required by statutory retention periods. Once the respective purpose ceases to apply or after the statutory retention periods expire, the data will be routinely blocked or deleted.

Statutory retention periods arise in particular from:

  • Commercial and tax law retention obligations (§§ 147 AO, 257 HGB under German law): up to 10 years
  • Account data after account deletion: deleted after expiration of any applicable statutory retention periods
  • KYC verification data: retained in accordance with legal requirements, then deleted
  • Uploaded files (proof of purchase/transfer): deleted after completion of the associated transaction and expiry of any retention obligations
  • Login security data (IP addresses, device data): retained for the duration of the contractual relationship; historical IP addresses are limited to a rolling maximum of 10 entries

12. International Data Transfers

In the course of using the third-party services mentioned in Section 7, personal data may be transferred to third countries. This particularly concerns the following services and service provider categories based in the USA: Vercel Inc. (hosting), Resend Inc. (email delivery), Cloudflare Inc. (file storage and bot protection), and a specialised marketplace integration service provider (marketplace connection). In addition, data is transferred to Sum and Substance Ltd. in the United Kingdom (KYC).

Such transfers are based on:

  • EU-U.S. Data Privacy Framework (adequacy decision of the European Commission pursuant to Art. 45 GDPR) – for US recipients certified under the DPF
  • EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) – as supplementary or sole transfer mechanism
  • Adequacy decision of the European Commission for the United Kingdom

The database (vServer.site, Frankfurt/Düsseldorf) and database backups (Hetzner, Germany) as well as user data in Cloudflare R2 (Western Europe) are processed exclusively within the EU/EEA; no third country transfer takes place in this regard.

13. Your Rights as a Data Subject

You have the following rights with regard to the personal data concerning you:

  • Right of access (Art. 15 GDPR): You can request information about the personal data we process about you.
  • Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate or the completion of incomplete data.
  • Right to erasure (Art. 17 GDPR): You can request the deletion of your personal data, provided no statutory retention obligations apply.
  • Right to restriction of processing (Art. 18 GDPR): You can request the restriction of processing of your data.
  • Right to data portability (Art. 20 GDPR): You can request to receive your data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21 GDPR): You can object to the processing of your data at any time where processing is based on Art. 6(1)(f) GDPR.
  • Right to withdraw consent (Art. 7(3) GDPR): You can withdraw any given consent at any time with effect for the future.

To exercise your rights, please contact us at: contact@syncseats.com

14. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR.

The supervisory authority responsible for us is:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Germany
Website: www.lda.bayern.de

15. Changes to This Privacy Policy

We reserve the right to amend this Privacy Policy to ensure it always complies with current legal requirements or to reflect changes to our services in the Privacy Policy, e.g., when introducing new features. Your subsequent visit will be subject to the updated Privacy Policy.
