PRIVACY NOTICE

Before we dive into the legal details, here are a few core principles:

We welcome the EU General Data Protection Regulation (GDPR) — your privacy deserves protection.

Ticket Gretchen is an Austrian company. From day one, our aim has been to protect our customers’ data. The world of culture is exciting and enriching, so we enthusiastically keep you informed and recommend what we consider the most unmissable events.

What we do:

 

• We provide information about cultural events in your city.
• We generate recommendations based on your usage so you can discover events you may also like — and we show these in the app. We may also send you matching information. If you no longer wish to receive these messages, you can disable them at any time under “My menu”.
• If you book tickets via the app, the relevant cultural organisation (the organiser) is informed that you will attend, so they can react quickly in case of cancellations.
• We earn our living from ticket sales — we never sell your data.

 

Don’t want us to contact you any more? Email us at support@ticketgretchen.com or adjust the relevant settings in the app under “My menu”.

Our services are operated in and for Austria.

Online services for recommending (cultural) events and for purchasing tickets for (cultural) events.

Ticket Gretchen GmbH, Mariahilferstraße 109/20, 1060 Vienna
T: +43 (1) 3613030  E: support@ticketgretchen.com

When you buy a ticket, a separate “event contract” arises between you and the organiser. The organiser alone is responsible (as the controller) for performing and administering that contract. The organiser is identified during the ticket purchase. Transmitting the data necessary for performing the purchase contract to the organiser is essential for fulfilling the contract. In administering ticket purchases, Ticket Gretchen GmbH acts as the organiser’s processor on the basis of a data processing agreement.

• Making available information about (cultural) events
• Providing services that recommend events based on your interests (with an opt-out available at any time)
• Making available organisers’ online shops for the purchase of tickets (see the explanations in section 4)
• Providing communication channels to distribute content and service the customer relationship
• Fulfilling contractual obligations under the service contract with the controller
• Fulfilling contractual obligations under the purchase and event contract concluded with the organiser

 

 

• Distributing/displaying (including promotional) information about services and events by means of direct marketing, where permitted by law
• Maintaining and improving customer satisfaction and loyalty by analysing usage patterns to enhance our services, using Clevertap and Google Analytics
• Providing (promotional) newsletters to customers on the legal basis of § 107(3) TKG (with an opt-out available at any time)
• Transmitting users’ electronic identification data to third-party providers in order to embed content via social networks (e.g. YouTube) and other applications (e.g. Google Maps).

 

1) Performance of a contract

• Online: Your use of our online services is based on a contract within the meaning of Article 6(1)(b) GDPR; by registering, a registration relationship is formed.
• Ticket purchase contracts: Where you buy tickets, the organiser’s processing is based on the purchase contract and serves its performance (see the explanations in section 4).

2) Additional services — consent: For certain services (e.g. newsletters) the controller explicitly collects your consent. You can withdraw consent at any time with effect for the future.

3) Legitimate interests: Processing on the basis of legitimate interests as described in the section “Description of legitimate interests”.

 

Purpose — IT security We store IP addresses of website-only visitors for 7 days to defend against targeted attacks such as denial-of-service and other system harm. We have a legitimate interest in this processing to maintain the functionality of our online services (Recital 49 GDPR).

Purpose — information distribution/direct marketing We process customer data (not children’s data, nor special categories of personal data per Article 9 GDPR) to conduct direct marketing for additional offers from the controller. We have a legitimate interest in processing personal data for direct marketing (GDPR Recital 47, last sentence). Only customer data arising from an existing contractual relationship and still within its retention period are processed; retention periods are not extended by this processing. The primary goal is customer acquisition. We rely on our constitutionally protected freedom to conduct a business (Art. 6 Austrian Basic Law — StGG) and freedom of communication (in particular Art. 10 ECHR, which also protects advertising). This includes the rights

• to send postal advertising; and
• to send electronic messages after consent and pursuant to § 107(3) TKG.

We comply with the communications law requirements, in particular § 107 TKG, when using this data.

 

Purpose — retargeting Facebook uses the “Facebook Pixel” implemented in our services to place cookies on users’ devices, read existing cookies/other identifiers and enrich the profile associated with the identifier or user. We do not have access to the data collected by Facebook, but we use it to display advertising to audiences interested in our services.

Information distribution/advertising: We also process customers’ personal data for the purposes of information distribution/direct marketing and retargeting. We use this to inform about our own services and about organisers’ events and to promote them. For these purposes, we do not disclose your data to any third party acting as its own controller. This is compatible with the original purpose of collection. You may object to the use of your personal data for direct marketing at any time, without giving reasons.

To provide tailored recommendations within the contractual purpose, we analyse and assess your usage and demand behaviour. We use these assessments to send you targeted recommendations that match your interests.

There is no obligation to provide data in order to use the services. During purchase, however, the fields required to complete the purchase must be filled in truthfully.

You are not subject to any automated decision-making that produces legal effects concerning you.

Provided by you

• Area of interest
• Name
• Email address
• Date of birth (optional, for special offers)
• Payment and card details; voucher details
• Content of messages or reviews you submit
• For special offers (e.g. U27): copies of ID. Relevant metadata such as ID number, ID type, validity, place and date of issue, and date of birth are extracted and stored. The ID copy is then deleted immediately.

 

Additionally collected by the controller

• IP addresses (log files)
• User ID, push token, device ID, localisation (language setting)
• WebView used
• Device used
• Communication protocol
• Account-usage information (e.g. creation date, number of logins, date of last request)
• Information about purchased tickets
• User behaviour data (e.g. event viewed, favourited, added to basket, purchased, reviewed)

 

(where not provided by you or collected by the controller)

• Email delivery “Mailchimp”: The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. Data types: IP location, preferred email client, source of subscription, campaign details (receipt, opens, clicks).
• Facebook Login: Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304. Facebook ID and email address.
• Analytics and push notifications “Clevertap”: Push token, device ID, user behaviour data (e.g. event viewed, basket, purchase, review), device, operating system, user agent, localisation.
• Attribution of download source: Branch and Appsflyer SDK to identify from which source a user downloaded the app; required for referral and deep linking. For attribution the following identifiers are collected: iOS Identifier for Advertising (IDFA), iOS Identifier for Vendors (IDFV), Android Advertising ID (GAID), Android ID, Branch Cookie ID, IP address, application version, device model, manufacturer, operating system and version, screen size and resolution, session start/stop time, mobile network status (Wi-Fi, etc.), application install time, update time, device locale (country and language), local IP address, mobile platform, Branch SDK version, developer ID.

 

A) Third-party services embedded in the platform: transmission of electronic identifiers, in particular IP address:

• Instagram LLC, 1601 Willow Rd, Menlo Park, CA 94025, USA, https://help.instagram.com/
• Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, https://de-de.facebook.com/about/basics
• Twitter Inc., 795 Folsom Street, Suite 600, San Francisco, CA 94107, USA, https://twitter.com/de/privacy
• YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA, https://support.google.com/youtube/answer/7671399?hl=de
• Vimeo: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, https://privacy.google.com/#
• Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland, https://policy.pinterest.com/de/privacy-policy

 

B) Organisers (identified during the purchase process): email, first name, surname, newsletter subscription for the respective organiser (separate opt-in), order details and, where applicable (e.g. U27), date of birth.

C) Processors

• Hosting — server location Frankfurt: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, United States.
• Google Analytics (with IP anonymisation): Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
• Email campaigns “Mailchimp”: The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.
• Payment service: Stripe, 510 Townsend Street, San Francisco, CA 94103, USA — gateway for card payments and SOFORT bank transfer. Stripe processes personal data under the EU Standard Contractual Clauses.
• Payment service: BS PAYONE GmbH, Lyoner Straße 9, D-60528 Frankfurt/Main — critical payment data (e.g. card information) are sent directly by the customer to the payment service; Ticket Gretchen GmbH servers do not store these data. Only pseudonymised data are stored with Ticket Gretchen.
• Payment service: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg — payment is made directly with PayPal; only order-relevant data (amount, status) are collected.
• Payment service: Blue Code International AG, Gartenstrasse 5, 8853 Lachen, Switzerland — processes Bluecode payments.
• Payment service — SOFORT transfer: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden — payment is made directly with the provider; a bank transfer from the end customer to Ticket Gretchen is triggered.
• ID verification for special offers (e.g. U27): AriadNEXT, ZAC des Champs Blancs, 1219 Avenue des Champs Blancs, 35510 Cesson-Sévigné, France.
• Analytics — Clevertap (servers in the EEA): WizRocket Inc., 440 N Wolfe Rd, Sunnyvale, CA 94085, USA. Hosting and processing take place exclusively within the EEA in Amazon Web Services data centres.
• Attribution — Branch (servers in the USA): Branch Metrics Inc., 2443 Ash Street, Palo Alto, California 94306, USA.
• Analytics: Graf Moser Management GmbH, Mariahilferstraße 109/20, 1060 Vienna — hosting in data centres located in Germany.
• Server monitoring — server location USA: Rollbar, 221 Main St., Suite 780, San Francisco, CA 94105, USA.

We expressly reserve the right to engage additional processors. These will be listed in the update to this Privacy Notice following the start of their engagement. Processing by processors takes place under the controller’s responsibility.

 

• System administration
• Specialist departments
• Management

 

The following data are transferred to countries outside the EU as part of processing:

• Google (EU Standard Contractual Clauses)
  Country: USA
  Data types — Google Analytics: anonymised IP address, website title, browser-specific information, information about website use
  Data types — Google Maps: electronic identifiers
• Mailchimp (EU Standard Contractual Clauses)
  Country: USA
  Data types: email address, name, user type
• Branch Metrics (EU Standard Contractual Clauses)
  Country: USA
  Data types — website: IP address, clicked download link, user agent, referrer, cookie, phone number when using the “Text-Me-The-App” feature on the website
  Data types — app SDK: iOS Identifier for Advertising (IDFA), iOS Identifier for Vendors (IDFV), Android Advertising ID (GAID), Android ID, Branch Cookie ID, IP address, application version, device model, manufacturer, operating system and version, screen size, screen resolution, session start/stop time, mobile network status (Wi-Fi, etc.), application install time, application update time, device locale (country and language), local IP address, mobile platform, Branch SDK version, developer ID
• Rollbar (EU Standard Contractual Clauses)
  Country: USA
  Data types: in the event of an error, the Ticket Gretchen user ID and metadata about the error (e.g. performance affected, error message). Data are automatically deleted after 7 days.
• Facebook SDK (EU Standard Contractual Clauses)
  Country: USA
  Data types: Explicit events — information from tracked events (e.g. view event, basket, purchase). Implicit events — events logged when using other SDK features such as Facebook Login or the “Like” button. Automatically logged events — basic in-app interactions (e.g. app installs, app starts) and system events (e.g. SDK load, SDK performance). Developers can disable automatic logging and log explicit events manually (instructions exist for iOS and Android). Facebook App ID — unique ID assigned by Facebook to the advertiser’s website and mobile app. Mobile advertising ID — iOS IDFA or Android Advertising ID. Request metadata — type and version of the mobile OS, SDK version, app name and version, device opt-out setting, user-agent string and client IP address. The SDK also collects device metrics such as time zone, device OS, device model, carrier, screen size, CPU cores, total storage and free space.

 

We maintain our own online presences on social-media channels for advertising and customer communication. On these presences, your data may be processed outside the European Union, which can carry an increased risk of a privacy breach. Where based in the USA, the operators of these channels have largely committed to the EU Standard Contractual Clauses.

These presences are operated within the technical environment of the respective platform. The social-media operators use your visit for their own purposes, in particular to display interest-based advertising. They place cookies on your device, read existing cookies/identifiers and infer your interests from your behaviour in order to enrich your profile. The aim is to display interest-based advertising to you, including on third-party websites you visit later.

Processing is based on our legitimate interests in advertising and customer communication, protected by the freedom to conduct a business (Art. 6 StGG) and freedom of communication (in particular Art. 10 ECHR, which also protects advertising). If you are a user of the relevant social-media channel, your consent may also be the legal basis.

We do not have access to your social-media data. To exercise your rights of access, rectification, erasure, restriction, objection and data portability, please contact the respective social-media platform directly. Users can also change their privacy settings on those platforms. We will support you if needed.

Further information: Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) — Privacy: https://www.facebook.com/about/privacy/ — Opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com
Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) — Privacy: https://twitter.com/de/privacy — Opt-out: https://twitter.com/personalization
Google/YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) — Privacy: https://policies.google.com/privacy — Opt-out: https://adssettings.google.com/authenticated
Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA) — Privacy/opt-out: http://instagram.com/about/legal/privacy/
Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA 94301, USA) — Privacy/opt-out: https://about.pinterest.com/de/privacy-policy
LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) — Privacy: https://www.linkedin.com/legal/privacy-policy?trk=uno-reg-guest-home-privacy-policy

Legal basis — contractual relationship: On the legal basis described above, we generally process personal data until 40 months after the end of the contractual relationship (= 36 months for potential contractual damages claims + up to 4 months for service of proceedings). Where a statutory retention duty applies, in particular under § 132(1) Austrian Federal Fiscal Code (BAO), we continue to process billing-relevant data until the end of the statutory retention period (currently generally 7 years after the end of the financial year in which the data arose).

• Article 15 GDPR — access
  You have the right to obtain confirmation as to whether we process personal data concerning you, and access to that data.
• Article 16 GDPR — rectification
  You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you or to have incomplete data completed.
• Article 17 GDPR — erasure
  You have the right to obtain the erasure of personal data concerning you without undue delay where the grounds in Article 17(1) GDPR apply.
• Article 18 GDPR — restriction
  You have the right to obtain restriction of processing where the grounds in Article 18(1) GDPR apply.
• Article 21 GDPR — objection
  You have the right to object, on grounds relating to your particular situation, to processing based on our legitimate interests.
• Article 20 GDPR — data portability
  You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format.

Article 77 GDPR; § 24 DSG (Austrian Data Protection Act)
Every customer has the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data concerning them infringes this Regulation.

Austrian Data Protection Authority (Datenschutzbehörde)
Wickenburggasse 8–10, A-1080 Vienna
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at