Privacy Policy

Last updated: 1 January 2025 · HIBilet B.V., Amsterdam, Netherlands

Summary: HIBilet is designed with privacy by default. We collect only what is necessary, never sell your data, and fully comply with GDPR and PSD2 regulations. Organizers retain 100% ownership of their attendee data.

1. Who We Are

HIBilet B.V. ("HIBilet", "we", "us", "our") is a company registered in Amsterdam, the Netherlands. We operate a white-label ticketing platform accessible at hibilet.com and through licensed deployments. As a data controller, we are responsible for how your personal data is processed when you use our services.

Contact: privacy@hibilet.com

2. What Data We Collect

We collect personal data in the following contexts:

Event organizers: Name, email address, company name, Stripe account information, VAT number (where applicable), and activity data on our platform (events created, sales, configurations).
Ticket buyers: Name, email address, payment information (processed via Stripe, not stored by HIBilet), and ticket data. Note: buyer data belongs to the organizer, not to HIBilet.
Website visitors: IP address, browser type, pages visited, and session data via cookies and analytics tools (e.g. Google Analytics 4).
Support inquiries: Any information you provide when contacting us by email or through our contact form.

3. How We Use Your Data

To provide and operate the HIBilet platform and associated services.
To process subscriptions, invoices, and account management.
To communicate with you about your account, service updates, or support requests.
To improve our platform through aggregated, anonymized analytics.
To comply with legal obligations under Dutch and EU law.

We do not sell, rent, or broker your personal data to third parties.

4. Organizer Data & Attendee Ownership

HIBilet is built on the principle of data sovereignty. When an organizer collects attendee data through HIBilet's ticketing system, that data belongs entirely to the organizer. HIBilet acts as a data processor on behalf of the organizer — not as an independent data controller for attendee information.

Organizers are responsible for complying with GDPR requirements towards their own attendees, including providing appropriate privacy notices at checkout.

5. Payment Processing

All payments are processed via Stripe through Stripe Connect. HIBilet does not store card numbers, bank account details, or any raw payment data. Stripe is PCI DSS Level 1 certified. Stripe's privacy policy applies to all payment processing activities.

6. Cookies

We use cookies and similar technologies for:

Essential cookies: Required for the platform to function (session authentication, CSRF protection).
Analytics cookies: Google Analytics 4 (anonymized, IP anonymization enabled) to understand platform usage.
Marketing cookies: Only placed on organizer-configured sales portals where the organizer has enabled Meta Pixel, TikTok Pixel, or GA4. These are controlled entirely by the organizer.

You can manage cookie preferences through your browser settings or by contacting us.

7. Data Sharing

We share data with the following categories of third parties only as necessary to provide our service:

Stripe: For payment processing and organizer payouts.
Hosting providers: Our infrastructure is hosted on EU-based cloud providers.
Email delivery services: For transactional emails (ticket delivery, receipts).
Legal or regulatory authorities: If required by law.

8. Data Retention

We retain your personal data for as long as your account is active, plus the period required for legal compliance (typically 7 years for financial records under Dutch tax law). You may request deletion of your account and associated data at any time, subject to legal retention requirements.

9. Your Rights Under GDPR

As a resident of the EU/EEA, you have the following rights regarding your personal data:

Right of access: Request a copy of the data we hold about you.
Right to rectification: Correct inaccurate or incomplete data.
Right to erasure: Request deletion of your data ("right to be forgotten").
Right to restriction: Limit how we process your data.
Right to data portability: Receive your data in a machine-readable format.
Right to object: Object to processing based on legitimate interests or for direct marketing.

To exercise any of these rights, contact us at privacy@hibilet.com. We will respond within 30 days.

10. Security

We implement industry-standard security measures including TLS encryption for all data in transit, encryption at rest, role-based access controls, and regular security audits. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority (Autoriteit Persoonsgegevens) within 72 hours as required by GDPR.

11. International Transfers

HIBilet processes and stores data within the European Economic Area (EEA). Where any third-party service providers are based outside the EEA, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses as approved by the European Commission).

12. Children's Privacy

HIBilet's services are not directed at children under the age of 16. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered organizers by email and update the "Last updated" date above. Continued use of HIBilet after such changes constitutes acceptance of the updated policy.

14. Contact & Complaints

For any privacy-related questions or to file a complaint: privacy@hibilet.com

You also have the right to lodge a complaint with the Dutch Data Protection Authority: autoriteitpersoonsgegevens.nl