1. Introduction

This Privacy Policy explains how Be Or8 (“Company”, “we”, “us” or “our”) collects, uses, stores, shares, and otherwise processes personal data when users access or use the Platform, buy tickets, create organiser accounts, run events, contact support, or interact with our services.

This Privacy Policy applies to:

• visitors to our website and app;
• ticket buyers and attendees;
• event organisers and their staff;
• customer support contacts;
• marketing subscribers; and
• any other individuals whose personal data we process in connection with the Platform.

Under UK law, data protection in the UK is governed by the UK GDPR and the Data Protection Act 2018, and organisations using personal data must process it fairly, lawfully, transparently, and securely.

2. Who We Are

The data controller for the personal data described in this Privacy Policy is:

Be Or8
Registered office: Contact for information
Email: [email protected]

If you have appointed a data protection officer or privacy lead, include their contact details here.

The ICO states that privacy information should include the organisation’s identity, purposes for processing, retention periods, and sharing arrangements, and it should be provided in clear and accessible language.​

3. Scope and Roles

We may process personal data in different roles depending on how the Platform is used.

• When we operate user accounts, manage platform security, process checkout flows, provide customer support, run analytics, or send our own service messages, we will usually act as a data controller.
• When we process attendee data on behalf of an event organiser for event administration, communications, check-in, or reporting, the organiser may also be a data controller in their own right, or in some cases we may act as a processor for that organiser depending on the feature and contractual setup.
• Event ticketing commonly involves data sharing with organisers so they can operate the event, manage attendees, and handle admissions.

This Privacy Policy describes the Company’s own processing. Organisers may also have separate privacy notices that apply to their use of attendee data.

4. Personal Data We Collect

We may collect and process the following categories of personal data:

4.1 Account and identity data

• full name;
• username or login credentials;
• date of birth where needed for age-restricted events;
• business or trading name for organisers;
• account preferences and profile information.

4.2 Contact data

• email address;
• telephone number;
• billing address;
• postal address; and
• customer support correspondence.

4.3 Order and ticketing data

• event selections;
• ticket type, quantity, and order details;
• booking reference numbers;
• attendance status, check-in information, and scan history;
• refund, exchange, transfer, and cancellation records;
• purchase history and basket history.

4.4 Payment and transaction data

• payment status;
• card type, masked payment details, or payment tokens supplied by our payment providers;
• VAT or tax information where relevant;
• chargeback and anti-fraud information.

We generally do not store full card numbers ourselves where a third-party payment processor handles payment information directly.

4.5 Technical and usage data

• IP address;
• device identifiers;
• browser type and version;
• operating system;
• session data;
• referral URLs;
• log files;
• cookie identifiers;
• platform interaction data and analytics events.

4.6 Marketing and communications data

• email preferences;
• consent records;
• campaign engagement data such as opens, clicks, and unsubscribes;
• survey responses;
• promotional preference settings.

4.7 Organiser and business data

• organiser account details;
• payout and invoicing information;
• event setup information;
• customer service records;
• fraud and verification records;
• documents used for legal, compliance, or identity checks.

4.8 Special category data

We ask users not to provide special category personal data unless it is strictly necessary. In limited cases, accessibility, health, or dietary data may be processed where required for event access or service delivery. UK law gives stronger protection to sensitive categories of data such as health, biometrics used for identification, religion, ethnicity, and sexual orientation.​

5. How We Collect Personal Data

We collect personal data:

• directly from you when you create an account, buy a ticket, complete forms, sign up for emails, contact support, or list an event;
• from organisers, venues, or other users where they submit attendee details or transfer tickets;
• from payment providers, identity verification providers, fraud prevention providers, analytics providers, and customer support tools;
• through cookies, pixels, SDKs, server logs, and similar technologies when you use the Platform; and
• from publicly available sources or regulators where necessary for compliance, dispute handling, or fraud prevention.

The ICO states that where personal data is not collected directly from the individual, privacy information should still be provided within a reasonable period and no later than one month, subject to limited exceptions.​

6. Why We Use Personal Data and Our Lawful Bases

The ICO requires organisations to tell individuals why their personal data is being processed, who it will be shared with, and how long it will be kept.​

We may process personal data for the following purposes and on the following lawful bases:

6.1 To provide the Platform and complete ticket purchases

This includes creating accounts, processing orders, issuing tickets, handling payments, sending booking confirmations, facilitating check-in, managing cancellations, and providing event-related service communications.

Lawful basis: performance of a contract, or steps taken at the request of the individual before entering into a contract.

6.2 To operate organiser accounts and event management tools

This includes onboarding organisers, hosting event listings, managing customer data within the organiser dashboard, reconciling sales, and facilitating attendee administration.

Lawful basis: performance of a contract; legitimate interests in operating the Platform.

6.3 To provide customer support and resolve complaints

This includes responding to support requests, investigating disputes, handling refunds, and maintaining support records.

Lawful basis: performance of a contract; legitimate interests in customer service and dispute management; legal obligation where complaint-handling records must be retained.

6.4 To prevent fraud, abuse, and security incidents

This includes account monitoring, login security, chargeback investigation, anti-bot controls, risk scoring, device or transaction analysis, and legal enforcement.

Lawful basis: legitimate interests in protecting the Platform, users, organisers, and payment systems; legal obligation where required.

6.5 To comply with legal, tax, accounting, and regulatory obligations

This includes maintaining financial records, responding to law enforcement or regulator requests, enforcing sanctions compliance, and keeping records needed under applicable law.

Lawful basis: legal obligation.

6.6 To send service communications

This includes order emails, event updates, security alerts, transactional notices, and important policy or account changes.

Lawful basis: performance of a contract; legal obligation in some cases; legitimate interests in operating a reliable service.

6.7 To send marketing communications

This includes newsletters, promotions, product updates, event recommendations, and organiser marketing where permitted.

Lawful basis: consent where required; legitimate interests where permitted by law and subject to your right to object.

The ICO notes that privacy notices should explain people’s information rights, including the right to withdraw consent where consent is the lawful basis.​

6.8 To improve the Platform and measure performance

This includes analytics, reporting, troubleshooting, A/B testing, service monitoring, and product development.

Lawful basis: legitimate interests in improving and securing the Platform; consent where cookies or similar technologies require consent.

7. Sharing Personal Data

We may share personal data with the following categories of recipients:

• Event organisers and venues, so they can administer events, manage attendees, verify admission, deal with customer requests, and comply with health, safety, or legal obligations;
• Payment processors, gateways, banks, and fraud screening providers;
• Technology suppliers, such as hosting, email delivery, CRM, analytics, ticket scanning, support desk, identity verification, and infrastructure providers;
• Professional advisers, such as solicitors, accountants, insurers, and auditors;
• Regulators, courts, law enforcement, and public authorities where required or permitted by law;
• Corporate transaction counterparties where relevant to a merger, acquisition, financing, restructuring, or sale of assets; and
• Other parties with your consent or at your direction.

The ICO requires organisations to tell individuals who their personal data will be shared with, and event ticketing privacy policies commonly disclose sharing with organisers so they can run the event for which tickets were purchased.

We do not sell personal data in the ordinary sense of selling customer lists for unrelated third-party use.

8. Marketing and Sponsor Sharing

Where event organisers want to use attendee data for marketing, sponsor sharing, or promotional follow-up, the legal basis and controller relationship should be made clear at the point of data collection.

If we rely on consent for organiser marketing, sponsor communications, or similar optional processing, consent should be specific, informed, and separately presented rather than bundled into ticket purchase terms.

You can unsubscribe from marketing emails at any time using the unsubscribe link in the message or by contacting us.

9. Cookies and Similar Technologies

We may use cookies, pixels, local device identifiers, analytics tools, and similar technologies to operate the Platform, remember preferences, measure traffic, prevent fraud, and improve performance.

Privacy notices should explain cookie-related processing and can be supported by a separate Cookie Policy with more detailed information.

Where legally required, we will ask for consent before placing non-essential cookies or similar technologies on your device.

You should link this Privacy Policy to a separate Cookie Policy or Cookie Notice that explains:

• what cookies are used;
• whether they are essential, analytics, advertising, or functionality cookies;
• their duration;
• their provider; and
• how users can manage consent.

10. International Transfers

Your personal data may be stored or processed in the UK, the EEA, or other countries where our service providers operate.

Where we transfer personal data outside the UK and such transfer is restricted under data protection law, we will use a valid transfer mechanism, such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful safeguard.

Privacy notices should explain whether data is stored outside the UK or EEA and how such transfers are protected.​

11. Data Retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, including legal, tax, accounting, fraud prevention, dispute resolution, and reporting purposes.

The ICO specifically says privacy information should include retention periods for personal data.​

A practical retention schedule for a ticketing platform may include:

• account data: while the account is active and for a defined period after closure;
• order and transaction records: for at least the period required for tax, accounting, audit, and dispute purposes;
• support records: for as long as reasonably necessary to manage complaints and recurring issues;
• marketing consent and suppression records: for as long as needed to demonstrate compliance and respect opt-out requests;
• security and fraud logs: for as long as reasonably necessary to investigate misuse, prevent abuse, and comply with legal obligations.

You should replace this section with your actual retention table once your systems and legal requirements are confirmed.

12. Security

We use technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

UK data protection law requires personal data to be handled in a way that ensures appropriate security, including protection against unauthorised processing, loss, destruction, or damage.​

Appropriate measures may include access controls, role-based permissions, encryption in transit, secure development practices, logging, backups, staff confidentiality obligations, and vendor due diligence.

No method of transmission or storage is completely secure, so absolute security cannot be guaranteed.

13. Your Rights

Subject to applicable law, you may have the right to:

• be informed about how your data is used;
• access your personal data;
• have inaccurate data corrected;
• have your data erased;
• restrict processing;
• object to processing;
• receive your data in a portable format; and
• ask for human review of certain automated decisions.

GOV.UK lists these rights under UK data protection legislation, including the rights to be informed, access data, rectify data, erase data, restrict processing, object, and data portability, along with rights related to automated decision-making and profiling.​

To exercise any of these rights, contact us using the details in this Privacy Policy. We may need to verify your identity before responding.

You also have the right to withdraw consent at any time where consent is the lawful basis. This does not affect the lawfulness of processing carried out before withdrawal.

14. Complaints

If you have concerns about how we use personal data, please contact us first so we can try to resolve the issue.

You also have the right to complain to the Information Commissioner’s Office. GOV.UK directs individuals with concerns about personal data handling to contact the ICO.​

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: ICO
Telephone: 0303 123 1113

15. Children’s Data

Our Platform is not directed at children unless clearly stated for a specific event or service.

If an event is intended for children or family audiences, we may process limited child data where necessary for ticketing, safeguarding, age verification, accessibility, or attendance management.

Where consent is relied on in relation to children’s data, the Company should obtain it in a legally valid way and present information clearly for the relevant audience. This section should be tailored if the Platform knowingly targets children or schools.

16. Third-Party Links and Integrations

The Platform may contain links to third-party websites, payment pages, video services, maps, social plugins, or integrations.

We are not responsible for the privacy practices of those third parties, and users should review their policies separately.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, guidance, business operations, or platform functionality.

The ICO states that organisations should review and update privacy information regularly and bring new uses of personal data to people’s attention before starting the processing.​

The latest version will be posted on the Platform with an updated effective date. Where legally required, we will also provide additional notice.

18. Contact Us

Questions, requests, or complaints about this Privacy Policy or our use of personal data should be sent through our contact form