Legal

Privacy Policy

Last updated: May 2026

1. Who we are

Ithas Fire ("we", "us", "our") operates the Ithas Fire platform for event discovery, ticketing, and payments. This policy explains how we collect, use, and protect personal data when you use our website and mobile applications.

For the purposes of the EU and UK General Data Protection Regulations, Ithas Fire is the data controller of personal data collected through the platform. Event organisers using Ithas Fire to sell tickets are independent controllers of the attendee data they receive from us; their own privacy notices govern that processing.

Privacy enquiries, data-subject requests, and our Data Protection contact: [email protected]. We aim to respond within 30 days as required by Article 12(3) GDPR.

2. Data we collect

  • Account data— name, email address, profile picture, and authentication credentials when you create an account.
  • Phone number (optional)— if you choose to verify a mobile number for two-factor authentication or volunteer shift reminders, we store the number and a verification status. SMS consent is captured explicitly at the point of collection and is revocable at any time by replying STOP to any message or contacting support. We do not use phone numbers for marketing.
  • Transaction data— order details, payment method identifiers (processed by Stripe), and payout information for event organisers.
  • Usage data— pages visited, features used, device type, browser, IP address, and approximate location derived from IP.
  • Cookies & similar technologies — see our Cookie Policy for details.

3. How we use your data

  • To provide, maintain, and improve the platform.
  • To process ticket purchases and payouts.
  • To send transactional emails (order confirmations, receipts).
  • To send transactional SMS messages where you have explicitly opted in — two-factor authentication codes and volunteer shift reminders. Standard message and data rates may apply. Reply STOP to any message to opt out, or HELP for help.
  • To detect fraud and enforce our terms of service.
  • To analyse usage trends (when you consent to analytics cookies).

4. Legal bases (GDPR)

We process personal data on the following legal bases: contract (to fulfil ticket purchases), legitimate interest (fraud prevention, platform security), and consent (analytics and marketing cookies).

5. Data sharing

We share data only as necessary: with Stripe for payment processing, with event organisers so they can fulfil your tickets, and with infrastructure providers that host our systems. We do not sell personal data.

We also use two third-party diagnostics services. Sentry receives application error reports under our legitimate interest in platform reliability; if you accept all cookies, Sentry additionally records a masked session replay (text and inputs are masked by default) and may receive your IP address. Google Analytics only receives data after you accept analytics cookies, and operates under Google Consent Mode v2 until then. See our Cookie Policy for details and how to opt out.

6. Data retention

We retain account and transaction data for as long as your account is active, plus any period required by law (e.g. tax records). Usage data and logs are retained for up to 12 months. Support chat conversations are deleted 12 months after the conversation is resolved.

7. Your rights

Depending on your jurisdiction you may have the right to access, correct, delete, or port your personal data. You can also withdraw consent for optional cookies at any time by clearing the th-consent cookie. To exercise your rights, contact us at [email protected].

We keep a record of your consent decisions — timestamp, the policy version in effect, the device's anonymous identifier, and a one-way hash of your network address — so we can demonstrate compliance with Article 7(1) GDPR. The raw IP itself is not retained. Email [email protected] to request a copy of your consent history or to have it deleted.

8. International data transfers

Some of our processors are located in the United States — specifically Stripe (payments), Sentry (error diagnostics), and Google (analytics, when you consent). When personal data is transferred from the EU/EEA, UK, or Switzerland to a third country, we rely on one of the following Article 46 GDPR mechanisms:

  • The EU–US Data Privacy Framework for transfers to certified US-based processors (Google, Sentry).
  • The European Commission's Standard Contractual Clauses (2021/914) where the DPF does not apply, supplemented by the UK International Data Transfer Addendum where required.

You can request a copy of the safeguards in place by contacting [email protected].

9. Security

We use encryption in transit (TLS), hashed credentials, and scoped access controls to protect your data. Stripe handles all payment-card data; we never store card numbers directly.

10. Lodging a complaint

If you are in the EU/EEA, UK, or Switzerland and believe our processing infringes data-protection law, you have the right to lodge a complaint with your local supervisory authority. A list of EU authorities is available at edpb.europa.eu; UK residents can contact the Information Commissioner's Office. We'd appreciate the chance to address your concern first — please contact us at [email protected].

11. Contact

For privacy-related questions, reach us at [email protected].