Secure tickets selling and exchanging platform | Retix

Retixx Privacy Policy (Ticket Resale – Global)

Effective Date: May 22, 2025
Headquarters: Amman, Jordan
Contact: privacy@retixx.com

1. Introduction

Retixx (“Retixx”, “we”, “our”, or “us”) operates a global online marketplace that enables users to list, discover, buy, and resell tickets for events (including concerts, sports, theater, exhibitions, and other live or digital events). This Privacy Policy explains how we collect, use, disclose, transfer, and safeguard personal data when you access or use our websites, mobile applications, APIs, and any related services (collectively, the “Services”).

Because ticket reselling involves identity verification, payment processing, fraud prevention, and dispute handling among users in different countries and jurisdictions, our processing activities are global in scope. This Policy is designed to be transparent and to satisfy core principles in major data-protection frameworks worldwide, including Jordanian law, the EU/EEA General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), Canada’s PIPEDA, and other applicable national or regional laws where our users reside. Where a local rule requires stricter protection, we will apply that stricter standard to the extent required by law.

If you do not agree with this Policy, please do not use the Services. By using the Services, you acknowledge that you have read and understood this Policy.

2. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person (a “data subject”), including but not limited to name, email address, device identifiers, government ID numbers, payment instrument tokens, or transaction metadata.

“Processing” means any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure, or destruction.

“Controller” (or “Data Controller”) means the entity that determines the purposes and means of Processing Personal Data. For the Services, Retixx is the Controller for most activities described herein, except where a third party separately determines purposes and means (e.g., an external payment provider acting as its own controller for compliance checks).

“Processor” (or “Service Provider”) means any third party that Processes Personal Data on behalf of the Controller pursuant to written instructions and appropriate safeguards.

“Sensitive Personal Data” (also called “Special Category Data”) includes data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification, health data, or data concerning a person’s sex life or sexual orientation, where protected by law.

“KYC/AML” refers to Know-Your-Customer and Anti-Money Laundering controls and other sanctions/financial‑crime screening measures we may implement to prevent fraud and unlawful activity in secondary‑market ticket transactions.

3. Scope of This Policy

This Policy applies to all Personal Data processed by Retixx when you visit our websites, create an account, list or purchase tickets, receive customer support, or otherwise interact with the Services. This Policy does not cover the privacy practices of third-party sites, apps, wallets, payment gateways, or event organizers that are not under our control; we encourage you to review their policies separately.

4. Personal Data We Collect

We collect the categories below. The exact data depends on how you use the Services and your region’s requirements.

4.1 Account & Identity Data: Full name, username, password (hashed), email, phone, country of residence, preferred language. For sellers and high‑value buyers we may request government ID (e.g., passport or national ID), proof of address, date of birth, and selfie verification (biometric templates are not stored unless required by law; where used, we minimize retention and apply strict access controls).

4.2 Contact & Communications Data: Messages you send to us, support tickets, marketing preferences, notification settings, and communication receipts (timestamps, delivery status).

4.3 Transaction & Payment Data: Order history, ticket listings, prices, fees, taxes, discount codes, refunds, chargeback details, payout account information (e.g., bank IBAN or e‑wallet token). Payment card data are handled by PCI‑compliant processors; we store only tokens and last four digits where needed.

4.4 Technical & Device Data: IP address, device identifiers, browser type/version, operating system, app version, locale settings, time zone, crash logs, and performance diagnostics.

4.5 Location Data: Country/region inferred from IP, and, if you enable precise location services in the app, GPS‑based location for features like local event discovery or seller verification.

4.6 Fraud‑Prevention Signals: Device fingerprinting, behavioral analytics (e.g., abnormal login velocity, multi‑account patterns), blacklist/greylist flags, and results from sanctions/PEP screenings where legally required.

4.7 Marketing & Preference Data: Your opt‑in/opt‑out choices, interests you select, cookies, pixels, and beacons tracking engagement with emails or in‑app messages.

4.8 Content Data: Images or files uploaded to verify tickets, proof of purchase, or to resolve disputes; event‑related metadata; and, where applicable, barcode or tokenized ticket identifiers.

4.9 Optional Promotional Data: For birthday or loyalty offers, you may choose to provide date of birth and similar details; these are always optional and never required to use our core Services.

5. Sources of Personal Data

We obtain Personal Data from: (a) you directly; (b) automated means such as cookies and SDKs; (c) third‑party partners (payment processors, ID verification vendors, fraud‑prevention providers); and (d) event organizers, primary ticketing platforms, and courier/logistics partners when necessary to validate listings or fulfill deliveries.

6. Cookies, SDKs, and Similar Technologies

6.1 Overview and Purpose

Retixx uses cookies, software development kits (SDKs), and similar tracking technologies to provide, protect, and improve our ticket resale platform. These technologies help us:

  • Enable secure login sessions for users buying or selling tickets.
  • Remember your settings (e.g., preferred currency, event category preferences).
  • Prevent fraudulent transactions and detect suspicious activity.
  • Measure website and app performance.
  • Deliver relevant event recommendations and marketing messages.

Cookies and related technologies are small data files or code snippets that store or access information on your device (computer, smartphone, tablet). Some are set directly by Retixx (“first-party cookies”) while others are set by trusted partners (“third-party cookies”).

 

6.2 Types of Cookies We Use

(i) Essential / Strictly Necessary Cookies
Required for our platform to function, including:

  • Keeping you logged in during your session.
  • Processing your ticket listings and purchases securely.
  • Ensuring correct page navigation during checkout.
    Example: retixx_session_id – stores an encrypted session identifier until you log out or close the browser.

(ii) Functional Cookies
Improve your experience by remembering preferences:

  • Language and currency settings.
  • Saved search filters for events.
  • Displaying relevant events based on your past browsing.

(iii) Performance / Analytics Cookies
Help us understand usage patterns and improve performance:

  • Tracking which event categories users visit most.
  • Measuring page load times.
  • Identifying features users interact with most in our app.
    Example: Google Analytics or Mixpanel cookies for page visit statistics.

(iv) Marketing / Advertising Cookies
Enable us and our partners to:

  • Show relevant event ads across the web and in apps.
  • Measure the effectiveness of campaigns.
  • Avoid showing you irrelevant or repetitive ads.
    Example: Facebook Pixel or Google Ads Remarketing cookies.

 

6.3 SDKs, Pixels, and Beacons

In our mobile apps, we use SDKs (software development kits) from analytics and marketing partners to track in-app activity (e.g., which ticket listings you view) and to send push notifications.

  • Tracking Pixels – 1×1 transparent images embedded in emails or pages to detect when they are opened.
  • Web Beacons – scripts or image requests used to record your interaction with certain content (e.g., whether you clicked on a promotional banner).

 

6.4 Third-Party Tracking Technologies

We work with trusted third parties to provide analytics, fraud detection, and advertising services. These partners may set their own cookies or SDKs on your device.
Examples include:

  • Analytics: Google Analytics, Mixpanel, Amplitude.
  • Fraud Prevention: ThreatMetrix, Sift, or similar device fingerprinting services.
  • Marketing: Google Ads, Meta (Facebook/Instagram), TikTok Ads, Twitter/X Ads.

 

6.5 Cookies and Ticket Resale Fraud Prevention

We use cookies to identify unusual login or payment activity, such as:

  • Multiple logins from different countries in a short time.
  • High-value ticket sales from a newly created account.
  • Rapid automated browsing that may indicate ticket scalping bots.

These fraud prevention cookies are crucial for maintaining marketplace integrity and protecting both buyers and sellers.

 

6.6 Your Choices and Controls

You can control cookies and tracking technologies in several ways:

  1. Browser Settings – Most browsers let you block or delete cookies.
  2. Cookie Banners / Consent Tools – We display a consent banner in regions requiring opt-in (e.g., EU, UK).
  3. Do Not Track (DNT) – We respect browser DNT signals where required by law.
  4. Ad Preferences – You can opt out of interest-based advertising via industry tools like the Network Advertising Initiative (NAI) or YourAdChoices.
  5. Mobile Device Settings – Limit ad tracking or reset advertising IDs in iOS/Android settings.

 

6.7 Regional Compliance

  • EU/EEA & UK – We comply with the GDPR and ePrivacy Directive, requiring prior consent for non-essential cookies.
  • California (CCPA/CPRA) – You may opt out of “sharing” for cross-context behavioral advertising.
  • Canada (PIPEDA) – We obtain implied or express consent depending on the sensitivity of the data collected.
  • Middle East / Jordan – We adhere to applicable local laws regarding online tracking and data protection.

 

6.8 Cookie Retention Periods

The retention period for cookies depends on their purpose:

  • Session cookies – Deleted when you close your browser.
  • Persistent cookies – Remain on your device until they expire or you delete them.
    Example: Analytics cookies may last from 30 days to 2 years depending on the provider’s policy.

A detailed cookie table with names, purposes, and durations is available in our Cookie Notice on the website.

7. Legal Basis for Processing (Global)

Our legal bases vary by jurisdiction and purpose. Common bases include: (a) performance of a contract (e.g., processing your order); (b) legitimate interests (e.g., fraud prevention, service improvement); (c) consent (e.g., marketing emails, precise location services); and (d) legal obligation (e.g., AML, tax reporting). Where GDPR/UK GDPR applies, we rely on these bases consistent with Articles 6 and, if applicable, 9.

8. How We Use Personal Data

We use Personal Data to: create and manage accounts; enable ticket listing, sale, purchase, delivery, and transfer; process payments and payouts; verify identities; detect and prevent fraud; resolve disputes; provide support; personalize content; run analytics; comply with legal obligations; and communicate service announcements and marketing (where permitted).

9. Identity Verification, KYC/AML & Fraud Prevention 

9.1 Purpose of Verification

Retixx operates as a global marketplace for the resale of event tickets, where trust and security are fundamental to ensuring fair transactions for both buyers and sellers.
Because ticket resale can be a target for fraudulent activities such as stolen credit card use, counterfeit ticket uploads, and “scalping” operations that hoard and inflate ticket prices, Retixx enforces a rigorous Identity Verification and Know Your Customer / Anti-Money Laundering (KYC/AML) process.

Our goals are to:

  • Ensure that all sellers are legitimate and authorized to resell the tickets they list.
  • Reduce the risk of buyers being denied entry due to fraudulent or invalid tickets.
  • Prevent money laundering, terrorist financing, and other financial crimes in accordance with Jordanian law, international AML directives, and applicable local regulations in users’ jurisdictions.

 

9.2 Legal Basis for Processing Verification Data

Depending on your jurisdiction, Retixx processes verification-related data under the following legal bases:

  • Legal Obligation – where applicable laws require AML checks, sanctions screening, and fraud prevention.
  • Contractual Necessity – to verify that parties to a ticket transaction are genuine and able to fulfill their contractual obligations.
  • Legitimate Interests – to protect the safety, integrity, and trust of our marketplace, which benefits all users.
  • Consent – where biometric verification or certain enhanced checks are not legally mandatory, we will request your consent before processing.

 

9.3 Types of Verification Checks

(i) Government-issued ID Validation
We may request a scanned copy or high-resolution photo of an official ID document, such as:

  • Passport
  • National ID card
  • Driver’s license
    This may be required for sellers who wish to list high-value tickets, receive payouts above a certain threshold, or operate as frequent resellers.

(ii) Proof of Address
Acceptable documents include:

  • Utility bill (issued within last 3 months)
  • Bank or credit card statement
  • Government-issued residency document

(iii) Biometric / Liveness Verification
For high-risk transactions or where required by local law, we may request a live “selfie” video or facial scan to match against the photo on your ID.

  • We do not store raw biometric data unless strictly necessary for compliance.
  • Any biometric templates are securely stored in encrypted form and deleted according to our retention schedule.

(iv) Sanctions & Politically Exposed Person (PEP) Screening
We screen user information against:

  • United Nations sanctions lists
  • European Union consolidated lists
  • US OFAC SDN list
  • Jordanian government watchlists
  • Commercial PEP databases
    This ensures we do not facilitate transactions with sanctioned individuals or entities.

(v) Behavioral & Transactional Analysis
We monitor usage patterns for anomalies, such as:

  • Sudden listing of multiple identical tickets
  • Login attempts from different countries within short timeframes
  • Abnormally high resale prices inconsistent with market trends
  • Repeated failed payment attempts using different cards

 

9.4 Fraud and Scalping Prevention Measures

Retixx employs advanced technology and internal review procedures to prevent:

  • Credit Card Fraud – detection of stolen or compromised cards.
  • Ticket Counterfeiting – verifying ticket barcodes and metadata with primary ticketing systems.
  • Scalping & Automated Bots – detecting suspicious purchase behavior or automated account creation.

We may withhold payouts or suspend accounts while investigating such activities.

 

9.5 Data Handling & Security

Verification data is handled with the highest confidentiality and is:

  • Stored in encrypted form in secure servers located in jurisdictions with adequate data protection laws.
  • Accessible only to trained personnel with appropriate clearance.
  • Shared only with vetted third-party verification providers under strict data protection contracts.

 

9.6 Retention & Deletion of Verification Data

  • Standard retention: Up to 5 years after account closure, in line with AML regulations in many jurisdictions.
  • High-risk cases: Up to 10 years, where legally required or relevant to an unresolved investigation.
  • Upon expiry of the retention period, verification data will be securely deleted or anonymized.

 

9.7 Your Responsibilities

By using Retixx, you agree to:

  • Provide accurate and truthful information during verification.
  • Not submit forged or altered documents.
  • Update your verification details promptly if they change.

Failure to pass verification checks or refusal to provide requested information may result in:

  • Suspension of your account
  • Withholding of payouts
  • Cancellation of pending transactions
  • Permanent ban from the platform

 

9.8 Third-Party Providers

We partner with internationally recognized identity verification and fraud prevention vendors who are contractually bound to:

  • Use your data only for the purpose of verification.
  • Apply security measures equal to or greater than those described in this Policy.
  • Comply with applicable privacy laws in your jurisdiction.

10. Sharing and Disclosure

We share Personal Data only as necessary and with safeguards:

10.1 Service Providers/Processors: ID verification vendors, payment processors, cloud hosting, analytics, customer support tools, anti‑fraud providers, logistics and courier partners.

10.2 Event Organizers & Primary Ticketing Platforms: To validate tickets, comply with venue rules, and facilitate transfers or reissues.

10.3 Buyers & Sellers: Limited data are shared between transacting parties (e.g., first name initial, city, anonymized chat) to complete a transaction or resolve a dispute; contact details are masked where feasible.

10.4 Legal & Compliance: We may disclose information to authorities where legally required, to enforce our terms, or to protect rights, property, or safety of users or the public.

10.5 Business Transfers: In mergers, acquisitions, or insolvency, data may be transferred subject to this Policy and applicable laws.

11. International Data Transfers

Given the cross‑border nature of ticket reselling, your Personal Data may be transferred to, stored, or processed in countries other than your own. Where required (e.g., for EU/UK residents), we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) and supplementary measures. We also assess local laws and apply risk‑based controls to protect your data.

12. Security Measures

We implement technical and organizational measures aligned with industry standards: encryption in transit and at rest where appropriate; key management and tokenization for payment data (handled by PCI‑compliant partners); role‑based access controls; multi‑factor authentication for employee accounts; security training; vendor due‑diligence; vulnerability management and logging/monitoring. No system is 100% secure; please use strong, unique passwords and enable available security features.

13. Data Retention

We retain Personal Data for the period necessary to fulfill the purposes outlined in this Policy, including tax/accounting obligations, regulatory retention (e.g., AML records), dispute resolution timeframes, and to enforce our terms. Illustrative schedule: (a) account data – for the life of the account and up to 3 years after closure; (b) transaction records – 7 years; (c) KYC documents – 5 to 10 years, subject to local law; (d) marketing preferences – until you opt out.

14. Children’s Privacy

The Services are intended for individuals 18+ (or the age of majority in your jurisdiction). We do not knowingly collect data from children. If you believe a child provided data, contact privacy@retixx.com to request deletion.

15. Your Privacy Rights (Global Overview)

Depending on your location, you may have rights to: access; rectify; erase; restrict or object to processing; portability; withdraw consent; and lodge a complaint with a supervisory authority. Requesting these rights will not result in discriminatory treatment. We may request proof of identity to protect your account.

16. How to Exercise Your Rights

Submit a request to privacy@retixx.com describing the right you wish to exercise and the relevant account or transaction numbers. We will respond within the timeframe required by applicable law. If we cannot comply (e.g., where retention is legally required), we will explain the reasons.

17. Marketing Communications

We send marketing communications only with your consent where required by law. You can opt out via links in emails, in‑app settings, or by contacting privacy@retixx.com. Transactional messages (e.g., receipts, security alerts, policy updates) are not marketing and you may still receive them even if you opt out of marketing.

18. Profiling & Automated Decision-Making

We may use limited profiling to detect fraud (e.g., risk scoring based on device reputation, payment anomalies) and to personalize content. Where automated decisions produce legal or similarly significant effects and your local law grants protections, you can request human review and contest the decision.

19. Disputes, Chargebacks & Enforcement

In the secondary ticket market, disputes may arise regarding validity, entry denial, or delivery. We process relevant Personal Data (evidence uploads, chat transcripts, timestamps, courier proofs) to investigate and resolve claims. We may share limited data with payment networks and banks to contest or process chargebacks in accordance with network rules and applicable law.

20. Regional Addenda

20.1 EU/EEA & UK: For GDPR/UK GDPR, Retixx is the Controller. Legal bases include consent, contract, legal obligation, and legitimate interests. You have rights under Articles 15–22. International transfers rely on SCCs or adequacy decisions where available. You may lodge a complaint with your local supervisory authority.

20.2 California (CCPA/CPRA): California residents may request to know categories/specific pieces of Personal Data, delete data, correct inaccuracies, and opt out of sale/share of Personal Data for cross‑context behavioral advertising. We do not sell Personal Data for money; where “sharing” under CPRA applies (e.g., ad tech), you can opt out via our “Do Not Sell or Share My Personal Information” link (where required).

20.3 Canada (PIPEDA): You have rights to access and challenge the accuracy of Personal Information. Transfers to service providers may occur across borders with appropriate safeguards.

20.4 Middle East (incl. Jordan): We process in accordance with applicable Jordanian laws and other regional regulations (e.g., UAE/DIFC, KSA PDPL) as relevant to users in those jurisdictions. We will honor stricter local requirements where applicable concerning consent, retention, data localization, or breach notification.

20.5 Other Regions: Where local privacy law grants additional rights or imposes specific obligations, we will comply as required and will publish updates in this Policy or a regional notice.

21. Security Incident & Data Breach Response

We maintain incident‑response procedures covering identification, containment, investigation, remediation, and notification. If a breach likely results in a risk to individuals, we will notify affected users and, where required, relevant authorities within applicable statutory timelines.

22. Records, Audits & Accountability

We maintain records of processing activities, data protection impact assessments where necessary (e.g., for high‑risk fraud analytics), vendor due‑diligence files, and training logs. We periodically audit access controls and review retention schedules for alignment with legal and business needs.

23. Employees, Contractors & Confidentiality

Employees and contractors with access to Personal Data are bound by confidentiality obligations, role‑based access, and disciplinary measures for violations. We provide periodic privacy and security training.

24. Changes to This Policy

We may update this Policy to reflect changes to our practices or legal requirements. Material changes will be highlighted on our website or communicated through the Services. The “Effective Date” at the top indicates when the latest version took effect.

25. Contact Us

Retixx
Amman, Jordan
Email: privacy@retixx.com
If you have questions, concerns, or complaints about this Policy or our privacy practices, please contact us. If your concern remains unresolved, you may have the right to contact a competent data protection authority in your region.

Appendix A – Detailed Retention Schedule (Illustrative)

– Account identifiers (name, email, phone): life of account + up to 3 years after closure.
– Login logs and security events: 2 years.
– Ticket transaction records (orders, payouts, delivery proofs): 7 years.
– KYC documents (ID, proof of address): 5–10 years depending on jurisdictional AML rules.
– Customer support transcripts and dispute files: 3–6 years.
– Marketing consent logs: duration of subscription + 2 years.
– Device fingerprints and fraud risk scores: 2–5 years, minimized and periodically re‑hashed.
– Cookies/SDK identifiers: per cookie policy and OS settings.

Appendix B – Processors & Partners (Categories)

  • Cloud hosting & CDN providers
  • Payment processors & gateways
  • ID verification & KYC/AML screening
  • Email/SMS and in‑app messaging
  • Analytics and crash reporting
  • Customer support platforms
  • Logistics/courier and printing/fulfillment
  • Ad tech/measurement providers (subject to opt‑out where required)
  • Event organizer/primary ticketing integrations for validation and reissuance

Appendix C – Cookie Categories & Examples

Essential (session tokens, CSRF protection); Functional (language, region); Analytics (page views, session diagnostics); Marketing (ad attribution, retargeting); Mobile SDK identifiers (IDFA/AAID). Manage via browser/app settings; see our Cookie Notice for full list and lifetimes.

Appendix D – Exercising Rights (Workflow)

1) Submit request to privacy@retixx.com; 2) Verify identity (email or government ID for sensitive requests); 3) We search systems and vendors; 4) We respond within the legal timeframe; 5) If denied (e.g., retention legally required), we provide reasons and appeal options; 6) We log the request for accountability.

Appendix E – Glossary

“Ad Tech” – technologies facilitating advertising delivery and measurement.
“Device Fingerprinting” – evaluating technical attributes to identify devices and combat fraud.
“Event Organizer” – the entity responsible for staging or managing an event.
“Marketplace” – the platform enabling peer‑to‑peer ticket resale.
“PEP” – politically exposed person subject to enhanced due diligence.
“SCCs” – Standard Contractual Clauses approved for international transfers.
