Legal

Privacy & Data Protection Notice

Last updated: 5 June 2026

This notice explains how Altaera Creative LTD("we", "us") collects, uses, and protects personal data, and your rights under the UK GDPR and EU GDPR. We are the data controller for the personal data described here. For data that our business customers store in the platform about their own customers and staff, those customers are the controller and we act as their processor.

1. What we collect

• Account data: name, email, and login credentials (passwords are hashed by our auth provider).
• Customer & contact data: names, emails, phone numbers, and addresses entered into the platform.
• Order & ticket data: purchases, ticket buyer/attendee names and emails, amounts, and timestamps.
• Staff/HR data (where the HR module is used): employee details and uploaded documents, which may include health information (a special category of data).
• Technical data: IP address and basic request metadata, used for security and rate limiting.
• We do not store full card details, payments are handled by our payment processors.

2. Why we use it, and our lawful bases

• To provide the service (accounts, orders, tickets), performance of a contract.
• Security, fraud prevention, rate limiting, legitimate interests.
• Transactional emails (confirmations, receipts), contract / legitimate interests.
• Marketing emails, if any, consent (you can withdraw it at any time).
• Legal & accounting obligations (retaining transaction records), legal obligation.
• Special-category (health) data is processed only where necessary for employment purposes and with an appropriate condition under Article 9.

3. Who we share it with (sub-processors)

We use trusted providers to run the service, each under a data-processing agreement. These currently include:

• Supabase, database, authentication, and file storage (Data Processing Agreement).
• Stripe, payment processing for ticket sales.
• Square, payment processing for click & collect orders.
• Resend, transactional email delivery.
• DocuSeal, electronic signatures (where used).
• Vercel, application hosting.
• Cloudflare, bot protection (Turnstile).

We do not sell personal data.

4. International transfers

We aim to keep personal data hosted in the UK/EEA. Where a provider processes data outside the UK/EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement / EU Standard Contractual Clauses.

5. How long we keep it

We keep personal data only as long as needed for the purposes above. Transaction records are retained for the period required by tax and accounting law, after which personal details within them are anonymised. Other data is deleted or anonymised when no longer needed or on a valid erasure request.

6. Your rights

Under data-protection law you have the right to:

• Access a copy of your personal data;
• Rectify inaccurate data;
• Erase your data ("right to be forgotten"), subject to legal retention;
• Restrict or object to processing;
• Data portability;
• Withdraw consent at any time (for consent-based processing).

To exercise any of these, contact us at admin@altaeracreative.com. We respond within one month. When you ask us to erase your data, we anonymise your personal details across our systems while retaining any records we're legally required to keep.

7. How we protect it

We use encryption in transit and at rest, strict per-tenant access controls (row-level security), least-privilege database access, encrypted payment credentials, signed payment webhooks, and rate limiting and bot protection on public endpoints.

8. Cookies

We use essential cookies needed to sign in and keep you logged in. On public ticket and order checkout pages we use Cloudflare Turnstile, which may set non-essential cookies to verify you are human, we ask for your consent before these are set. We also collect aggregated, server-side usage data (for example ticket page views and checkout starts) to operate and improve the service; this does not use advertising or third-party tracking cookies.

9. Changes

We may update this notice; the "last updated" date above shows the latest version.

10. Contact & complaints

Data controller: Altaera Creative LTD, RG4 8LD, United Kingdom.
DPO / data protection contact: Joshua Hines - admin@altaeracreative.com, +44 7427 868406.
If you're in the UK and unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk.