This is our privacy policy
Please read this legal document carefully. You will not find unexpected surprises – TIXATOR does not share data with anybody but technical services used in our operations. No reselling, no data sharing, no tracking.
─ Matthias Boller, CEO, PLANIS E3, Creators of TIXATOR
Effective date: 2025-11-11
Version: 1.0
1) Who we are (PLANIS)
Controller: PLANIS E3 Empathy Engineering GmbH, Am Kiel-Kanal 2-4, 24106 Kiel, Germany
Commercial register / VAT ID: Amtsgericht Kiel HRB 23630 / CEO Matthias Boller
Email: support@tixator.com
Data Protection Officer: Matthias Boller, CEO
Supervisory authority competent for us: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin, Eingang: Alt-Moabit 60. You may lodge a complaint with any EU/EEA supervisory authority.
2) Scope of this Policy
This Policy applies to:
Website: Tixator.com and subpages.
Shopify App (merchant dashboard): the app we provide to Shopify merchants (“App”).
Ticket‑scanning mobile app: used to validate entries at events (“Scanner App”).
Role mapping under GDPR:
We act as controller for website visitors and for merchant account/billing/admin data.
For ticket buyers/attendees processed through the App, we act as a processor on behalf of the merchant. In that case the merchant remains the controller. A Data Processing Agreement (DPA) forms part of our merchant terms.
3) Categories of data we process
A) Website visitors
Identification and contact data you submit (forms, newsletter): name, email, company, message.
Device/usage data: IP address, timestamps, URLs, user agent, language, referrer, campaign parameters.
Cookies/SDK identifiers and consent signals (see Cookies section).
B) Merchants using the App (controller = us)
Account data: name, email, role, store domain, Shopify merchant ID, timezone, locale.
Subscription/billing: plan, status, invoices, payment reference from Shopify Billing; we do not receive or store full payment card numbers.
Support data: tickets, chat transcripts, attachments, audit logs.
C) Buyers/Attendees processed via the App (controller = merchant; processor = us)
Order and ticket data received from Shopify: name, email, order/ticket IDs, product/variant, event information, quantity, price, status, metadata.
Check‑in data via Scanner App: ticket ID, check‑in timestamp, user performing the scan, device/app identifiers; optional fields you configure (e.g., seat number).
We do not need payment card details for attendees; payment processing is handled by the merchant’s provider (e.g., Shopify Payments/PSP).
D) Sources
You (forms, account signup), your Shopify store via APIs/webhooks, our logging/monitoring systems, and processors we use to provide the services.
4) Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Provide and operate the Website, App, and Scanner App; create merchant accounts; process app subscriptions | Contract performance, Art. 6(1)(b) GDPR; legitimate interests to run and improve services, Art. 6(1)(f) |
| Merchant support, incident handling, communications | Art. 6(1)(b) and (f) |
| Security, fraud prevention, abuse detection, logging | Art. 6(1)(f) |
| Marketing communications (newsletter, product updates not strictly necessary to the service) | Consent, Art. 6(1)(a); you can withdraw any time |
| Legal compliance (tax, accounting, regulatory requests) | Legal obligation, Art. 6(1)(c) |
| Analytics and A/B testing on the website or merchant UI, if non‑essential | Consent, Art. 6(1)(a) |
You can withdraw consent at any time; this does not affect processing carried out before withdrawal. Data subject information duties and rights apply as set out in Arts. 13–22 GDPR.
5) Cookies and similar technologies
We use strictly necessary cookies to deliver the site and log you into dashboards. We only set non‑essential cookies (e.g., analytics, marketing) with your prior consent. Under German law storing or accessing information on your device requires consent unless it is strictly necessary for a service you requested. We record and honor your choices via our Consent Management Platform (CMP). You can change or revoke consent at any time via the “Cookie settings” link in the footer.
Legal basis: § 25 TDDDG (former TTDSG) for device access, and Art. 6(1)(a) GDPR for processing personal data from non‑essential cookies. If only strictly necessary cookies are used, consent is not required.
6) Recipients and categories of recipients
We share personal data with:
Hosting and infrastructure providers (e.g., cloud/IaaS, CDN, email delivery, error monitoring).
Shopify (to the extent necessary for app installation, billing, scopes and webhooks visible during install).
Support and communications tools (ticketing, CRM, in‑app messaging).
Analytics providers (if consented).
Payment/billing processors for app subscriptions via Shopify Billing.
Professional advisors (legal, tax) and authorities when required by law.
We are going to maintain a current list of processors/sub‑processors in the future at: https://tixator.com/legal/subprocessors
7) International data transfers
If we transfer personal data outside the EU/EEA:
We use adequacy decisions where available (e.g., Canada for commercial organizations; United States for organizations participating in the EU‑U.S. Data Privacy Framework).
Otherwise we rely on the European Commission’s Standard Contractual Clauses (SCCs) 2021/914, plus supplementary measures as needed.
If a recipient claims participation in the EU‑U.S. Data Privacy Framework, we verify status and ensure appropriate safeguards. Recent EU case law has upheld the lawfulness of the DPF adequacy decision; appeals may still follow.
8) Retention periods
We retain personal data only as long as necessary for the purposes above, then delete or anonymize it unless longer retention is required by law.
Merchant account and contract data: for the term of the contract and standard limitation periods after termination.
Support tickets and logs: typically [12–36] months, unless needed for incident, fraud or legal claims.
Marketing data: until you withdraw consent or after [24] months of inactivity.
Tax and commercial records (Germany): statutory retention applies. We apply the period applicable when a record is created and any transitional rules.
9) Your rights
Under GDPR you have the right to:
request access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and to object (Art. 21); and
withdraw consent at any time (Art. 7).
You also have the right to lodge a complaint with a supervisory authority.
Exercising your rights: Email support@tixator.com. We may need to verify your identity. If your request concerns attendee data processed on behalf of a merchant, we will inform the merchant (controller) and support their response.
10) Children
Our services are not directed at children under 16. Merchants organizing youth events are responsible for ensuring a suitable legal basis (e.g., parental consent where required).
11) Security
We use appropriate technical and organizational measures, including encryption in transit, access control, least‑privilege, and logging. We regularly review vendors and implement data protection by design and by default (Art. 25 GDPR).
12) Shopify App specifics
We request only the Shopify API scopes needed for event ticketing, order sync, and check‑in features. The exact scopes are shown during installation and in the App settings.
We receive order and customer data from your Shopify store via Shopify APIs/webhooks to provide the service you request.
App billing is processed via Shopify; we do not store full payment card details.
For attendees, we act as processor and follow your instructions in the DPA.
13) Automated decision‑making
We do not carry out automated decision‑making producing legal or similarly significant effects under Art. 22 GDPR.
14) Changes to this Policy
We may update this Policy. Material changes will be notified via email or in‑app. The “Effective date” above shows the current version.
15) Contact
For questions or requests about this Policy or your data:
Email: support@tixator.com
Postal: PLANIS E3 Empathy Engineering GmbH,
Am Kiel-Kanal 2-4, 24106 Kiel, Germany.