Privacy Policy

1. Introduction and scope

When you use Melomaniac's services, you entrust us with your personal data that is necessary for the gig organiser ('Organiser') or the shop owner ('Shop Owner'). We take data privacy seriously and only collect them to the extent that is necessary for us to provide services for you. We process personal data in compliance with the EU General Data Protection Regulation (GDPR, EU 2016/679) and the laws of the Republic of Estonia. Melomaniac does not process data that has been defined by the GDPR as sensitive personal data.

Our privacy policy, which is part of the Melomaniac's Terms and Conditions, explains how and why we collect and process personal data.

2. Role of the parties (data controller and joint controllership)

In accordance with Articles 4 and 26 of the GDPR, the role of Melomaniac depends on the specific processing activity.

Melomaniac acts as an independent data controller for personal data processed in connection with:

• Operation, security and development of the platform;
• Payment processing and fraud prevention;
• Customer support and communications;
• Analytics and service improvement;
• Compliance with legal obligations;
• Marketing communications where Melomaniac determines the purposes and means of processing.

For personal data processed in connection with ticket sales and event participation, Melomaniac and the Organiser act as joint data controllers, as both parties determine the purposes and means of processing such data. The Organiser remains responsible for defining any additional data fields requested for a specific event and for ensuring a lawful basis for collecting such data.

Where Melomaniac processes personal data strictly on the documented instructions of the Organiser (for example, organiser-defined registration fields), Melomaniac acts as a data processor.

The essence of the joint controllership arrangement is available upon request.

3. What kinds of data do we collect?

To provide services, we collect data as asked by the Organiser and the Shop Owner in the following two ways:

3.1 Data that you provide to us

When you purchase tickets, you submit different bits of information about yourself:

• E-mail address;
• Name;
• Address;
• Types, prices and quantities of purchased tickets;
• A discount code used when making the purchase;
• Possible additional fields that have been added to the registration form by the organiser.

The Shop Owner forwards personal data to the transport service provider in order to deliver the merchandise.

3.2 Data that we collect when you use our services

For example, if you present your ticket to get into the event, we save information about its use. To make using the service possible, we collect the following data:

• Purchase status;
• Time of purchase;
• Purchase IP address and information about cookies;
• Language used to make the purchase;
• Marketing channel that led to the purchase;
• Type of browser used and operating system;
• Name of the payer;
• Payment type and name of bank used;
• Payment status;
• Time of using the ticket.

The Organisers might ask you for additional personal data depending on the objectives and needs of their event.

3.3 Requirement to provide data

Providing certain personal data is contractually required in order to purchase tickets or merchandise and to access events. If required personal data is not provided, we may be unable to complete the transaction or provide the requested services.

4. Why do we collect and process personal data?

To purchase tickets for the Organisers' events with the help of our service, we need to process your personal data. Without processing personal data, it is not possible to mediate tickets for you and fulfil the related duties. We use all information collected from service provision to offer, administer, protect and improve our services, as well as to develop new services.

We collect and process personal data at the request of the Organiser for the following purposes:

• To issue a ticket;
• To receive payment for the ticket;
• To avoid repeat use of the ticket;
• For business analysis and service improvement;
• To offer user support;
• To fulfil legal obligations;
• For marketing purposes (newsletters).

5. Legal bases for processing personal data

We process personal data only where we have a lawful basis under Article 6 of the GDPR. Depending on the context, processing is based on one or more of the following legal bases:

• Performance of a contract (Art. 6(1)(b) GDPR);
• Compliance with legal obligations (Art. 6(1)(c) GDPR);
• Legitimate interests (Art. 6(1)(f) GDPR), such as ensuring platform security, preventing fraud, improving our services and conducting analytics, provided that such interests are not overridden by your rights and freedoms;
• Consent (Art. 6(1)(a) GDPR), where required, for example for newsletters or non-essential cookies.

Where processing is based on consent, consent may be withdrawn at any time.

6. Marketing communications

Melomaniac sends newsletters to the user's e-mail address only if the user has expressed their wish to receive them by entering their e-mail address on the website and indicating their desire to receive newsletters. The user is able to opt out of newsletters at any time by following the instructions in the e-mail or by contacting us.

Before using data for any other purposes than those outlined in this privacy policy, we will ask for your expressed consent.

7. To whom is your data disclosed?

We handle personal data as confidential and disclose it only to the extent necessary to provide the service.

We do not disclose data to companies, organisations or persons outside of Melomaniac, except in the following cases:

• The Organiser of the event, acting as a data controller, has the right to process personal data collected through the Melomaniac's website;
• Payments are processed by Stripe. When you make a payment, certain personal data such as payment card or bank details, transaction information, payer name, and IP address are processed by Stripe for the purposes of payment processing, fraud prevention, and compliance with legal obligations. Stripe acts as an independent data controller for this processing. Stripe may process personal data outside the European Economic Area. Where applicable, such transfers are safeguarded in accordance with the GDPR, including through adequacy decisions or standard contractual clauses. Further information is available in Stripe's privacy policy.
• Disclosure is required by law;
• In the case of mergers or acquisitions involving Melomaniac;
• To external service providers providing hosting, IT, analytics or support services, subject to appropriate safeguards;
• Where you have given explicit consent.

8. Data security

We work to protect your data from unauthorised access, modification, publication or destruction. Measures include:

• Treating all personal data as confidential;
• Using SSL encryption where possible;
• Restricting access to authorised personnel and partners subject to confidentiality obligations;
• Predominantly digital storage with monitored access;
• Appropriate technical and organisational security measures.

While we apply strict security measures, no internet transmission is completely secure and data transmission is at your own risk.

8.1 Automated decision-making

We do not use personal data for automated decision-making, including profiling, within the meaning of Article 22 GDPR.

9. Your rights and how to exercise them

You have the right to:

• Access your personal data;
• Request correction;
• Request erasure;
• Request restriction of processing;
• Request data portability;
• Withdraw consent;
• Object to processing, including profiling.

9.1 Exercising your rights

Where Melomaniac acts as a data controller or joint controller, you may exercise your rights by contacting us using the details below. Where processing is carried out solely by the Organiser, requests may be forwarded to the relevant Organiser.

Exercising certain rights may result in partial or complete cessation of services.

10. Complaints and supervisory authority

You have the right to lodge a complaint with a supervisory authority. In Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). We cooperate with supervisory authorities in resolving complaints.

11. How long do we store your data?

Personal data is stored only as long as necessary for service provision and as required by law.

11.1 Data retention criteria

• Transaction and accounting data: retained in accordance with applicable tax and accounting laws;
• Customer support and platform usage data: retained as long as necessary to provide services and resolve disputes;
• Marketing data: retained until consent is withdrawn.

Non-personal data may be stored indefinitely.

12. Privacy policy changes

By using Melomaniac's services, you acknowledge this privacy policy. We may update this policy from time to time. We will not reduce your rights without your explicit consent and will notify users of significant changes.

13. Contact us

If you have questions or concerns regarding this privacy policy, please contact:

Melomaniac
melomaniac@melomaniac.live

For event-specific data, please contact the relevant Organiser whose details are available on the event page or in your ticket confirmation.

14. Cookie policy

We use cookies to ensure the functionality of our services and to improve user experience.

14.1 Consent for cookies

Essential cookies are used without consent. Non-essential cookies, including analytics cookies, are used only with your prior consent, which can be managed through our cookie consent tool. You may withdraw or modify your consent at any time. Further details are available in our cookie breakdown.

14.2 The Cookies we use