tickadoo Privacy Policy
How We Collect, Use, and Protect Your Data When You Book Tickets and Experiences
Who We Are
This Privacy Policy explains how your personal data is collected, used, shared, and protected when you use www.tickadoo.com, our mobile applications, or any related services (collectively, the "Platform") to book theatre tickets, tours, attractions, and experiences worldwide.
The Platform is operated by tickadoo Inc., registered at 447 Broadway, New York, NY 10013, United States. tickadoo Inc. is the data controller responsible for your personal data.
We comply with applicable data protection laws, including the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act (CCPA), and other relevant legislation.
Our Data Protection Officer can be reached at dpo@tickadoo.com.
What Data We Collect
We collect the following categories of personal data depending on how you interact with the Platform — whether you are browsing things to do, booking West End tickets, reserving a guided tour, or managing your account:
Account and identity data
- Full name, email address, phone number
- Account credentials (passwords are stored in hashed form only)
- Profile preferences, language, and currency settings
Booking and transaction data
- Experience booked, date, time, ticket type, number of participants
- Booking reference numbers and confirmation details
- Cancellation and refund history
- Gift voucher purchases and redemptions
Payment data
- Payment card details are processed directly by our PCI-DSS Level 1 certified payment processor and are never stored on tickadoo's servers
- We retain transaction records including amount paid, currency, payment method type, and transaction identifiers
Usage and device data
- Pages visited, search queries, experiences viewed, AI recommendations and mood filters interacted with
- Device type, browser, operating system, screen resolution
- IP address and approximate geographic location derived from IP
- Referral source and attribution data
Communications data
- Messages sent to our customer support team
- Email interaction data (opens, clicks) for transactional and marketing emails
Accessibility data
- If you voluntarily disclose accessibility requirements during booking, we collect this to ensure your needs are communicated to the experience supplier
How We Use Your Data
We use your personal data for the following purposes:
- Fulfilling your bookings — processing payments, issuing e-tickets, sending booking confirmations, and communicating booking updates for theatre tickets, tours, attractions, and other experiences
- Account management — creating and maintaining your tickadoo account, managing your preferences and booking history
- Customer support — responding to enquiries, processing cancellation and refund requests, resolving disputes
- Fraud prevention and security — detecting and preventing fraudulent transactions, unauthorised account access, and payment disputes
- AI-powered personalisation — providing personalised experience recommendations, mood-based search results, and curated city guides using automated systems. These recommendations are generated algorithmically and provided on an "as is" basis. You are not subject to decisions based solely on automated processing that produce legal or similarly significant effects
- Analytics and service improvement — understanding how the Platform is used, identifying technical issues, and improving our features and user experience
- Marketing communications — sending promotional emails about deals on tickets, upcoming events, and new destinations where you have given consent or where we have a legitimate interest (with an easy opt-out)
- Legal compliance — meeting tax, accounting, and regulatory obligations, and responding to lawful requests from authorities
Legal Bases for Processing
Under the UK GDPR and EU GDPR, we process your personal data on the following legal bases:
- Performance of a contract — processing bookings, issuing tickets, processing payments, delivering booking confirmations, and providing customer support related to your booking
- Legitimate interests — fraud detection and prevention, Platform security, analytics and service improvement, and direct marketing to existing customers (where permitted). Our legitimate interests do not override your fundamental rights and freedoms
- Consent — marketing communications to non-customers, placement of non-essential cookies, and processing of any special category data (such as accessibility needs)
- Legal obligation — retaining transaction records for tax and accounting purposes, complying with court orders or regulatory requests
Where we rely on consent, you may withdraw it at any time by contacting us or using the unsubscribe link in marketing emails. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
Cookies and Tracking Technologies
We use the following categories of cookies on the Platform:
- Essential cookies — required for the Platform to function, including session management, authentication, security tokens, and language/currency preferences. These cannot be disabled
- Analytics cookies — used to understand how visitors interact with the Platform, including pages visited, search behaviour, and conversion events. These help us identify and fix issues and improve the booking experience
- Attribution cookies — used to track referral sources and attribute bookings to the correct marketing channel or hospitality partner
You can manage your cookie preferences through the cookie banner displayed on your first visit. Essential cookies cannot be disabled as they are necessary for the Platform to operate. You can also control cookies through your browser settings, though this may affect Platform functionality.
Data Retention
We retain your personal data for the following periods:
- Booking and transaction records — 7 years from the booking date, as required for accounting, tax, and legal compliance purposes
- Account data — for the duration of your account, plus 3 years after account closure or deletion request
- Analytics data — identifiable session data is retained for up to 24 months. Aggregated and anonymised analytics data may be retained indefinitely
- Marketing data — until you withdraw consent or request deletion
- Customer support records — 3 years from the date of the most recent interaction
When retention periods expire, data is securely deleted or irreversibly anonymised. Where a legal obligation requires longer retention (e.g. an active dispute or regulatory investigation), we will retain the relevant data until the obligation is resolved.
International Data Transfers
tickadoo operates globally, helping you discover and book experiences in over 1,400 cities. Your personal data may be transferred to and stored in the United States and other countries where our service providers operate.
Where data is transferred outside the UK or the European Economic Area (EEA) to a country that has not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission or the UK International Data Transfer Agreement (IDTA)
- Data processing agreements with all service providers that include appropriate transfer mechanisms
- Where applicable, adequacy decisions by the UK Secretary of State or the European Commission
You may request a copy of the relevant safeguards by contacting us at privacy@tickadoo.com.
Your Rights
UK and EEA residents (UK GDPR / EU GDPR)
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion of your data where there is no compelling reason for continued processing
- Restriction — request that we limit processing of your data in certain circumstances
- Data portability — receive your data in a structured, commonly used, machine-readable format
- Object — object to processing based on legitimate interests, including direct marketing
- Withdraw consent — where processing is based on consent, withdraw it at any time
- Lodge a complaint — with the Information Commissioner's Office (ICO) at ico.org.uk if you are in the UK, or your local supervisory authority if you are in the EEA
California residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know — request disclosure of the categories and specific pieces of personal information we have collected about you
- Delete — request deletion of your personal information, subject to certain exceptions
- Opt out of sale — tickadoo does not sell your personal information to third parties. We do not engage in the sale of personal data as defined by the CCPA
- Non-discrimination — exercise your privacy rights without receiving discriminatory treatment
To exercise any of these rights, contact us at privacy@tickadoo.com. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.
Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Access controls restricting data access to authorised personnel on a need-to-know basis
- Regular security assessments and monitoring
- PCI-DSS compliant payment processing (payment card data never touches our servers)
- Automated fraud detection and prevention systems
No system can guarantee absolute security. If you believe your account or data has been compromised, please contact us immediately at security@tickadoo.com.
Children's Privacy
The Platform is not directed at children under 16 years of age (or the relevant minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data without appropriate parental consent, please contact us at privacy@tickadoo.com and we will take steps to delete the data.
Third-Party Links
The Platform may contain links to third-party websites, including venue websites, supplier booking pages, and social media platforms. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal data to them.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Last updated" date at the top of this page and, where appropriate, notify you by email or by a prominent notice on the Platform. Your continued use of the Platform after any changes constitutes your acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how your data is handled, please contact us:
- Data Protection Officer: dpo@tickadoo.com
- Privacy enquiries: privacy@tickadoo.com
- General support: support@tickadoo.com
tickadoo Inc., 447 Broadway, New York, NY 10013, United States
UK supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk