Privacy Policy
Effective Date: April 18, 2026 · Last updated: April 18, 2026 · Mega Tickets USA Inc.
1. Introduction
Mega Tickets USA Inc. ("Mega Tickets", "we", "our", "us") operates a global self-service marketplace for event tickets at megaticketsusa.com. This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, and the rights you have under applicable privacy laws — including the EU/UK GDPR, the California CCPA/CPRA, Brazil's LGPD, Mexico's LFPDPPP, and similar laws in Argentina, Colombia, and Chile.
By using the Service, you acknowledge that you have read this Policy. Where we rely on consent (for example, for marketing or non-essential cookies), we ask you to consent separately.
2. Information We Collect
- Account and profile information you give us: name, email, phone number, password (hashed), date of birth, profile photo, language, country.
- Transaction information: tickets purchased or listed, event details, order history, billing and shipping details, and payment metadata. We never store full card numbers on our servers. Card data is tokenized and processed by our PCI-DSS compliant processors (Square and Stripe).
- Identity verification ("KYC"): for Organizers, government ID, business registration, and bank/payout information collected by Square or Stripe to comply with anti-money-laundering and tax laws.
- Device and technical data: IP address, browser/user-agent, operating system, device identifiers, crash logs, and approximate location derived from IP.
- Cookies and similar technologies: see our Cookie Policy.
- Precise location (latitude/longitude): only when you explicitly enable it for event check-in verification.
- Social-integration data (if you sign in via Google, Apple, or Facebook): basic profile data that the provider shares per your settings.
- Communications: emails, support tickets, survey answers, and feedback.
3. How We Use Information
- Provide the Service — create accounts, process ticket purchases, issue QR codes, deliver payouts, run check-in;
- Secure the Service — prevent fraud, chargeback abuse, account takeover, and bot purchases (including via rotating HMAC-SHA256 signed QR codes);
- Customer support — respond to requests, debug issues, handle refunds and disputes;
- Analytics and product improvement — understand feature usage, measure performance, run A/B tests;
- Marketing (with your consent where required) — send newsletters, event recommendations, and promotions. You can unsubscribe at any time;
- Legal and compliance — comply with tax, KYC/AML, sanctions, consumer-protection, and court orders.
4. Legal Basis for Processing
For users in the EU/UK (GDPR art. 6) and in Brazil (LGPD art. 7) and other jurisdictions with analogous frameworks, we rely on the following bases:
- Performance of a contract — to provide the Service you asked for (buying and delivering tickets, Organizer payouts);
- Legitimate interests — fraud prevention, information security, product analytics, protecting our legal rights. We balance these interests against your rights;
- Consent — for marketing communications, non-essential cookies, precise location sharing, and any special-category data;
- Legal obligation — tax reporting (e.g. U.S. IRS 1099-K, 1099-NEC), KYC/AML, responding to lawful requests;
- Vital interests / public interest — where applicable (e.g., safety incidents at events).
5. How We Share Information
We share personal data only as described below, and never sell it in the everyday sense of the word. Some of these activities may be classified as "sale" or "sharing" under the California CCPA/CPRA — see Section 10 for your opt-out right.
- With Organizers — when you buy a ticket, we share your name, email, ticket type, and order metadata with the Organizer, who becomes an independent controller under their own privacy policy;
- With payment processors — Square (for Organizers in the US, Canada, UK, Australia, Ireland, France, Spain, Japan) and Stripe Connect (for Organizers elsewhere) to process payments, run KYC, and issue tax forms;
- With service providers — cloud hosting (Supabase; AWS in the future), email delivery, customer support, fraud-prevention, and analytics vendors, all bound by data-processing agreements;
- With advertising / measurement partners — Google Analytics and Meta (Facebook) Pixel for website analytics and ad measurement, subject to your cookie preferences;
- For legal reasons — to comply with a subpoena, court order, or governmental request, enforce our Terms, prevent fraud, or protect rights, property, or safety;
- In a corporate transaction — merger, acquisition, financing, or sale of assets, with advance notice where required;
- With your explicit consent — for anything else.
6. International Data Transfers
Mega Tickets is based in the United States. When you use the Service from outside the U.S., your data will be transferred to and processed in the U.S. and in other countries where our service providers operate (primarily U.S., EU, and Latin America).
For transfers from the EU/UK or Brazil, we rely on the European Commission's Standard Contractual Clauses (Module 1 or 2, as applicable), the UK International Data Transfer Addendum, and ANPD-approved mechanisms under LGPD art. 33, supplemented by technical measures such as encryption in transit and at rest.
7. Data Retention
We keep personal data for as long as your account is active and as needed to provide the Service. Specific retention periods:
- Account data: until you delete the account, then permanently removed within 30 days, except where retention is required by law;
- Transaction records: up to 7 years for tax, accounting, and anti-fraud purposes;
- Location pings (check-in): automatically deleted within 48 hours;
- Security and audit logs: up to 12 months;
- Aggregated, anonymized analytics that cannot identify you: may be kept indefinitely.
8. Security
We use industry-standard safeguards: TLS 1.2+ in transit, encryption at rest, Row-Level-Security on our database, hashed passwords, MFA for staff admins, and PCI-DSS compliance via our processors. QR codes rotate every 30 seconds and are signed with HMAC-SHA256 to make screenshots useless for entry.
No system is perfectly secure. If we become aware of a data breach affecting your personal data, we will notify you and the relevant authorities within the timelines required by law (e.g., 72 hours under GDPR art. 33, and "in a reasonable time frame" under LGPD art. 48).
9. Children's Privacy
The Service is intended for users 18 years of age or older. We do not knowingly create accounts for children, and additional rules apply by jurisdiction:
- United States (COPPA): we do not knowingly collect personal information from children under 13. If we learn we have, we will delete it;
- European Union / UK (GDPR art. 8): processing of a child's data based on consent requires parental consent if the child is under 16 (or under the age set by the member state, between 13 and 16);
- Brazil (LGPD art. 14): processing of data of children under 12 requires specific, prominent parental consent. Data of adolescents aged 12–18 is processed under the best-interest standard;
- Mexico and other LatAm countries: similar parental-consent rules apply under local law.
If you believe a minor has created an account, contact privacy@megaticketsusa.com and we will delete it.
10. Your Rights
Depending on where you live, you have the rights below. To exercise any right, email privacy@megaticketsusa.com. We will respond within 30 days (GDPR/LGPD), 45 days (CCPA), or any shorter period required by local law. We may need to verify your identity first.
10.1 EU / UK (GDPR)
- Right of access to your data (art. 15);
- Right to rectification of inaccurate data (art. 16);
- Right to erasure / "right to be forgotten" (art. 17);
- Right to restriction of processing (art. 18);
- Right to data portability (art. 20);
- Right to object to processing, including for direct marketing (art. 21);
- Right not to be subject to solely automated decisions with legal effects (art. 22);
- Right to withdraw consent and to lodge a complaint with a supervisory authority.
10.2 California (CCPA / CPRA)
- Right to know what personal information we collect, use, disclose, and "share";
- Right to delete personal information, subject to exceptions;
- Right to correct inaccurate personal information;
- Right to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising. See our "Do Not Sell or Share My Personal Information" link in the footer and in our Cookie Policy;
- Right to limit use of Sensitive Personal Information;
- Right to non-discrimination for exercising these rights.
10.3 Brazil (LGPD art. 18)
- Confirmation that processing exists and access to the data;
- Correction of incomplete, inaccurate, or outdated data;
- Anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with LGPD;
- Portability of data to another provider;
- Deletion of data processed based on your consent;
- Information about the public and private entities with which we have shared your data;
- Information about the possibility of refusing consent and the consequences;
- Revocation of consent;
- Right to petition the ANPD against the controller.
10.4 Mexico (LFPDPPP — "ARCO")
- Acceso (access), Rectificación (rectification), Cancelación (cancellation/deletion), Oposición (objection) — plus revocation of consent and limitation of use and disclosure.
10.5 Argentina (Ley 25.326)
- Free access every 6 months, rectification, updating, and deletion (supresión) of data; right to petition the AAIP.
10.6 Colombia (Ley 1581/2012)
- To know, update, rectify, and revoke authorization; right to obtain proof of the authorization; right to petition the SIC.
10.7 Chile (Ley 19.628)
- Access, modification, deletion, and blocking of personal data.
11. Cookies and Tracking
We use cookies and similar technologies on our website. For a full list, including analytics and advertising cookies (Google Analytics, Meta Pixel) and how to manage your preferences, see our Cookie Policy.
12. Do Not Track
Most browsers send a "Do Not Track" signal. Because there is no industry consensus on how to interpret the signal, we currently do not respond to DNT signals. We do honor the Global Privacy Control (GPC) signal from California residents as an opt-out of "sale" and "sharing" for cross-context behavioral advertising.
13. Data Protection Officer / Encarregado / DPO
You can reach our privacy team at privacy@megaticketsusa.com.
- LGPD Encarregado (Brazil): appointed — contact via the privacy email above.
- GDPR DPO: a formal DPO is not strictly mandatory for Mega Tickets at our current scale, but the privacy email is monitored by the responsible individual.
14. Supervisory Authorities
If you believe we have not adequately handled your request, you may contact your local data-protection authority:
15. Updates to This Policy
We may update this Policy. If the change is material, we will give at least 30 days' notice by email or prominent notice in the Service before it takes effect. Your continued use after the effective date means you accept the updated Policy.
16. Contact Us