Privacy & security
Your guests’ data belongs to you — and stays in Europe. The first part of this page explains plainly how ticketYoo protects it; the second part gives IT and data protection officers the hard details.
At ticketYoo, data protection isn’t an add-on — it’s built in.
Storage and processing exclusively in Germany — no default transfer to third countries.
Sensitive data and file uploads — including guest photos — are encrypted with AES-256-GCM; transport via TLS.
Conclude the Art. 28 GDPR data processing agreement directly in ticketYoo — no paperwork.
Two-factor login (TOTP), role-based permissions and strict tenant isolation between teams.
Networking requires mutual consent, granular field sharing and per-scan revocation — privacy by design.
Rule-based retention: past guest and contact data is automatically anonymized or deleted.
For IT & data protection officers
So your assessment is quick — open and without marketing fog.
The core platform works without US data transfer. Optional features involve additional services — only if you enable them:
The full, current list of processors is part of the DPA.
Questions about data processing or privacy are answered by our external data protection officer. We provide a DPA draft, TOM overview and privacy policy on request.
FAQ
Exclusively in a data center in Germany and therefore within the EU.
Yes, online directly in ticketYoo. On request we provide the draft in advance for review.
Not the core platform. Only optional services you enable (e.g. online payment via Stripe) then process their own data — listed transparently in the DPA.
Via team-configurable retention periods: past guest and contact data is automatically anonymized or deleted, with exceptions by consent.
Yes. The sub-processor list and technical-organizational measures are part of the DPA and provided on request.