PRIVACY POLICY
Last updated: November 25, 2025
1. Who is the controller of your personal data?
We process your data exclusively for the following purposes:
3. What is the lawful basis for processing your data?
The legitimate interest for transactional communications has been balanced against your rights and freedoms through a legitimate interest assessment (only essential service-related messages are sent; no commercial advertising).
4. Which personal data do we process?
We do not sell or transfer your data to third parties for commercial purposes.Data is only shared in the following cases:
Yes, limited to:
8. What are your rights?
You may exercise the following rights free of charge:
9. Cookies and tracking technologies
We use strictly necessary first-party cookies (essential for website operation and ticket purchase) and third-party Google Ads cookies to measure advertising campaign performance and enable remarketing (showing ads related to events you have viewed).Non-essential cookies are only installed after you have given your consent through our cookie banner.You can find full information and manage your preferences in our Cookie Policy.Among others, we use:
10. Data security
We have implemented appropriate technical and organisational measures (HTTPS encryption, payment tokenisation, restricted access, periodic security reviews) to protect your data against loss, alteration, unauthorised access or disclosure.
11. Changes to this policy
We may update this policy to reflect changes in legislation or our services. Significant changes will be notified (via website notice or email if appropriate).We recommend reviewing this page periodically.
Last updated: November 25, 2025
1. Who is the controller of your personal data?
- Controller: Appatone Studio S.L./ walatickets, with Tax ID (CIF/NIF): B2599963
- Registered address: L'Albera, 17458 Fornells de la Selva, Girona
- Contact email: info@appatone.com
- Data Protection Officer: “No Data Protection Officer has been appointed as it is not mandatory under Article 37 GDPR”
We process your data exclusively for the following purposes:
- Managing the purchase of tickets and the contractual relationship with you (issuing e-tickets, sending purchase confirmation, payment processing, handling purchase-related incidents).
- Complying with legal obligations (invoicing, accounting, fraud prevention, tax obligations).
- Sending strictly transactional communications related to your purchase (order confirmation, event reminders, changes to date/venue, refunds if applicable) → no marketing communications are sent unless you give separate explicit consent.
- Measuring the performance of our advertising campaigns through Google Ads cookies (conversion tracking and remarketing), only if you have accepted non-essential cookies.
3. What is the lawful basis for processing your data?
| Purpose | Lawful basis | Mandatory? |
|---|---|---|
| Purchase management & contract performance | Performance of a contract (Art. 6.1.b GDPR) | Yes |
| Compliance with legal obligations | Legal obligation (Art. 6.1.c GDPR) | Yes |
| Transactional post-purchase communications | Legitimate interest (Art. 6.1.f GDPR) | Yes |
| Google Ads tracking cookies | Consent (Art. 6.1.a GDPR) | No |
The legitimate interest for transactional communications has been balanced against your rights and freedoms through a legitimate interest assessment (only essential service-related messages are sent; no commercial advertising).
4. Which personal data do we process?
- Full name
- Email address
- Telephone number
- Postal address (only if necessary for physical delivery or verification)
- Payment data (processed directly by the secure payment gateway – we do not store full card numbers)
- IP address and browsing data (solely for fraud prevention and accepted cookies)
- Purchase data: 6 years from the event date (statute of limitations for commercial and tax obligations – Art. 30 Code of Commerce and General Tax Law).
- Invoicing records: 6–10 years depending on the document type.
- Navigation logs and cookies: up to 26 months (standard Google Analytics / Ads retention) or the period you configure in your Google Ads panel.
- Once legal retention periods expire, data will be deleted or irreversibly anonymised.
We do not sell or transfer your data to third parties for commercial purposes.Data is only shared in the following cases:
- Financial institutions and payment gateways (Stripe, Redsys, PayPal, etc.) → solely to process payments.
- Ticketing / ticket issuance provider (if you use a third-party service such as Eventbrite, Ticketmaster, or your own solution → specify name).
- Google Ireland Limited (advertising tracking cookies) → only if you accept marketing cookies.
- Public authorities when there is a legal obligation.
- Law enforcement or judicial authorities upon formal request.
Yes, limited to:
- Google Ireland Limited → Google Ads and Google Marketing Platform (covered by the EU-U.S. Data Privacy Framework and/or updated Standard Contractual Clauses – Art. 46 GDPR).
- Payment gateways that may have servers outside the EEA (usually covered by Standard Contractual Clauses or DPF).
8. What are your rights?
You may exercise the following rights free of charge:
- Access
- Rectification
- Erasure
- Restriction of processing
- Data portability
- Object
9. Cookies and tracking technologies
We use strictly necessary first-party cookies (essential for website operation and ticket purchase) and third-party Google Ads cookies to measure advertising campaign performance and enable remarketing (showing ads related to events you have viewed).Non-essential cookies are only installed after you have given your consent through our cookie banner.You can find full information and manage your preferences in our Cookie Policy.Among others, we use:
- Google Ads conversion and remarketing cookies → lawful basis: consent.
- You may withdraw consent or configure your browser to reject them at any time.
10. Data security
We have implemented appropriate technical and organisational measures (HTTPS encryption, payment tokenisation, restricted access, periodic security reviews) to protect your data against loss, alteration, unauthorised access or disclosure.
11. Changes to this policy
We may update this policy to reflect changes in legislation or our services. Significant changes will be notified (via website notice or email if appropriate).We recommend reviewing this page periodically.