Privacy Policy

Last updated: [DATE — to be set on first production deploy]

Dragon Den ("Platform", "we", "us") is an event ticketing platform operated by KyoTech. This Privacy Policy describes how we collect, use, and disclose your personal information when you use our services, and the rights you have regarding that information.

Categories of Personal Information We Collect

Categories of Personal Information We Collect
CategoryExamplesPurposeRetention
Account identityEmail address, display nameAuthentication, account management, event communicationsDuration of account + 90 days
Profile informationProfile photo, description, social media links, public contact email (organizers)Public profile display on event pagesDuration of account + 90 days
Organizer-collected contactEmail address and phone number (both optional) that an organizer enters about lineup members, crew, sponsors, or other event entities they list on their event. Not shown publicly. Collected and held by the organizer for their own event-coordination records.Organizer event coordination; not used for platform-side communicationsDuration of associated event; purged 12 months post-event
Payment informationPayment card details, or crypto wallet information (for organizers who accept stablecoin payments) — all processed by Stripe and its sub-processors. We never see or store card numbers or wallet keys.Transaction processingManaged by Stripe per their retention policy
Transaction recordsOrders, tickets, refunds, commission recordsOrder fulfillment, financial record-keeping, dispute resolution7 years from transaction date (tax/legal compliance)
Event attendanceTicket purchases, check-in status, event historyEvent access, organizer management, analytics12 months post-event
Attribution dataReferral tokens, source labels (e.g., "Instagram", "Flyer")Promoter attribution, organizer analyticsDuration of associated order record
Ticket transfer dataRecipient email, transfer statusFacilitate ticket transfers; send claim emails to recipients (including non-account holders)Deleted when parent event ends
Follow graphFollower → followed user pairs (your follows, and who follows you). When you follow someone, your display name and profile photo are shown to them in their followers list; your email address is not shared, and there is no follower export. Following is a relationship inside the platform, not a mailing list.Personal feed (the Following view on /events); letting an organizer see and follow you back, and reach you through on-platform channels (their event feed and notifications). The platform does not email followers about new events and does not disclose follower email addresses to organizers.Duration of account; deleted on account deletion (both directions)
Saved eventsEvents you privately bookmark ("Save"). Visible only to you — never shared with anyone, and there is no public save count.Your private Saved list on your profile (shows upcoming saved events)Until you un-save or the event passes (a nightly sweep clears saves for ended/cancelled events); deleted on account deletion
Opt-in attendance sharingTwo independent toggles, both default off: "Show events I'm attending on my public profile" (surfaces events you have non-cancelled tickets to on your profile and in followers' feeds); "Show me on event guest lists" (surfaces your display name + photo on the Going tab inside the event hub for events where the organizer has enabled the attending count). You can flip either off at any time on /account; future visibility stops, but anything already seen by other users cannot be retroactively hidden.Social discovery; opt-in onlyTied to your tickets and account; visibility stops when you flip the toggle off or delete your account

Sources of Personal Information

  • Directly from you — when you create an account, fill out your profile, purchase tickets, or contact us
  • Automatically — device information, browser type, and usage data collected through cookies and similar technologies when you use the platform
  • From third-party identity providers — when you sign in with Google, we receive your email address and display name from Google. We use the Google name only to identify your account; it is not published as your public display name, which stays blank until you set it yourself.
  • From event organizers and other users — when an organizer issues a complimentary ticket, adds you to an event roster, or when another user transfers a ticket to you, your email address is provided to us to send transactional emails (e.g., claim notifications). If you do not have an account, we use this email solely to deliver the notification and do not retain it beyond the associated transaction.

Service Providers

We share personal information only with service providers who process data on our behalf under contract. We do not sell or share your personal information with third parties for advertising or marketing.

Third-party service providers
ProviderRole
StripePayment processing (the event organizer is the merchant of record). Depending on the payment method you choose and the methods the organizer has enabled for the event, Stripe may involve its own sub-processors — including crypto.stripe.com for stablecoin payments. We do not interact with these sub-processors directly.
ResendTransactional email delivery
SupabaseDatabase hosting, authentication, file storage
VercelApplication hosting
UpstashRate limiting
MapboxVenue search autocomplete and static map images (processes search queries and IP address)
GoogleOAuth sign-in (processes email and name during authentication)
CloudflareBot protection (Turnstile challenge on sign-in)
SentryError tracking and performance monitoring (PII scrubbed from reports)

Data Shared with Event Organizers and Staff

When you purchase a ticket, your display name and email address are provided to the event organizer to fulfill your order — the same as any marketplace where the seller receives buyer information to complete a transaction. Organizers may access this data through their event dashboard and may download it for event management purposes (check-in, communications about the event).

Organizers may delegate event operations to staff members they add to the event, gated by a per-staff box-office access level (a cumulative ladder, organizer-granted per staff member per event and revocable at any time). Scan staff see a ticket holder's display name when scanning their QR code to admit them; Check-in staff can additionally look up and manually admit attendees by name or email (display names shown); Door Sales staff can additionally capture a buyer's email during cash or card door-sale checkout. Each level includes the ones below it.

The organizer's (and their staff's) use of your information after it is provided to them is governed by their own privacy practices, not ours. Dragon Den is not responsible for how organizers or staff use, store, or share attendee data. If you believe an organizer is misusing your data, you can report it to us — organizers who misuse attendee data may have their platform access revoked at our discretion.

Do Not Sell or Share My Personal Information

We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising. Because we do not engage in these activities, there is no need to opt out — but we state this affirmatively as required by California law (CPRA). Note: when you purchase a ticket, your display name and email are provided to the event organizer to fulfill your order — this is transaction fulfillment, not "sharing" or "selling" under CPRA.

Cookies & Tracking

We use a limited set of cookies — no advertising or cross-site trackers:

  • Supabase Auth session cookies — required for sign-in and session management
  • Stripe.js cookies — required for secure payment processing
  • Referral attribution cookie— a first-party cookie that records the referral token and optional source label from a promoter or organizer share link, scoped per event, so a ticket purchase can be credited to whoever drove it. It stores only a random referral token and an optional channel label (e.g., "Instagram"), contains no directly identifying information, and expires after 90 days.

We do not use third-party tracking cookies, advertising pixels, or cross-site analytics. We honor Global Privacy Control (GPC) browser signals as a valid opt-out of any future sale or sharing of personal information.

Your Privacy Rights

Depending on where you live, you may have the following rights regarding your personal information:

Right to Know / Access

You can request a copy of all personal information we hold about you. We will provide it in a portable, machine-readable JSON format. Use the data export feature in your Account settings, or contact us. We will respond within 45 days.

Right to Delete

You can request deletion of your account and personal information. We will de-identify your profile data and delete stored files. Transaction records (orders, tickets, commissions) are retained for 7 years per tax and legal obligations — we will inform you of what is retained and why. Your permanent referral token is preserved alongside these records so historical orders remain attributable for tax and commission integrity; the token is a random identifier with no personal information attached. Use the account deletion feature in your Account settings, or contact us.

Right to Correct

You can update your profile information at any time via your Account page. For data you cannot self-correct (e.g., order records, commission history), contact us and we will investigate and correct inaccuracies.

Right to Limit Use of Sensitive Personal Information

We use profile photos and any organizer-collected contact info (entity / sponsor email and phone) only for the purposes described above (public profile display, organizer event coordination). We do not use sensitive personal information for purposes beyond what is necessary to provide our services.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights.

Data Security

We implement reasonable security measures to protect your personal information, including encrypted connections (HTTPS), row-level security on our database, role-based access controls, and secure authentication via email OTP codes and Google OAuth (no passwords stored). Payment card data is handled entirely by Stripe and never touches our servers.

Children's Privacy

You must be at least 18 years old to create an account or use Dragon Den (see our Terms of Service). We do not knowingly collect personal information from users under 18 years of age. If you believe someone under 18 has created an account, please contact us and we will terminate the account and delete their data.

Contact Us

For questions about this Privacy Policy, to exercise your data rights, or to submit a data subject request, contact us at admin@kyo.tech. You may also exercise your Right to Know and Right to Delete directly from your Account settings.

We will acknowledge your request within 10 business days and provide a substantive response within 45 calendar days.

Sensitive Personal Information

We do not collect sensitive personal information as defined by CPRA (Social Security numbers, financial account credentials, precise geolocation, biometric data, etc.). Phone numbers are not collected as profile-level data; organizers may optionally enter a phone number for lineup members, sponsors, or other event entities they list, used only for their own event-coordination records, not for authentication, verification, or platform-side messaging.

Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities as required by applicable law (NY SHIELD Act, California Civil Code § 1798.82). We maintain an incident response plan and will provide notification as promptly as possible.

International Data Transfers

Dragon Den is based in the United States. Your personal information is stored and processed in the United States by our service providers (Supabase, Vercel, Stripe). If you access the platform from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.

Third-Party Links

The platform may contain links to third-party websites (event venue sites, social media profiles, external chat rooms). We are not responsible for the privacy practices or content of these external sites. We encourage you to review their privacy policies before providing them with your information.

Verifying Your Identity for Data Requests

When you submit a request to access, delete, or correct your personal information, we verify your identity by confirming you are logged in to the account associated with the request. If you submit a request via email, we may ask you to verify ownership of the email address on file. We do not require you to create an account solely for the purpose of submitting a data request.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email. Continued use of the platform after changes are posted constitutes acceptance of the updated policy.

See also our Terms of Service.