Privacy Policy
Last updated: [DATE — to be set on first production deploy]
Dragon Den ("Platform", "we", "us") is an event ticketing platform operated by KyoTech. This Privacy Policy describes how we collect, use, and disclose your personal information when you use our services, and the rights you have regarding that information.
Categories of Personal Information We Collect
Sources of Personal Information
- Directly from you — when you create an account, fill out your profile, purchase tickets, or contact us
- Automatically — device information, browser type, and usage data collected through cookies and similar technologies when you use the platform
- From third-party identity providers — when you sign in with Google, we receive your email address and display name from Google. We use the Google name only to identify your account; it is not published as your public display name, which stays blank until you set it yourself.
- From event organizers and other users — when an organizer issues a complimentary ticket, adds you to an event roster, or when another user transfers a ticket to you, your email address is provided to us to send transactional emails (e.g., claim notifications). If you do not have an account, we use this email solely to deliver the notification and do not retain it beyond the associated transaction.
Service Providers
We share personal information only with service providers who process data on our behalf under contract. We do not sell or share your personal information with third parties for advertising or marketing.
Data Shared with Event Organizers and Staff
When you purchase a ticket, your display name and email address are provided to the event organizer to fulfill your order — the same as any marketplace where the seller receives buyer information to complete a transaction. Organizers may access this data through their event dashboard and may download it for event management purposes (check-in, communications about the event).
Organizers may delegate event operations to staff members they add to the event, gated by a per-staff box-office access level (a cumulative ladder, organizer-granted per staff member per event and revocable at any time). Scan staff see a ticket holder's display name when scanning their QR code to admit them; Check-in staff can additionally look up and manually admit attendees by name or email (display names shown); Door Sales staff can additionally capture a buyer's email during cash or card door-sale checkout. Each level includes the ones below it.
The organizer's (and their staff's) use of your information after it is provided to them is governed by their own privacy practices, not ours. Dragon Den is not responsible for how organizers or staff use, store, or share attendee data. If you believe an organizer is misusing your data, you can report it to us — organizers who misuse attendee data may have their platform access revoked at our discretion.
Do Not Sell or Share My Personal Information
We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising. Because we do not engage in these activities, there is no need to opt out — but we state this affirmatively as required by California law (CPRA). Note: when you purchase a ticket, your display name and email are provided to the event organizer to fulfill your order — this is transaction fulfillment, not "sharing" or "selling" under CPRA.
Cookies & Tracking
We use a limited set of cookies — no advertising or cross-site trackers:
- Supabase Auth session cookies — required for sign-in and session management
- Stripe.js cookies — required for secure payment processing
- Referral attribution cookie— a first-party cookie that records the referral token and optional source label from a promoter or organizer share link, scoped per event, so a ticket purchase can be credited to whoever drove it. It stores only a random referral token and an optional channel label (e.g., "Instagram"), contains no directly identifying information, and expires after 90 days.
We do not use third-party tracking cookies, advertising pixels, or cross-site analytics. We honor Global Privacy Control (GPC) browser signals as a valid opt-out of any future sale or sharing of personal information.
Your Privacy Rights
Depending on where you live, you may have the following rights regarding your personal information:
Right to Know / Access
You can request a copy of all personal information we hold about you. We will provide it in a portable, machine-readable JSON format. Use the data export feature in your Account settings, or contact us. We will respond within 45 days.
Right to Delete
You can request deletion of your account and personal information. We will de-identify your profile data and delete stored files. Transaction records (orders, tickets, commissions) are retained for 7 years per tax and legal obligations — we will inform you of what is retained and why. Your permanent referral token is preserved alongside these records so historical orders remain attributable for tax and commission integrity; the token is a random identifier with no personal information attached. Use the account deletion feature in your Account settings, or contact us.
Right to Correct
You can update your profile information at any time via your Account page. For data you cannot self-correct (e.g., order records, commission history), contact us and we will investigate and correct inaccuracies.
Right to Limit Use of Sensitive Personal Information
We use profile photos and any organizer-collected contact info (entity / sponsor email and phone) only for the purposes described above (public profile display, organizer event coordination). We do not use sensitive personal information for purposes beyond what is necessary to provide our services.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights.
Data Security
We implement reasonable security measures to protect your personal information, including encrypted connections (HTTPS), row-level security on our database, role-based access controls, and secure authentication via email OTP codes and Google OAuth (no passwords stored). Payment card data is handled entirely by Stripe and never touches our servers.
Children's Privacy
You must be at least 18 years old to create an account or use Dragon Den (see our Terms of Service). We do not knowingly collect personal information from users under 18 years of age. If you believe someone under 18 has created an account, please contact us and we will terminate the account and delete their data.
Contact Us
For questions about this Privacy Policy, to exercise your data rights, or to submit a data subject request, contact us at admin@kyo.tech. You may also exercise your Right to Know and Right to Delete directly from your Account settings.
We will acknowledge your request within 10 business days and provide a substantive response within 45 calendar days.
Sensitive Personal Information
We do not collect sensitive personal information as defined by CPRA (Social Security numbers, financial account credentials, precise geolocation, biometric data, etc.). Phone numbers are not collected as profile-level data; organizers may optionally enter a phone number for lineup members, sponsors, or other event entities they list, used only for their own event-coordination records, not for authentication, verification, or platform-side messaging.
Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities as required by applicable law (NY SHIELD Act, California Civil Code § 1798.82). We maintain an incident response plan and will provide notification as promptly as possible.
International Data Transfers
Dragon Den is based in the United States. Your personal information is stored and processed in the United States by our service providers (Supabase, Vercel, Stripe). If you access the platform from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.
Third-Party Links
The platform may contain links to third-party websites (event venue sites, social media profiles, external chat rooms). We are not responsible for the privacy practices or content of these external sites. We encourage you to review their privacy policies before providing them with your information.
Verifying Your Identity for Data Requests
When you submit a request to access, delete, or correct your personal information, we verify your identity by confirming you are logged in to the account associated with the request. If you submit a request via email, we may ask you to verify ownership of the email address on file. We do not require you to create an account solely for the purpose of submitting a data request.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email. Continued use of the platform after changes are posted constitutes acceptance of the updated policy.
See also our Terms of Service.