Privacy Policy
PeerTix System and PeerTix Mobile Application Privacy Notice, version effective from 1 January 2024
“Arvenis Szolgáltató és Tanácsadó Korlátolt Felelősségű Társaság (registered office: H-2131 Göd, Erkel Ferenc utca 6., tax number: 14000618-2-13, registration body: Company Registry Court of the Budapest Environs Regional Court, registration number: 13-09-174739, hereinafter: “Arvenis”) discloses the following privacy notice in connection with the use of the PeerTix event and ticket management system (hereinafter: “System”) and the PeerTix mobile application (“Application”).
The purpose of the System and the Application is to make the storage, use and further utilization of event access tickets more secure and traceable (by authorised persons), based on a contract with each ticket issuer.
In order to use the System and the Application, you should register in the System in advance (user ID, email, displayed user name, date of birth). You do not have to, but you may provide your gender or date of birth to start using the System.
The purchase ID sent by the ticket issuer in a message after the ticket purchase will allow you to link the ticket to your System account via the App.
The System consists of two elements:
(a) the registration database (“Registration Element”); and
(b) the digital ledger system (“Ledger System”), which is based on a non-public blockchain application that is a proprietary intellectual property of Arvenis.
The Ledger System is a blockchain application in which ticket issuers store the ticket data they specify, which does not contain personal data.
The Ledger System is also accessible to persons who control access to the events by means of a unique code (QR code) displayed with the help of the Application and the content of the Ledger System. Arvenis has no information about the data accessible by the persons verifying the ticket, and the relationship between the person verifying the ticket and the issuer of the ticket is beyond the responsibility of Arvenis.
The Ledger System itself does not store personal data; it stores a unique reference (order identifier) to the ticket, to ensure that the ticket can be matched between the System and the ticket issuer, together with data related to the ticket and its usability (ticket type, event identifier, location, site identifier, price, validity, ticket status, QR code identifier for verification, holder identifier).
Arvenis will involve the following contributors in the operation of the System:
a Google subsidiary based in a country in the European Economic Area, currently Google Cloud EMEA Limited, when using regions (data centre) in a country in the European Economic Area.
The purpose of the Application is to allow you to present the ticket to the person or device performing the ticket verification. The Application runs and stores data only on the device you specify, and we do not send any data from the Application to ourselves, the ticket manager or the ticket verifier. Only the following data flows will take place:
(a) end-to-end encrypted communication between the Application and the System, when the Application retrieves and updates data changes related to the linked ID (new tickets issued, changes in ticket data and status, etc.) at installation and then at certain intervals;
(b) encrypted communication between the ticket issuer and the System, when the ticket issuer transmits data changes related to the ticket (issuance of new tickets, changes in ticket data and status, etc.) and retrieves the transfers initiated in the System;
(c) when the ticket is verified, the ticket verifier scans the QR code presented by the user using the Application run by the ticket verifier;
(d) end-to-end encrypted communication between the Application run by the ticket verifier and the Ledger System, when the ticket verifier compares the data in the Application with the data in the Ledger System (not yet technically activated capability).
In the course of the operation of the System, Arvenis will make the data of the Ledger System available only to the issuers of the tickets and the verifiers of the tickets.
The purposes of the Application are as follows:
(a) to allow you to store your ticket securely on your mobile device, present your ticket at the time of verification, and have the validity of your ticket checked by the ticket verifier;
(b) to allow you to be informed of the most important changes in the status of your ticket; and
(c) to facilitate the ticket issuer's tracking of the transfer (gifting, resale, etc.) of the ticket.
When you present the ticket, you show a QR code to the ticket verifier, who can scan the QR code to check the status of your ticket (valid or not), the unique identifier of the event associated with your ticket, the category of your ticket, the standing or seating place identifier of your ticket. The ticket verifier does not have access to any other information through the Application, but Arvenis has no control over what additional information the issuer of the ticket provides to the ticket verifier.
1 To use the Application, you need to register with the System, and by scanning the QR code of the purchase ID sent by the ticket issuer via email, the Application will download your tickets for the relevant purchase and the following data related to the ticket: the ticket issuer’s order ID, unique identifiers linking the ticket issuing system and the Ledger System, the event ID and location and date of the event covered by the ticket, the receipt ID, and data related to the ticket type, such as ticket category, seat or standing type, seating place, validity status, etc.
Arvenis shall act as an independent data controller in the processing of the data provided by you in the course of the operation of the Registration Element. Data processing shall be carried out under three different legal titles:
(a) performance of the user agreement,
(b) Your consent related to the data that can be provided voluntarily (your gender or date of birth), and
(c) the following legitimate interests of Arvenis in connection with the performance of the user agreement: the detection of misuse of the System and the preservation of identifiers (network and user) that have been rejected for security reasons, the preservation of evidence related to the contractual performance.
In the case of data provided voluntarily, the period of data processing lasts until you withdraw your consent, but not later than the termination of the user agreement.
For the other legal titles, the period of processing lasts until the end of the sixth year following the termination of the user agreement (with regard to the limitation period for any claims) or, if a dispute has been initiated before the end of this period, until one year following the final conclusion of the dispute.
Only the issuer of the ticket can link the ticket identifier with personal data that can personally identify you.
2 Arvenis acts as an independent data controller for the following data in the Ledger System, which may also be considered personal data: the holder identifier as a pseudonymous identifier, and event identifiers, locations, location identifiers, price, validity and ticket status data that can be linked to the same holder identifier, as well as QR code identifiers for verification purposes.
The information stored in the Ledger System (such as unique identifiers and ticket statuses) can never be permanently overwritten or deleted due to the technical operation of the Ledger System, therefore the deletion of data in the System, which may be considered personal data, shall be provided for by the ticket issuer or the ticket verifier by deleting from its own records the data linked to the unique identifier in the Ledger System. As a consequence, the data stored in the Ledger System will be kept for the entire period of the Ledger System’s operational lifetime, which is expected to be no longer than eight years.
For the purposes of monitoring the lawfulness of data transfers and informing the data subjects, Arvenis shall keep a data transfer register, which contains the data necessary to identify the ticket issuer that transferred the data to Arvenis and to whom Arvenis transferred the data (recipient), the date of the transfer of personal data, the legal basis for the transfer and the scope of the personal data transferred.
The purpose of this processing by Arvenis is to perform the user agreement necessary for the use of the System and the Application.
You may access the user agreement here.
With regard to the security of data processing, we will ensure that your personal data can only be accessed in the cases and in the ways described in the terms and conditions of data processing, that only the data flows described above (such as the ticket issuer and the ticket verifier) can take place, and that only identified users acting on behalf of Arvenis can access your personal data, excluding unauthorised persons. Excluding unauthorised access includes preventing unauthorised persons from reading, modifying or deleting your personal data. In the IT environment of the implementation, we will ensure that data is backed up regularly and that access to backups is protected in the same way as set out above, and that the use of each medium used in the performance is controlled throughout its lifecycle in such a way that your personal data cannot be accessed through such media by unauthorised persons. We have IT security measures in place to ensure that data stored at Arvenis is not subject to unintentional or accidental change or loss.
Arvenis is entitled to modify these terms and conditions at any time by disclosing the new terms and conditions after the modification has entered into force and by specifying in the terms and conditions when the new version will take effect. Arvenis will notify users of significant changes via the mobile application at least 30 days before the change takes effect.
Previous (archived) versions of the privacy notice are available here.
You may send any further questions about the privacy notice to Arvenis by clicking here. The Data Controller will only consider a request for information sent by e-mail as authentic if it is sent from the registered e-mail address. We will provide you with information on the request within a maximum of 30 days of its submission. The information requested is free of charge if you have not already submitted a request for information for the same set of data in the same calendar year. In other cases, Arvenis may make the provision of information subject to the payment of a fee.
In relation to the present processing, the data subject has the following rights:
Right to access personal data: You have the right to be informed by Arvenis at the above address whether or not your personal data is being processed and, if such processing is taking place, to have access to the personal data and to the information required by law. You therefore have the right to contact Arvenis and request information about the processing of your data and access to the personal data processed by Arvenis.
Right to the rectification of data: In the event of a change to your data, you may request the rectification of your data at any time by providing us with the correct data.
Right to the erasure of data: You have the right to request Arvenis to erase your data if the processing is no longer necessary for the purposes for which the data were collected, if the processing is unlawful or if the erasure of data is required by law.
Right to the restriction of data processing: You may request restriction of processing if the processing is unlawful, if the controller no longer needs the data for the purpose for which they were collected, but you intend to use them to submit a legal claim. Restriction of processing means that the data may only be stored until the restriction is lifted and may only be used for the purpose of submitting a legal claim.
Right to object to processing: You have the right to object to the processing of your personal data at any time on grounds relating to your particular situation. In such a case, Arvenis will examine whether there is a legitimate ground justifying the need for the processing.
Right to data portability: You have the right to receive from Arvenis personal data concerning you that it processes in a structured, commonly used, machine-readable format, and you have the right to transfer this data to another controller without Arvenis preventing you from doing so. In exercising your right to data portability, you have the right to request, where technically feasible, the direct transfer of personal data between controllers.
Right to lodge a complaint with the supervisory authority: You have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information. (Contact: H-1055 Budapest, Falk Miksa utca 9-11., H-1363 Budapest, Pf. 9., +36-1-391-1400, [email protected]).
Enforcing a claim in court: You have the right to take legal action if you believe that Arvenis or a data processor acting on its behalf or under its instructions is processing your personal data in breach of the rules on the processing of personal data.
We may only reject any of your requests in the cases specified in the Act CXII of 2011, in which case we will inform you within 30 days of the basis for the rejection and that you may take the matter to court or to the National Authority for Data Protection and Freedom of Information.”