1. Your rights, in brief
Access
A copy of the data we hold about you.
Rectification
Correction of inaccurate or incomplete data.
Erasure
Deletion of your data, with the exceptions in section 6.
Restriction
Temporary suspension of processing, without deletion.
Portability
Receiving your data in a structured format (see section 7).
Objection
Object to processing based on legitimate interest or marketing.
Withdrawal of consent
For any processing based on consent (e.g. marketing).
Automated decisions
The right not to be subject to a decision based solely on automated processing with significant effects — see section 9.
2. How to submit a request
Write to [DE COMPLETAT ÎNAINTE DE PUBLICARE], with the subject "Personal data request — [right requested]".
Mention the name and email address associated with your account (or used at purchase, if you ordered as a guest).
Clearly describe what you want: a copy of the data, correcting information, deleting the account, etc.
You will receive an acknowledgement of receipt and, later, a response within the timelines in section 4.
3. Identity verification
We verify your identity in a manner proportionate to the request. If you write from the email address associated with your account, this confirmation is usually sufficient. We do not automatically request a copy of an ID document — we ask for additional information only when necessary and proportionate to prevent disclosing data to another person (for example, for a request sent from an email address other than the one on the account).
4. Legal response timelines
1 month from receipt of the request — the standard timeline under Art. 12(3) GDPR.
+2 additional months if the request is complex or there are multiple simultaneous requests — in that case we will inform you, within the first month, of the reason for the extension.
5. When a request may be refused or charged
Exercising GDPR rights is free of charge. If a request is manifestly unfounded or excessive (for example, unjustifiably repetitive), we may charge a reasonable administrative fee or refuse the request, with reasons given in writing, under Art. 12(5) GDPR.
6. Data that cannot be deleted immediately
Some data cannot be deleted immediately upon request, due to the platform's legal obligations:
- ›Fiscal documents (receipts, invoices) — kept for the period required by financial/accounting legislation.
- ›Data needed for an ongoing dispute or a confirmed fraud investigation.
The rest of the account's identifying data is anonymized under the process described in section 8.
7. Exporting data from the application
The platform has a data export feature (account profile, orders, tickets, and consents), generated in JSON format.
The export file is made available via a temporary link, valid for 24 hours from generation.
8. Account deletion and anonymization
Upon an account deletion request, the platform applies a 30-day waiting period, during which you can withdraw the request. After this period expires, the account's identifying data (name, email, phone, password, tokens) is automatically anonymized, and ticket/order records are disassociated from your identity, except for financial data kept under section 6.
9. Automated decisions
The system may automatically flag a ticket scan as suspicious, but there is currently no decision based solely on automated processing with significant legal effects on you, taken without the possibility of human intervention.
10. Contact and resolution of requests
For any question about your request, reply to the message you received or contact us using the address indicated on this page. We will re-examine the request and try to clarify the situation directly, within the limits and timelines provided by law.
Your legal right to contact the supervisory authority remains unaffected. For Romania, official information is available at dataprotection.ro.
draft v0.1 — unpublished — technical legal draft prepared for attorney review.
Contact: [TO BE COMPLETED BEFORE PUBLICATION]