Data Protection

Data Security is of paramount importance to us

Doc Parsons avatar
Written by Doc Parsons
Updated over a week ago

Tito's role

Data Security is of paramount importance to us.

In terms of what we do with data, we simply hold it, store it and present it to perform the tasks our software does. If you are someone buying tickets from an organiser who uses Tito, you can do so safe in the knowledge that we are not doing anything with your data: we don’t share it, we don’t sell it, and we don’t try to claim it as our own.

GDPR

GDPR aligns with our core philosophy at Tito when it comes to data: respect people’s data.

In GDPR terms, for anyone who signs up to our service—event organisers and their teams—we act as a data controller. This means we are responsible for how the data is used, and for getting permission on how we use it.

For anyone who registers a ticket via Tito, we are the data processor for their data. Anything we do with this, we do on behalf of our customers, who act as the data controller.

GDPR will have an effect on how event organisers run their events. Both organisers in the EU and organisers outside of the EU who have EU-based customers. A lot of this boils down to transparency and being clear about what is done with data once it is submitted, and crucially, getting consent from the person submitting it.

We have created “A Helpful Guide to GDPR For Conference Organisers” which you can download for free here.

Is Tito GDPR compliant?

Yes. We and our data are located within the EU, in Ireland. All access to our web services is over a secure https connection.

As long as you have a Tito account, your data is retained, and we will delete personal data on request by contacting support@tito.io.

If you would like to find out more about our data protection policies you can contact us at security@tito.io.

Edit your Data Protection settings

To help with the GDPR compliance for organisers we’ve added a number of fields that will be shown on a public page. These should be filled by all organisers.

You can add these for each Tito account you are an admin of and the information can be overridden at the event level if there are any differences for specific events.

Click on your account name, and then on Account Settings then on Data Protection to get set up. You will need to be an admin on the account to edit this data.

Once you have populated the information, your public data protection page will be available at: https://tito.io/[account]/[event]/smallprint.

It looks like this:

A screenshot of an example data protection page.

Organiser and Data Protection Contact

These are straightforward and give your customers contact information in the case they need to get in touch. The organiser can also act as the Data Protection Contact for smaller event teams.

Consent Statement

This is the most important part of your compliance, giving your customers a clear statement of how their data will be used. It could be something like:

The data that is collected will be used by the Organiser to plan and manage the event for which you registered, as well as email you relevant details about the event.

This is how it appears during checkout:

When a customer registers a ticket they will need to consent to this statement once when placing the order, and once when assigning a ticket.

Data Retention Policy

GDPR states that you should only hold on to information as long as you have a legal business case for holding it. Please ensure that you have communicated clearly with your customers how long you are holding on to their data, and what you are using it for.

Terms & Conditions

At the very minimum, we recommend having a code of conduct for your event that your attendees agree to. The one at Conf Code of Conduct is a great starting point. If you wish to get more formal, we recommend contacting a legal advisor to tailor terms of service specific to your events.

Privacy Policy

We recommend that you read about what to include in your privacy policy and ensure that it is concise and easy to understand.

Third Party Services

As part of GDPR you will be required to list any third party services that your customer data is passed to. This might be a Customer Relationship Manager, such as Salesforce, an email marketing tool, such as MailChimp, or a workflow automation service, such as Zapier. It’s fine to use these tools so long as you name them. If you are using some of our in-built tracking options (Google Analytics, Facebook, etc.) you should list them here too.

This covers data that is exported manually via our .csv and .xlsx exports, shared via our Webhooks, or shared via our API.


Still need help? Search our FAQs for instant answers. You can also leave a message for our support team by email or in-app, and we'll get back to you by the next working day.


Did this answer your question?