Data Security is of paramount importance to us—there is nothing more valuable than the data you entrust to us.
In terms of what we do with data, we simply hold it, store it and present it to perform the tasks our software does. If you are someone buying tickets from an organiser who uses Tito, you can do so safe in the knowledge that we are not doing anything with your data: we don’t share it, we don’t sell it, we don’t try to claim it as our own.
GDPR aligns with our core philosophy at Tito when it comes to data: respect people’s data.
In GDPR terms, for anyone who signs up to our service (event organisers and their teams), we act as a data controller. This means we are responsible for how the data is used, and for getting permission on how we use it.
For anyone who registers a ticket via Tito, we are the data processor for their data. Anything we do with this, we do on behalf of our customers, who act as the data controller.
GDPR will have an effect on how event organisers run their events, both for organisers in the EU and for organisers outside of the EU who have EU-based customers. A lot of this boils down to transparency and being clear about what is done with data once it is submitted, and crucially, getting consent from the person submitting it.
We have created “A Helpful Guide to GDPR For Conference Organisers” which you can download for free here: https://ti.to/gdpr
Yes. We and our data are located within the EU, in Ireland. All access to our web services is over a secure HTTPS connection.
Our Data Protection Officer is Cillian O’Ruanaidh and can be contacted at firstname.lastname@example.org
As long as you have a Tito account, your data is retained, and we will delete personal data by request to email@example.com.
Our Terms of Service can be found here: https://ti.to/terms
Our Security Policy can be found here: https://github.com/teamtito/tito-gdpr-compliance/blob/master/security-policy.md
Our list of 3rd Party Services can be found here: https://github.com/teamtito/tito-gdpr-compliance/blob/master/third-parties.md
To help organisers with GDPR compliance, we’ve added a number of fields that will be shown on a public page. These should be filled in by all organisers.
You can add these for each Tito account you are an admin of, and the information can be overridden at the event level if there are any differences for specific events.
Your public pages will be available at: https://tito.io/[account]/[event]/smallprint once you enable the settings.
These are straightforward and give your customers contact information in case they need to get in touch. The organiser can also act as the Data Protection Contact for smaller event teams.
This is the most important part of your compliance, giving your customers a clear statement of how their data will be used. We propose the following text:
The data that is collected will be used by the Organiser to plan and manage the event for which you registered, as well as email you relevant details about the event.
When a customer registers a ticket, they will need to consent to this statement once when placing the order, and once when assigning a ticket.
GDPR states that you should only hold on to information as long as you have a legal business case for holding it. Please ensure that you have communicated clearly with your customers how long you are holding on to their data, and what you are using it for.
At the very minimum, we recommend having a code of conduct for your event that your attendees agree to. Conf Code of Conduct is a great start. If you want to get more formal, we recommend contacting a legal advisor to tailor terms of service specific to your events.
As part of GDPR you will be required to list any third party services that your customer data is passed to. This might be a Customer Relationship Manager, such as Salesforce, an email marketing tool, such as MailChimp, or a workflow automation service, such as Zapier. It’s fine to use these tools so long as you name them. If you are using some of our in-built tracking options (Google Analytics, Facebook, etc.) you should list them here too.
This covers data that is exported manually via our CSV/XLS exports, shared via our webhooks, or shared via our API.