Sign in
Legal · UK GDPR & Data Protection Act 2018

Privacy Policy

Last updated · 13 May 2026

This is a plain-English run-through of what data TixPredict collects, why we keep it, and how you get it back or have it deleted. The legal frame is UK GDPR plus the UK Data Protection Act 2018. If you live in the EU your rights are essentially the same under EU GDPR.

The short version: we only collect what we need to run the service. We don't sell your data. We don't run ad networks. Stripe handles your card, not us.

Who runs this site

TixPredict is operated from the United Kingdom. For any privacy question, write to privacy@tixpredict.com and a real person will reply. We aim to come back within five working days.

What we collect

There are four buckets. We collect:

  • Account data.When you sign in with Google we receive your email address, your name on Google, and a profile picture URL. That's it. Auth.js stores this in our database alongside a hashed session record. If you sign in by magic link (when that's enabled) we just keep the email.
  • Subscription data.If you pay for Pro or Edge, Stripe takes the payment. We never see your card number. Stripe sends us a customer ID, the plan you're on, and the status (active, past due, canceled). That ID lives in our Subscription table. Your invoices live with Stripe.
  • Usage data.Our host (Vercel) writes a request log every time someone hits the site. That log contains your IP address, the URL you asked for, the user agent string of your browser, and a timestamp. Vercel rolls those logs after a short retention window (see "How long we keep things" below). We don't run PostHog, Google Analytics, Plausible or any other behavioural tracker.
  • What you do inside the app.The artists you follow, the alerts you set, the dashboard filters you choose. We need this to actually deliver the product. It's tied to your account.

We do not collect special-category data (health, religion, politics, sexuality, biometrics). We don't want it. Please don't send it.

Note on listing data: TixPredict reads public ticket listings from Viagogo, StubHub and Gigsberg. Those listings are about events and prices, not about you. They aren't personal data and they don't end up in your profile.

Why we collect each thing

Under UK GDPR every use of your data needs a lawful basis. Here's ours, per bucket:

  • Account data: contract(Article 6(1)(b)). We can't give you a logged-in product without it.
  • Subscription data: contract (Article 6(1)(b)) for the bits we need to bill you, and legal obligation (Article 6(1)(c)) for tax records we have to keep.
  • Server logs (IP, user agent, paths): legitimate interests(Article 6(1)(f)). The interest is keeping the service up and stopping abuse. You can object to this in writing and we'll consider it.
  • Alerts and saved artists: contract. Without these the alerts feature simply doesn't work.

Who we share it with

Running a SaaS in 2026 means using other companies for things like payments and hosting. Each of these has a written data processing agreement with us. Here's the full list:

  • Google. If you sign in with Google, Google sees that you signed into TixPredict. We use Google OAuth to read your email and basic profile. Google's privacy policy.
  • Stripe. Handles all card payments and subscription billing. Your card never touches our servers. Stripe is the controller for your payment details. Stripe's privacy policy.
  • Vercel. Hosts the website and writes the request logs mentioned above. Vercel's privacy policy.
  • Neon. Hosts the Postgres database. Your account row, subscription row and saved artists live there. Region: AWS eu-central-1 (Frankfurt). Neon's privacy policy.
  • Resend. Sends alert emails when a listing drops below a target you set. Resend sees your email address, the alert subject and body. No marketing emails go through here. Resend's privacy policy.

We don't sell, rent or trade your data. Ever. If we ever add a new processor we'll update this list and bump the date at the top.

Where your data lives

The database sits in the EU (Frankfurt). Vercel and Stripe and Resend are global by design and may process your data in the US under standard contractual clauses (UK ICO addendum where relevant). UK GDPR allows this transfer mechanism. If you don't want your data leaving the EU, the honest answer is we can't fully promise that today, because our payment processor is American. Let us know and we'll talk through what's possible.

How long we keep things

  • Your account row and saved artists: for as long as you keep the account. Delete the account and we remove them.
  • Subscription records: kept for six years after you stop paying, because HMRC says so.
  • Vercel request logs: typically 30 days of recent logs, with older data aggregated and then dropped. Worst case 90 days.
  • Alert email content: not stored. Once the email is sent, Resend keeps a metadata record (delivered, bounced, opened) that rolls off on their schedule.
  • Old sessions: cleared on logout, expired ones are pruned automatically.

Your rights

Under UK GDPR Articles 15 through 22 you have the following rights. We'll honour any of them at no charge, normally within one month.

  • Access (Art. 15).Ask for a copy of what we hold on you and we'll send it.
  • Rectification (Art. 16).If something we hold is wrong, tell us and we'll fix it.
  • Erasure (Art. 17).Often called "the right to be forgotten". Ask us to delete you and we'll remove your account, saved artists, alerts and sessions. Subscription records we have to keep for HMRC stay, but with personal identifiers minimised.
  • Restriction (Art. 18). Ask us to pause any use of your data while we work something out.
  • Portability (Art. 20). Get the account and alerts data as a machine-readable JSON file.
  • Objection (Art. 21).If we're relying on legitimate interests (the request logs, basically), you can object. Tell us why.
  • Automated decisions (Art. 22).We don't run automated decisions that produce legal effects about you. Our scanner shows public listings and compares them to a 90-day median. You decide what to do with that.

To exercise any of these, write to privacy@tixpredict.com. We may ask you to confirm your identity from the email attached to the account, to make sure we're not handing your data to someone else.

Children

TixPredict is not for under-18s. Don't use it if you're under 18, don't sign up an account, and don't pay for anything. If you're a parent or guardian and you think a child has signed up, email privacy@tixpredict.com and we'll delete the account.

Cookies

The site uses a small number of cookies. Most are strictly necessary (you can't sign in without them). The cookie policy lives at /cookies and lists every one.

Security

All traffic is over HTTPS. Passwords aren't stored, we use OAuth via Google. Sessions are signed and rotated. The database has access controls and TLS in transit. We follow standard practice and we won't pretend we're unhackable, because nobody is. If we ever have a breach that affects you, we'll tell you within 72 hours, the same window UK GDPR puts on the ICO notification.

Changes to this policy

When we change something material we'll bump the date at the top and, if the change is significant, email everyone with an active account. If you don't agree with a change, you can close your account before it takes effect.

Complaints

First port of call: write to us at privacy@tixpredict.com. If we can't put it right, you have the right to complain to the UK Information Commissioner's Office (the ICO). Their site is ico.org.uk/make-a-complaint and their helpline is 0303 123 1113.