Legal
Privacy Policy
Effective: June 10, 2026 · Last updated: June 10, 2026
The short version
We collect what a ticketing platform needs to work: your account details, orders and tickets, check-in scans, and the usage data that keeps the service reliable and fraud-free. Card numbers go straight to the payment providers and never touch our servers. We share data with the processors that run payments, email, SMS, push, hosting, and analytics, and with the organizer of an event you attend, for that event only. We never sell personal data. You can access, export, correct, or delete your data by writing to [email protected].
1. Scope & who we are
This Privacy Policy explains how SmartRobot Pty Ltd, operating Zatabox Tickets (“Zatabox”, “we”, “us”), collects, uses, shares, and protects personal data. It covers the websites at zatabox.com and organizer.zatabox.com, the API and MCP endpoints at api.zatabox.com and mcp.zatabox.com, our consumer mobile apps, and the embeddable widgets and SDKs we provide (together, the “Service”).
For the data described in this policy, SmartRobot Pty Ltd is the controller: we decide how and why it is processed. Organizers are independent controllers of their attendee lists: when you buy a ticket, the event’s organizer receives your order details and is separately responsible for how they use them (for example, their own marketing). Their privacy practices are their own; this policy does not govern what organizers do with data outside the Service.
If you use Zatabox through a white-label or partner integration, that partner’s privacy policy applies to the experience they control, and this policy applies to the processing Zatabox performs underneath it.
2. Data we collect
Account & identity
- Account data: name, email address, phone number, password hash, and profile settings, for organizers, attendees, and scanner staff alike.
- Organizer KYC: identity documents, business registration details, and bank or payout account details, collected and processed so we can verify organizers and send payouts as the law requires.
Activity on the platform
- Transactions: orders, tickets, refunds, transfers, amounts, currencies, and the fee breakdown for each sale.
- Check-in data: scan timestamps, the gate used, the scanning device’s ID, and, where the organizer enables it, the approximate location of the scan.
- Messages & reviews: messages between buyers and organizers, and reviews you post after attending an event.
Device & usage
- Technical data: IP address, user agent, device and browser type, pages viewed, referral source, and approximate location derived from IP.
- Cookies & localStorage: small identifiers kept in your browser for sign-in sessions, preferences, and analytics, described in section 7.
3. How we use it
We use personal data to:
- Provide the Service: create accounts, list events, sell and deliver tickets, validate entry at the door, and run organizer dashboards.
- Process payments and payouts: move money through our payment providers, verify organizer identity, and keep wallet balances accurate.
- Prevent fraud and abuse: detect counterfeit tickets, suspicious purchasing patterns, account takeovers, and payment fraud.
- Validate check-ins: confirm that a presented QR code matches a live, unused ticket at the right event.
- Support you: answer questions, investigate problems, and arbitrate refund disputes when they are escalated to us.
- Improve the product: analyze usage in aggregate to understand what works and fix what does not.
- Meet legal obligations: tax, accounting, anti-money-laundering, and lawful requests from authorities.
We send transactional email, SMS, and push notifications (order confirmations, tickets, refund updates, security alerts, event changes) because the Service does not work without them. Marketing email is sent only with your consent, and every marketing message includes a working unsubscribe link.
4. Payment data
Card details go directly from your browser or app to the payment provider (NOWPayments, Paystack, or Flutterwave) and are never stored on Zatabox servers. The checkout form is the provider’s own secure surface; full card numbers, CVVs, and bank credentials do not pass through or rest on our infrastructure.
What we keep is the minimum needed to operate: the provider’s payment token or reference, the card’s last four digits and brand for display on receipts, and the transaction’s status and amounts. Each provider processes your payment data under its own privacy policy, which we encourage you to read.
5. Processors & sharing
We share personal data with service providers that process it on our behalf, under contracts that restrict what they may do with it:
- NOWPayments, Paystack, Flutterwave: payment processing and payouts.
- SendGrid: transactional and (with consent) marketing email.
- Twilio: SMS delivery.
- Firebase: push notifications and app infrastructure.
- Google Cloud Storage: file storage, including event images and KYC documents.
- Sentry: error monitoring and crash reports.
- Google Analytics & Microsoft Clarity: site analytics (see section 7 for opting out).
- Smartsupp: live chat support on the website.
Organizers receive attendee data (name, email, ticket and check-in details) for their own events only, so they can run the event, manage entry, and meet their own obligations to you. They never receive your payment credentials or your activity at other organizers’ events.
We may also disclose data when the law requires it, to protect the rights and safety of users or the platform, or as part of a merger, acquisition, or asset sale, in which case this policy continues to apply to the data until it is amended with notice. We never sell personal data.
6. AI agents & automation
Zatabox exposes an MCP server so account holders can delegate actions to AI agents. For security, attribution, and the 7-day reversal window, every MCP tool call is logged: the tool name, a hash of the arguments, the token that made the call, and the principal (account) that token belongs to.
Agent traffic is subject to the same privacy rules as human traffic. An agent acting under your token can only reach data its scopes allow, its access is recorded in the same audit logs you can review, and nothing about delegating to an agent expands what Zatabox itself does with your data. We use these logs for security monitoring, abuse prevention, and supporting reversals, not for advertising.
7. Cookies & analytics
We use two kinds of browser storage:
- Essential: sign-in sessions, security tokens, checkout state, and preferences. The Service cannot function without these, so they cannot be switched off.
- Analytics: Google Analytics and Microsoft Clarity help us understand how the site is used (pages, clicks, scrolls, approximate location). These are optional.
You can opt out of analytics through the cookie controls on the site, by using your browser’s settings or extensions to block analytics scripts, or through the vendors’ own opt-out tools (such as Google’s Analytics opt-out browser add-on). Where your browser sends a Do Not Track or similar signal, we honor it for analytics where it is technically feasible to do so.
8. Retention
We keep personal data only as long as it is needed for the purposes above, then delete or anonymize it:
- Account and transaction data: kept while your account is active, then as long as tax, accounting, and anti-money-laundering law requires us to retain transaction records.
- KYC documents: retained for the period required by the legal framework under which they were collected, then deleted.
- Audit logs: including MCP tool-call logs, retained for 7 years to support security investigations, dispute resolution, and legal compliance.
- Analytics data: retained per the vendor configuration, in aggregate or pseudonymized form wherever possible.
You can request deletion of your data at any time (section 9). Deletion is subject to the retention obligations above: where we must keep a record, we keep only what the obligation requires and continue to protect it under this policy.
9. Your rights
Depending on where you live, data-protection law, including GDPR-style and POPIA-style frameworks, gives you rights over your personal data. We honor these for all users where applicable:
- Access: ask for a copy of the personal data we hold about you.
- Correction: fix inaccurate or incomplete data; most account data can be edited directly in your settings.
- Deletion: ask us to erase your data, subject to the retention obligations in section 8.
- Export: receive your data in a structured, machine-readable format.
- Objection & restriction: object to or restrict certain processing, including any processing based on legitimate interests.
- Consent withdrawal: withdraw consent at any time where processing is based on it (for example, marketing email), without affecting processing that happened before withdrawal.
To exercise any of these rights, email [email protected]. We will verify the request comes from the account holder and respond within the timeframe the applicable law sets. If you believe we have not handled your data lawfully, you also have the right to complain to your data-protection authority.
Requests about data an organizer holds as an independent controller (for example, removal from their marketing list) should go to that organizer; we will help route them where we can.
10. International transfers
Zatabox serves organizers and attendees in multiple countries, and the processors listed in section 5 operate globally. Your data may therefore be processed in countries other than the one where you live, including countries with different data-protection standards.
Where data crosses borders, we rely on contractual safeguards, including data-processing agreements and, where required, standard contractual clauses or equivalent mechanisms, so that your data receives a consistent level of protection wherever it is processed.
11. Security
We protect personal data with technical and organizational measures proportionate to the risk:
- Encryption in transit: all traffic to the Service runs over TLS.
- Scoped credentials: API keys and MCP tokens carry only the permissions they are granted, and can be rotated or revoked at any time.
- Audit trails: sensitive actions, including every agent tool call, are logged and reviewable.
- Least-privilege access: internal access to personal data is restricted to the people who need it for their role, and is itself logged.
No system is perfectly secure. If a breach occurs that affects your personal data, we will notify you and the relevant authorities as applicable law requires, and tell you what happened, what data was involved, and what we are doing about it.
12. Children
The Service is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has created an account or that we hold a child’s data, contact [email protected] and we will delete it.
Organizers running events for younger audiences are responsible for ensuring their events, ticket sales, and any data they collect from attendees are age-appropriate and lawful, including obtaining any parental consents their jurisdiction requires.
13. Changes & contact
We may update this policy as the Service or the law changes. For material changes we will give notice by email, by a notice in the product, or both before the change takes effect, and the “Last updated” date at the top of this page always reflects the current version. Continued use of the Service after a change takes effect means the updated policy applies.
Questions, requests, and complaints about privacy can be sent to our privacy team:
Privacy requests
[email protected]
General support
[email protected]
SmartRobot Pty Ltd, trading as Zatabox Tickets. Our Terms of Service are available at zatabox.com/terms.