Privacy Policy

1. Information we collect

1.1 Information you give us

• Account details: name, email, password (hashed), phone (optional).
• Attendee details: name, email, and phone of each ticket holder, plus any optional notes you provide at checkout.
• Payment metadata: we receive payment confirmation tokens from Razorpay (order id, payment id, signature). We do not store full card numbers, CVV, or UPI PINs — Razorpay handles those directly.
• Communications: messages you send via our contact form or support email.

1.2 Information we collect automatically

• Server logs (IP address, user agent, request path, timestamp) for security, debugging, and rate-limiting.
• Cookies / local storage strictly necessary for sign-in sessions (Auth.js) and the TUG cart state. We do not use third-party advertising cookies.

2. How we use your information

• To create and operate your account.
• To process ticket bookings, payments, refunds, and entry.
• To send transactional emails (confirmations, QR passes, event updates, refund notices). These are essential to your booking and not marketing.
• To respond to support requests submitted via Contact.
• To prevent fraud, protect the Platform, and comply with legal obligations.
• With your explicit consent only, to send occasional newsletters about upcoming events. You can unsubscribe at any time.

3. Sharing & disclosure

We share data only as needed to run the service:

• Event Organisers: receive your attendee details (name, email, phone) to manage entry and event-related communications.
• Payment processor: Razorpay (orders, refunds, signature verification).
• Infrastructure: Vercel (hosting), Neon (database), Vercel Blob (event images), Resend (transactional email).
• Authorities: if required by law, court order, or to protect lawful rights, safety, or property.

We do not sell your personal data. Ever.

4. Data retention

• Account data: retained while your account is active. Deleted within 90 days of account closure unless we are required by law to retain it longer.
• Booking & payment records: retained for up to 8 years to comply with financial and tax regulations.
• Server logs: retained for up to 90 days.

5. Security

We use industry-standard protections including TLS in transit, bcrypt password hashing, HMAC-verified payment signatures, and principle-of-least-privilege access. No method is 100% secure — if you suspect unauthorised access to your account, contact us at theurbangalaofficial@gmail.com immediately.

6. Your rights

Subject to local law, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or outdated information.
• Request deletion of your data (subject to legal retention).
• Withdraw consent for marketing emails at any time.
• Export your data in a portable format (booking history, profile).
• Lodge a complaint with the data protection regulator in your jurisdiction.

To exercise any of these rights, email theurbangalaofficial@gmail.com. We respond within 30 days.

7. Children

TUG is not directed at children under 13, and we do not knowingly collect data from them. If you believe a child has shared data with us, contact us and we will delete it promptly.

8. International transfers

Our processors may store data in regions outside India (e.g. the EU or US). Where they do, they are bound by Standard Contractual Clauses or equivalent safeguards.

9. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced on this page or via email. The "Last updated" date at the top indicates the current version.

10. Contact

For any privacy-related questions, write to theurbangalaofficial@gmail.com.