Privacy Policy
Last updated: 26 April 2026
This Privacy Policy explains how Eventim Global Events GmbH (“we”, “us”, “our”), a company registered in Switzerland, collects, uses, and protects your personal data when you use the Qtrackr platform at qtrackr.io and any associated subdomains (“the Service”).
We take your privacy seriously. This policy is written in plain language so you can actually understand it.
1. Who we are
Eventim Global Events GmbH
Registered in Switzerland
Contact: hello@qtrackr.io
We operate Qtrackr, a queue management and ticket distribution platform for live events. For the purposes of applicable data protection law (including the Swiss Federal Act on Data Protection and the EU General Data Protection Regulation where applicable), we are the data controller.
2. What data we collect
Data you provide directly
- Queue sign-up data: first name, email address, phone number (optional), ticket preferences, number of tickets requested, and any custom form fields configured by the event organiser
- Contact form data: name, email, company, message content
- Admin account data: name, email address, role, and authentication credentials
- Billing data: when you subscribe to a paid plan, your payment is processed by Paddle (our Merchant of Record). We do not collect or store your credit card number, bank account details, or other payment credentials — Paddle handles this directly. We receive from Paddle: your name, email, billing country, subscription plan, transaction IDs, and invoice history
Data we collect automatically
- Device and browser information: browser type, operating system, screen resolution
- Usage data: pages visited, timestamps, referring URL
- Location data: approximate location via IP address; precise GPS location only when geofenced sign-up is enabled and you grant permission
- Cookies: we use essential cookies for authentication and session management. We do not use advertising or tracking cookies.
3. How we use your data
We use your personal data to:
- Operate the queue and distribute tickets for events you've joined
- Send you transactional emails (verification codes, queue confirmations, ticket notifications)
- Send you SMS notifications when configured by the event organiser
- Verify your identity via one-time email codes (OTP)
- Enforce geofencing restrictions when enabled
- Allow you to view and edit your queue details on your status page
- Process and manage your subscription billing (via Paddle)
- Respond to contact form enquiries
- Improve and maintain the Service
We process your data on the basis of: (a) performance of a contract (providing the queue service), (b) legitimate interests (improving the Service, preventing abuse), and (c) your consent where required.
4. Who we share data with
We share your data only where necessary:
- Event organisers: the client who created the queue can see your sign-up data, queue position, and ticket assignment status. They need this to run their event.
- Email delivery: we use third-party email services to send transactional emails
- SMS delivery: SMS is sent via Twilio, configured per event by the organiser. Your phone number is shared with Twilio solely for message delivery.
- Hosting: our infrastructure is hosted on Vercel and Google Cloud (Firebase). Data may be processed in the US and EU.
- Payment processing: subscription payments are handled by Paddle.com Market Limited, who acts as our Merchant of Record. Paddle receives your name, email, billing address, and payment details to process transactions and issue invoices. See Paddle's Privacy Policy.
We do not sell your personal data. We do not share it with advertisers. Full stop.
5. International data transfers
As a Swiss company using global infrastructure, your data may be transferred to and processed in countries outside Switzerland and the EEA — primarily the United States. Where such transfers occur, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and the Swiss-US Data Privacy Framework.
6. How long we keep your data
- Queue data: retained for the duration of the event plus 12 months, unless the event organiser requests earlier deletion
- Contact form submissions: retained for up to 24 months
- Admin accounts: retained for as long as the account is active, plus 6 months after deletion
- Billing and subscription data: retained for as long as your subscription is active, plus up to 7 years after cancellation as required by Swiss tax and accounting law. Payment credentials (card numbers, bank details) are held by Paddle, not by us.
After these periods, data is permanently deleted or anonymised.
7. Your rights
Under applicable data protection law (including the Swiss FADP and GDPR where applicable), you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data (you can also do this directly from your status page)
- Request deletion of your data
- Object to or restrict certain processing
- Request data portability
- Withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, email us at hello@qtrackr.io. We'll respond within 30 days.
8. Data security
We don't just say “industry-standard security” and leave it at that. Here's what we actually do:
Encryption in transit
All data transmitted between your browser and our servers is encrypted using TLS (HTTPS). This applies to every page, every API call, and every file upload — no exceptions. Connections to our database and third-party services (Firebase, Twilio, email delivery) are also encrypted in transit.
Encryption at rest
All data stored in our database (Google Cloud Firestore) is encrypted at rest using AES-256 encryption, managed by Google Cloud's infrastructure. This includes customer details, queue data, ticket assignments, and all event configuration. Encryption keys are managed by Google and rotated automatically — we never handle raw encryption keys ourselves.
Authentication & verification codes
One-time verification codes (OTPs) are generated using a cryptographically secure random number generator and hashed with SHA-256 before storage. The plain-text code is never stored in our database — only the hash. Verification attempts are limited to 5 per session, and codes expire after a short time window.
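The OTP handling described above, as an added example that is not Qtrackr's own code. Only the secure random source, SHA-256 hashing and the 5-attempt limit come from this policy; the 6-digit length, 5-minute expiry, session-id binding and all names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5    # from the policy: 5 verification attempts per session
TTL_SECONDS = 300   # assumption: the policy only says "a short time window"
CODE_DIGITS = 6     # assumption: the code length is not stated

@dataclass
class OtpRecord:
    """What is persisted: the hash and counters, never the plain-text code."""
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False

def _digest(session_id: str, code: str) -> bytes:
    # Assumption: the session id is mixed in so a stored hash is only
    # valid for the session it was issued to.
    return hashlib.sha256(f"{session_id}:{code}".encode()).digest()

def issue(session_id: str, now: float) -> tuple[str, OtpRecord]:
    """Return (code to send by email, record to store)."""
    # secrets draws from the OS CSPRNG; randbelow avoids modulo bias.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    return code, OtpRecord(_digest(session_id, code), now + TTL_SECONDS)

def verify(rec: OtpRecord, session_id: str, submitted: str, now: float) -> str:
    """Return 'ok', 'invalid', 'locked' or 'expired'."""
    if rec.used or now >= rec.expires_at:
        return "expired"
    if rec.attempts >= MAX_ATTEMPTS:
        return "locked"
    # Count the attempt before comparing, so every guess costs one.
    # A 6-digit code has only 10**6 values, so the hash alone does not
    # stop guessing; the attempt cap and expiry are what bound it.
    rec.attempts += 1
    if hmac.compare_digest(rec.code_hash, _digest(session_id, submitted)):
        rec.used = True  # single use: a replayed code is rejected
        return "ok"
    return "locked" if rec.attempts >= MAX_ATTEMPTS else "invalid"
```
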
Admin access controls
Admin authentication is handled by Firebase Authentication — we never store admin passwords in our database. All admin API endpoints require a verified authentication token, checked on every request. Role-based access controls (master admin, client admin, team user) limit what each person can see and do. Firestore security rules enforce these permissions at the database level, so even a compromised API couldn't bypass them.
Input validation
Every API endpoint validates incoming data against a strict schema before processing it. Malformed requests are rejected immediately. This protects against injection attacks and data corruption.
Geolocation privacy
When geofenced sign-up is enabled, your location is checked in your browser to verify you're within the event radius. Your precise coordinates are never sent to our servers or stored in our database. The check happens entirely on your device.
Infrastructure
Qtrackr is hosted on Vercel (application) and Google Cloud Platform (database and authentication). Both providers maintain SOC 2, ISO 27001, and other security certifications. Our Firebase project credentials are stored as encrypted environment variables, never committed to source code or exposed to client-side code.
No system is 100% secure — anyone who tells you otherwise is selling something. If you discover a vulnerability, please contact us immediately at hello@qtrackr.io. We take reports seriously and will respond promptly.
9. Children
Qtrackr is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we'll delete it promptly.
10. Changes to this policy
We may update this policy from time to time. If we make material changes, we'll update the “Last updated” date at the top. For significant changes, we'll make reasonable efforts to notify you (e.g. via a banner on the site).
11. Contact
Questions, concerns, or just want to say hi?
Eventim Global Events GmbH
Email: hello@qtrackr.io
Web: qtrackr.io
If you're not satisfied with our response, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local supervisory authority.