legit.events

Privacy Policy

Last updated: 10 June 2026

This Privacy Policy explains how legit.events (“we”, “us”) collects, uses, and protects personal data when you use our event ticketing platform at https://legit.events. Events are run by organising bodies (“Organisers”); for data you submit to a specific event, the Organiser is the data controller and we act as their processor. We are the controller for your platform account data.

Information we collect

  • Account & sign-in: your name and email address. If you sign in with Google, we receive your email, name, and profile picture from your Google account. If you use a password, we store only a salted hash of it.
  • Registration data: when you register for an event — your name, email, and (if applicable) approval and check-in status.
  • Tickets: a unique ticket code and timestamps for issuance, email delivery, and door check-in.
  • Technical data: IP address and basic request logs, used for security and to operate the service.

How we use information

  • To authenticate you and operate organiser and attendee accounts.
  • To issue and email QR tickets and manage entry at events.
  • To let Organisers review registrations and run their events.
  • To secure the service, prevent abuse, and meet legal obligations.

Google user data

When you choose “Sign in with Google”, we access your basic Google profile (email, name, profile picture) solely to create your registration or staff account and to display your name and avatar within the relevant event. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We do not use Google user data for advertising, and we do not sell it or transfer it to others except as described below to provide the service.

How we share information

  • With the Organiser of an event you register for, so they can manage their attendees.
  • Service providers who process data on our behalf: Mailgun (email delivery), Google Cloud (hosting), and Cloudflare (network/TLS). They may only use the data to provide their service to us.
  • When required by law, or to protect the rights and safety of users.

We do not sell personal data.

Cookies

We use a single, essential session cookie to keep you signed in. We do not use advertising or third-party tracking cookies.

Retention & deletion

We retain personal data for as long as your account or the relevant event remains active, and as needed for legal and security purposes. You may request access to, correction of, or deletion of your data at any time by emailing [email protected]. You can also revoke Google access from your Google Account permissions.

Security

Data is transmitted over TLS, passwords are stored only as salted hashes, and ticket codes are cryptographically signed. Access to attendee data is restricted by role.

Your rights

Depending on your location, you may have rights to access, rectify, erase, or restrict processing of your personal data, and to object or request portability. Contact us to exercise these rights.

Children

The service is not directed to children under 16.

Changes

We may update this policy; material changes will be reflected by the “Last updated” date above.

Contact

Questions about this policy: [email protected].