Privacy Policy

Version 1.3 — Effective date: 27 March 2026 | Last updated: 27 March 2026

1. Introduction

This Privacy Policy explains how Outpeek processes personal data when you use the App and related services. It covers what data we collect, why we collect it, how we use it, who we share it with, and how long we keep it.

We encourage you to read this policy before creating an account or making any purchase through the App.

2. Who We Are / Data Controller

The data controller for personal data processed through the Outpeek mobile application is:

Outpeek S.R.L.
Corso Re Umberto, 56
Torino (TO), Italy
P.IVA 13326820019

For any privacy-related question, request, or complaint, you can contact us at:

Email: support@outpeek.it
PEC: outpeeksrl@pec.it

3. Scope of This Policy

This policy applies to all personal data we process in connection with:

  • the Outpeek mobile application (iOS and Android);
  • account creation, login, and profile management;
  • event discovery, ticketing, ticket wallet, and check-in flows;
  • organiser-facing features within the App;
  • push notifications and transactional communications;
  • location-based features within the App;
  • support or contact submissions made through the App.

This policy does not govern the independent data processing carried out by event organisers in connection with their own events, or by third-party platforms whose listings may appear in the App as External Events. Outpeek's obligations regarding the data it shares with organisers are described in Section 8.

4. Categories of Personal Data We Collect

4.1 Account and Profile Data

  • Full name
  • Email address
  • Password (stored as a hashed credential; never stored in plain text)
  • Profile picture (optional; uploaded and stored on cloud media infrastructure)
  • Bio (optional)
  • Event interest preferences (selected during onboarding and editable in profile settings)
  • Language preference
  • Organiser/creator profile data, where applicable (public name, public bio, website URL, social handle)

4.2 Authentication and Session Data

  • OAuth provider identifier and associated email address, where you sign in via Google or Apple
  • JSON Web Tokens (JWTs) used to maintain your authenticated session
  • Login timestamps

4.3 Event and Ticketing Data

  • Ticket purchase records, including event details, ticket type, and ticket status
  • QR code data associated with your tickets
  • Attendance and check-in records
  • Payment-related metadata received from our payment provider (see Section 8)

4.4 Device and Technical Data

  • Push notification device token (Expo push token, platform: iOS or Android)
  • Device platform, collected when registering for push notifications
  • App-side preferences stored in device local storage (theme, language); these do not leave your device

4.5 Location Data

  • Your approximate device location, collected in the foreground only and solely when you grant location permission, to show you nearby events (see Section 9)

4.6 Support and Communications Data

  • Messages and enquiries submitted through the in-app support/contact form. These are provided voluntarily and may include message content, account-related information, ticket or event details, information relating to disputes, refunds, or event access issues, any attachments, and any other information you choose to provide.
  • Transactional email communications (e.g. email verification codes, password reset codes, booking confirmations)

4.7 Operational Metrics

We use limited internal operational metrics and admin-dashboard data to monitor platform stability, API performance, error rates, and basic usage patterns. We have not adopted external analytics tools at launch. No external behavioural profiling or advertising tracking is performed.

5. How We Collect Data

We collect personal data in the following ways:

  • Directly from you — when you create an account, complete onboarding, update your profile, purchase a ticket, register for an event, submit a support message, or use other features of the App.
  • Via OAuth providers — if you register or log in with Google Sign-In or Apple Sign-In, we receive the information needed to identify and create your account (typically name and email address). The identity token is verified via Firebase Authentication.
  • Automatically — when you use the App, we may collect technical data as part of normal platform operations, including session management, push notification registration, and API interactions.
  • Via permission-based features — location data is collected only when you grant foreground location permission. Push notification tokens are collected when you grant notification permission.
  • From third-party service providers — we may receive limited transactional metadata from our payment processor in connection with a ticket purchase.

6. Purposes of Processing

We process personal data for the following purposes:

6.1 Providing and operating the App

  • Creating and managing user accounts
  • Authenticating users via email/password or OAuth
  • Personalising the event feed based on your stated interests and, where enabled, your location
  • Enabling ticket purchase, registration, and the ticket wallet
  • Delivering QR-based ticket validation and check-in
  • Operating organiser tools and check-in flows
  • Running session-based and real-time features where active

6.2 Processing payments

  • Facilitating payment for ticketed events through our integrated payment provider
  • Associating payment metadata with your purchase records

6.3 Communications

  • Sending transactional emails (email verification, password reset, booking confirmation)
  • Sending push notifications relating to tickets, event reminders, and platform activity

6.4 Platform integrity and fraud prevention

  • Detecting and preventing fraud, abuse, or manipulation of the ticketing or purchase flow
  • Maintaining records for legal, financial, and dispute-resolution purposes

6.5 Customer support

  • Responding to support requests submitted through the App

6.6 Legal compliance

  • Complying with applicable laws, including Italian and EU data protection law, consumer law, and accounting and tax requirements

7. Legal Bases for Processing

We rely on the following legal bases under the EU General Data Protection Regulation (GDPR) and applicable Italian law:

7.1 Performance of a contract (Art. 6(1)(b) GDPR)

Processing necessary to provide the App and its features to you. This includes:

  • creating and managing your account, and authenticating you when you log in;
  • facilitating ticket purchases, managing your ticket wallet, and enabling QR-based validation and check-in;
  • sharing limited attendee data with organisers for event operations where you have registered or purchased a ticket;
  • sending transactional communications required to operate your account (verification codes, booking confirmations).

7.2 Legitimate interests (Art. 6(1)(f) GDPR)

Processing necessary for our legitimate operational interests, where those interests are not overridden by your rights. This includes:

  • platform security, fraud prevention, and detection of abuse in the ticketing or purchase flow;
  • maintaining push notification token registrations and managing session integrity;
  • retaining transactional and accounting records for dispute resolution and business continuity;
  • internal operational monitoring and platform stability.

7.3 Compliance with a legal obligation (Art. 6(1)(c) GDPR)

Processing required by law, including Italian and EU accounting, tax, and data retention obligations.

7.4 Consent (Art. 6(1)(a) GDPR)

Where we rely on consent — for example, for foreground location access and, if introduced in future, optional marketing communications — we request your consent separately and clearly. You may withdraw consent at any time without affecting prior processing.

8. Ticketing, Payments, and Organiser Data Sharing

8.1 Role of the Organiser

For Native Ticketed Events, the event organiser is the seller of the ticket and your contractual counterparty for the event itself. Outpeek provides platform infrastructure and operational support. Outpeek is not the seller by default and is not the merchant of record for Native Ticketed Events unless expressly stated otherwise for a specific event.

8.2 Payment Processing

Payments for Native Ticketed Events are processed through Stripe, an integrated third-party payment provider. Outpeek does not store your payment card data. Stripe processes payment card data directly under Stripe's own terms and privacy policy. Outpeek may receive limited payment-related metadata — such as payment status, transaction identifiers, and payout-related records — for booking confirmation, platform fee reconciliation, and fraud prevention purposes.

Organisers who collect payments through the App are subject to Stripe Connect onboarding and Stripe's requirements. Stripe handles payouts to organisers independently of Outpeek.

8.3 Sharing of Attendee Data with Organisers

When you purchase a ticket or register for a Native Ticketed Event, certain limited personal data may be made available to the organiser solely for the purposes of managing that event. This may include:

  • your name;
  • your profile picture (for identity verification at the point of entry);
  • your ticket status;
  • your QR validation status.

This data is shared only to the extent necessary for check-in, access control, identity verification at entry, attendance tracking, and event administration. You are informed of this sharing within the App before completing a purchase or registration.

Organisers are not permitted to use this data for unrelated purposes such as marketing, profiling, or commercial outreach, unless you have separately agreed to such use. Organisers are contractually required to handle attendee data in accordance with applicable data protection law and to retain it only for as long as reasonably necessary for the management of the event and any directly related post-event administration.

8.4 Organiser Data Controller Status

Where an organiser uses the attendee data they receive through the App to manage their own event, they act as an independent data controller for that processing under applicable data protection law. Each organiser is solely responsible for ensuring that their own processing of attendee data complies with applicable law. Outpeek defines and limits the scope of data shared with organisers through the App, but does not control and is not responsible for any processing carried out independently by organisers beyond that scope.

8.5 Profile Picture in the Check-in Context

Your profile picture is displayed to the organiser or their authorised staff through the App's check-in interface solely for identity verification at the event entrance. It is not shared with organisers for any other purpose.

9. Location Data

The App requests foreground-only location permission on your device. We do not request or collect background location.

If you grant location permission, your approximate device coordinates are used to show you events near your current location and to support distance-based sorting in the event discovery feed. If permission is not granted or coordinates are not available, the App defaults to a reference location for distance-based queries.

Location data is used transiently for query purposes. We do not maintain a persistent location history. You can revoke location permission at any time through your device settings.

10. Notifications and Communications

10.1 Push Notifications

If you grant notification permission, the App registers your device and stores an Expo push notification token linked to your account. This token is used to deliver push notifications via Expo's push notification infrastructure, which in turn uses APNs (Apple) or FCM (Google Firebase) as the underlying delivery layer.

Push notifications may include ticket purchase confirmations, event reminders, and other notifications related to your use of the App. You can manage notification preferences through your device settings.

10.2 Transactional Emails

We send transactional emails via Amazon SES in connection with: email address verification, password reset codes, change-of-email verification, and booking or registration confirmations. These communications are necessary for the operation of your account.

11. Account Management and Deletion

11.1 Managing Your Account

You can update your profile, interests, bio, and profile picture from within the App. If you signed up with email and password, you can change your email address via the in-app flow. This option is not available for accounts created via Google or Apple OAuth.

11.2 Account Deletion

You can request deletion of your account from within the App. Deletion may be restricted or blocked in certain cases:

  • If you are a registered organiser with upcoming events that have active ticket holders, deletion will be blocked until those obligations are resolved.
  • If you hold valid tickets for upcoming events, deletion may be blocked to protect refund logic and ensure organiser guest lists remain accurate.

Where deletion proceeds, it is implemented as a soft-delete: your account is deactivated and made inaccessible to you, but certain records are retained for the periods described in Section 14 for legal, accounting, fraud-prevention, ticketing, and dispute-handling reasons.

12. Sharing of Personal Data

We do not sell your personal data. We share data only as described below.

12.1 Event Organisers

As described in Section 8.3, limited attendee data may be shared with organisers for event operations, subject to the conditions described in that section.

12.2 Service Providers

We use third-party service providers who process data on our behalf under data processing agreements. These providers act as data processors on our behalf, except where they operate as independent controllers under their own terms. These include:

  • Amazon Web Services (AWS) — cloud infrastructure, including Amazon RDS (database), Amazon S3 (media and image storage), Amazon SES (transactional email), Amazon ElastiCache/Redis (caching and session management), and Amazon ECS/Fargate (compute);
  • Stripe — payment processing, Stripe Connect onboarding, and payout services;
  • Google Firebase / Firebase Authentication — OAuth identity token verification for Google Sign-In and Apple Sign-In flows;
  • Expo / EAS (Expo Application Services) — push notification delivery infrastructure;
  • Apple Push Notification service (APNs) and Google Firebase Cloud Messaging (FCM) — underlying mobile push delivery;
  • Mapbox — map and location display within the App.

12.3 Legal and Safety Disclosures

We may disclose personal data where required by law, court order, or other legal obligation, or where necessary to protect the rights, safety, or property of Outpeek, our users, or the public.

12.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to equivalent protections.

13. International Transfers

Outpeek is established in Italy. Our infrastructure relies on cloud and third-party services that may store or process data outside the European Economic Area (EEA), including in the United States.

Where personal data is transferred outside the EEA, we rely on appropriate safeguards under applicable law — including, where relevant, Standard Contractual Clauses adopted by the European Commission, or other recognised transfer mechanisms. Our service providers maintain their own transfer safeguards and, where applicable, rely on adequacy decisions or equivalent mechanisms.

You can request further information about the safeguards applicable to a specific transfer by contacting us at support@outpeek.it.

14. Data Retention

We retain personal data for as long as necessary for the purposes described in this policy, or as required by law. The following periods apply:

14.1 Account and profile data

Retained while your account is active. Following a deletion request, the account is soft-deleted and deactivated; residual account data is retained for up to 30 days before further deletion or anonymisation, except where longer retention is required for legal, accounting, fraud-prevention, ticketing, or dispute-handling reasons.

14.2 Transaction, payment, and ticket data

Retained for up to 10 years where required for accounting, tax, legal, and dispute-related purposes under applicable Italian and EU law.

14.3 Support messages

Retained for up to 24 months after the closure of the relevant support request.

14.4 Push notification tokens

Retained while your account is active and the token remains valid. Tokens are removed or deactivated when they become invalid, when you disable notifications, when you log out, or through periodic cleanup as part of routine maintenance.

14.5 Location data

Used transiently for query purposes only. We do not store a persistent location history.

14.6 Organiser access to attendee data

Attendee data made available to organisers through the App is accessible only for event management purposes and for as long as reasonably necessary for event management and related post-event activities, including support, disputes, refunds, and legal obligations. Organisers are required not to use or retain attendee data beyond what is necessary for those purposes.

14.7 Security and fraud logs

Retained for up to 12 months.

15. Security

We take reasonable technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These measures include:

  • passwords stored as hashed credentials, never in plain text;
  • short-lived cryptographically signed tokens for authentication; sessions can be explicitly invalidated;
  • API communications encrypted in transit (HTTPS/TLS) and WebSocket connections over WSS;
  • restricted access to cloud infrastructure and stored data;
  • payment card data not stored by Outpeek — processed directly by Stripe;
  • profile pictures and media assets stored in cloud object storage with access controls.

No system is completely secure. If you believe your account has been compromised, please contact us immediately at support@outpeek.it.

16. Your Rights

Under the GDPR and applicable Italian law, you have the following rights in relation to your personal data:

  • Right of access — you may request a copy of the personal data we hold about you.
  • Right to rectification — you may ask us to correct inaccurate or incomplete data. Many profile fields can be updated directly in the App.
  • Right to erasure — you may request deletion of your data, subject to the restrictions in Section 11.2 and to legal retention obligations.
  • Right to restriction of processing — you may ask us to restrict processing in certain circumstances.
  • Right to data portability — you may request your data in a structured, machine-readable format, where technically feasible.
  • Right to object — you may object to processing based on legitimate interests; we will assess whether our interests override your rights in the specific case.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at support@outpeek.it or outpeeksrl@pec.it. We will respond within the timeframe required by applicable law (generally within 30 days). We may need to verify your identity before acting on a request.

You also have the right to lodge a complaint with the Italian data protection authority, the Garante per la protezione dei dati personali (www.garanteprivacy.it), or with the supervisory authority in your place of habitual residence.

17. Children and Age Restrictions

Outpeek is not intended for use by persons under the age of 16. We do not knowingly collect personal data from individuals under 16.

If we become aware that we have collected personal data from a person under 16 without an appropriate legal basis, we will take steps to delete that data. If you believe a child under 16 has created an account or provided personal data to us, please contact us at support@outpeek.it.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, the App, or applicable law. When we make material changes, we will notify you through the App or by other appropriate means before the changes take effect. The updated policy will be published at outpeek.it/privacy with the new effective date.

The updated policy will apply from its effective date. If you have questions about any changes, or if you do not wish to continue using the App under the revised policy, you may request deletion of your account as described in Section 11.

19. Contact

For any question, concern, or request relating to this Privacy Policy or to our data processing practices, please contact us:

Outpeek S.R.L.
Corso Re Umberto, 56
Torino (TO), Italy
Email: support@outpeek.it
PEC: outpeeksrl@pec.it