St Andrews Tickets

Legal

Privacy policy.

Last updated: April 28, 2026

1. Introduction

This Privacy Policy explains what personal data St Andrews Tickets collects, how we use it, who we share it with, and your rights under the UK General Data Protection Regulation.

2. Who we are

St Andrews Tickets is operated by Evan Patel, a student of the University of St Andrews. For privacy queries, contact: evanpatel3826+support@gmail.com.

3. What data we collect

Information you provide

  • Email address (must be @st-andrews.ac.uk)
  • Display name (a generated pseudonym)
  • Optional WhatsApp number
  • Optional full name
  • Listing details
  • Messages exchanged with other Users

Information collected automatically

  • IP address
  • Browser type
  • Pages visited
  • Cookies and session tokens
  • Approximate location (used only for fraud detection)

Information from third parties

Stripe collects and stores your payment details directly. We do NOT store credit card numbers, bank details, or other financial information.

4. How we use your data

We use your data to:

  • Authenticate you
  • Display your listings
  • Process payments via Stripe
  • Resolve disputes
  • Detect fraud
  • Communicate transaction updates
  • Comply with legal obligations

We do NOT sell your data, use it for advertising, or share it with anyone except as described in Section 5.

5. Who we share data with

  • Stripe receives payment information for processing transactions.
  • Supabase stores your account data and listings.
  • Other Users see your pseudonym and listings; after a purchase, your WhatsApp number (if added) is revealed to the other party as a clickable link only.
  • Law enforcement may receive data only if legally required.

6. Cookies

We use essential cookies for authentication. We do NOT use advertising cookies or third-party tracking pixels.

7. How long we keep your data

  • Active accounts: as long as your account is active
  • Closed accounts: 12 months for fraud detection
  • Order records: 6 years for UK tax compliance
  • Messages: 12 months after order completion

8. Where your data is stored

Supabase (database), Vercel (hosting), and Stripe (payments). When data is transferred to the US, it is protected under the EU-US Data Privacy Framework.

9. Your rights under UK GDPR

You have the right to access, correct, delete, export, restrict, or object to processing of your data. You may also withdraw consent or lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).

To exercise any rights, contact evanpatel3826+support@gmail.com. We will respond within 30 days.

10. Children’s data

The Platform is intended for users aged 18 and over. Users aged 16–17 may use the Platform with parental consent.

11. Security

We use:

  • HTTPS encryption
  • Encrypted database storage
  • Row-level security policies
  • Supabase’s secure session system

If a data breach occurs that affects your personal data, we will notify affected Users within 72 hours.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Platform.

13. Contact

For privacy questions, data requests, or complaints: evanpatel3826+support@gmail.com.

Data protection authority: UK Information Commissioner’s Office (ICO) at ico.org.uk.