Privacy Policy

2. Privacy Policy - Application Users

This policy is provided in a layered format so you can click through to the specific areas set out.

2.1. Who We Are

XO ENTERTAINMENT LTD, a private limited company duly registered in the Republic of Cyprus [register number: HE 449501], referred to as “XO,” “us,” “our,” or “we,” is the data controller responsible for your personal data collected through the XO platform and its associated services (collectively, the “Platform”).

This privacy and cookie policy (“Policy”) outlines the types of personal data we may collect about you when you use our Platform and how we manage your personal data.

2.2. What Personal Data We Collect

Where this Policy refers to ‘personal data’, it is referring to data about you from which you could be identified – such as your name, your date of birth, your contact details and even your IP address. This section includes details on your personal data types and categories that XO ENTERTAINMENT LTD may process.

We may collect, use, store and transfer different kinds of personal data about you as follows:

·       Identity Data which includes your first name, last name, maiden name, username or similar identifier, marital status, title, date of birth and gender.

·       Contact Data which includes your e-mail address, billing address, delivery address, and telephone numbers.

·       Financial Data which includes bank accounts and payment card details.

·       Transaction Data which includes details about payments to and from you and other details or services you have purchased from us.

·       Technical Data which includes your IP address, your login data and browser type and version.

·       Device Data which includes the type of mobile device you use, a unique device identifier (for example, your Device's IMEI number, the MAC address of the Device's wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, and time zone setting.

·       Profile Data which includes your login credentials (email and password), in-App purchase history, your interests, preferences, feedback and survey responses.

·       Content Data which includes information stored on your Device, including friends' lists, photos, videos or other digital content, and check-ins.

·       Usage Data which includes information about how you use the Site.

·       Marketing and Communications Data which includes your preferences in receiving marketing from us and our associated third parties or, if we are running a competition or prize draw, we will collect your contact details such as name, and email address when you enter the competition.

·       Location data which includes your current location disclosed by GPS or other technology.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific App feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

Where you are required to pay a deposit to secure a booking, we use a third-party payment services provider to collect and process any financial data (which includes your bank account and payment card details), and manage the transfer of funds. We have a contractual agreement in place with that payment services provider, which is directly responsible for the collection and processing of the financial data that you provide to it, and for executing the transfer of funds. We do not directly collect or process any of your financial data, nor do we handle any of the funds that you may send to venues/event organizers to secure bookings. That data will be processed by our payment services provider and your deposit remitted to the venues/event organizers directly.

We do not collect any special categories of personal data about you (this includes sensitive data and details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Additionally, we do not collect any information about criminal convictions and offenses.

By using our services, you agree that it is your responsibility to ensure that any individual to whom you transfer or share tickets, entries, or add to your booking is of the legal age of consent in the respective country or region where the entertainment event or venue booking is taking place. XO ENTERTAINMENT LTD is not liable for any consequences arising from the failure to comply with this responsibility.

By law, all organizations who process your personal data are obliged to process it in certain ways and to ensure that you are given an appropriate amount of information about how they use it. You also have various rights to seek information from those organizations about how they are using your data, and to prevent them from processing it unlawfully. For more information about these rights, please see the “Data Subject Rights” section of this Policy.

2.3. How We Collect Your Personal Data

We collect your personal information through direct interactions with you when you use the Site to create an account, utilize our app, complete booking and location requirements, make reservations, pay deposits, order services, transfer tickets and passes/entries, add to bookings, engage with loyalty and rewards programs, contact us via email or post, request marketing communications, participate in competitions or prize draws, or simply browse the Site.

Specifically, we will collect and process the following data about you:

·       Information you give us: This is information (including Identity, Contact, Financial, and Marketing and Communications Data) you consent to giving us about you by filling in forms on the App Site and the Services Sites (together Our Sites), or by corresponding with us (for example, by email or chat). It includes information you provide when you register to use the App Site, download or register an App, subscribe to any of our Services, search for an App or Service, make an in-App purchase, share data via an App's social media functions, enter a competition, promotion or survey, or any other activities commonly carried out in connection with the App or Our Sites and when you report a problem with an App, our Services, or any of Our Sites. If you contact us, we will keep a record of that correspondence.

·       Information we collect about you and your device: Each time you visit one of Our Sites or use one of our Apps we will automatically collect personal data including Device, Content and Usage Data. We collect this data using cookies and other similar technologies. Please see our Cookie Policy for further details.

·       Location Data: We also use GPS technology to determine your current location. Some of our location-enabled Services require your personal data for the feature to work. If you wish to use the particular feature, you will be asked to consent to your data being used for this purpose. You can withdraw your consent at any time by disabling Location Data in your settings.

Information may also be retrieved from other sources including third parties and publicly available sources. third-party services such as Apple, Google, Facebook, and others, which may provide us with your email address, first name, and last name, among other data.

Specifically, we will collect and process the following data about you:

·       Your email address, first name, and last name, which may be provided to us by third-party services such as Apple, Google, Facebook, and others.

·       Device Data, which may be provided to us by analytics providers such as Google based outside the Republic of Cyprus.

·       Unique application numbers: When you want to install or uninstall a Service containing a unique application number or when such a Service searches for automatic updates, that number and information about your installation, for example, the type of operating system, may be sent to us.

2.4. Purposes

2.4.1. Lawful Bases

We will only use your personal data when the law allows us to do so. Specifically, your personal data will be used in accordance with the following lawful bases for processing, as these are defined in the EU/UK GDPR:

·       Where you have consented before the processing (Art. 6 (a), GDPR).

·       Where we need to perform a contract, we are about to enter or have entered with you (Art. 6 (b), GDPR).

·       Where we need to comply with a legal or regulatory obligation (Art. 6 (c), GDPR).

·       Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (Art. 6 (f), GDPR).

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis allowing us to do so.

2.4.2. Marketing and Communications

We will only send you direct marketing communications by email or text if we have your consent. You have the right to withdraw that consent at any time by contacting us.

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

Where you opt-in to receive alerts (either by specifically requesting particular types of alerts or communication, or by way of a ‘soft opt-in’ where you turn down the option to be removed from a particular mailing list), we will send you communications of the type that you have indicated you wish to receive. Those communications will, depending on your selection, include in app alerts, emails, and/or text messages (i.e., SMS, WhatsApp, Viber, social media).

In addition to notifying you of news and promotions that relates to XO and the services, we will (where you have validly opted-in) send you similar news and promotions about venues/events which feature on the app. This may include suggesting venues/events that we believe will be of interest to you, notifying you of promotions being offered by venues/event organizers, and similar direct marketing communications. Those communications are sent to you by XO and not by the venues/event organizers.

Please note that if you provide your contact details to third parties independently of the app, for example by participating in a promotion, then XO will have no control over or responsibility for any subsequent direct marketing materials that the third party may send to you. You will need to contact the third party directly in order to opt-out.

We will use in-app alerts and emails to deliver messages to you that relate to services that you request via the app. In simple terms that means that we will deliver messages to you to notify you about venues/events responding to your requests for a Reservation, as well as to notify you about updates or changes to Reservations that you have made (for example, if a cancellation occurs).

Some venues/events/event organizers will use their own technologies to deliver those updates to you. Typically, those venues/events/event organizers will do that using a broader set of technologies which they use to manage and list their vacancies and reservations. To ensure that you receive updates about your Reservations as promptly and as efficiently possible, and to streamline the process of identifying potential vacancies at venues/events, we enable venues/event organizers to do this where they have the necessary technologies in place. In those cases, you will receive email and/or text messages (i.e., SMS, WhatsApp, Viber, social media) about your reservation request directly from the venues/event organizers at which you have requested a reservation. Your data is provided to venues/event organizers in this way solely to enable them to manage and alert you about your reservation.

Please note that XO does not provide venues/events/event organizers with your details for use in promotional mailing lists.

If you believe that a venue/event organizer has sent you promotional emails or text messages (i.e., SMS, WhatsApp, Viber, social media) using details received by XO, then please contact us to make us aware and to enable us to resolve the issue.

2.4.3. Opting Out of Marketing

To unsubscribe from marketing emails sent by XO at any time, please click on the unsubscribe link at the bottom of any marketing email and update your account preferences. You may also contact us directly if you do not wish to receive any marketing materials from us.

Please note that opting out of marketing emails will not exclude your email from receiving communication in regard to validating your email, as well as emails that are of transactional nature (i.e., confirming a user's booking, changes to an event, etc.).

2.4.4. Profiling

The application engages in profiling of individual and demographic trends based on the events/venues you have attended or expressed interest in, with your consent. This profiling helps us provide personalized recommendations of similar events/venues that may interest you. We achieve this by making informed assumptions through the analysis of the data we hold, which includes events/venues you have viewed, and events/venues you have attended. Your participation is voluntary, and you can withdraw your consent at any time. The data collected will only be used to enhance your experience and tailor event recommendations to your preferences.

2.5. Data Transfers

2.5.1. Disclosures

When you consent to providing us with your personal data, we will also ask you for your consent to share your personal data with the third parties set out below for the purposes set out in Purposes section:

·       Internal Third Parties as set out in section Key Terms.

·       External Third Parties as set out in section Key Terms.

We may also disclose your personal data to third parties in the following events:

·       if we were to sell or buy any business or assets, in which case we might disclose your personal data to the prospective seller or buyer of such business or assets as part of that transaction;

·       if XO or substantially all of its assets are acquired by a third party, in which case personal data held by us about our customers and contacts will be one of the transferred assets;

·       if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or if we are asked to provide your details to a lawful authority in order to aid in the investigation of crime or disorder; and/or

·       in order to enforce or apply the Site’s terms of use or terms and conditions of sale; or to protect the rights, property, or safety of our company, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

Depending on how and why you provide us with your personal data we may share it in the following ways:

·       with venues/events/event organizers so that they can inform us whether they can accommodate your request (we will share your name and reservation requirements, we may share your contact details to venues/events/event organizers which manage reservation alerts directly as described in Marketing and Communications section);

·       with the general public if we want to publicize the success of a competition which you have won a prize in (we will only share your name and details of the competition, we will never share your contact details or location with the general public);

·       with selected third parties to which we sub-contract to provide various services and/or aspects of the Site’s functionality, such as where third-party plugins provide functionality such as message boards or image hosting services; and

·       with analytics and search engine providers that assist us in the improvement and optimization of this Site as described above.

Please note that in all cases above, your personal data may be shared in the same way as set out in this privacy policy.

2.5.2. International Transfers

Many of our external third parties are based outside the Republic of Cyprus and/or EU so their processing of your personal data will involve a transfer of data outside the Republic of Cyprus and/or EU.

Whenever we transfer your personal data out of the Republic of Cyprus and/or EU, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

·       We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.

·       Where we use certain service providers, we may use specific contracts (Binding Corporate Rules / Standard Contractual Clauses) approved by the Republic of Cyprus and/or EU which give personal data the same protection it has in the Republic of Cyprus and/or EU.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the Republic of Cyprus and/or EU.

2.6. Data Retention

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Specifically, Identity, Contact, Transaction and Financial Data are retained for six (6) years as mandated by legal requirements (tax purposes).

In the event that you do not use the App for a period of two (2) years, then we will treat the account as expired and your personal data may be deleted.

Data subjects have the right to request the deletion of their personal data (see Section Data Subject Rights). The company will comply with such requests, provided that the data is not required for legal obligations, contractual commitments, or other regulatory purposes that necessitate its retention.

Please note that in some circumstances we may use data anonymization techniques. In such cases, we may use this information indefinitely for research or statistical purposes, without further notice to you.

2.7. Links to Third-Party Websites

Our Sites may occasionally include links to the websites of our partner networks, advertisers, and affiliates, which have their own privacy policies. We do not accept any responsibility or liability for these policies or for any personal data, such as Contact and Location Data, that may be collected through these external websites or services. Additionally, links to third-party websites, plug-ins, and applications that are not affiliated with our Site are outside our control and are not covered by this Policy. If you choose to access these third-party sites using the provided links, be aware that the operators of those sites may collect personal data from you in accordance with their own privacy policies. We encourage you to review these policies before submitting any personal data.

2.8. Data Subject Rights

2.8.1. Your Rights Under GDPR

This section outlines your rights under the General Data Protection Regulation (GDPR), designed to empower you with greater control over your personal data and ensure your privacy is respected and protected.

Right to be informed: The right to information allows you to know what personal data is collected about you, why, who is collecting data, for how long, how you can file a complaint, and if there is data sharing involved.

Right to request access to your personal data: You have the right to request and receive confirmation of whether we hold your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Right to request rectification of your data: You have the right to have your personal data amended where it is inaccurate or added to where it is incomplete. This enables you to have any data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.

Right to request erasure of your personal data: This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Right to request restriction of processing of your personal data: This enables you to ask us to suspend the processing of your personal data in the following scenarios:

·       if you want us to establish the data's accuracy;

·       where our use of the data is unlawful but you do not want us to erase it;

·       where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or

·       you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Right to request the transfer of your personal data to you or to a third party: We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Right to object to processing of your personal data: Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. You also have the right to ask us not to continue to process your personal data for marketing purposes.

Rights in relation to automated decision-making and profiling: This encompasses different types of profiling, such as personal preferences, interests, behaviour, or location, if it produces a legal effect that significantly affects you. However, it does not apply if the processing is necessary for the performance of a contract, if it is authorized by the law, or if the processing is based on explicit consent.

Additionally, you have the right to withdraw your consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

2.8.2. How to Exercise your Rights

You can exercise any of the rights set out above at any time by contacting us at contact@thexo.app.

Additional contact details of our company are the following:

Full name of legal entity: XO ENTERTAINMENT LTD

Postal address: 20 Annis Komninis, Apartment 602, 1061, Nicosia, Cyprus

Also, you have the right to make a complaint at any time to the Cyprus Data Protection Commissioner’s Office (DPCO), the supervisory authority in the Republic of Cyprus, which can provide further information about your rights and our obligations regarding your personal data, as well as address any complaints you may have about our processing of your personal data. Please contact them using the details set out below:

Data Protection Commissioner

Kypranoros 15, 1061 Nicosia

P.O. Box 23378, 1682 Nicosia

Tel: +35722818456

Fax: +35722304565

Email: commissioner@dataprotection.gov.cy

2.9. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.

We faithfully apply the "Need-to-Know" fundamental principle, which limits the handling and knowledge of information and data to only those staff members who absolutely require it. Access to your personal data is restricted to employees, agents, contractors, and other third parties who have a legitimate business need to know (i.e., venues/events/event organizers and their staff members). These individuals will only process your personal data in accordance with our instructions and are bound by a duty of confidentiality.

We conduct Risk Assessments and Data Protection Impact Assessments to identify and evaluate the potential effects on confidentiality, integrity, and availability in the event of a security breach. This process also assesses the impact on Data Subjects, identifies threats and vulnerabilities, and determines the appropriate security controls to mitigate the identified risks.

All information you provide to us is stored on our secure servers. Any payment transactions carried out by us or our chosen third-party provider of payment processing services will be encrypted using Secure Sockets Layer (SSL) technology or an equivalent encryption technology. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our Sites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Once we have received your information, we will implement strict procedures and security features to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way. These measures include, but are not limited to, firewalls, intrusion detection systems, and regular security audits to assess vulnerabilities. We also utilize encryption for sensitive data both at rest and in transit to further protect your information.

We will collect and store personal data on your Device using application data caches, browser web storage (including HTML5), and other secure technologies.

We ensure that staff receive ongoing information regarding security matters, placing special emphasis on the importance of upholding credibility and commitment to IT-related responsibilities. We regularly review our processes and procedures to protect against unauthorized access to our systems.

Certain Services may include social networking, chat room, or forum features. Please ensure that when using these features, you do not submit any personal data that you do not wish to be seen, collected, or used by other users.

While the company takes all reasonable security measures, it cannot guarantee that these measures will always prevent cybersecurity breaches. We consider that there is a limitation of liability in cases of unauthorized access that occurs despite our reasonable security measures.

We have established procedures to address any suspected personal data breaches and will notify you and any applicable regulator when we are legally required to do so. Specifically, in the event of a data breach compromising personal data, XO Entertainment Ltd will:

·       Notify Affected Users: Notify affected users promptly, within 72 hours of becoming aware of the breach, describing the nature of the breach and steps taken to mitigate its impact.

·       Regulatory Notification: Comply with legal and regulatory requirements regarding data breach notifications.

2.10. Cookies

We use cookies and/or other tracking technologies to distinguish you from other users of the App, App Site, the distribution platform (Appstore) or Services Sites and to remember your preferences. This helps us to provide you with a good experience when you use the App or browse any of Our Sites and also allows us to improve the App and Our Sites.

Cookies are small text files that are stored on your device by a web server. XO uses cookies to remember users' settings (e.g., language preference), for authentication, and for analytics purposes. Please note that we may use trusted third-party services that track this information on our behalf, like Google Analytics, but all data used will be anonymized.

Types of cookies we use include:

·       Session Cookies: These are temporary and deleted when you close your browser.

·       Persistent Cookies: These remain on your device for a set period specified in the cookie. We use these to remember your preferences and actions across multiple visits.

·       Essential Cookies: Necessary for the provision of our website and services.

·       Performance Cookies: Help understand how visitors interact with our website, providing information about the areas visited, the time spent on the site, and any issues encountered, such as error messages.

·       Functionality Cookies: Enhance functionality and personalization, such as remembering your choices and preferences.

·       Advertising Cookies: Used to make advertising messages more relevant to you and your interests.

You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Each browser is a little different, so look at your browser’s Help menu to learn the correct way to modify your cookies. Please note that disabling some types of cookies may lead to limited functionality or unavailability of certain services on our platform.

2.11. Changes to the Privacy Policy

We regularly review our privacy policy, with the most recent update occurring on 26/11/2024. Changes to the policy will be posted on this page and, when appropriate, communicated to you upon your next access of the App or login to one of the Services Sites. The updated policy may appear on-screen, and you may need to read and accept the changes to continue using the App or Services. Additionally, we may update this Cookie and Privacy Policy to reflect changes in our information practices, and if any material modifications are made, we will notify you via email (sent to the address associated with your account) or through a notice on our website prior to the changes taking effect. We encourage you to check this page occasionally to ensure you are satisfied with any updates to our policy.

2.12. Compliance

This Privacy Policy will be enforced by XO and all its operational divisions and subsidiaries. We have established mechanisms to ensure continuous compliance with this Privacy Policy. Any employee who breaches this Privacy Policy will face disciplinary actions.