Privacy Policy
How we handle your data on FunTicket — what, why, for how long, with which rights.
Last updated ·
1. Who we are
Toxicode is the data controller for the personal data collected through the FunTicket app (iOS and Android) and through the site funticket.musme.app. Reach us at it.funticket@gmail.com for any question about this policy or to exercise your rights.
2. The short version: what we don’t do
Before the legalese, the actual commitments:
- Photos of your tickets stay on your phone. OCR (text recognition) and the parsers (IATA BCBP, TicketOne, Live Nation) run entirely on-device via Apple ML Kit and our native module. We don’t ship those images to our servers to “read” them.
- We don’t sell your data to anyone. Ever. It’s not the business model.
- No third-party advertising trackers in the app. No Google Analytics, Facebook Pixel, AppsFlyer, or similar.
- No mandatory account. You can use FunTicket in guest mode: tickets stay only on the device.
3. What we collect
3.1 Account (only if you register or sign in via SSO)
When you create an account, manually or with Sign in with Apple / Google Sign-In (via native idToken, no browser redirect), we receive:
- Email address (needed for sign-in and password recovery)
- Name / display name (optional, editable in Settings)
- SSO provider (apple/google, if used)
- Unique user identifier (UUID we generate at first sign-in)
For users migrated from the legacy Firebase setup we also keep the original firebase_uid to preserve continuity of their tickets.
3.2 What you create
- Tickets (title, date, venue, section, seat, flight/cinema-specific fields)
- Customisations (colours, picked fonts, selected template)
- Ticket images (photos uploaded after registration are synced to Supabase Storage behind signed URLs)
- Notifications and scheduled reminders
3.3 Technical data
When the app talks to our backend for sync and template downloads, we log — for security and debugging:
- IP address (masked after 30 days)
- User-Agent
- Timestamp of requests
- Errors (code, path, correlated request id from our internal logger)
These logs are rotated and deleted after 30 days.
4. What we don’t collect
- GPS location. The app never asks for location permissions.
- Contacts, calendar, photos from other albums (only the images you choose to import).
- Audio / microphone (permissions are declared in the manifest only because the camera SDK requires them, but the microphone is never activated).
- Web browsing history.
5. Why we process your data (GDPR legal basis)
| Purpose | Legal basis |
|---|---|
| Service delivery (login, ticket sync, notifications) | Contract performance (art. 6.1.b GDPR) |
| Security, anti-abuse, error logging | Legitimate interest (art. 6.1.f GDPR) |
| Legal compliance (e.g. lawful requests) | Legal obligation (art. 6.1.c GDPR) |
| Promotional communications (we send none today) | Explicit consent (art. 6.1.a GDPR) |
6. Where your data lives
All user data is hosted on self-hosted Supabase on servers in the European Union. No extra-EU transfers for user content. The only exceptions are:
- Apple / Google SSO: the initial auth flow touches their servers (United States), but we only receive the
idTokenand the verified email. - Apple Push Notification Service / Firebase Cloud Messaging: required for push notifications, handled by Apple/Google under their standards.
7. Retention
| Data type | Retention |
|---|---|
| Active user profile | As long as you keep the account |
| Tickets and customisations | Until you delete them |
| Account after deletion | Wiped within 30 days (cloud tickets immediately) |
| Technical logs (IP, UA) | 30 days |
| Security backups | Up to 90 days after deletion |
8. Your rights
Under GDPR articles 15-22 you can at any time:
- Access your personal data
- Rectify inaccurate data
- Erase (“right to be forgotten”)
- Restrict processing
- Portability (export your tickets as JSON from the app, Settings → Export data)
- Object to legitimate-interest processing
- Lodge a complaint with the Italian DPA (www.gpdp.it) or your local supervisory authority
Email it.funticket@gmail.com to exercise any of these. We answer within 30 days.
9. Security
- End-to-end TLS 1.3 in transit
- JWT HS256 with rotating access/refresh tokens, native secure storage (Keychain on iOS / EncryptedSharedPreferences on Android)
- Postgres Row Level Security on every piece of user content — even if our backend got breached, RLS prevents cross-user reads
- On-device OCR and parsing: images never leave your phone to be interpreted
- Audited backend, 91 integration tests cover sensitive flows on every release
10. Changes
We update this policy when the practices change. The “Last updated” date at the top is authoritative. Substantial changes are announced via email (if you have an account) and via in-app banner.
11. Contact
Toxicode — for any question about personal data processing: it.funticket@gmail.com
We didn’t appoint a mandatory DPO (the criteria under GDPR art. 37 don’t apply), but the email above is the official channel for any privacy-related request.