Privacy Policy
This Privacy Policy provides information on the processing of personal data carried out by the data controller in connection with the operation of its website, provision of services, and communication with users and partners. The controller ensures that all processing of personal data is carried out in compliance with the General Data Protection Regulation (GDPR) and applicable national data protection legislation.
The purpose of this document is to ensure transparency regarding the types of data collected, the legal grounds and purposes of processing, the measures taken to safeguard personal data, and the rights available to data subjects. Personal data are processed lawfully, fairly, and in a manner that guarantees appropriate security, confidentiality, and integrity.
By providing this Privacy Policy, the controller aims to inform all data subjects about the essential aspects of data protection and the procedures established to ensure compliance with legal obligations and best practices in data management.
Section I - Controller and Contact Details
Art. 1 (1) This ticket sales website is managed and administered by:
Name: Parnassus Immersive GmbH
Headquarters and registered office: Günthergasse 3 Top 5a 1090 Wien
Address for correspondence: Günthergasse 3 Top 5a 1090 Wien
Email: office@light-of-creation.com
Tel: +43 1 376 3399
(2) Information about the regulatory authority for personal data protection
Name: Austrian Data Protection Authority (Datenschutzbehörde)
Address: Barichgasse 40–42, 1030 Vienna, Austria
Phone: +43 1 52 152-0
Website: https://www.dsb.gv.at
Email: dsb@dsb.gv.at
Section II - Definition of terms
Art. 2 For the purposes of this Privacy Policy, the following terms shall be interpreted and understood according to the definitions below.
- Personal Data: Refers to any information that can identify a living individual, either directly or indirectly. This includes details like name, home address, email address, ID number, IP address, or any information that could reveal a specific person’s identity.
- Website: This is a unique digital platform accessible globally via a unified URL (through protocols like HTTP or HTTPS) that hosts our resources, including files, databases, text content, and visuals aimed at promoting our business.
- Processing: Any activity involving personal data, whether manually or automated. This can include collecting, recording, organizing, storing, adapting, retrieving, using, sharing, or deleting data.
- Data Controller (Administrator): The individual or organization responsible for collecting, managing, and processing personal data. This could be a public authority, company, agency, or entity working alone or with others.
- Privacy Notices: These are disclosures informing individuals about how their data is used. They may be general, such as notices on our website, or specific to certain processing activities.
- Consent: An informed, specific, and unambiguous indication by the individual that they agree to the processing of their data. Consent can be provided through a written or verbal statement or an unambiguous affirmative action.
- Anonymized Data: Personal data that has been altered so the individual can no longer be identified.
- Data Subject: The individual whose personal data is collected, stored, or processed by us. This is the person to whom the data directly relates.
- Data Processor: Any business or individual who handles or processes personal data for us, strictly following our instructions. They might help with data storage, analytics, or customer support but don’t use the data for their purposes.
- Data Retention: This is how long we keep your personal information. We only hold onto data for as long as necessary to fulfill its purpose, whether providing you with a service or meeting legal obligations. Once the data is no longer needed, it’s deleted or anonymized.
- Security Measures: The technical and organisational practices we use to protect your information from unauthorized access or misuse. From secure servers to encryption, we apply industry-standard practices to keep your data safe.
- Rights of Data Subjects: You have certain rights related to your personal information. This includes the right to know what data we have about you, to correct it if it’s wrong, to request its deletion, and to ask us to limit or stop using it in specific ways. We’re here to help you exercise these rights.
- Cross-Border Data Transfer: Your data may be stored or processed in countries other than yours that have different data protection laws. When we do this, we ensure your information stays safe and is handled as securely as it would be within your country.
Section III - Principles of Data Processing
Art. 3 (1) The Controller processes all personal data in accordance with the basic rules set out in Regulation (EU) 2016/679 and the laws of the country in question. These rules govern all actions involving the gathering, use, and safeguarding of personal information on the ticketing platform.
(2) The Controller only processes personal data when there is a good legal reason and in a way that is fair to the Data Subject. The information about how and why data are used is written in a way that is easy to understand. For example, when a customer buys a ticket, the Controller tells them that the information is needed to print the ticket, process the payment, and make sure they can get into the event.
(3) Personal data are collected for defined, clear, and lawful purposes and are not subsequently processed in a manner that contravenes those purposes. For instance, the information you give when you buy a ticket is only used to confirm your order, check your payment, and help you with any problems. It is not used for any other marketing purposes unless you give separate permission.
Art. 4 (1) The Controller makes sure that only the data needed to meet the stated goals is collected and processed. In practice, this means that only the information required for ticket delivery is requested: the person's name, contact information, and delivery address. No extra information, such as medical records or personal preferences, is asked for.
(2) The Controller does what it can to make sure that all stored personal data is accurate and up to date. For instance, if a customer changes their phone number, the old one is replaced so that they don't get notifications that their delivery failed.
(3) Unless the law says otherwise, personal data is only kept as long as it is needed to meet the goals for which it was collected. When the relevant retention period is over, the data are either securely deleted or made anonymous. For instance, data related to completed ticket sales is kept only for accounting and legal purposes and is deleted once the legally required retention period has ended.
Art. 5 (1) The Controller is fully accountable for complying with these principles and can provide evidence of that compliance through some combination of written policies, staff guidance, and technical audit trails. Internal audit reviews are performed periodically to ensure that practices involving data are aligned with legal and ethical obligations.
(2) Consistency in applying these principles will show the Controller's commitment to protecting personal data and nurturing trust with Data Subjects. Every interaction (for example, from ticket purchase to after-sales communication) is intended to respect individual privacy while delivering the highest possible data protection standards.
Section IV - Categories of Personal Data, Purposes and Legal Bases
Art. 6 (1) The Controller will process various types of personal data, each of which will be linked to a specific purpose, a legal basis, and a source. The descriptions below explain how each type of data is used in practice and what measures are in place to protect that usage.
- Identification and Contact Data
Examples: full name, mailing address, email address, telephone number.
Purpose: to fulfill ticket orders, to confirm payment, and to provide receipts.
Legal Basis: Article 6(1)(b) GDPR – performance of a contract.
Source: directly from the Data Subject upon registration or during checkout.
- Payment and Transaction Data
Examples include: method of payment, transaction ID, billing address, and last four digits of the card number (masked).
Purpose: for payment processing, fraud prevention, and fulfilling financial compliance obligations.
Legal basis: Article 6(1)(b) – necessary for the performance of a contract; Article 6(1)(c) – to comply with a legal obligation for accounting and tax purposes.
Source: from the Data Subject and securely transmitted via licensed payment processors.
Mitigation measure: payment data are never stored in plain text, and only vetted processors that adhere to the PCI DSS standard are used.
- Technical and Device Data
Examples include: IP address, browser type, operating system, device identifiers, cookies, and log data.
Purpose: to maintain website security, preserve system integrity, and measure website performance.
Legal basis: Article 6(1)(f) – legitimate interest in securing and optimizing online services.
Source: by automatic collection from the Data Subject's device.
Legitimate interest: such data support fraud prevention and system and performance improvements without identifying individuals beyond what is necessary.
- Marketing and Communication Choices
Examples: newsletter sign-up, notifications for events, agreeing to receive marketing communications, and desired language of communication.
Purpose: to provide marketing information and tailored updates based on your expressed choices.
Legal basis: Article 6(1)(a) - consent.
Source: directly from the Data Subject through the website.
Withdrawal: You can withdraw consent at any time through the unsubscribe link, without impact on how you use the service.
- Customer Support Data
Examples: history of communication, complaints made, content of feedback or suggestion.
Purpose: to answer queries, provide technical support, or resolve disputes.
Legal basis: Article 6(1)(b) - necessary for the performance of a contract; Article 6(1)(f) - legitimate interest in improvements to the customer experience.
Source: directly from the Data Subject through email or chat-related communication.
Balancing Test: the processing is necessary to provide services effectively and to ensure user satisfaction; confidentiality is maintained by limiting access to authorized individuals and limiting the retention of the data.
Section V - Special Categories of Personal Data
Art. 7 (1) The Controller DOES NOT collect or process any special categories of personal data as defined by Article 9 of Regulation (EU) 2016/679, including, without limitation, any data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in a trade union, genetic data, biometric data for uniquely identifying a person, data concerning health or data concerning a person's sex life or sexual orientation.
(2) For the sake of clarity, examples of data falling into special categories include, but are not limited to, medical records, vaccination status, disability diagnoses, results of genetic tests, biometric templates used for identification, and statements regarding religious beliefs. Where processing of such data is required by law, it is subject to stricter legal and technical requirements.
(3) No Collection Principle. The Controller will only request data that is necessary for ticketing, payment, delivery, and customer support. Personal information not required for those purposes, including any of the special categories listed above, is not requested, stored, or used as part of any normal processing activity.
(4) Third-Party Requests and Event Organisers. In the case of an event organiser requesting information to provide special services (e.g., venue accessibility arrangements), the Controller will neither request nor retain detailed sensitive information. Rather, the Controller will require the event organiser to directly obtain any sensitive information necessary from the Data Subject and provide the Controller only confirmation of adequate arrangements without forwarding sensitive, detailed information. At all times, the Controller will, if necessary, only act on limited verifiable information and will not retain sensitive information.
Art. 8 In the event that the Controller processes special category data, such processing will only occur where a specific lawful ground under Article 9(2) GDPR is established (e.g., explicit consent under Art. 9(2)(a) or, where applicable, a substantial public interest reason permitted by relevant law). Any processing will be subject to documented justification or a purpose-limited scope and, at a minimum, will include the following additional safeguards:
- encryption of data at rest and in transit with strong, industry-standard encryption algorithms;
- strict role-based access controls limiting visible data to named, authorized staff only;
- retention period limited to minimal necessity and immediate deletion after expiration or withdrawal of consent; and
- logging and audit trails to record access and processing actions.
Art. 9 (1) Because the Controller does not collect sensitive categories as a matter of routine, no general consent mechanisms are used for such data. If processing on the basis of explicit consent were ever required, the Controller would obtain a separate, documented consent that is specific, unambiguous, and freely given, and would record who consented, when, and for what exact purpose.
(2) Data Subjects are informed that they may contact the Controller to confirm whether any sensitive data is held, to request erasure where applicable, and to exercise all other rights under applicable data protection law. Contact details and instructions for such requests are set out elsewhere in this Policy.
(3) By design, the Controller’s ticketing operations avoid the collection and retention of sensitive personal data. This approach reduces privacy risk for Data Subjects and supports straightforward compliance with the requirements of Article 9 GDPR.
Art. 10 (1) The Controller does not engage in any automation that makes decisions producing legal consequences for the Data Subject or that otherwise significantly affects the Data Subject, as outlined in Article 22 of Regulation (EU) 2016/679.
(2) No binding algorithmic decisions are made without human involvement, such as determining event access, approving payments, or setting ticket prices. Each transaction and order confirmation undergoes a quality assurance process conducted by authorized personnel or by integrated systems that implement fixed, non-discriminatory rules.
Art. 11 (1) The Controller may use limited automated processing for profiling in connection with service provision. This includes remembering preferred categories of events, promoting similar concerts, or suggesting event venues based on prior purchases. Such processing is limited to enhancing the user experience and has no implications for legal standing or contract status.
(2) The underlying logic of these automated recommendations is simple: data are evaluated based on basic purchasing history or browsing behaviors, and relevant offerings are provided to the user for their discretion. No special categories of data are engaged, and the recommendations are voluntary.
(3) The legal basis for this type of profiling is Article 6(1)(f) GDPR — the Controller’s legitimate interest in presenting relevant content to users. The potential impact on Data Subjects is minimal because the system’s actions do not affect prices, availability, or rights. Data Subjects can ignore or opt out of such recommendations at any time through privacy settings or by contacting the Controller.
(4) To maintain fairness, the Controller conducts internal audits of these automated systems to ensure that they do not result in unfairness or bias. The profiling logic will not rely on information such as gender, national origin, religion, or other safeguarded categories. The data used for these functions will be pseudonymised wherever possible and will be segregated under strict access controls.
(5) The Data Subject has the right to object to the use of profiling for marketing or recommendations. Upon objection, the Controller will immediately disable the related automated processing for that Data Subject and will confirm without delay that it has been turned off.
(6) At present, the Controller confirms that none of the automated functions within its ticketing operations produce effects that fall under Article 22 GDPR. All automated features serve solely for convenience and service improvement and remain under human oversight.
Section VI - Retention Periods
Art. 12 (1) The Controller establishes the duration for which each category of personal data is retained based on the characteristics of the information and the purpose of its collection. The retention period adheres to any legal or contractual obligations, as applicable. The broad principle is that data are only stored while there is a legitimate and clear purpose.
(2) In practice, personal data for ticket sales, payment transactions, and customer interactions is assessed under a defined retention schedule. Each category will either have an established maximum retention period or, if not feasible, objective criteria for data deletion or anonymization.
(3) The Controller applies these retention periods uniformly but does allow for variation if contractual terms, laws, or legitimate interests require that data be retained for longer or shorter periods.
Art. 13 (1) Identifying and contact information, including name, address, and email, will be retained for a period of five years from the date of purchase fulfilment. This period is reflective of the applicable limitation period for the majority of contractual claims, and for the continued provision of customer support for any post-purchase questions or requests for refunds.
(2) Payment and invoicing information is kept for seven years, consistent with national accounting laws. Payment data may include masked card references and transaction identifiers. After seven years, the data will be deleted from both active systems and secure archives.
(3) Ticketing records, including order confirmations, event details, and delivery tracking, are retained for five years after the end of the event. This ensures that the Controller is able to verify attendance or respond to possible disputes later.
Art. 14 (1) Marketing and communication preferences will be retained on the basis of consent until the Data Subject withdraws consent or after three years of inactivity. As soon as consent is withdrawn, the Controller will cease sending promotional material and retain only an anonymised record of the Data Subject on a suppression list to ensure the Data Subject is not contacted again.
(2) Analytical identifiers and technical logs are subject to much shorter retention. Session cookies expire once the browser closes, while persistent cookies and analytics identifiers last no longer than twenty-four months. Server logs are deleted after ninety days unless an investigation requires their preservation.
(3) Customer communications will be saved for a period of three years after the case is closed to carry out quality checks and show that there was appropriate handling of the request.
Art. 15 (1) Upon expiration of the retention period, the Controller will either delete the data permanently or turn it into de-identified data that cannot practically be traced back to a Data Subject. Wherever possible, deletion is automated; deletions in archived systems are verified manually.
(2) Under limited circumstances, data that is not yet eligible for deletion because of tax audit or other legal requirements may be transferred to encrypted archived storage with limited access for as long as the legal requirement exists. Once the legal requirement no longer applies, the archived data will be deleted without delay.
(3) To ensure accountability, details of all deletion and anonymisation procedures are logged and reviewed as part of the internal audit process.
(4) Aggregated data that has already been de-identified can be retained indefinitely, as the data will no longer meet the definition of personal data and cannot affect the privacy of data subjects.
Art. 16 (1) Should a Data Subject request deletion before the standard retention period has ended, the Controller will assess whether legal reasons prevent immediate deletion. If immediate deletion is not possible, the Controller will restrict access to the data, which will remain locked until deletion is permitted by law.
(2) In addition, if a Data Subject is requesting deletion of their data, they may request that a copy of their data be provided in a structured format, contingent upon the conditions for data portability being met.
(3) All requests for deletion or access will be internally recorded by the Controller to demonstrate compliance as well as prevent the reprocessing of the deleted data.
Art. 17 (1) Backup systems, which may also contain personal data, are retained solely to assist in the restoration of data in the event of a technical failure or cyber incident. Any backups are encrypted and are housed independently of operational databases. The retention period for a backup copy of the file is typically six months, and the file will automatically be overwritten at that time.
(2) If legal proceedings or official investigations arise, the Controller may suspend deletion of the records relevant to the case for as long as necessary to fulfil an obligation or defend a claim.
(3) Once the matter is resolved, the suspended records will be deleted according to the scheduled time-frame, and a record of the reason for the hold will be retained.
Art. 18 (1) Retention periods are variable. The Controller will review retention periods whenever the law is modified or when business processes are altered. If shorter periods satisfy the lawful and operational purposes of storage, the retention schedule will then be amended.
(2) Records of these reviews will document the rationale for each retention period and any modifications, in line with the Controller's documentation obligations under Article 5(2) GDPR.
(3) This framework allows the Controller to demonstrate that personal data are not held longer than required, that the related documentation is handled transparently, and that deletion is recorded and verifiable.
Section VII - Rights of Data Subjects
Art. 19 (1) Every Data Subject has a set of rights under Regulation (EU) 2016/679 designed to protect personal information and to give individuals control over how their data is used. These rights can be exercised easily and without charge. The Controller responds to all valid requests within one month of receipt. In complex cases or when many requests are received at the same time, this period may be extended by up to two additional months, and the Data Subject will be informed of the reason for the delay.
(2) The Controller takes seriously its obligation to facilitate the exercise of these rights. Multiple accessible channels have been established for submitting requests, and reasonable verification procedures are in place to confirm the identity of the requester before releasing personal information or making changes to records.
(3) Exercising any of the rights described below does not affect access to the core ticket purchasing services provided through the Platform. The Controller will never penalize or discriminate against individuals who choose to exercise their legal rights.
Art. 20 (1) The Data Subject has the right to obtain confirmation from the Controller as to whether personal data concerning them are being processed. This right allows individuals to know if their information is held and used by the Controller.
(2) Where personal data are being processed, the Data Subject has the right to access those data and to receive information about:
- The purposes for which the data are being processed;
- The categories of personal data involved;
- The recipients or categories of recipients to whom the data have been or will be disclosed;
- The expected period for which the data will be stored, or the criteria used to determine that period;
- The existence of other rights such as rectification, erasure, restriction, or objection;
- The right to lodge a complaint with the Commission for Personal Data Protection;
- Where the data were not collected directly from the Data Subject, any available information about their source;
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved.
(3) A copy of the personal data undergoing processing will be provided free of charge. For any additional copies requested by the same Data Subject, the Controller may charge a reasonable fee based on administrative costs.
(4) The Controller may request additional information to verify the identity of the requester, particularly when the request is submitted from an email address that is not on record. This verification step protects against unauthorized disclosure of personal data to third parties.
Art. 21 (1) The Data Subject has the right to obtain from the Controller the rectification of inaccurate personal data without undue delay. This right ensures that records remain accurate and up to date.
(2) The Controller will communicate any rectification to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Upon request, the Data Subject will be informed about those recipients.
Art. 22 (1) The Data Subject has the right to obtain from the Controller the erasure of personal data without undue delay. This right is sometimes referred to as "the right to be forgotten." The Controller is obliged to erase personal data when one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- The Data Subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
- The Data Subject objects to processing based on legitimate interests, and there are no overriding legitimate grounds for the processing;
- The Data Subject objects to processing for direct marketing purposes;
- The personal data have been unlawfully processed;
- The personal data must be erased for compliance with a legal obligation under Austrian or European Union law.
(2) The right to erasure does not apply to the extent that processing is necessary for:
- Compliance with a legal obligation which requires processing under EU or Austrian law;
- The establishment, exercise, or defense of legal claims;
- Archiving purposes in the public interest, scientific or historical research, or statistical purposes, where erasure would likely render impossible or seriously impair the achievement of those objectives.
(3) Before processing an erasure request, the Controller may ask the Data Subject to confirm their identity and the scope of the deletion to prevent accidental or fraudulent erasure of data belonging to others.
(4) Following a successful erasure, the Controller will notify the Data Subject in writing that the requested data have been deleted, and will inform any third parties to whom the data were disclosed, unless such notification is impossible or requires disproportionate effort.
Art. 23 (1) The Data Subject has the right to obtain from the Controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the data;
- The processing is unlawful and the Data Subject opposes the erasure of the data and requests the restriction of their use instead;
- The Controller no longer needs the personal data for the purposes of processing, but they are required by the Data Subject for the establishment, exercise, or defense of legal claims;
- The Data Subject has objected to processing based on legitimate interests pending verification as to whether the Controller's legitimate grounds override those of the Data Subject.
(2) Where processing has been restricted under paragraph (1), such personal data shall, except for storage, only be processed with the Data Subject's consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest.
Art. 24 (1) The Data Subject has the right to receive personal data concerning them, which they have provided to the Controller, in a structured, commonly used, and machine-readable format. Furthermore, the Data Subject has the right to transmit those data to another controller without hindrance from the Controller, where:
- The processing is based on consent or on a contract; and
- The processing is carried out by automated means.
(2) In exercising the right to data portability, the Data Subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
(3) The data provided under this right include only personal data that the Data Subject has actively provided or that have been observed through the use of the service. The right does not extend to derived or inferred data created by the Controller through analysis or algorithms.
(4) The following formats are typically used for data portability:
- CSV (Comma-Separated Values) for tabular data such as purchase history;
- JSON (JavaScript Object Notation) for structured data that can be easily imported into other systems;
- XML (Extensible Markup Language) where specifically requested;
- PDF format may be offered as a human-readable supplement, though it is not considered machine-readable for portability purposes.
(5) The Controller will provide the requested data within one month of receiving the request. For large datasets or complex extraction processes, this period may be extended by two additional months, with prior notification to the Data Subject.
Art. 25 (1) The Data Subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data based on legitimate interests or the performance of a task carried out in the public interest. The Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject, or for the establishment, exercise, or defense of legal claims.
(2) Where personal data are processed for direct marketing purposes, the Data Subject has the right to object at any time to processing of personal data concerning them for such marketing. This right is absolute, and the Controller must cease processing for these purposes immediately upon receiving an objection.
(3) For objections to processing based on legitimate interests, the Controller will assess the request within one month and inform the Data Subject of the outcome. If the objection is upheld, processing will cease. If compelling legitimate grounds exist that override the objection, the Controller will explain these grounds in detail.
(4) When data are collected from the Data Subject directly, the right to object shall be explicitly brought to their attention at the latest at the time of the first communication, and shall be presented clearly and separately from other information.
Art. 26 (1) The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right protects individuals from potentially harmful decisions made without human intervention.
(2) The prohibition in paragraph (1) does not apply if the decision:
- Is necessary for entering into, or performance of, a contract between the Data Subject and the Controller;
- Is authorized by Union or Member State law to which the Controller is subject and which lays down suitable measures to safeguard the Data Subject's rights and freedoms;
- Is based on the Data Subject's explicit consent.
(3) In cases where automated decision-making is used based on explicit consent or contractual necessity, the Controller shall implement suitable measures to safeguard the Data Subject's rights, including at least the right to obtain human intervention, to express their point of view, and to contest the decision.
Art. 27 (1) Where processing is based on consent, the Data Subject has the right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
(2) It shall be as easy to withdraw consent as it is to give consent. This principle ensures that individuals are not discouraged from exercising control over their data through burdensome procedures.
(3) The Controller processes withdrawal requests immediately upon receipt. For email marketing, unsubscribe requests are typically processed within 48 hours. For other types of consent withdrawal, processing ceases within five business days.
(4) After consent is withdrawn, the Controller will:
- Immediately stop the processing activity that was based on that consent;
- Send confirmation to the Data Subject that the withdrawal has been processed;
- Continue to process data only if another legal basis applies (such as contractual necessity or legal obligation);
- Delete data that were collected solely based on the withdrawn consent, unless retention is required by law.
(5) Withdrawing consent does not affect access to core services provided by the Platform. For instance, withdrawing consent to marketing emails does not prevent the Data Subject from purchasing tickets or receiving transactional communications necessary for order fulfillment.
Art. 28 (1) All rights described in this Section are exercisable free of charge. The Controller does not impose any fees for processing legitimate requests to access, rectify, erase, restrict, port, or object to the processing of personal data.
(2) However, if requests from a Data Subject are manifestly unfounded or excessive, particularly because of their repetitive character, the Controller may either:
- Charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or
- Refuse to act on the request.
(3) The Controller bears the burden of demonstrating that any request is manifestly unfounded or excessive.
(4) The Controller may request additional information necessary to confirm the identity of the Data Subject making the request. This measure protects personal data from being disclosed to unauthorized persons and ensures that changes are made only by the legitimate Data Subject.
Art. 29 (1) If a request is refused, the Controller will inform the Data Subject of the reasons for the refusal and of the possibility of lodging a complaint with the Commission for Personal Data Protection and seeking judicial remedy.
(2) The Controller provides clear explanations for any limitations or refusals, citing the specific legal provisions that apply. Transparency in such situations maintains trust even when a request cannot be fully granted.
Art. 30 (1) The Controller has established internal procedures to track all Data Subject rights requests, ensuring timely responses and proper documentation. These procedures include:
- A dedicated mailbox (office@light-of-creation.com) monitored daily;
- A ticketing system that assigns each request a unique reference number;
- Automated acknowledgment sent to the Data Subject within 48 hours of receipt;
- Regular training for staff who handle rights requests to ensure consistent and lawful treatment;
- Escalation protocols for complex cases or disputes.
(2) The Controller maintains records of all rights requests and responses for a period of three years for accountability purposes and to demonstrate compliance with data protection obligations.
Section VIII - Data Recipients and Disclosure to Third Parties
Art. 31 (1) The Controller shall only make personal data available to third parties where those third parties require that information to accomplish the purposes of processing summarized in Section IV, and where there is a legal basis for such disclosure. The Controller warrants that all recipients of personal data are qualified Data Processors and provide sufficient assurances that they have put in place appropriate technical and organizational measures to protect that personal data.
(2) Relationships with Data Processors shall be formalized by written arrangements (Data Processing Agreements) that obligate recipients to comply with Regulation (EU) 2016/679, and process only information as documented by the Controller.
(3) At this time, the Controller does not engage in any joint controller arrangements under Article 26 of the GDPR. If a joint controller arrangement is contemplated in the future, this Policy will be updated to provide the identity and contact information of the joint controllers, the key allocation of responsibilities under Article 26, and which joint controller can be contacted to exercise rights.
Art. 32 (1) The following types of recipients will process personal data on behalf of the Controller in order to fulfill the contract according to Article 6(1)(b) of the GDPR.
- Payment processing service providers: These recipients will receive data needed to process and authenticate financial transactions made when purchasing tickets. The data given will typically be: the Data Subject's name and email address, the amount of the transaction and the details of the payment method used. Payment processors will be acting as independent data controllers for payment processing and fraud prevention purposes under their own legal obligations in connection with informed consent. The Controller does not keep complete payment card details; these will be collected and processed directly by PCI-certified payment service providers, following their own confidentiality agreements with customers.
- Hosting and IT infrastructure providers: Technical services providers host the servers and databases of the Platform, ensuring ongoing availability and performance of the system. These providers will have access to all categories of data stored on the Platform; this includes, but is not limited to, contact details, purchase history, and technical data, such as IP addresses and session logs. These providers will act as Data Processors, following the Controller's instructions, under contract to undertake industry standard measures to protect data, including, but not limited to, encryption, access controls, and regular security audits.
(2) The Controller conducts regular assessments of all processor agreements to ensure their ongoing compliance with data protection obligations and adequate safeguards.
Art. 33 (1) The following recipients carry out processing of personal data for the purpose of assisting the Controller in complying with legal obligations, in accordance with Article 6(1)(c) of the GDPR:
- Providers of accounting and bookkeeping services: External accounting firms receive personal data contained in invoices and transaction records, which includes names, addresses, and information regarding the financial details of the Controller. This processing is necessary for the Controller to comply with its legal obligations under Austrian tax and accounting law, which stipulates that financial records must be kept for defined periods. Accounting providers act in the capacity of Data Processors and do so subject to professional confidentiality duties alongside the data protection compliance requirements imposed by contract.
- Providers of legal advisory services: Law firms or legal consultants may receive personal data, including names, contact details, correspondence, and transaction activity, when the Controller requires legal advice regarding its legal compliance, a contractual dispute, or the establishment, exercise, or defense of a legal claim. Legal advisors are under obligations of professional secrecy and are therefore only permitted to process data based on the documented instructions of the Controller.
- State authorities and regulatory bodies: The Controller will disclose personal data to state authorities, including the Commission for Personal Data Protection, the National Revenue Agency, or the courts, only to the extent required under applicable law and procedure. Disclosure occurs within the confines of applicable law and only as necessary for the public body to exercise its lawful powers.
Art. 34 (1) The following recipients are connected to the Controller's legitimate interests, under Article 6(1)(f) of the GDPR:
- Providers of Customer Relationship Management (CRM) platforms: Some software companies provide CRM solutions through which they have access to limited information (contact details, purchase history, and records of interactions with customers) in order to manage customer relationships more efficiently, ensure orders are fulfilled correctly, and keep customer information organized at an organizational level. The legitimate interests relate to maintaining organized customer records and providing responsive service efficiently. The CRM service companies act as Data Processors with limited access rights and are prohibited from using personal data for their own purposes.
- Analytics and performance monitoring services: The Controller uses analytics tools to monitor how the Platform is utilized and to identify any technical issues or difficulties for potential enhancements. These analytics tools collect technical data including IP addresses, browser types, page views, and user journeys. The Controller's legitimate interest is to ensure the Platform operates properly, is secure, and provides an optimal experience for users. These service providers act as Data Processors and process the data in pseudonymized form wherever feasible.
(2) In relation to all processing of Data Subjects' personal data based on legitimate interests, the Controller has performed a balancing test and determined that the Controller's interests do not override the interests and fundamental rights and freedoms of Data Subjects. There are safeguards in place such as contractual obligations, technical limitations on data exposure, and clearly notifying Data Subjects about the processing of their data related to these interests.
Art. 35 (1) The following recipients are able to process personal data based on a Data Subject's explicit consent, pursuant to Article 6(1)(a) of the GDPR:
- Marketing and email communications platforms: When a Data Subject consents to receiving a newsletter, promotional offer, or event notice, their email address and name will be shared with a designated email marketing and communications provider. The role of this provider is the sending, tracking, and management of marketing communications. Consent can be withdrawn at any time through the unsubscribe link in each marketing email that is sent, and doing so results in an immediate cessation of data sharing for marketing communication purposes without any further step on the Data Subject's part.
(2) No data is shared with marketing or advertising partners, or third parties, without prior explicit consent. The Controller does not sell or rent personal data to third parties for use in independent marketing or advertising.
Art. 36 (1) All Data Processors and recipients are obliged to the Controller by contract to:
- Process personal data only on documented instructions from the Controller;
- Have persons authorized to process personal data bound by confidentiality;
- Implement the requisite technical and organizational security measures;
- Assist the Controller with responses to Data Subject rights requests;
- Upon completion of the services, delete or return all personal data, unless a retention requirement exists;
- Make available to the Controller and its designated auditors all information reasonably necessary to demonstrate compliance and audit;
- Promptly notify the Controller of any security or data breach incidents, etc.
(2) The Controller performs a due diligence assessment of each prospective Data Processor prior to engaging the Data Processor, reviewing their technical capabilities, established security and privacy practices and procedures, compliance track-record, and contract terms.
Art. 37 (1) Data Subjects have the right to request information regarding the specific recipients to whom their personal data has been disclosed. The Data Controller will respond to these requests in accordance with the right of access proceedings set out in Section VIII.
(2) If the recipient is located outside of the European Economic Area, additional safeguards apply. See Section IX regarding international transfers.
Section IX - International Transfers
Art. 38 (1) The Controller seeks to process personal data only within the territory of the European Union and the European Economic Area, which provide a uniform level of data protection under Regulation (EU) 2016/679. This approach reduces some of the risks of cross-border data flows and provides a more consistent arrangement.
(2) Nevertheless, some technical service providers used by the Controller have facilities or operations in countries outside of the EEA. When transfers do occur, the Controller puts in place guarantees not to undermine the level of data protection and enforcement of Data Subjects' rights.
(3) Transfers to third countries are only carried out based upon one of the legal avenues defined in Chapter V of the GDPR and following consideration of the legal regime and practical implementations in the receiving country.
Art. 39 (1) The following third countries or regions may receive personal data related to the services described in this Policy:
- United States of America: Some of the software platforms, cloud infrastructure, and hosting providers used by the Controller have their servers or facilities for processing personal data located in the USA. The data that may be transferred to the USA includes contact information, purchase history, technical logs, and user-generated content the cloud-hosted platforms require to function for the user.
- United Kingdom: Following its exit from the European Union, transfers to the UK are now governed by the European Commission's adequacy decision, which confirms the UK provides a sufficient level of data protection. A UK-based service provider may process communications pertaining to customer support and technical data.
- Other jurisdictions: If the Controller retains other service providers in additional third countries or jurisdictions, this Policy will be amended as necessary to identify the new transfer locations and the mechanisms and safeguards employed.
(2) The countries listed above may change as the Controller assesses and selects service providers. Data Subjects will be notified of substantive changes that affect international transfers through updates to this Policy.
Art. 40 (1) In the case of transfers to countries without an adequacy decision from the European Commission, the Controller relies on the following legal mechanisms:
- Standard Contractual Clauses (SCCs): The Controller has adopted the European Commission's Standard Contractual Clauses of June 4, 2021 (Commission Implementing Decision 2021/914) with all Data Processors located in third countries. Standard Contractual Clauses (SCCs) are legally binding contracts that obligate the recipient of the personal data to protect such data in accordance with European law and provide enforceable rights to Data Subjects.
(2) The Controller also applies technical, organizational and/or contractual supplementary measures to respond to the risks identified in the Transfer Impact Assessments, and in particular to the considerations that the Court of Justice imposed in Schrems II (Case C-311/18).
(3) The Controller does not rely on mechanisms that have been declared invalid or are no longer adequate, such as the EU-U.S. Privacy Shield framework.
Art. 41 (1) Before transferring to any third country, the Controller uses the Transfer Impact Assessment process to examine the legal framework of the receiving country and to determine whether there is adequate protection in practice. The assessment considers:
- The legislation regulating access by public authorities, intelligence services and law enforcement to personal data transferred to that country;
- The extent of effective legal remedies for Data Subjects in case of unlawful access or processing;
- The practical application and enforcement of such laws based on documented cases, reports from supervisory authorities and reports from independent experts;
- The effectiveness of contractual and technical measures to prevent or mitigate unauthorized access by governmental authorities.
(2) In relation to transfers to the United States, the Controller has specifically assessed the consequences of the US surveillance laws, including Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, in determining that the supplementary measures are sufficient to provide essentially equivalent protection.
(3) The Controller will review and update the Transfer Impact Assessments no less than twice per year, or immediately when any legislation is enacted in the destination country that may have an impact on data protection guarantees. Documentation of the assessments shall be maintained for record purposes and be made available to the supervisory authority at that authority's request.
Section XI - Security Measures
Art. 42 (1) The Controller adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk, with safeguards against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
(2) The security approach is to constantly appraise risks to the rights and freedoms of Data Subjects, considering the nature, scope, context, and purpose of processing as well as the likelihood and severity of potential risks.
(3) On a regular basis, the security measures will be reconsidered, and improved where necessary, taking account of technological development, new threats, and lessons learned from security incidents within the sector. Further, the Controller will commit adequate resources to maintain and enhance its data protection capabilities.
Art. 43 (1) The Controller applies the following technical security measures:
- Encryption: All data transmitted between Data Subjects' devices and the Platform are protected through SSL/TLS protocols, ensuring secure communication channels. Sensitive personal data stored in databases are encrypted using industry-standard algorithms so that they remain unintelligible to unauthorized parties.
- Access controls: Access to personal data is limited by personal user credentials (usernames and strong passwords). Authentication processes are in place to confirm the identity of individuals attempting to access systems containing personal data. Access is granted on the principle of least privilege, meaning that employees are given access only to the data they need to perform their job functions.
- System integrity and availability: The Controller uses firewalls, intrusion detection systems, and anti-malware software to protect against external attacks and unauthorized access. Software updates and security patches for known vulnerabilities are applied in a timely manner.
- Back-up and recovery: Regular automated back-up procedures are performed to ensure that personal data can be restored in a timely manner in the event of system failure, data corruption, or security attacks.
Art. 44 (1) The Controller has established the following organizational security measures:
- Access minimization: Staff are granted access only to the personal data necessary to carry out their job functions. For example, customer service staff may see contact information and order history to the extent needed to manage the customer's requirements; they do not have access to financial systems or to full payment information.
- Training and awareness: All staff who access personal data are provided with training on the GDPR and on the organization's data protection policies and procedures, including security procedures and their responsibilities as employees of the organization. This training is provided on an annual basis and is updated whenever there is a significant change in processes or legislation. New employees receive data protection training upon being hired and prior to accessing any system that contains personal data.
- Confidentiality: Every employee, contractor, or service provider with access to personal information must sign a confidentiality agreement that prohibits any other disclosure or use of that information. These confidentiality obligations continue beyond the employment or contractual relationship with the organization.
Art. 45 (1) Security testing and evaluation methods include:
- Regular internal audits to ensure conformance to security policies and identify potential weaknesses in processes or systems;
- Periodic penetration tests performed by qualified professionals to simulate attack scenarios and evaluate whether defensive measures are effective;
- Vulnerability scanning to uncover technical vulnerabilities in software and infrastructure that could be exploited by malicious actors;
- Reviewing access logs and system activity to identify patterns of unusual activity that may indicate security incidents or policy violations.
(2) The results from security evaluation are analyzed promptly and corrective actions are prioritized according to risk severity. The Controller monitors remediation activities and tracks efforts to mitigate vulnerabilities within an appropriate time frame.
Section XII - Security breaches
Art. 46 (1) The Controller has designated procedures for detection, reporting, and responding to personal data breaches. The procedures ensure that breaches are contained quickly, the impact is assessed properly, and where required, notifications are made to the supervisory authority and to affected Data Subjects.
(2) In the case of a data breach, the Controller considers whether the breach is likely to result in a risk to the rights and freedoms of individuals.
(3) If the breach is likely to result in a risk to individuals' rights and freedoms, the Controller shall notify the Commission for Personal Data Protection within 72 hours of becoming aware of the breach. If the notification cannot be made within 72 hours, the Controller will submit an explanation for the delay in reporting the breach.
(4) If the breach is likely to result in a high risk to an individual's rights and freedoms, the Controller shall notify the impacted Data Subjects without undue delay, usually within the timeframe of 48 to 72 hours. The notification to Data Subjects will include:
- A clear description of the nature of the breach and when it occurred;
- The categories and approximate number of Data Subjects and data records affected;
- The likely consequences of the breach;
- The measures taken or proposed by the Controller to address the breach and mitigate its effects.
(5) The Controller maintains a register of all data breaches, documenting the facts, effects, and remedial actions taken. This register is available for inspection by the supervisory authority and serves as part of the accountability documentation.
Section XIII - Cookies and Tracking Technologies
Art. 49 (1) The Controller uses cookies and other similar tracking technologies to improve the experience when users visit the Platform, analyze visitor usage, and customize the content displayed to individuals. Cookies are small text files placed on the Data Subject's device while navigating the website, allowing the Platform to recognize the device when the Data Subject returns to the site and to remember user-selected functional or design options.
(2) Other tracking technologies that may identify the individual browser or device include tracking pixels, local storage objects, and other digital markers with a similar purpose to cookies.
(3) A full and regularly updated register of every tracking tool used is published, including information about its provider, lifespan, and the specific purposes for which it is used. Each cookie, including its name, category, expiration date, and the specific data collected, is also listed in the Cookie Policy.
Art. 50 (1) Before Data Subjects use the functionalities of the Platform, a cookie consent banner appears advising Data Subjects of the use of various types of tracking technologies and informing them that they have the option to consent, or refuse consent, to all tracking technologies that are not strictly necessary.
(2) Data Subjects can choose from the following consent options:
- "Accept All" means consent to use all cookie categories;
- "Reject All" or "Essential Only" means refuse all tracking technologies except those strictly necessary for the basic operation of the Platform; or
- "Customize Preferences" directs to a preference center, allowing more granular selection by category.
(3) Consent for cookie use provided by Data Subjects is valid for a period of 12 months, after which the Data Subject will be prompted to renew their preferences upon returning to the Platform.
(4) Data Subjects can change their cookie preferences at any time through:
- Cookie Preference Center by accessing a link that states "Cookie Settings" or similar, which appears clearly on every page of the Platform;
- Browser settings on their device, which allow the total deactivation or deletion of cookies, although this may affect functionality of websites.
Art. 52 (1) The Controller is authorized to use third-party service providers that may deploy their own cookies and/or similar tracking mechanisms on the Platform. These third parties may include service providers that offer analytics, advertising networks, and social media applications that permit content sharing or integrations.
(2) Where data has been transmitted outside the European Economic Area via these channels, the Controller implements legal mechanisms and additional safeguards for such transfers, as described in Section IX of this Policy.
(3) Links to the privacy policies of leading third-party cookie providers are available as part of the Cookie Preference Center as well as the comprehensive Cookie Policy, allowing Data Subjects to familiarize themselves with how those outside parties handle information collected through their respective technologies.
Section XIV - Updates to the Privacy Policy
Art. 53 (1) The Controller retains the option to amend or modify this Privacy Policy unilaterally where necessary due to amendments in applicable laws, the adoption of a new technology or service, enhancements to privacy-preserving practices, or changes in the way it processes personal data.
(2) The purpose of modifying the Policy is to ensure that the Controller's activities remain compliant with Regulation (EU) 2016/679 as well as applicable national data protection legislation. Each Policy version shall cite an effective date, located at the end of the Policy.
Art. 54 (1) The Controller shall take appropriate action to notify Data Subjects of material changes to this Privacy Policy. Material changes are changes that would or may affect Data Subjects' rights, changes in the purposes or lawful bases for processing, changes in the categories of data, the addition of recipients, and/or changes to retention periods.
(2) Each time a material change is made, the Controller notifies Data Subjects via:
- An email sent to the registered email address stating that the individual is being contacted because the Privacy Policy has undergone a material change. The subject line of the email provides notice of this change.
- A banner notification in a conspicuous location on the Platform homepage.
(3) In cases where changes require new consent before processing any activity (including where new purposes for marketing are added or profiling occurs which has not previously been disclosed), the Controller will specifically request new consent from Data Subjects by way of a clear opt-in mechanism. Processing for such purposes will only take place following affirmative consent.
Art. 55 (1) Changes will come into effect on the date the changes are published by the Platform, unless a later effective date is stated in the changes.
(2) Continuing to use the Platform after being notified there have been changes is deemed acceptance of the changes, unless new consent is expressly required for any specific processing activity.
(3) Data Subjects who do not agree with material changes may object to the new processing activity, withdraw consent, request deletion of their data, and/or discontinue use of the Platform's services.
Section XV - Final Provisions
Art. 56 (1) This Privacy Policy takes effect on 27.10.2025 and replaces all previous versions.
(2) This Policy, in conjunction with the Terms and Conditions of the Platform, is considered part of the Terms and Conditions of the Platform. In the event of a conflict between the terms of this Policy and Terms and Conditions regarding the protection of personal data, the terms in this Policy will govern.
(3) This Policy applies to any personal data obtained and processed by the Platform, irrespective of whether it was obtained and processed prior to or after the effective date of this Policy.
Art. 57 (1) This document is governed by the legislation of Bulgaria and applicable European Union law, specifically Regulation (EU) 2016/679.
(2) Any disputes arising from this Policy will be handled through negotiations between the parties. Where negotiations do not result in an agreement, all disputes will be submitted to the competent Austrian court having jurisdiction over the Controller's registered office.
(3) If any provision of this Policy is found invalid or unenforceable by a competent court or authority, that decision will not impact the validity or applicability of the other provisions. The invalid or unenforceable provision will be replaced by a valid or enforceable provision that most closely achieves the purpose of this Policy with respect to the original provision.
Art. 58 (1) In interpreting the provisions of this Policy, attention will be given to the purpose of the provision, the ordinary meaning of the words and expressions used, and the context of all provisions of this Policy.
(2) The Controller is committed to a high standard of the protection of personal data and a continuing enhancement of practices and processes aligned with best standards in the field of data protection. Regular reviews are conducted to ensure that technical and organizational measures are sufficiently effective and proportionate in relation to the risks identified.
(3) The Controller welcomes feedback from Data Subjects in relation to this Policy and data protection practices. Questions, concerns or suggestions can be submitted to the email address of the Controller and will be responded to promptly and openly.