anyseats.

Privacy Policy

Last updated: 29 May 2026

Anyseats Ltd (“Anyseats”, “we”, “us”) is the data controller for personal information collected through anyseats.net. This policy explains what we collect, why we collect it, how we use and protect it, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies whether you browse the marketplace, register an account, place an order, subscribe to editorial updates, or contact our support team.

We have written this policy to be readable. Where a technical term is unavoidable we explain it on first use. If anything is unclear, email [email protected] and we will answer in plain English within five business days.

1. Who we are

Anyseats Ltd is a company registered in England and Wales. Our registered office is at [Company address — to be confirmed]. We can be reached for any privacy-related matter at [email protected] or by post to the address above, marked for the attention of the Data Protection contact. Where a UK data-protection complaint is escalated beyond us, the supervisory authority is the Information Commissioner's Office (ICO) at ico.org.uk.

1a. Scope and definitions

This policy covers personal data we control as the data controller — the entity that decides how and why data is processed. Where we use third-party processors (payment providers, cloud hosts, courier services, customer-support platforms) we remain the controller, and the processor handles your data on our instructions under a data-processing agreement. Where you interact with a third-party site that operates independently — for example, clicking through to an external fixture aggregator — that operator is the controller and their policy applies.

“Personal data” means any information that identifies you or could reasonably be combined to identify you. Aggregated and anonymised data — for example, a count of orders placed for a fixture, with no individual identifiers — is not personal data once the anonymisation is irreversible, and we may use it for analytics, reporting and product improvement without restriction.

2. The personal data we collect

We collect personal data in four broad categories, each tied to a clear purpose:

  • Identity and contact data. Your full name, billing address, delivery address, email address and telephone number. We collect these when you register an account or complete a checkout. For mobile-entry transfers we may capture a second “ticket recipient” email or phone number specifically to route the credential to the person attending.
  • Transactional and payment data. The amount and currency of your order, the event and seats purchased, and a tokenised reference to the card used. Full card numbers are never stored on our systems — they are tokenised by our PCI-DSS compliant payment providers (Stripe, Adyen and equivalent) and returned to us only as a reference safe to retain.
  • Verification data. For higher-risk transactions, or where the ticket issuer requires identity matching at the gate, we may request a photograph of a government-issued ID and a partial view of the payment card. These documents are reviewed by our fraud team and stored encrypted, with access restricted to verification staff, for the period required by anti-money-laundering and chargeback obligations.
  • Technical and usage data. Your IP address, device type, browser, referring URL, session timing, the pages you visit on the marketplace, and basic interaction events (search terms, filters applied, listings viewed). This data is captured server-side and through first-party cookies described in section 7.

We do not knowingly collect personal data from children under 16. If you believe a minor has submitted personal data to us, contact [email protected] and we will remove it.

3. How we use your data — and our lawful basis

Under UK GDPR every use of personal data requires a lawful basis. The principal bases on which we rely are:

  • Performance of a contract. Most processing connected to an order — payment, seller routing, ticket delivery, identity matching, refund handling — is necessary to perform the contract you entered into when you completed checkout.
  • Legitimate interests. Fraud prevention, account-security monitoring, internal analytics that improve the marketplace, and direct marketing to existing customers about equivalent products. We balance these interests against your rights and stop processing on request where the balance shifts.
  • Consent. Optional cookies (analytics and advertising), email newsletters to non-customers, and any processing that goes beyond what is strictly necessary to deliver the service. You can withdraw consent at any time without affecting prior lawful processing.
  • Legal obligation. Tax, accounting, anti-money-laundering and consumer-protection record-keeping requirements that compel us to retain certain order-related data for defined periods regardless of your request to delete.

4. Who we share your data with

We share personal data only with parties that need it to deliver the service you have asked for, or to operate the business lawfully. The principal recipients are:

  • Verified sellers in our network. The seller fulfilling your order receives the ticket-recipient name and contact details needed to route the credential — and, where the ticket issuer requires it, the matched buyer name. They do not receive your payment data.
  • Payment providers. Stripe, Adyen and equivalent processors receive the transaction data necessary to authorise and settle payment, subject to their own published privacy notices.
  • Courier and delivery partners. Where a physical ticket or membership card is shipped, the courier receives the delivery name, address and tracking-status updates.
  • Cloud and infrastructure providers. Hosting, email, customer-support tooling and analytics platforms operated under data-processing agreements that bind them to the same standards we apply ourselves.
  • Regulators, auditors and law enforcement. Where required by law, court order or legitimate regulatory request, including HMRC tax-reporting obligations.

We do not sell personal data, and we do not share it with third-party advertisers for the purpose of profiling beyond what you have explicitly consented to through the cookie banner.

5. International transfers

Some of our processors are based outside the United Kingdom — typically within the European Economic Area, the United States or other adequacy jurisdictions. Where we transfer personal data to a country outside the UK that has not received a UK adequacy decision, we use the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK addendum to ensure equivalent protection. A copy of the safeguards we rely on is available on request to [email protected].

6. How long we keep your data

Retention is set by purpose, not by convenience. The headline periods are:

  • Order and transactional records: seven years from the order date, to satisfy HMRC record-keeping obligations and to allow late chargeback or fraud investigation.
  • Account profile: for as long as your account is active. If you have not signed in for 24 months we contact you to confirm continued use; absent a response we anonymise the profile and retain only the transactional skeleton required for the period above.
  • Verification documents (ID, partial card images): 12 months from the order date, then deleted permanently, unless extended by an active fraud or chargeback matter.
  • Marketing preferences and consent records: for as long as you remain subscribed plus three years, in order to demonstrate the lawful basis of past communications.
  • Support correspondence: three years from last contact, then deleted.

7. Cookies and analytics

The site uses cookies and equivalent technologies to keep you signed in, remember preferences, measure performance and — only with your consent — surface relevant marketing. Cookies fall into three groups:

  • Strictly necessary cookies. Used to maintain a session, hold your cart, route you to the right country and prevent fraud. These cannot be disabled because the site does not function without them. No consent is required — they are exempt under PECR.
  • Functional cookies. Remember language, currency and accessibility preferences. Set on consent and easily cleared.
  • Analytics and marketing cookies. Used to measure conversion, attribute traffic to partner sites, and personalise marketing on platforms like Meta and Google. Set only after you have actively accepted on the cookie banner; you can change your choice at any time via the cookie-preferences control in the footer.

8. How we protect your data

Personal data is encrypted in transit using TLS 1.2 or higher, and at rest in our databases. Access to personal data is granted on a least-privilege basis and authenticated through single-sign-on with multi-factor authentication mandatory for every internal user. We log administrative access events centrally and review them as part of a quarterly security audit. Code changes that touch the order pipeline go through peer review and automated security scanning before deployment.

Despite reasonable precautions, no system can be guaranteed perfectly secure. If a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the ICO within 72 hours of becoming aware, and notify you without undue delay where the risk is high.

9. Your rights

Under UK GDPR you have a set of rights in respect of personal data we hold about you. We will respond to a verified request within 30 days, free of charge in most cases.

  • Right of access. A copy of the personal data we hold about you, in a portable format.
  • Right to rectification. Correction of any inaccurate or incomplete personal data.
  • Right to erasure (“right to be forgotten”). Deletion of personal data, subject to the retention obligations described in section 6.
  • Right to restriction. Pause processing while a dispute is resolved.
  • Right to object. Stop processing based on legitimate interests, including direct marketing.
  • Right to data portability. Receive a machine-readable copy of the personal data you have provided to us, to transfer to another service.
  • Right to withdraw consent. Where consent is the lawful basis, you may withdraw it at any time without affecting the lawfulness of past processing.
  • Right to lodge a complaint. With the ICO (ico.org.uk, 0303 123 1113) or with the data-protection authority in your country of residence.

To exercise any right, email [email protected] with the subject line “Privacy request”. For your protection, we may ask you to verify your identity before we act — usually by replying from the email address on the account.

9a. Subject access requests in detail

A subject access request (SAR) lets you receive a complete copy of the personal data we hold about you, structured in a way that is intelligible and usable. When you submit a SAR we assemble: account profile data, every order placed under your account with the corresponding payment summary, every support ticket and email exchange referencing your account, any verification documents still in retention, and the marketing-consent log. For most accounts the response is a single PDF with linked attachments delivered to the email address on file; for larger or technically structured requests we can deliver a JSON export instead.

We do not charge for the first SAR in any 12-month period. For repeat or manifestly excessive requests we may charge a reasonable administrative fee or refuse to act, as permitted under UK GDPR — in practice this is rare and reserved for clearly vexatious requests rather than legitimate follow-ups.

10. Automated decision-making

Some fraud-prevention checks at checkout are automated — for example, scoring the consistency of your IP address, billing address and payment-method history to decide whether to refer the order to manual review. A fully automated decision will not refuse your order outright; a referred order is reviewed by a human, who is the actual decision-maker. You have the right to ask for human reconsideration of any decision that materially affects you.

10a. Profiling for fraud prevention

We profile transactions — not people — for the purpose of fraud prevention. The signals weighed in a transaction score include the consistency of the billing and delivery address, the relationship between the payment method and the account, device and network fingerprint stability, velocity of similar orders across the platform, and exposure of the order to high-risk indicators identified by our payment-processing partners. None of this scoring drives a decision about you as a person beyond the specific order; profiles are not stored as long-term reputation data, and a clean order is not used to underwrite later orders without re-scoring.

11. Changes to this policy

We review this policy annually and whenever we make a material change to how we process personal data. The most recent version is always published here, with the “last updated” date at the top. Where a change is material we will surface a banner on the site and, where possible, email registered users in advance. Continued use of the site after publication of a revised policy constitutes acceptance of the changes — except where consent is required, in which case we will ask for it explicitly.

12. Direct marketing

We send three categories of email: transactional, service and marketing. Transactional messages — order confirmation, delivery notification, refund acknowledgement, password resets — are sent on the basis of contract performance and cannot be opted out of while you have an active order. Service messages — match-day reminders, fixture-rescheduling alerts, security notifications — are sent on the same basis. Marketing emails — newsletters, fixture-of-the-week alerts, partner promotions — are sent only with your consent or, where you are an existing customer, under the “soft opt-in” rules of the Privacy and Electronic Communications Regulations (PECR).

Every marketing email contains a one-click unsubscribe link in the footer; unsubscribing takes effect within 24 hours and is honoured in perpetuity unless you actively re-subscribe. We do not run separate “sender lists” — a single preference applies across the whole marketing programme. You can also manage marketing preferences from inside your account at any time.

We do not engage in cross-context behavioural advertising — your purchase data and browsing history are not sold or rented to third-party advertisers for retargeting. Where advertising cookies are set with your consent, they enable measurement and personalisation only on platforms you have already consented to (typically Meta and Google), and only while consent remains active.

13. Third-party links and embedded content

The site may include links to third-party websites — official club pages, fixture aggregators, travel partners, transport-information services — and may embed third-party content such as maps, video players or social-media widgets. We do not control these third parties, and their privacy practices are governed by their own policies. Where embedded content sets cookies or tracks behaviour on our site, those cookies are described in the cookie-preferences control and activated only with your consent.

14. Contact

For any privacy-related matter — questions, requests, complaints — write to [email protected]. We aim to acknowledge within two business days and respond substantively within 30 days. If you believe we have not handled a request properly you may complain to the Information Commissioner's Office, but we would prefer the opportunity to make it right first.

For questions about a specific order — including how data was handled for that purchase — include the order ID in the subject line; this lets us pull the relevant audit trail faster than a general search by name or email. For complex requests covering multiple orders or several years of account history, we will agree a scope with you at first reply and confirm an estimated turnaround inside the 30-day window.