Legal
Privacy Policy
Effective May 22, 2026
Information we collect
When you create an account, we collect your name, email address, and password (stored as a one-way hash). If you verify your phone, we store the verified phone number. If you add a bank account for payouts, we store the last four digits only — we never store full account or routing numbers.
When you list or purchase tickets, we collect the listing details you provide (event, section, row, seat, price) and the payment information processed by Adyen, our payment provider. We store Adyen's transaction reference; we never see or store your full card number.
We automatically collect IP addresses, browser type, and pages visited for rate limiting, fraud detection, and analytics. We do not sell this data.
How we use your information
To operate the marketplace: matching buyers with sellers, processing payments through Adyen, facilitating ticket transfers, and releasing payouts.
To send transactional emails via Resend: OTP verification, purchase confirmations, transfer updates, and payout notifications. You cannot opt out of transactional emails while you have an active account.
To detect and prevent fraud: unusual account activity, misuse of the platform, or attempted circumvention of our trust system.
To calculate your trust score: the number of verified credentials, completed transfers, and dispute history contribute to your public trust score visible to other users.
Information we share
We share your name and trust score with other FreelySeat users as part of the marketplace experience. Your email address is never shared with other users.
When a transfer is in progress, we share your first name with your counterpart (buyer or seller) to facilitate the handoff.
We share data with Adyen (payment processing), Resend (transactional email), and Neon (database hosting). All sub-processors are contractually bound to protect your data.
We do not sell, rent, or share your personal data with advertisers or data brokers.
Data retention
Account data is retained for as long as your account is active. If you close your account, we retain transaction records for 7 years as required for financial recordkeeping, then delete your personally identifiable information.
Verification tokens (OTPs) expire within 10 minutes and are deleted after use.
Your rights
You may request a copy of your personal data, correction of inaccurate data, or deletion of your account by emailing us at privacy@freelyseat.com. We will respond within 30 days.
If you are in the European Economic Area, you have additional rights under GDPR including the right to data portability and the right to lodge a complaint with your local supervisory authority.
Security
Passwords are hashed using bcrypt with a cost factor of 12. All connections are encrypted in transit (TLS 1.2+). Payment data is handled entirely by Adyen under PCI DSS Level 1 compliance — we are not in scope for PCI.
We use rate limiting and HMAC-verified webhooks to prevent unauthorized access to our APIs.
Changes to this policy
We will notify registered users by email at least 14 days before any material changes to this Privacy Policy take effect. Continued use of FreelySeat after the effective date constitutes acceptance of the updated policy.
Questions? Contact us at privacy@freelyseat.com