Privacy Policy

Last update: May 22nd, 2018

We participate in and comply with the EU-U.S. Privacy Shield Framework and retention of Personal Data(defined in Section 2.1) from European Economic Area("EEA") member countries.

1. RESPONSIBLE FOR THE PROCESSING OF YOUR DATA

XCEED S.R.L P. IVA #03373311202 Address: Via Felice Casati 1/A, Milano (MI), 20124, Italy. E-mail: info@xceed.me

2. OUR COMMITMENT TO YOU

• Xceed S.r.l.'s main objective is to maintain your trust through respectful management of the personal information of Website Users and Buyers, giving them control over it. • It is important that you know what personal information Xceed S.r.l., (hereinafter 'we' or 'Xceed S.r.l.,') collects about you, and how we use it. • For any further information, questions or concerns, please contact us using the details provided in the 'Contact' section. • We will inform you appropriately if we make any material changes to our privacy practices at any time. If necessary, we will also ask for your permission.

3. PURPOSES OF THE PROCESSING OF PERSONAL DATA

A) Provision of the service • The online platform owned by Xceed S.r.l. is used by its clients and by event organisers to advertise and sell their tickets to people interested in purchasing them. • The purpose for which we process your data is to collaborate in the management of the purchase of tickets to the event you wish to attend. The collaboration is to make available through our portal the catalogue of events advertised on our website. • The relationship of the purchase and sale of tickets will always be established between the buyer and the organiser of the event. • We will also send you electronic communications to promote and notify you of upcoming events in which you may be interested. • There may be occasions when we collect your details for events where ticket sales are not yet available. In these cases of "pre-registration" we will only use your data for the sole purpose of notifying you when tickets go on sale for the event in which you are interested. B) Sending commercial communications by electronic means to promote events We may send you commercial communications by electronic means to notify you of new events and/or shows that we are promoting through our website. C) Sending third party advertising • Provided that you consent, we may send you advertising from third party companies interested in promoting their goods or services. • This advertising will be sent directly by Xceed S.r.l. without any physical delivery of your data to the advertisers. • This will involve the need to submit your personal data to standardisation, duplication, filtering and verification operations. • We may send you advertising by e-mail, post, telephone calls to landlines or mobile phones, sending SMS and/or MMS messages, multi-platform messaging services, chat, automated calls without human intervention, push notifications, or any other type of similar communication. D) Communication of your data for commercial purposes and commercial prospecting to third party companies. • Provided that you consent, we may communicate your data to interested third parties such as companies, organisations and/or entities interested in carrying out marketing campaigns or market research. • These advertisers may send you advertising through any of the following channels: email, post, telephone calls to landlines or mobiles, sending SMS and/or MMS messages, messaging services without human intervention or any other type of similar communication. • This processing will necessarily involve the need to subject your personal data to standardisation, duplication, filtering and verification operations.

4. LEGITIMATION FOR THE PROCESSING OF PERSONAL DATA

A) Provision of the service In relation to the provision of our services, we process your data because it is necessary for the execution of the contract, so that your opposition to the processing of your data would make it impossible for the Organiser of the event to receive your wish to purchase the tickets, making it impossible to carry out the provision of the service. B) Promotion of events In relation to the promotion of events through the sending of electronic communications, we send them based on our legitimate interest in keeping you informed about our news and upcoming events. In each communication you receive, we will give you the opportunity to object to the processing for promotional purposes. C) Third-party advertising • The only legitimation for the use of your data for commercial purposes and to be able to send you advertising from third parties interested in promoting their goods or services is your consent. • Similarly, the legitimacy to communicate your personal data to third party companies, organizations and / or entities, for purposes of advertising, commercial prospecting or market research, will also be solely your consent. • In the data registration form you will find two separate boxes, the ticking of which is in no way obligatory, so that you may or may not give us your consent for these purposes.

5. PRIVACY NOTICE

The way in which the privacy notice will be applied to users will depend on how they interact with us: - If you purchase a ticket, we will use the information you provide to fulfil both our obligations to you and the organisers' obligations to you in providing that service, and, where permitted, to keep you informed about other events that may be of interest to you. - When you browse our sites or app we will use cookies to personalise your experience and to hopefully provide you with a seamless experience.

6. WHAT INFORMATION WE HOLD AND WHERE WE COLLECT IT

• We collect and store different types of information about you when: - You create an account. - You purchase tickets. - You contact us. - You use our website, app and social media. - You have a ticket passed on to you by a third party. • We will collect information from you which, depending on the service we are providing, may include your contact information and billing information. • Retention of your information when you use our Website or App: we will collect information such as the browser and device you are using, your IP address, your location, the site from which you have accessed it, what you have and have not used our Website or App for, or the site you access after visiting our Website or App. For further information on how we collect this information, please see our Cookie Policy. • Retention of your data at the time of your registration by storing the following information, if provided: date of registration, IP address, name, surname, first name, ID number, gender, date of birth, email address, telephone number and postcode and those relating to your purchase. • When you use a social media feature within our Website or App and make a social media post, the social media site will provide us with information about you. • If you have any accessibility requirements, we want to ensure you have the best experience when attending events. To do this, we will need to collect details of your requirements, which may involve you providing us with additional health-related information. • Where we collect personal information from minors, we always seek parental consent and, in any event, we will collect such information only for the purposes specified at the time of collection. • We use vendors that collect geo-demographic data to help us more effectively tailor our services to you. • As a general rule, all your data will be automatically deleted from all purposes for which you agreed to the processing, five years from the date of your registration.

7. HOW WE USE YOUR INFORMATION AND WHY

A) We collect and use your information to carry out the purpose of our services and to perform our contract with you. We use your information when you enter into a contract with us by purchasing a ticket in order to: - Process your order. - Receive payment. - Providing you with customer service. B) For our legitimate business interests • To conduct market research and analysis to help us improve and customise our products and services. • For our marketing purposes, unless such marketing requires your consent (Section C). • To send you customer service emails, including booking confirmations and event reminders. • To prevent or detect unlawful behaviour, to protect or enforce our legitimate rights or as otherwise permitted by law. For example, to ensure that tickets are received by genuine fans. Therefore, we may use your information to prevent ticket resale, misuse of our intellectual property (e.g., our or our Event Partners' trademarks), fraud, or other crimes. • To ensure the security of our operations and the operations of our Event Partners. • To create a profile of you to help us personalise our services to you. C) Where you have given us your consent • To contact you with information or offers about our upcoming events, products or services. These communications may be made via email, push and web notifications, SMS or social media. You may change your marketing preferences at any time, sending us an email to info@xceed.me. • To provide you with location-based services. • To send you personalised advertising and marketing communications on our websites and App. See our Cookie Policy for further information). • To process your health data in order to meet your accessibility requirements, where specifically requested and where express consent is given.

8. WHO WE SHARE YOUR DATA WITH AND WHY

Once you access our website and/or App, register and/or make a ticket purchase, you agree to Xceed transmitting your data: • Internally at Xceed S.r.l. • With our customers, such as the artist, the Promoter, the record label, the team or the venue, as well as with other third parties associated with the service provided. • With our third party service providers (sometimes referred to as data processors), such as cloud computing providers who provide the IT infrastructure upon which our products and systems are established. • With our Event Partners, so that they can organise the event and for other reasons described in their privacy policies. We will quote Event Partners when you purchase a ticket along with a direct link to their Privacy Policy. • With third parties who supply the products and services purchased by you so that they can process and fulfil your orders. • With government agencies or other authorised bodies, where legally permitted or required. • With any successor to all or part of our business.

9. PAYMENT PROCESSING

We use third-party services for payment processing (e.g., payment processors). If you make a purchase on our site or app, your payment card information is processed directly by these payment processors. We do not store or have access to your payment card details. Adyen We use Adyen as a payment processor. When you use Adyen, we process: • Transaction Information: Includes the amount, date and time, and merchant details. • Payment Information: Includes your payment card details. • Adyen processes your payment data in accordance with GDPR. For more information, please refer to Adyen's Privacy Policy. Apple Pay When you use Apple Pay on our iOS mobile app or website, we process certain personal data to facilitate the transaction: • Transaction Information: Includes the amount, date and time, and merchant details. • Device Information: Includes the unique identifier of the device used for the payment. • Payment Information: Includes tokenized card details provided by Apple Pay, which do not include your actual credit or debit card numbers. • The processing of your personal data is necessary for the performance of the contract (Article 6(1)(b) GDPR) and to comply with legal obligations such as fraud prevention and financial regulations (Article 6(1)(c) GDPR). Your personal data may be shared with the following parties: • Apple Inc.: To facilitate and process the payment. • Financial Institutions: Your bank or card issuer to process the payment. • Regulatory Authorities: If required by law, to comply with applicable regulations. Google Pay When you use Google Pay, we process: • Transaction Information: Includes the amount, date and time, and merchant details. • Payment Information: Includes tokenized card details provided by Google Pay. Google processes your payment data in accordance with GDPR. For more information, please refer to Google's Privacy Policy. PayPal When you use PayPal, we process: • Transaction Information: Includes the amount, date and time, and merchant details. • Payment Information: Includes your PayPal account information. PayPal processes your payment data in accordance with GDPR. For more information, please refer to PayPal's Privacy Policy. Bancontact When you use Bancontact, we process: • Transaction Information: Includes the amount, date and time, and merchant details. • Payment Information: Includes your Bancontact card details. Bancontact processes your payment data in accordance with GDPR. For more information, please refer to Bancontact's Privacy Policy. MB WAY When you use MB WAY, we process: • Transaction Information: Includes the amount, date and time, and merchant details. • Payment Information: Includes your MB WAY account information. MB WAY processes your payment data in accordance with GDPR. For more information, please refer to MB WAY's Privacy Policy.

10. YOUR CHOICES AND RIGHTS

You have the right to: - Access information we hold about you. - Opt in to receive marketing communications from us. - Access your personal data. - Request its rectification - Request its deletion - Oppose their processing - Request the limitation of their processing - The portability of personal data A) Your options Once you have given us your consent you may withdraw your consent in accordance with the following: - To stop receiving marketing communications from us you can change your preferences in your account, follow the unsubscribe instructions in any of the emails we send you or contact us and we will do this for you. - To opt out of location tracking, you can change the settings on your device or keep your location turned off. To stop receiving network push notifications you will need to use your browser settings. - To opt out of personalisation, you can contact us using the contact form under Communications and we will do it for you. - To opt out of the use of cookies and tracking tools, please see our Cookie Policy. B) Your rights As a user, you have rights about how we use your personal information, including the following: - The right to object to our processing of your data. - The right to request that your information be deleted or its future use restricted. - The right to request a copy of the information we hold about you. - The right to correct, amend or update information you have provided to us. Where you have an account with us you will also be able to do this by logging into your account and updating your information. - The right to challenge any automatic decision we make about you. An automatic decision is a decision made without any human intervention that has legal consequences, for example a credit check. We do not normally make automatic decisions, but when we do we will make it clear that such a decision is being made. To exercise any of the above rights, please contact us at the addresses listed in the Communications section. Please note that while we carefully consider each request we receive, your rights may differ depending on where you live and we may not always be bound by them. If so, we will explain why.

11. RESPONSIBILITY FOR YOUR INFORMATION

• We are continually taking steps to ensure that your information is protected and that it is securely disposed of when it is no longer needed. • We have security measures in place to protect your information. The security measures we apply will depend on the type of information collected. • We will only keep your information for as long as is necessary to provide you with the services you have requested, for the purposes set out in this policy and for any other legal purpose for which we are required to keep the information. • We will securely delete your information when it is no longer required for the above purposes in accordance with our company policies. • We use shared services, some of which are located outside Europe. At the same time, your information may be transferred internationally when world-class artists are touring in order to provide you with a seamless experience. • When we carry out such transfers of information, we must emphasise that there are strict rules in place to ensure that your data continues to be protected to the highest standards. When we do so, we will ensure that we have appropriate security measures in place. If your information is transferred outside the European Economic Area, we will use one of the mechanisms set out below: - Standard Contractual Clauses approved by the European Commission - EU-U.S. Privacy Shield - Binding Corporate Rules - Binding Corporate Rules of the Processor • For additional information, or to obtain a copy of the relevant documentation, please contact us at the addresses listed in the Communications section.

12. THIRD PARTIES

• Please note that tickets to attend events are sold through: 1. Xceed Website and App 2. Promoters to whom Xceed S.r.l. makes available the technology necessary to carry out the sale of tickets, in which case the purchase will be made through the Promoter's website, external to Xceed S.r.l. 3. Promoters who collaborate with Xceed S.r.l., in which case the purchase of tickets will be made through the Promoter's website, outside of Xceed S.r.l. • Please note that the above stipulations involve an International Transfer of Data legitimised by the existence of Adequate Safeguards, Binding Corporate Rules, the Explicit Consent of the users by ticking the box and the Necessity of the transfer for the execution of the contract between the data controller and the data subjects. • Therefore, we inform you that in the second and third case our website may include, display or display links to the websites of the promoters. These websites operate independently of us. These websites have their own privacy policies and we strongly recommend that you read them when you visit them. To the extent that any linked websites you visit are not owned or controlled by us, we are not responsible for the content of such websites, their use or their privacy practices.

13. APPLICABLE LAW

• REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) applies. • This Regulation applies to the processing of personal data in the context of the activities of an establishment of the controller or processor in the Union, whether or not the processing takes place in the Union. • This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to such data subjects in the Union, whether or not the data subjects are required to pay for them, or the monitoring of their behaviour, in so far as it takes place in the Union. • This Regulation applies to the processing of personal data by a controller who is not established in the Union but in a place where the law of the Member States applies by virtue of public international law. • The preceding paragraphs support the legitimacy of Xceed S.r.l. to process the data of European citizens and third country nationals, as well as the transfer of such data to data controllers established outside the European Union.

14. COMMUNICATIONS - CONTACT US

• You may exercise your rights by contacting us directly and free of charge at the following e-mail address support@xceed.me indicating "EXERCISE OF RIGHTS" in the subject line. Your request must include date, name and surname, request in which the request is made, address for the purpose of notifications. In order to dispel any reasonable doubt about your identity, we ask you to provide us with a copy of your ID document to confirm your identity. • If you believe that Xceed S.r.l. has not dealt with your request correctly, you may apply to the Italian Data Protection Agency at the following address: Piazza di Monte Citorio n.121, 00186, Rome.