Privacy Policy

Last updated: 2 July 2026

This policy explains how Popup Pal, United Kingdom (“Popup Pal”, “we”) processes personal data when you use the Popup Pal platform — whether you organise events, trade at them or buy tickets to them. It is written to comply with UK GDPR and the Data Protection Act 2018.

1. Two hats: controller and processor

The most important thing to understand about data on Popup Pal:

  • For attendee and trader data collected through an organiser’s event — buyer names and emails, checkout answers, stall applications — the organiser is the data controller and Popup Pal acts as their data processor. The organiser decides why that data is collected; we process it on their instructions under our data processing terms. Privacy questions about a specific event’s data should go first to its organiser.
  • For data we need to run Popup Pal itself — organiser and trader accounts, billing, support tickets, security logs, and this website — Popup Pal is the controller.

2. What we store

  • Account data (organisers, team members, traders): email, name, locale and notification preferences, sign-in records. Buyers never have accounts.
  • Order data: buyer name and email, tickets purchased, amounts, refund history and answers to the organiser’s checkout questions. Card details go directly to Stripe and never touch our servers; we store only payment references.
  • Stall data: application answers (which may include uploaded documents such as insurance certificates), invoices and payment status, pitch assignments.
  • Audience data: marketing opt-ins from checkout and stall QR sign-ups, each recorded with source and timestamp; unsubscribes are honoured and recorded.
  • Operational data: support tickets, structured logs, audit trails of sensitive actions (including IP addresses), and aggregate page-view counts for event pages (daily totals, not individual browsing profiles).

3. Lawful bases

  • Contract — delivering tickets you bought, administering stalls you applied for, running organiser accounts and subscriptions.
  • Legitimate interests — service emails about your order or event (e.g. cancellation notices, live announcements), fraud prevention, security logging, improving the Service using aggregate data.
  • Consent — marketing. You only receive marketing where you opted in (an unticked box at checkout, a stall QR sign-up), and every message includes a working unsubscribe.
  • Legal obligation — financial records retained for tax and accounting law.

4. Who receives data

We use a small number of sub-processors to run the Service: Stripe (payments), our email delivery provider, and our hosting and database infrastructure providers. We share data with them only as needed to provide the Service, under contracts imposing equivalent protections. Where data is transferred outside the UK, we rely on adequacy regulations or standard contractual clauses. We do not sell personal data, ever.

Organisers see the buyer and trader data for their own events (they are its controller). Traders see the subscribers captured at their own stall. Neither sees the other’s audience without a separate opt-in.

5. Retention

  • Order and invoice records: kept while needed for the event, refund windows and statutory accounting periods (generally 6 years for financial records in the UK).
  • Marketing contacts: kept while consent stands; removed promptly on unsubscribe or erasure request.
  • Unsuccessful stall applications: retained for the organiser’s reasonable review period, after which organisers are expected to delete what they no longer need.
  • Accounts: deleted or anonymised after closure, except records we must keep by law.
  • Logs and audit trails: retained for a limited security window, then deleted or aggregated.

6. Your rights

Under UK GDPR you can request access to your data, correction, erasure (where we no longer need it), restriction, portability, and you can object to processing based on legitimate interests. You can withdraw marketing consent at any time via the unsubscribe link. To exercise any right, contact us; we respond within one calendar month. Where the organiser is the controller we will assist them in fulfilling your request, and pass it on where appropriate. You also have the right to complain to the Information Commissioner’s Office (ICO).

7. Data export and erasure for organisers

Organisers can export their event, order and audience data from the dashboard at any time — it is their data. On account closure, we delete or anonymise the organiser’s data on request, subject to records we are legally required to keep and to obligations still owed to ticket holders (for example, refund records).

8. Security

Buyer access is protected by high-entropy tokenised links rather than passwords; ticket QR codes are cryptographically signed; sensitive actions are audit-logged; access to production data is restricted and logged. No system is perfectly secure — if we become aware of a breach affecting your data we will notify you and the ICO as required by law.

9. Cookies

We use a minimal set of cookies, described in the Cookie Policy.

10. Contact

Data protection queries: contact support and choose “General question”, or write to Popup Pal, United Kingdom.