TickAtlas

GDPR Compliance

Last updated: April 2026

TickAtlas is committed to protecting the personal data of users in the European Economic Area (EEA) in accordance with the General Data Protection Regulation (GDPR). This page explains what data we collect, why we collect it, how long we keep it, and what rights you have over it.

1. Data We Collect

  • Account information — Name, email address, and company name (optional), collected at registration.
  • Payment information — Subscription plan and transaction records processed via NOWPayments. We do not store raw card data.
  • API usage logs — Endpoint accessed, timestamp, response time, HTTP status, and the API key identifier (not the key itself).
  • IP addresses — Logged per request for security, abuse prevention, and rate limiting.
  • Session data — A session token stored in an httpOnly cookie to authenticate your dashboard session.

2. Why We Collect It

| Data | Purpose | Legal Basis |
|---|---|---|
| Account information | Service delivery, communications, account management | Contract performance |
| Payment records | Billing, subscription management, refunds | Contract performance / Legal obligation |
| API usage logs | Quota enforcement, billing, abuse detection, analytics | Legitimate interests |
| IP addresses | Rate limiting, security, fraud prevention | Legitimate interests |

3. Data Retention

  • API usage logs — Retained based on your plan: Free tier: 30 days, Pro: 90 days, Enterprise: unlimited (or until account deletion is requested).
  • Payment records — Retained for 7 years for legal and tax compliance purposes.
  • Account data — Retained for the lifetime of your account, then deleted within 30 days of account closure unless a legal hold applies.
  • Session data — Expires after inactivity or explicit logout.

4. Your Rights

Under GDPR, you have the following rights. To exercise any of them, email [email protected]. We will respond within 30 days.

  • Access — Request a copy of the personal data we hold about you. A JSON export of your usage data is available via the dashboard.
  • Rectification — Correct inaccurate or incomplete data via your dashboard profile settings, or by contacting us.
  • Erasure — Request deletion of your account and associated personal data. Contact support to initiate. Payment records may be retained for legal compliance.
  • Portability — Receive your data in a structured, machine-readable format (JSON). Available on request or via the dashboard export feature.
  • Restriction — Ask us to pause processing of your data while a dispute is resolved.
  • Objection — Object to processing based on legitimate interests (e.g. analytics). We will stop unless we can demonstrate compelling grounds.
  • Withdraw consent — Where processing is based on consent, you may withdraw at any time without affecting prior lawful processing.

You also have the right to lodge a complaint with your local data protection authority.

5. Data Processing Location

All data is processed and stored on our production server hosted by OVH in Gravelines, France (EU). We do not transfer personal data outside the EEA except where third-party processors listed below operate internationally under Standard Contractual Clauses or equivalent safeguards.

6. Third-Party Processors

We share data with the following sub-processors only to the extent necessary to deliver the service:

| Processor | Purpose | Data Shared |
|---|---|---|
| NOWPayments | Cryptocurrency payment processing | Email, subscription plan, transaction ID |
| Sentry | Application error tracking | Error context (PII scrubbing enabled) |
| BetterUptime | Uptime and status monitoring | None (synthetic monitoring only) |
| MailRelay / Gmail SMTP | Transactional emails and alerts | Email address, alert content |

We do not sell personal data to any third party, ever.

7. Data Security

  • Passwords — Hashed with bcrypt before storage. We never store plaintext passwords.
  • API keys — Stored as SHA-256 hashes. The raw key is only shown once at creation.
  • Transport — All traffic is HTTPS-only with HSTS enforced. HTTP requests are redirected.
  • Sessions — Dashboard sessions use httpOnly, Secure, SameSite cookies with automatic expiry.
  • Access control — Internal admin access requires separate credentials and is IP-restricted.

For a full overview of our security practices, see our Security page.

8. Cookies

| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Authenticates your dashboard session (httpOnly, Secure, SameSite=Strict) | Session / inactivity expiry |
| CSRF token | Protects form submissions from cross-site request forgery | Session |

We do not use advertising, tracking, or third-party analytics cookies.

9. Contact & Data Requests

For all data-related requests — access, erasure, portability, objection — contact us at:

[email protected]

We will acknowledge your request within 72 hours and respond in full within 30 days.