Privacy Policy

How we collect, use, share, and protect your information when you use GIMMETIX.

1. Who We Are & Scope

This Privacy Policy explains how KIWIE Studio (Reg. No. 202503250602) (“GIMMETIX”, “we”, “us”, “our”) collects and processes personal data when you visit or use our ticketing platform and related services (the “Platform”).

Controller: KIWIE Studio, 1, PERSIARAN SIERRA UTAMA, BANDAR 16 SIERRA, PUCHONG, SELANGOR, Malaysia.
Contact: privacy@gimmetix.com

Geographic scope: We primarily serve Malaysia. We do not target EU/UK or California residents. If this changes, we will update this policy.

Effective date:

2. What We Collect

  • Identity & Contact: name, email, phone.
  • Event Extras: answers to custom fields requested by the organizer (e.g., t-shirt size or other simple preferences). No sensitive data requested.
  • Account Data: username and password (hashed).
  • Transactional: ticket purchases, order IDs, receipts, timestamps.
  • Payment: processed by payment gateways; we do not store full card details. We receive payment status/metadata only.
  • Device/Usage (for security/operations): IP address, user agent, basic logs (e.g., rate-limit events, error logs).
  • Support: emails and attachments sent to us.

Sensitive data: None. Please do not submit medical, biometric, or other sensitive personal data.

3. How We Use Your Data

  • Ticketing & Account Management: to create/manage your account, process orders, deliver tickets, and provide customer support.
  • Event Operations: to share only the minimum necessary details with event staff for admission and safety.
  • Security & Abuse Prevention: to enforce rate limits, detect bots (e.g., anti-bot checks) and prevent fraud/abuse.
  • Legal & Compliance: to keep records required by law (e.g., tax, accounting, audits).
  • Communications: to send transactional emails (receipts, confirmations, tickets). Marketing messages are sent only if you opt in and you can withdraw at any time.

4. Cookies & Similar Technologies

We use only essential cookies and anti-bot checks. No analytics or advertising cookies are used at this time.

Name (example) | Type | Purpose | Retention
gtx_session | Essential | Keep you logged in and maintain your session. | Session (deleted on logout/expiry)
gtx_cart | Essential | Remember cart/seat holds during checkout. | Up to 24 hours or until checkout completes
gtx_csrf | Essential | Protect against cross-site request forgery. | Session
cf_turnstile | Security | Cloudflare Turnstile anti-bot verification. | Short-lived (per challenge)

If we later add analytics or preferences cookies, we will update this Policy and (if required) request consent.

5. Sharing & Disclosures

  • Event Staff/Organizers (Operations-Only): we share only what is needed to operate the event (e.g., name, ticket info, relevant extras). Use for marketing is prohibited.
  • Service Providers: infrastructure and vendors that help run the Platform (e.g., hosting, email, storage, anti-bot, payments). They are bound by contracts and may only process data on our instructions.
  • Legal/Safety: where required by law or to protect rights, safety, and security.
  • No Sale of Personal Data: we do not sell or rent personal data to third parties.

Payments: Your card details are submitted directly to payment gateways (e.g., Stripe, Billplz, HitPay depending on the event). We receive status/metadata but do not store full card numbers.

6. Legal Basis (if GDPR/UK GDPR ever applies)

We do not target EU/UK users today. If GDPR/UK GDPR applies in the future, our legal bases would be:

  • Contract: ticketing, account management, customer support.
  • Legitimate Interests: platform security, anti-fraud, service improvement (balanced against your rights).
  • Consent: marketing communications and any non-essential cookies.
  • Legal Obligation: tax, accounting, compliance records.

7. Retention

Category | Typical Retention | Reason
Orders & Tickets | Up to 7 years | Tax, accounting, audit obligations.
Seat holds / cart state | Up to 24 hours | Operational necessity; fairness controls.
Access & device logs | ~12 months | Security, troubleshooting, abuse prevention.
Anti-fraud signals | Up to 24 months | Detect patterns of abuse while minimizing data.
Support emails/attachments | ~24 months | Case history and dispute resolution.
Inactive accounts | Review at ~24 months | Data minimization; we may anonymize or delete if unused.
Event extras | Up to 12 months after the event | Operations, refunds/chargebacks, then anonymize or delete.

When we no longer need data, we will anonymize or securely delete it. Some records must be kept longer if required by law or for ongoing disputes.

8. Security

We use industry-standard technical and organizational measures, including:

  • TLS encryption in transit; encryption at rest where supported by our vendors.
  • Least-privilege, role-based access; staff access is logged and limited.
  • Rate limiting, bot detection (Cloudflare Turnstile), and abuse monitoring.
  • HSTS, CSRF protections, input validation and XSS safeguards.
  • Regular backups and routine patching of systems.
  • Password hashing and recommended password practices for users.

No method is 100% secure, but we continually improve our safeguards. If we suspect a breach that affects you, we will notify you as required by law.

9. International Data Transfers

Our service providers and infrastructure may be located outside Malaysia (for example, in the US, EU, or Singapore). Where data is transferred internationally, we use appropriate safeguards such as contractual data protection commitments and standard security measures.

10. Your Rights (PDPA – Malaysia)

Under Malaysia’s Personal Data Protection Act (PDPA), you can:

  • Request access to the personal data we hold about you.
  • Request correction of inaccurate or incomplete personal data.
  • Withdraw consent where processing is based on consent (e.g., marketing).
  • Raise questions or complaints about our data practices.

To exercise your rights, contact privacy@gimmetix.com. We may need to verify your identity (e.g., email verification and order information) before acting on your request.

If you are not satisfied with our response, you may lodge a complaint with the relevant regulator in Malaysia.

11. Marketing & Communications

  • Transactional emails (receipts, tickets, order updates) are always sent as part of our service.
  • Marketing (email/SMS) is opt-in only. You can unsubscribe at any time via the message footer.
  • WhatsApp or SMS notifications: currently not used for marketing.

12. Automated Checks & Fairness

We use limited automated checks (e.g., anti-bot challenges, IP-based rate limiting) to protect the Platform and ensure fair access to tickets. These measures may temporarily block suspicious activity. If you believe we made a mistake, please contact support and we will review it.

13. Children

Our Platform is intended for general audiences and not directed to children under 13. If we discover we have collected personal data from a child without appropriate consent, we will delete it.

14. Roles & Responsibilities (Organizers)

GIMMETIX acts as the data controller for users of the Platform. When we share attendee details with event staff strictly for operational purposes, those event organizers act as independent controllers for the data they receive. We contractually require that they:

  • Use attendee data only for event admission, support, and safety.
  • Do not use attendee data for marketing unless they independently obtain your explicit consent.
  • Protect data with appropriate security measures and follow applicable laws.

If an organizer contacts you for purposes beyond event operations without your consent, please notify us at privacy@gimmetix.com.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the effective date above. For material changes, we may also notify you via email or in-app notice. Your continued use of the Platform after changes become effective means you acknowledge the updated Policy.

16. Contact Us

Questions or requests about this Policy? Contact our privacy team at privacy@gimmetix.com.

Controller: KIWIE Studio (Reg. No. 202503250602) · 1, PERSIARAN SIERRA UTAMA, BANDAR 16 SIERRA, PUCHONG, SELANGOR, Malaysia