PERSONAL DATA CHARTER

https://www.passetonbillet.fr/

This charter aims to provide the User with complete information on the collection and processing of their personal data by the Company (as defined in the Terms and Conditions of Sale) in connection with the provision of the Company’s Services via the website accessible at https://www.passetonbillet.fr/ (the “Website”) to the User.

The definitions set out in the Terms and Conditions of Use, as supplemented where applicable by the Terms and Conditions of Sale, apply to this Personal Data Charter.

As part of its activities, the Company provides a service connecting Users, for the purpose of enabling the purchase and resale, between private individuals, of transport and event tickets on the Website.

In order to provide this service, the Company must collect and process personal data relating to Users.

Mindful of the User’s privacy and of the processing of their personal data, the Company, acting as data controller, undertakes to comply with Regulation (EU) No. 2016/679 of 27 April 2016 (GDPR), by ensuring the best possible level of protection for Users’ personal data.

This Charter therefore enables the User to benefit from full transparency regarding the processing of their personal data by the Company.

1. WHO COLLECTS USERS’ PERSONAL DATA?

The data controller that collects personal data and implements data processing operations is the Company, as identified in the Terms and Conditions of Use.

2. WHAT PERSONAL DATA IS COLLECTED BY THE COMPANY?

The Company ensures that it collects only personal data that is strictly necessary in light of the purpose for which it is processed.

The categories of personal data that the Company typically processes as part of its services and in accordance with its regulatory obligations include:

• Identification data: such as first name, last name, place and date of birth, contact details (postal address, phone number), nationality, identification numbers and documents (national ID card, passport, driver’s license), and the User’s photograph
• Banking data: Sellers’ IBAN
• Any personal data shared when using the chat feature

This personal data is collected directly from the User.

The Company also collects and processes other data indirectly, such as IP address (Internet Protocol), connection and browsing data, email addresses and phone numbers used to contact customer support, and the User’s order history.

The Company may also process data obtained from third-party organizations in order to meet its regulatory obligations.

The Company collects and processes only the data necessary to provide the Services or to comply with its legal obligations.

Users are informed that the collection of payments for Transactions carried out directly on the Website is managed by Stripe, which is authorized as an electronic money institution by the Commission de Surveillance du Secteur Financier (CSSF). Stripe carries out personal data processing for which it acts as data controller, as described in Stripe’s privacy policy: https://stripe.com/fr/privacy

Accordingly, the Company informs Users that it does not process any data relating to the payment methods used to pay for Transactions.

3. WHAT ARE THE PURPOSES OF COLLECTING THE USER’S PERSONAL DATA?

The Company is authorized to use Users’ personal data only if it has a valid legal basis and must ensure that it relies on one or more of the following legal bases:

• Performance of a contract
• Compliance with a legal obligation
• Legitimate interest of the data controller
• The User’s consent

The Company collects and records Users’ personal data for the following purposes and on the following legal bases:

4. IS PERSONAL DATA TRANSFERRED TO THIRD PARTIES?

Personal data collected is processed only by the Company, except in the following cases:

4.1. Disclosure to Users in the context of a Transaction

In the context of connecting Users and performing a Transaction, the Company may disclose certain personal data of the Seller to the Buyer and vice versa, in order to facilitate the Transaction.

4.2. Disclosure to Rights Holders and commercial partners

The Company may disclose personal data to Rights Holders, commercial partners and the Company’s processors (hosting providers, email-sending tools, website security tools, form management tools, audience measurement tools, document sharing tools, navigation tracking tools, customer service and assistance tools, advertising targeting tools on social networks and on the Internet), strictly in accordance with the purposes defined above. The Company’s processors are subject to confidentiality and security obligations, as well as other obligations required by applicable regulations.

4.3. Disclosure to the payment service provider Stripe

The Company may disclose personal data to Stripe in order to manage financial Transactions carried out via the Website. Personal data is then collected and processed by Stripe in its capacity as data controller in accordance with the terms governing Stripe’s terms of use and privacy policy.

4.4. Disclosure to authorities

In compliance with applicable regulations, the Company may provide personal data in France or abroad for the purpose of establishing, safeguarding or defending a legal right, within the framework of administrative or criminal investigations or litigation of any kind.

4.5. Data may also be shared with third parties for:

• Fraud prevention and debt collection
• Technical maintenance and development of the Website, internal applications and the Company’s information system
• Collection of customer reviews
• Sending newsletters

The Company may also share personal data, with the Customer’s prior and express authorization, in the event of a sale, transfer or merger of the Company or part of it, or if the Company acquires or merges with another company.

If such a transaction occurs, the Company will ensure that the other party complies with data protection legislation.

5. WHAT ARE USERS’ RIGHTS REGARDING THEIR PERSONAL DATA?

Pursuant to Articles 14 to 22 of Regulation (EU) 2016/679 of 27 April 2016, any individual using the service may exercise the following rights:

• Right to information (provision of clear and easily accessible information to the User)
• Right of access
• Right to rectification
• Right to object to processing and to erasure of their data
• Right to object to profiling
• Right to restriction of processing (meaning that, beyond a certain point, the Company may no longer continue processing and using the User’s personal data)
• Right to data portability (meaning the right to retrieve the data provided by the User and transfer it)
• Right to deletion

Where the Company detects a personal data breach likely to result in a high risk to the User’s rights and freedoms, the User will be informed of such breach as soon as possible.

These rights may be exercised by contacting the Company by email at: support@passetonbillet.fr or via the customer support chat.

In accordance with applicable regulations, any request must be signed and accompanied by a photocopy of an identity document bearing the requester’s signature and must specify the address to which the response should be sent. A response will be sent to the User within two (2) months of receipt of the request.

6. WHAT HAPPENS TO THE SELLER USER’S DATA AFTER THEIR DEATH?

The User may send instructions to the Company regarding the storage, deletion and disclosure of their personal data after their death, in accordance with Article 40-1 of French Law No. 78-17 of 6 January 1978. The User may submit advance directives to: support@passetonbillet.fr or via the customer support chat.

7. IS PERSONAL DATA TRANSFERRED OUTSIDE THE EUROPEAN UNION?

Personal data relating to the User will not be transferred, for the purposes defined above, to companies located outside the European Union, except where mandatory information must be provided to any bank and/or payment service provider located outside the European Union in connection with the payment of the purchase or sale price of Products between the Company and the User.

If personal data is transferred to companies located outside the European Union, data will be transferred only to entities that have undertaken to ensure a sufficient and appropriate level of data protection (in particular through Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs)).

8. WHAT SECURITY MEASURES DOES THE COMPANY IMPLEMENT TO PROTECT PERSONAL DATA?

8.1. Internal measures

As data controller, the Company takes all useful precautions to preserve data security and confidentiality and, in particular, to prevent data from being altered, damaged or accessed by unauthorized third parties, through information system security measures designed to prevent external access to Customers’ personal data.

Where the Company uses processors, it ensures that such processors comply with data protection rules.

8.2. Relationships with processors

Where the Company uses processors that may process the User’s personal data, it ensures that they provide sufficient guarantees regarding compliance with data protection rules, at least equivalent to those of the Company, by entering into a contract with such processors for this purpose.

9. DOES THE COMPANY USE COOKIES, TAGS AND TRACKERS?

When the User uses the Company’s Services, the Company automatically receives and records certain types of information such as the settings of the Internet browser used, the content of the shopping cart, or identifiers enabling the User to log in.

Cookies and trackers that are strictly necessary to provide a service expressly requested by the User do not require prior consent. For example, the following trackers do not require User consent:

• “session identifier” cookies, for the duration of a session, or persistent cookies limited to a few hours in certain cases
• authentication and consent cookies
• persistent interface customization cookies (language or display preferences)

Any other cookie requires prior information and the User’s express and prior consent, for example:

• cookies related to advertising operations
• social network cookies generated by social sharing buttons when they collect personal data without the data subject’s consent
• certain audience measurement cookies

Upon the User’s first visit to the Website, an information message is displayed to inform them of the use of cookies.

Consent is collected via a banner displayed on the Website allowing the User to choose which cookies will be stored on their device, except for cookies necessary to provide the Services.

Cookies and other unique identifiers are used to obtain this information when the User’s browser or device accesses the Website.

9.1. What is a cookie?

The term “cookie” covers several technologies enabling tracking of browsing and online actions. These technologies are multiple and constantly evolving, including cookies, tags, pixels and JavaScript code.

A cookie is a small text file stored by the browser of the User’s computer, tablet or smartphone, allowing user data to be saved in order to facilitate browsing and enable certain features.

9.2. Why are cookies, tags and trackers used?

Cookies are used by the Company to remember the User’s preferences, and to optimize and improve the User’s use of the Website by providing content more specifically suited to their needs.

9.3. Cookies issued by the Company on the Website enable it to:

• Identify the User when they log in
• Determine the User’s browser settings, such as the browser type used and installed plug-ins
• Produce statistics and traffic volumes and usage of the various components of the Services (using audience measurement cookies)
• Adapt the Website’s display to the device used
• Adapt the Website’s display to each User’s preferences
• Optimize the Services offered on the Website
• Communicate with the User in a targeted manner

Only the issuer of a cookie may read or modify the information it contains.

Some cookies are installed until the User closes their browser, while others are stored for longer.

9.4. Browser settings

The User may configure their browser so that cookies are stored on their device or, on the contrary, rejected, either systematically or depending on the issuer.

The User may also configure their browser so that acceptance or refusal of cookies is offered on a case-by-case basis, before a cookie is stored on their device.

9.5. How to make this choice depending on the browser used?

Cookie management settings differ for each browser.

The “Help” section of most browsers indicates how to refuse new cookies, obtain a message notifying their reception, or disable all cookies.

Cookies issued by the Company are used for the purposes described above, subject to the User’s choices, resulting from their browser settings when visiting the Website and their acceptance by clicking “ok” on the cookie banner.

Several options are available to the User to manage cookies. Any cookie settings chosen by the User may affect their browsing experience and their access conditions to certain services requiring cookies.

The User can at any time express and modify their cookie preferences directly in their browser settings.

As each procedure differs, the User is invited to refer to their browser documentation, available on the browser publisher’s website.

10. THE COMPANY’S DATA PROTECTION OFFICER (DPO)

The Company has appointed a Data Protection Officer who can be contacted by email at: support@passetonbillet.fr or via the customer support chat.

11. UPDATES TO THIS PERSONAL DATA POLICY

The Company may update this policy from time to time.

In the event of any significant change, the Company will inform the User by email or by any other means.

12. HOW TO CONTACT US

If you have any questions or concerns regarding this privacy policy or the Company’s data processing practices, you can contact us at: support@passetonbillet.fr or via the customer support chat.

If you wish to delete your account and your data, you can do so at any time from your profile: https://help.passetonbillet.fr/fr/article/comment-supprimer-mon-profil-6m3zui/

13. ACCOUNT DELETION

The User may request closure of their account and deletion of the associated data by writing to: support@passetonbillet.fr.

Upon receipt of the request and after identity verification, PasseTonBillet will delete the account within a maximum period of five (5) weeks.

However, certain information cannot be deleted immediately, in particular information relating to:

• payment operations
• fraud prevention checks
• tax or accounting obligations applicable to Payment Service Providers

Such data is retained solely to comply with legal obligations imposed on payment actors.

It is no longer used by PasseTonBillet and may only be accessed in the event of a formal request from an administrative or judicial authority.

APPENDICES

A. Definitions

• Personal data: any information relating to an identified or identifiable natural person
• Processing: any operation or set of operations performed on personal data, whether or not by automated means
• Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing
• Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

B. Legal basis for processing

The Company undertakes to process Users’ personal data only in the following cases:

• Where the User has consented to the processing of their personal data for one or more specific purposes
• Where processing is necessary for the performance of a contract to which the User is a party, or to take steps at the User’s request prior to entering into a contract
• Where processing is necessary to comply with a legal obligation to which the Company is subject
• Where processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the User’s interests or fundamental rights and freedoms requiring protection of personal data

C. Users’ rights

Users have the following rights regarding their personal data:

• Right of access: the right to obtain confirmation as to whether or not personal data is being processed and, where that is the case, access to such data and certain information (purposes, categories of data, etc.)
• Right to rectification: the right to obtain correction of inaccurate personal data or completion of incomplete data
• Right to object: the right to object at any time, on grounds relating to the User’s particular situation, to the processing of their personal data
• Right to erasure: the right to obtain erasure of personal data without undue delay under certain conditions
• Right to restriction of processing: the right to obtain restriction of processing in certain cases
• Right to data portability: the right to receive personal data provided in a structured, commonly used and machine-readable format and to transmit it to another controller without hindrance

To exercise these rights, Users may contact the Company at: support@passetonbillet.fr

Updated on: 30/01/2026