Privacy Policy
Protection of your personal data
Last updated: March 13, 2026
1. Introduction
This Privacy Policy describes how Timevault TCG, operating under the brand Event Manager Pro (hereinafter "we", "our" or "the Platform"), collects, uses, stores and protects your personal data when you use our ticketing and tournament management platform accessible at https://eventmanager.sbs.
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 of April 27, 2016 - and applicable French data protection laws.
By using our Platform, you accept the practices described in this policy. If you do not accept these terms, please do not use our services.
2. Data Controller
Timevault TCG
Sole Proprietorship (Auto-entrepreneur)
1 Allée Louis Nabarrit
64450 Thèze, France
Email: contact@eventmanager.sbs
For any questions regarding the protection of your personal data, you can contact us at the email address above.
3. Data Collected
3.1. Data you provide directly
For Users (ticket buyers):
- Identification data: surname, first name, email address, phone number
- Payment data: processed directly by our payment providers (Stripe, PayPal, HelloAsso) - we do not store your credit card data
- Gaming data: player identifiers (Wizards Account, Pokémon ID, Konami ID, Ravensburger ID, etc.) when required for tournaments
- Participation data: event registrations, tournament results, decklists
For Organizers:
- Identification data: surname, first name, email address, phone number
- Professional data: organization name, address, billing information
- Configuration data: payment settings (encrypted API keys), event preferences
3.2. Automatically collected data
- Connection data: IP address, browser type, operating system, pages visited, date and time of access
- Cookies: session identifiers, language preferences, display theme (see Cookies section)
- Transaction data: order history, payment status, reference numbers
3.3. Sensitive data
We do not collect sensitive data within the meaning of Article 9 of the GDPR (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric data).
4. Processing Purposes
Your personal data is processed for the following purposes:
| Purpose | Description | Legal Basis |
|---|---|---|
| Account management | Creation, authentication and management of your user or organizer account | Contract performance |
| Ticketing | Order processing, ticket generation, sending confirmations | Contract performance |
| Event management | Tournament organization, participant management, results publication | Contract performance |
| Payments | Transaction processing, refunds, fraud prevention | Contract / Legal obligation |
| Communication | Event notifications, reminders, service updates | Contract / Legitimate interest |
| Customer support | Responding to your requests, problem resolution | Contract performance |
| Security | Protection against fraud, abuse and unauthorized access | Legitimate interest |
| Service improvement | Anonymized usage analysis, user experience improvement | Legitimate interest |
| Legal obligations | Billing data retention, response to authorities | Legal obligation |
5. Legal Basis for Processing
In accordance with the GDPR, we process your data on the following legal bases:
- Contract performance (Article 6.1.b): Processing is necessary for the performance of our services (ticket purchase, event participation, tournament organization).
- Legal obligation (Article 6.1.c): Processing is necessary for compliance with our legal obligations (invoice retention, fraud prevention, response to requisitions).
- Legitimate interest (Article 6.1.f): Processing is necessary for our legitimate interests (platform security, service improvement, non-commercial communication).
- Consent (Article 6.1.a): When you expressly accept certain processing (newsletter, non-essential cookies).
6. Data Recipients
6.1. Sharing with Organizers
When you purchase a ticket or participate in an event, some of your data is shared with the Organizer of the relevant event:
- Surname and first name
- Email address
- Phone number (if provided)
- Player identifiers (if required by the tournament)
- Participation data (registration, results, decklists)
Important: The Organizer then becomes a joint controller of your data for their own purposes. We invite you to consult each Organizer's privacy policy where applicable.
6.2. Technical subcontractors
We use the following subcontractors who process your data on our behalf:
| Subcontractor | Service | Location |
|---|---|---|
| Hostinger | Web hosting and database | Lithuania (EU) |
| Stripe | Card payment processing | Ireland (EU) / United States |
| PayPal | PayPal payment processing | Luxembourg (EU) / United States |
| HelloAsso | Association payment processing | France (EU) |
These subcontractors are contractually bound to protect your data in accordance with the GDPR and may only use it for the defined purposes.
6.3. Other recipients
Your data may also be communicated to:
- Competent authorities in case of legal obligation (tax authorities, judicial authorities)
- Game publishers (Wizards of the Coast, The Pokémon Company, Konami, Ravensburger) for official tournament reporting, with your consent
7. International Data Transfers
Your data is primarily hosted within the European Union (Lithuania).
Some of our subcontractors (Stripe, PayPal) may transfer data to the United States. These transfers are governed by:
- The EU-US Data Privacy Framework (DPF) for certified companies
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Additional protective measures (encryption, pseudonymization)
8. Data Retention
We retain your personal data for the following periods:
| Data Type | Retention Period | Justification |
|---|---|---|
| User account data | Account lifetime + 3 years after deletion | Relationship management / Civil statute of limitations |
| Order data | 10 years after transaction | Accounting and tax obligations |
| Tournament participation data | 5 years after event | Sports history / Statistics |
| Connection logs | 1 year | Security / Fraud detection |
| Payment data (references) | 13 months after transaction | Dispute management |
| Session cookies | Session duration | Technical operation |
| Preference cookies | 13 months | CNIL recommendations |
Upon expiration of these periods, your data is deleted or irreversibly anonymized.
9. Your Rights
In accordance with the GDPR, you have the following rights over your personal data:
Right of access
Obtain a copy of all personal data we hold about you.
Right to rectification
Correct inaccurate data or complete incomplete data.
Right to erasure
Request deletion of your data ("right to be forgotten"), subject to legal obligations.
Right to restriction
Temporarily restrict the processing of your data in certain situations.
Right to portability
Receive your data in a structured, machine-readable format.
Right to object
Object to the processing of your data on grounds relating to your particular situation.
How to exercise your rights?
To exercise your rights, you can:
- Contact us by email at contact@eventmanager.sbs
- Use your account features (profile modification, data download)
- Write to us at the postal address indicated in the legal notice
We will respond to your request within one month of receipt. This period may be extended by two months in case of complex requests, in which case you will be informed.
Proof of identity may be requested to verify your identity.
Complaint to the supervisory authority
If you believe that the processing of your data does not comply with regulations, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) - the French Data Protection Authority:
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, modification, disclosure or destruction:
- HTTPS/TLS encryption for all communications
- Secure password hashing (Argon2ID)
- AES-256 encryption of sensitive data (payment API keys)
- Role-based access control
- CSRF protection on all forms
- Rate limiting against brute force attacks
- Logging of access and sensitive actions
- Regular encrypted backups
- Multi-tenant isolation: each organizer only accesses their own data
Secure payments: We never store your credit card data. Payments are processed directly by our PCI-DSS certified partners (Stripe, PayPal).
12. Protection of Minors
Our platform is primarily intended for adult audiences.
- Organizer account creation: reserved for persons 18 years of age and older.
- Ticket purchase: Minors aged 16 and over may purchase tickets with the consent of their legal guardian. For minors under 16, purchases must be made by a legal guardian.
- Tournament participation: Minors may participate in tournaments in accordance with the Organizer's rules and with required parental authorization.
We do not knowingly collect personal data from children under 16 without parental consent. If you believe a minor has provided us with data without appropriate consent, please contact us immediately.
13. Policy Changes
We reserve the right to modify this Privacy Policy at any time to reflect legal, technical or service changes.
In case of substantial modification:
- The "last updated" date will be changed
- A notice will be displayed on the platform
- Registered users will be notified by email
We encourage you to regularly review this page to stay informed about our data protection practices.
14. Contact
For any questions regarding this Privacy Policy or the processing of your personal data, please contact us:
Timevault TCG - Event Manager Pro
Email: contact@eventmanager.sbs
Address: 1 Allée Louis Nabarrit, 64450 Thèze, France
We are committed to responding to your requests as soon as possible and within a maximum of one month.