Privacy Policy
Effective Date: 1 April 2026 | Last Updated: 1 April 2026
Introduction
Two Bit Digital (SMC-PVT) LTD, trading as Tikkit X ("Tikkit X," "we," "us," or "our"), is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the Tikkit X platform, including our website at tikkitx.com, our mobile applications, and all related services (the "Platform").
This Privacy Policy should be read together with our Terms and Conditions. By using the Platform, you consent to the collection and use of your personal data as described in this Policy.
Data Controller
The data controller responsible for your personal data is:
Website: https://tikkitx.com
For Event-specific data (Guest Lists, attendee communications, event analytics), the Event Organiser acts as a joint data controller alongside Tikkit X. Tikkit X processes such data on behalf of and under the instructions of the Organiser.
Personal Data We Collect
3.1 Information You Provide Directly
| Category | Data Elements | Purpose |
|---|---|---|
| Account Registration | Full name, email address, phone number, username, password (hashed) | Account creation, authentication, communication |
| Identity Verification | CNIC number, passport number, identity document images, facial photograph (where applicable) | Identity verification, fraud prevention, compliance with anti-scalping obligations |
| Payment Information | Payment method, transaction ID, payment screenshots (where applicable), bank/wallet details for Organiser payouts | Payment processing, transaction verification, refunds |
| Event Registration | Event preferences, EOI submissions, ticket selections, dietary or accessibility requirements (if provided) | Event registration, Guest List management, event delivery |
| Organiser Information | Company/brand name, event details, venue information, vendor relationships, payout bank details | Event listing, payout processing, platform operations |
| Vendor Information | Business name, service descriptions, portfolio images, pricing, availability | Marketplace listing, booking facilitation, verified profile display |
| Communications | Messages sent through in-app chat, support enquiries, feedback | Customer support, dispute resolution, platform improvement |
3.2 Information Collected Automatically
| Category | Data Elements | Purpose |
|---|---|---|
| Device Information | Device type, operating system, browser type, screen resolution, unique device identifiers | Platform optimisation, security, fraud detection |
| Usage Data | Pages viewed, features used, time spent, click patterns, search queries | Platform improvement, personalisation, analytics |
| QR Scan Data | Scan timestamp, scan location (venue), scan result (valid/invalid), entry/exit records | Event check-in, attendance verification, dwell time analytics, audit trail |
| IP Address and Location | IP address, approximate geographic location (city/region level) | Security, fraud prevention, regional service delivery |
Legal Basis for Processing
| Legal Basis | Applicable Processing Activities |
|---|---|
| Contractual Necessity | Processing necessary to perform our contract with you, including account management, ticket issuance, QR code generation, payment processing, and event delivery. |
| Consent | Processing based on your explicit consent, including identity verification (CNIC/biometric), marketing communications, and optional profile features. You may withdraw consent at any time by contacting admin@tikkitx.com. |
| Legitimate Interests | Processing necessary for our legitimate interests, including fraud prevention, platform security, analytics for service improvement, and enforcement of our Terms. |
| Legal Obligation | Processing required to comply with applicable laws, including the Prevention of Electronic Crimes Act 2016 (PECA), tax reporting obligations, and responses to lawful requests from law enforcement or regulatory authorities. |
How We Use Your Personal Data
- Platform Operations: To create and manage your account, process registrations, issue QR Code tickets, facilitate payments, and deliver the core services of the Platform.
- Identity Verification: To verify your identity through document checks and, where applicable, biometric verification, in order to prevent fraud, scalping, and unauthorised access.
- Event Analytics: To provide Event Organisers with anonymised and aggregated analytics, including attendance counts, check-in velocity, demographic breakdowns (where consented), and dwell time metrics.
- Communications: To send you transactional notifications (ticket confirmations, event updates, account alerts), and, with your consent, marketing communications about events and platform features.
- Security and Fraud Prevention: To monitor for suspicious activity, enforce our anti-scalping policies, maintain audit trails, and protect the integrity of the Platform.
- Platform Improvement: To analyse usage patterns, conduct research, and improve the functionality, performance, and user experience of the Platform.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes, including responding to lawful requests from governmental authorities.
How We Share Your Personal Data
We do not sell your personal data. We share your personal data only in the following circumstances:
6.1 With Event Organisers
When you register for or attend an Event, the Organiser receives your name, email address, ticket status, and check-in data as necessary to manage their Event and Guest List. Organisers are bound by their own privacy obligations and are prohibited from using your data for purposes unrelated to the Event.
6.2 With Service Providers
We share personal data with trusted third-party service providers who assist us in operating the Platform, including:
- Supabase (database hosting and authentication)
- Vercel (application hosting)
- Payment processors (PayPro, JazzCash, EasyPaisa, or others as applicable)
- Identity verification providers (Didit or equivalent KYC services)
- Email service providers (Resend or equivalent)
These providers process data only on our instructions and are contractually bound to protect your data and use it solely for the purposes of providing their services to us.
6.3 With Vendors (Tikkit X Vendors)
Where you book a Vendor through the Platform, we share necessary booking details (event date, requirements, contact information) with the Vendor to facilitate service delivery.
6.4 For Legal Reasons
We may disclose your personal data where required by law, regulation, legal process, or governmental request, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
6.5 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal data.
Cryptographic Data and QR Codes
Tikkit X uses cryptographic technology (HMAC-SHA256 with HKDF key derivation) to generate and verify QR Code tickets.
- QR Code Payload: Your QR Code contains your guest ID, event ID, name, ticket days, status, and timestamp. This payload is cryptographically signed but not encrypted — it is readable by any scanner with the per-event verification key.
- Per-Event Keys: Verification keys are derived from a master secret using event-specific parameters. Per-event keys are cached on scanner devices for offline verification. Keys are rotated per event and cannot be used to derive the master secret.
- Offline Verification: QR Code verification can occur without network connectivity. Scan data is stored locally on the scanner device and synchronised with the Platform when connectivity is restored.
- Scan Logs: All scan events are recorded in an immutable, append-only audit log for security and compliance purposes.
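The scheme described in this section, sketched as an added example. This is not Tikkit X's code: the token layout (`payload.tag`, base64url), the HKDF `info` label, the field names and the master secret are all assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

MASTER = b"constructed-demo-master-secret"  # constructed sample, not a real key
SAMPLE = {"guest_id": "G-1001", "event_id": "EVT-A", "name": "Sample Guest",
          "ticket_days": [1, 2], "status": "confirmed", "ts": 1775000000}

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def event_key(master: bytes, event_id: str) -> bytes:
    # Assumed layout: the event ID is bound into the HKDF "info" field.
    return hkdf_sha256(master, b"", b"qr-ticket-v1|" + event_id.encode())

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_ticket(key: bytes, fields: dict) -> str:
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(tag)

def read_payload(token: str) -> dict:
    # Signed, not encrypted: the fields are plain JSON under the base64.
    return json.loads(base64.urlsafe_b64decode(token.split(".")[0]))

def verify_ticket(key: bytes, token: str, event_id: str):
    """Return the payload if the tag is valid for this event, else None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong part count or malformed base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    fields = json.loads(body)
    # Reject a validly signed token that names a different event.
    return fields if fields.get("event_id") == event_id else None
```

Because HMAC is symmetric, a scanner holding the cached per-event key can also produce valid tags for that event, so the cache needs the same protection as a signing key.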
Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Data | Duration of account plus 2 years after deletion request | Contractual, legal compliance |
| Identity Verification Documents | Deleted within 90 days of successful verification | Data minimisation |
| Payment Records | 7 years from transaction date | Tax and financial reporting obligations |
| Event Check-in / Scan Logs | 3 years from event date | Audit trail, dispute resolution |
| In-App Chat Messages | Automatically purged 72 hours after event conclusion | Privacy by design |
| Usage and Analytics Data | Anonymised after 12 months; aggregated data retained indefinitely | Platform improvement |
Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Row Level Security (RLS): Database-level access controls ensuring users can only access data they are authorised to view.
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS/HTTPS.
- Encryption at Rest: Personal data stored in our databases is encrypted at rest.
- Access Controls: Service role keys and administrative credentials are segregated and never exposed to client-side code.
- Immutable Audit Logs: Critical operations are recorded in append-only, cryptographically chained audit logs that cannot be altered after creation.
- Rate Limiting: IP-based rate limiting on sensitive endpoints to prevent brute-force attacks.
While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure.
International Data Transfers
The Platform is hosted on infrastructure provided by Supabase (cloud database) and Vercel (application hosting), which may store and process data in jurisdictions outside Pakistan, including the United States and European Union. Where your data is transferred outside Pakistan, we ensure that appropriate safeguards are in place, including contractual protections with our service providers.
For users in the United Kingdom or European Economic Area, international transfers are conducted in compliance with Chapter V of the UK GDPR or EU GDPR, as applicable, using Standard Contractual Clauses or other approved transfer mechanisms.
Your Rights
Subject to applicable law, you have the following rights regarding your personal data:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Rectification: You may request that we correct inaccurate or incomplete personal data.
- Right to Erasure: You may request that we delete your personal data, subject to our legal retention obligations.
- Right to Restriction: You may request that we restrict the processing of your personal data in certain circumstances.
- Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format.
- Right to Object: You may object to the processing of your personal data where we rely on legitimate interests as the legal basis.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at admin@tikkitx.com. We will respond within 30 days.
Children's Privacy
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data promptly. If you believe that a child under 18 has provided us with personal data, please contact us at admin@tikkitx.com.
Cookies and Tracking Technologies
The Platform may use cookies, local storage, and similar technologies to enhance your experience, analyse usage, and provide core functionality. These include:
- Essential Cookies: Required for the Platform to function, including authentication tokens and session management. These cannot be disabled.
- Analytics Cookies: Used to understand how users interact with the Platform and to improve our services. These are only set with your consent where required by applicable law.
We do not use third-party advertising cookies or tracking pixels. We do not sell data to advertisers or ad networks.
Third-Party Links and Services
The Platform may contain links to third-party websites, services, or applications. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services before providing them with your personal data. Tikkit X is not responsible for the privacy practices of third-party services.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable laws. Material changes will be communicated to you via email or through a prominent notice on the Platform at least fourteen (14) days before the changes take effect. Your continued use of the Platform after the effective date constitutes your acceptance of the updated Policy.
Applicable Law
This Privacy Policy is governed by the laws of the Islamic Republic of Pakistan, including the Prevention of Electronic Crimes Act, 2016 (PECA), the Electronic Transactions Ordinance, 2002 (ETO), and the constitutional right to privacy under Article 14(1) of the Constitution of Pakistan.
For users in the United Kingdom, this Policy additionally complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For users in the European Economic Area, this Policy additionally complies with the EU General Data Protection Regulation (Regulation (EU) 2016/679).
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Website: https://tikkitx.com
For data protection enquiries from the United Kingdom or European Economic Area, you may also contact the relevant supervisory authority in your jurisdiction.