1. Applicability

1.1. This Privacy Policy (“Privacy Policy”) is issued by Thumpn Entertainment Pvt. Ltd., having its registered office at 100, Aram Nagar Part 2, Machhlimar Colony, Versova, Andheri West, Mumbai, Maharashtra, 400061, (“thumpN”, “Company”, “we”, “us”, or “our”) and applies to all users and visitors (“you”, “your”, or “Data Principal”) of our website and mobile application (“Platform”).

1.2. This Privacy Policy must be read together with our Terms and Conditions (“Terms of Use”) and all other applicable policies published on the Platform (collectively, “Platform Policies”). In the event of any inconsistency between this Privacy Policy and any other Platform Policies, this Privacy Policy shall prevail to the extent of such inconsistency in relation to matters concerning Personal Data (defined below).

1.3. For the purposes of this Privacy Policy, we are the Data Fiduciary and you are the Data Principal in respect of the Personal Data you provide to us or that we collect from you. However, in the following circumstances, the roles may differ:

1.3.1. Where your Personal Data is Processed by us on behalf of an Organizer, the Organizer is the Data Fiduciary in respect of such Personal Data, and we act solely as a Data Processor under a valid contract with the Organizer. For any queries relating to how an Organizer handles your Personal Data, we encourage you to refer to the privacy policy of the relevant Organizer. A link to the same will be present in the privacy notice that the Organiser provides you before the event booking journey on the Platform.

1.3.2. Where you input, upload, or otherwise submit the Personal Data of any third party (such as a friend, family member, or any other individual) onto the Platform, you shall be deemed to be the Data Fiduciary (defined below) in respect of such third-party Personal Data, and we shall act solely as a Data Processor (defined below) Processing (defined below) such data on your behalf and in accordance with your instructions.

1.4. By accessing the Platform or using any of our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy, Terms of Use, and all other applicable Platform Policies. Your continued use of the Platform constitutes your consent to the Processing of your Personal Data in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Platform or any of our services. You can reach out to us at [email protected] to clarify any part of this Privacy Policy.

1.5. The Platform is not intended for use by individuals who have not completed the age of eighteen (18) years (“Child”). In the event that a Child accesses or uses the Platform, we shall assume that such access or use is being undertaken with the knowledge and consent of their parent or lawful guardian, and such parent or lawful guardian shall be deemed to have consented to the Processing of the Child’s Personal Data in accordance with this Privacy Policy.

1.6. You acknowledge and agree that any Personal Data you voluntarily make available in the public domain (including through public profiles, public reviews, etc.) may be Processed by us without obtaining your separate consent. Similarly, by attending events listed on the Platform, you acknowledge that your presence and likeness may be captured through photographs, videos, or other means, and agree that such Personal Data shall be deemed to have been made publicly available by you.

2. Definitions

In this Privacy Policy, unless the context otherwise requires, the following terms shall have the meanings set out below. All capitalised terms used but not defined in this Privacy Policy shall have the meanings assigned to them in the Terms of Use, as applicable.

2.1. “Applicable Laws” means all laws, statutes, rules, regulations, ordinances, notifications, directives, guidelines, circulars, and lawful orders of any governmental, regulatory, judicial or quasi-judicial authority that are applicable to you, us, the Platform, the services, or any event, including sectoral directions (for example, those issued by the RBI and NPCI), and all other data protection, consumer protection and e-commerce laws as enforced or due to be in-force.

2.2. “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of Processing of Personal Data.

2.3. “Data Principal” means the individual to whom the Personal Data relates and, where such individual is a child, includes the parents or lawful guardian of such child, and where such individual is a person with disability, includes her lawful guardian acting on her behalf.

2.4. “Data Processor” means any person who Processes Personal Data on behalf of a Data Fiduciary.

2.5. “Event Organizers” or “Organizers” means persons or entities identified as such on the Platform responsible for planning, producing, promoting, or operating an event that may be listed for discovery and redirection on the Platform.

2.6. “Personal Data” means any data about an individual who is identifiable by or in relation to such data.

2.7. “Personal Data Breach” means any unauthorised Processing of Personal Data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to Personal Data, that compromises the security, confidentiality, integrity, or availability of Personal Data.

2.8. “Platform” means our website and mobile application, including all features, services, content, and functionality made available through them.

2.9. “Process” or “Processing” in relation to Personal Data, means a wholly or partly automated operation or set of operations performed on digital Personal Data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure, or destruction.

3. Information We Collect and How We Use It

3.1. As the agency that collects and retains your Personal Data, we Process it only for the necessary lawful purposes connected with the functions and activities of this Platform (specified below). Such Processing is consented to by you by accessing our Platform. The Privacy Policy provides an itemised description of the Personal Data collected and the specific purpose for such collection, along with the goods and services enabled by such Processing.

3.2. We do not Process your Personal Data for any purpose other than those for which you have provided your consent, unless such Processing is permitted under Applicable Laws without consent.

3.3. Where we act as a Data Processor on behalf of an Organizer, we Process your Personal Data solely for the purposes instructed by the Organizer in accordance with our contract with them, unless otherwise permitted by Applicable Laws. We do not determine the purposes or means of Processing such Personal Data independently unless we have obtained consent from you for a specified purpose of our own.

4. Disclosure to Third Parties

4.1. We do not sell your Personal Data to any third party. We disclose your Personal Data only to the extent necessary to fulfil the purposes for which you have provided consent by accessing our Platform, or as otherwise permitted under Applicable Laws.

4.2. We may disclose your Personal Data with the following categories of third parties in connection with the services provided on the Platform:

4.2.1. Event Organizers: We collect and Process your Personal Data (including your name, contact details, and booking information) on behalf of Organizers who are the Data Fiduciaries for such Personal Data. This enables the confirmation and fulfilment of your bookings, generation and delivery of your tickets, and entry verification at event venues. We share such Personal Data with the relevant Organizer, who may further Process or share it for their own specified purposes in accordance with their own privacy policy and Applicable Laws. We encourage you to review the privacy policy of the relevant Organizer for details on how they handle your Personal Data.

4.2.2. Payment processing partners: To Process ticket purchases, wallet transactions, payouts, refunds, and recurring payments. These partners handle your payment instrument information in accordance with Applicable Laws.

4.2.3. Communications and messaging partners: To deliver OTPs, booking confirmations, payment receipts, service updates, and promotional communications (where you have consented to the latter). These partners receive your phone number and email address for the purpose of message delivery.

4.2.4. AI and technology partners: To power AI-assisted features on the Platform, such as smart search, suggestions, and automated customer support. These partners may receive your search queries, interactions, and support requests for the purpose of providing these services.

4.2.5. Mapping and location partners: To display venue details, maps, and directions for events listed on the Platform. These partners receive your location and venue-related queries.

4.2.6. Advertising and analytics partners: To measure the effectiveness of our advertising campaigns and to understand how users discover the Platform. These partners receive campaign attribution data.

4.2.7. Customer support partners: To assist in the resolution of grievances and queries raised by you. These partners receive your name, contact details, and the content of your support requests.

4.2.8. Cloud hosting and data storage partners: To host, store, and manage the Platform and associated Personal Data. These partners may Process your Personal Data, including your name, contact details, account information, booking details, transaction data, and any other information you provide on the Platform solely for the purpose of providing secure hosting and storage services.

4.2.9. Artists and artist management agencies: To enable artists and their representatives to connect with you, share updates about upcoming performances, releases, and other activities, and stay engaged with you on the Platform. These partners may receive your name, contact details, and event attendance history for the purpose of fan engagement and communications.

4.3. All third parties with whom we disclose your Personal Data are contractually bound to Process such data only for the purposes for which it was shared, to implement reasonable security safeguards, and to comply with Applicable Laws. Similarly, where an Organizer discloses your Personal Data with us for Processing on their behalf, we are contractually bound to Process such data only for the purposes instructed by the Organizer and to implement reasonable security safeguards in respect of such Personal Data.

4.4. We may also disclose your Personal Data where we are required to do so by law, by any order or direction of a court or tribunal, by any governmental or regulatory authority, or as otherwise required or permitted under Applicable Laws.

5. Cross Border Data Transfers

5.1. Some of the Data Processors we engage may Process your Personal Data outside the territory of India. By continuing to access our Platform, you consent to such transfer of your Personal Data.

5.2. Where your Personal Data is transferred outside India, we ensure that such transfers are made subject to appropriate contractual safeguards requiring the recipient to protect your Personal Data to a standard no less than that required under Applicable Laws.

6. Cookies

6.1. When you access the Platform, we may place cookies and similar tracking technologies on your device (“Cookies”). These help us recognise your device, store your preferences, and analyse how you interact with the Platform.

6.2. Cookies are small text files stored on your device. They may be session-based (deleted when you close your browser) or persistent (remaining on your device until they expire or you delete them).

6.3. We use the following types of Cookies and tracking technologies on the Platform.

6.3.1. First-party Cookies: Placed directly by us and essential for the functioning of the Platform. We use these to keep you logged in and maintain your session and location preferences.

6.3.2. Third-party Cookies: Placed by our partners for specific purposes.

(a) Razorpay and Juspay: To enable secure payment processing. For more information, see [Razorpay’s Privacy Policy] and [Juspay’s Privacy Policy].

(b) Google: To track advertisement performance and analyze user interactions on the Platform. For more information, see [Google’s Privacy Policy].

(c) Meta: To track advertisement performance and measure campaign effectiveness across Meta’s platforms. For more information, see [Meta’s Privacy Policy].

(d) CleverTap: To analyze user engagement and enable targeted communications. For more information, see [CleverTap’s Privacy Policy].

7. Reasonable Security Safeguards

7.1. We strive to maintain the security and safety of your Personal Data in line with industry standards. Once we have received your Personal Data, we use strict procedures and security features as per industry standards and Applicable Laws to try to prevent unauthorized access, loss, misuse, unauthorized disclosure and dissemination, destruction and alteration of your Personal Data. Our reasonable security safeguards are periodically reviewed in compliance with Applicable Laws.

7.2. We aim to protect from unauthorized access, alteration, disclosure or destruction of your Personal Data or other information that we hold. To the extent feasible, the security measures we adopt to protect your Personal Data or other information include the following:

7.2.1. We use encryption to keep your Personal Data or other information private while in transit;

7.2.2. We offer security features like an OTP verification to help you protect your user account on the Platform;

7.2.3. We review our information collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to our systems;

7.2.4. We restrict access to your Personal Data or other information to our and our partners’ employees, contractors, and agents who need that information in order to Process it. Anyone with this access is subject to strict contractual confidentiality obligations and may be subject to disciplinary action if they fail to meet these obligations;

7.2.5. We maintain appropriate logs and monitoring mechanisms to enable the detection of unauthorized access to Personal Data, its investigation, and remediation to prevent recurrence;

7.2.6. We implement appropriate technical and organisational measures to ensure the effective observance of the security safeguards set out above, including regular security assessments, employee training on data protection, and compliance reviews;

7.2.7. We ensure compliance with Applicable Laws;

7.2.8. We regularly review this Privacy Policy and make sure that we Process Your Personal Data or other information in ways that comply with it.

7.3. Where we act as a Data Processor on behalf of an Organizer, we act on the instructions of such Organizer documented in a valid contract and implement security safeguards that are equivalent to those set out above in respect of any Personal Data Processed on the Organizer’s behalf.

7.4. Where we engage any Data Processors (in our role as a Data Fiduciary) or sub-processors (in our role as a Data Processor) to assist in Processing of your Personal Data, we issue instructions documented in a valid contract to ensure that appropriate contractual provisions are in place requiring such Data Processor or sub-processor to implement equivalent safeguards.

7.5. While we take every reasonable measure to protect your Personal Data, no system is completely secure. We cannot guarantee the absolute security of your Personal Data against all threats. If you have reason to believe that your interaction with us is no longer secure or that your Personal Data has been compromised, please notify us immediately using the contact details set out in clause 13 of this Privacy Policy.

8. Data Retention

8.1. We shall retain your Personal Data only for as long as is necessary to fulfil the purpose for which it was collected, or as required for compliance with Applicable Laws, whichever is longer.

8.2. Upon receiving a request for erasure or upon withdrawal of consent, we shall erase your Personal Data as soon as it is reasonable to assume that the purpose is no longer being served and there is no legal obligation to retain such Personal Data. We shall also cause our Data Processors to erase any Personal Data that was made available to them for Processing.

8.3. Before erasing your Personal Data, we shall inform you at least forty-eight (48) hours prior to the completion of the applicable retention period that unless you log into your account or otherwise initiate contact with us for the performance of the specified purpose or exercise your rights, your Personal Data will be erased.

8.4. Where we act as a Data Processor on behalf of an Organizer, we retain your Personal Data for the period instructed by the Organizer or as specified in our contract with them. Upon the Organizer’s instruction or upon expiry of the contractual retention period, we shall erase such Personal Data and cause any sub-processors to do the same, unless retention is required under Applicable Laws.

8.5. Notwithstanding the foregoing, we may retain your Personal Data for archiving, research, or statistical purposes, provided that such Personal Data is Processed in a manner that does not result in any decisions being made that are specific to you as a Data Principal.

9. Data Breach Notification

9.1. In the event of a Personal Data Breach, we shall intimate you, without delay, through your user account or any mode of communication registered by you with us, providing:

9.1.1. A description of the breach, including its nature, extent, and timing of occurrence;

9.1.2. The consequences relevant to you that are likely to arise from the breach;

9.1.3. The measures implemented and being implemented by us to mitigate the risk;

9.1.4. The safety measures that you may take to protect your interests; and

9.1.5. Business contact information of a person who is able to respond on our behalf to your queries.

9.2. If you notice any unusual or suspicious activity in relation to your account or Personal Data on the Platform, including but not limited to unauthorised logins, unexpected changes to your account information, or communications that appear to originate from us but that you did not initiate, we encourage you to report such activity to us immediately using the contact details set out in clause 13 of this Privacy Policy. Early reporting helps us investigate and contain potential breaches and protects both you and other users of the Platform.

10. Third-Party Links and Sites

10.1. The Platform may contain links to third-party websites, applications, or services that are not owned or controlled by us. These may include, but are not limited to, the websites of event Organisers, payment processors, social media platforms, and advertising partners.

10.2. We are not responsible for the privacy practices or the content of any such third-party websites, applications, or services. Each such third party may have its own privacy policy governing the collection, use, and sharing of your Personal Data, and we do not accept any responsibility or liability for such policies or practices.

10.3. We strongly encourage you to review the privacy policy of every third-party website, application, or service that you visit or interact with through the Platform before submitting any Personal Data to such third parties.

10.4. The inclusion of a link to a third-party website, application, or service on the Platform does not imply our endorsement of, or affiliation with, such third party.

11. Your Rights

Under the Applicable Laws, you have the following rights in relation to your Personal Data. You may exercise your rights via our portal here.

11.1. Right to withdraw Consent: You may withdraw your Consent for any Specified Purpose at any time, with the ease of doing so being comparable to the ease with which your Consent was given. You can withdraw Consent by toggling off the relevant consent preferences tab in your account settings on the Platform. The withdrawal of Consent shall not affect the lawfulness of any Processing carried out prior to such withdrawal. Upon withdrawal, we shall, within a reasonable time, cease Processing and cause our Data Processors to cease Processing your Personal Data for that purpose, unless such Processing without Consent is required or authorised under the DPDPA or any other law for the time being in force.

11.2. Right to access information: You have the right, upon making a request to us, to obtain a summary of the Personal Data that we are Processing about you and the Processing activities undertaken with respect to such data, the identities of all other Data Fiduciaries and Data Processors with whom your Personal Data has been shared along with a description of the data so shared, and any other information related to your Personal Data and its Processing as may be prescribed.

11.3. Right to correction and erasure: You have the right to request the correction of any inaccurate or misleading Personal Data, the completion of any incomplete Personal Data, and the updating of any outdated Personal Data. You also have the right to request the erasure of your Personal Data, and upon receipt of such a request, we shall erase your Personal Data unless its retention is necessary for the Specified Purpose or for compliance with any law for the time being in force or for research, archiving, or statistical purposes in line with clause 9.5 of this Privacy Policy.

11.4. Right to grievance redressal: If you have any concern about how we handle your Personal Data or about the exercise of your other rights, you may raise a grievance with us. We shall respond to your grievance within a reasonable period not exceeding thirty (30) days from the date of its receipt or such extended time as Applicable Laws may permit.

Where we Process your Personal Data as a Data Processor on behalf of an Organizer, requests for exercising your rights in relation to such Personal Data should be directed to the relevant Organizer, as they are the Data Fiduciary for that Personal Data. We shall assist the Organizer in responding to such requests in accordance with our contractual obligations.

The rights set out above may be exercised with our direct assistance only in respect of Personal Data for which we are the Data Fiduciary.

12. Your Duties

12.1. As a Data Principal, you have the following duties:

12.1.1. You shall comply with all Applicable Laws while exercising your rights.

12.1.2. You shall not impersonate another person while providing Personal Data for any specified purpose.

12.1.3. You shall not suppress any material information while providing Personal Data for any document, unique identifier, proof of identity, or proof of address issued by the State or any of its instrumentalities.

12.1.4. You shall not register a false or frivolous grievance or complaint with us.

12.1.5. You shall furnish only such information as is verifiably authentic while exercising your rights under this Privacy Policy and Applicable Laws.

12.1.6. You are responsible to keep your credentials for accessing the Platform personal and confidential. You should not share your password or login details with anyone. We will not be responsible for any liability or obligation you might face due to your sharing of your user account details with anyone.

12.2. Where you input, upload, or otherwise submit the Personal Data of any third party onto the Platform (for instance, when you share booking details with a friend, invite others to an event, or input contact details of any other individual), you shall be deemed to be the Data Fiduciary in respect of such third-party Personal Data. In such circumstances, you represent and warrant that:

12.2.1. You have obtained all necessary consents from such third party for the Processing of their Personal Data with us, in accordance with Applicable Laws;

12.2.2. You have informed such third party of the Processing of their Personal Data, the purposes thereof, and their rights under Applicable Laws;

12.2.3. You shall be solely responsible for any claims, liabilities, or proceedings arising from the Processing of such third-party Personal Data, and you shall indemnify and hold us harmless against any such claims, liabilities, or proceedings; and

12.2.4. We shall act solely as a Data Processor in respect of such third-party Personal Data, Processing it only in accordance with your instructions and for the purpose for which it was provided.

13. Contact Us With Your Queries

13.1. If you have any questions, concerns, or grievances about this Privacy Policy or about how we handle your Personal Data, you may contact us at:

Grievance Officer: Dipti Goel

Email: [email protected]

Phone: +91 98201 89916

Address: 100, Aram Nagar Part 2, Machhlimar Colony, Versova, Andheri West, Mumbai, Maharashtra, 400061

13.2. These contact details are prominently published on our Platform, and will be included in every response to a communication for the exercise of your rights under Applicable Laws.

13.3. If your concern relates to a grievance about the Processing of your Personal Data or the exercise of your rights, we will acknowledge your grievance and endeavour to resolve it within a reasonable period not exceeding thirty (30) days from the date of its receipt.

13.4. If your query or grievance relates to Personal Data that is Processed by us on behalf of an Organizer, we may redirect your query to the relevant Organizer or assist the Organizer in responding, as the case may be. We encourage you to also contact the Organizer directly using the contact details available on their event listing or their own privacy policy.

14. Changes to This Privacy Policy

14.1. We may update or amend this Privacy Policy from time to time to reflect changes in our Data Processing practices, changes in Applicable Laws, or for other operational, legal, or regulatory reasons.

14.2. Where we make any material changes to this Privacy Policy, we shall notify you through the Platform by way of a prominent notification on the website or app, through your registered email address, or through an in-app notification, prior to such changes taking effect.

14.3. Your continued use of the Platform following notification of changes to this Privacy Policy shall constitute your acceptance of the revised Privacy Policy. If you do not agree with any changes, you should discontinue use of the Platform and contact us to request the erasure of your Personal Data.

14.4. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your Personal Data. The “Last updated on” date at the top of this Privacy Policy indicates when it was most recently revised.