Privacy & Cookie Policy

Last updated: 11 June 2026

1. About this Policy

This Privacy & Cookie Policy explains how Federico Jorge Nussbaumer (ABN 49 163 940 184) trading as Bileto (“BILETO”, “we”, “us” or “our”) collects, uses, discloses and protects personal information when you use the BILETO website, ticketing tools, promoter tools, check-in tools, referral tools, payment flows, agent API and related services (the “Platform”).

We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Policy forms part of, and should be read together with, our Terms and Conditions.

2. The personal information we collect

Depending on how you use the Platform, we may collect:

  • Account information — your email address, name, and account role (buyer, organiser, promoter, admin).
  • Buyer information — the details you provide when purchasing a ticket, including attendee names and any answers to organiser-defined checkout questions.
  • Organiser information — your public profile, event content, and payout details. Bank account numbers and PayID values are encrypted at rest.
  • Payment information — card payments are processed by our third-party payment processor. We do not store full card numbers; we receive only transaction metadata (amount, status, payment reference).
  • Promoter information — referral links you create, attribution data, and payout/verification details.
  • Usage and device information — log data, IP address, browser type, and analytics events (see the Cookies section).
  • Agent API information — where you connect an AI agent, we store a hashed form of your API key and its usage timestamps. We never store the plain key.
  • Uploaded content — images and other content you upload (e.g. event covers, profile images).

3. How we collect it

We collect personal information directly from you when you create an account, list or buy tickets, set up payouts, contact us, or use Platform features. We also collect some information automatically through cookies and analytics, and we may receive information from third parties such as our payment processor.

Where an organiser collects attendee information through the Platform (for example via checkout questions), the organiser is a separate handler of that information and is responsible for its own compliance — see section 9.

4. Why we use it

We use personal information to: operate and provide the Platform; create and authenticate accounts (including one-time-code login); process ticket sales, refunds, payouts and commissions; deliver tickets and QR check-in; detect and prevent fraud, abuse and security threats; provide customer support; send transactional messages (purchase confirmations, security, payouts, account and event operations); comply with legal obligations; and improve and secure the Platform.

5. Who we share it with

We share personal information with service providers who help us run the Platform, only as needed and under appropriate confidentiality and security obligations. These include providers of:

  • Payment processing — to take payments, issue refunds and manage payouts.
  • Email delivery — to send transactional and (where applicable) marketing messages.
  • Hosting, infrastructure, content delivery and data storage — to run the Platform and store content such as uploaded images.
  • Security, bot detection and abuse prevention — to protect the Platform and its users.
  • Analytics — to understand and improve how the Platform is used.

When you buy a ticket, the relevant organiser receives the information needed to run their event (such as your name, email and ticket/check-in details). We may also disclose information where required or permitted by law, to enforce our Terms, or to protect the rights, safety or property of BILETO, our users or others.

6. Overseas disclosure

Some of our service providers store or process information outside Australia (for example in the United States or the European Union). Where we disclose personal information overseas, we take reasonable steps to ensure it is handled consistently with the APPs. By using the Platform you acknowledge that your information may be processed in those locations.

7. Cookies and analytics

We use a small number of cookies and similar technologies. These include:

  • Essential cookies — for example your login session cookie, required for the Platform to function.
  • Analytics cookies — set by our third-party analytics provider, to understand how the Platform is used so we can improve it.

You can control or block cookies through your browser settings. Blocking essential cookies may prevent parts of the Platform from working.

8. Marketing communications

We send transactional messages necessary to provide the Platform. Any marketing or promotional messages we send will comply with the Spam Act 2003 (Cth): they will identify the sender and include a functional unsubscribe option. You can opt out of marketing at any time without affecting transactional messages.

9. Organisers as separate handlers

Organisers use the Platform to collect and manage information about their attendees. Each organiser is responsible for its own handling of that information, including its own privacy compliance, lawful basis for any direct marketing, and compliance with the Spam Act 2003 (Cth) and applicable privacy laws. Organisers must not use attendee information for purposes the attendee would not reasonably expect.

10. Security and retention

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. Measures include encryption of sensitive payout details at rest, hashed credentials and API keys, access controls and rate limiting. No method of transmission or storage is completely secure.

We retain personal information for as long as needed to provide the Platform, comply with legal, tax and accounting obligations, resolve disputes, and enforce our agreements, after which we take reasonable steps to delete or de-identify it.

11. Data breaches

We maintain processes to detect and respond to data breaches. Where a breach is likely to result in serious harm and is notifiable, we will comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), including notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) as required.

12. Accessing and correcting your information

You may request access to the personal information we hold about you, and ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant or misleading, consistent with APP 12 and APP 13. You can update much of your information directly in your account. To make a request, contact us via our contact form. We may need to verify your identity before responding.

13. Children

The Platform is not directed at children. Organiser and promoter accounts require users to be at least 18. We do not knowingly collect personal information from children except as permitted by law and with appropriate consent.

14. Changes to this Policy

We may update this Policy from time to time. The updated version will be posted on the Platform with a revised “Last updated” date. Material changes will take effect when posted unless a later date is stated.

15. Contact and complaints

For privacy questions, access or correction requests, or to make a privacy complaint, contact us via our contact form. We will acknowledge and respond to complaints within a reasonable period. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.