PRIVACY POLICY (TICKET BUYERS)

Last Updated: 14th March 2026

1. INTRODUCTION AND COMPLIANCE Tessera Ticketing Solutions Ltd (“Tessera,” “we,” “us,” or “our”) is committed to protecting your personal data. This Privacy Policy outlines how we collect, process, store, and protect your personal information in strict compliance with the Zambia Data Protection Act No. 3 of 2021 (the “Act”).

Under the Act, Tessera acts as a registered Data Controller when collecting your information to create an account and process ticket sales. In some instances, we act as a Joint Controller alongside the Event Organizer.

2. LEGAL BASIS FOR PROCESSING We only process your personal data when we have a lawful basis under Section 13 of the Act. These bases include:

  • Consent: Where you have explicitly agreed to the processing (e.g., subscribing to marketing emails).

  • Contractual Necessity: Processing required to fulfill our agreement with you (e.g., processing your payment and delivering your ticket).

  • Legal Obligation: Processing required to comply with Zambian laws (e.g., tax reporting).

  • Legitimate Interests: Processing for business operations, security, and fraud prevention, provided these interests do not override your fundamental rights.

3. INFORMATION WE COLLECT

  • Identity & Contact Data: First name, last name, email address, phone number, and physical billing address.

  • Financial Data: Payment details. (Note: Tessera does not directly store full credit card numbers; this is handled securely by our PCI-compliant third-party payment processors).

  • Technical & Usage Data: IP address, browser type, operating system, and data regarding your interaction with our Platform.

4. HOW WE USE YOUR INFORMATION

  • To process transactions, issue digital tickets, and provide customer support.

  • To communicate critical event updates, cancellations, or policy changes.

  • To verify your identity and prevent fraudulent transactions or unauthorized account access.

5. DATA SHARING AND DISCLOSURE We do not sell your personal data. We share your information only under the following conditions:

  • With Event Organizers: When you purchase a ticket, we share your Name, Email, Phone Number, and Ticket Details with the Organizer. This is strictly required for event admission and day-of-event communication. Organizers are legally bound to protect this data and cannot use it for unrelated marketing without your consent.

  • With Service Providers: We share data with trusted processors (e.g., payment gateways, cloud hosting) who operate under strict Data Processing Agreements.

  • Legal Compliance: We may disclose data if required by Zambian law enforcement, court order, or to protect the safety of the public.

6. CROSS-BORDER DATA TRANSFERS Our Platform may utilize cloud servers located outside of Zambia. In accordance with Section 71 of the Act, any cross-border transfer of personal data is conducted only when:

  • You have explicitly consented to the transfer; or

  • The transfer is necessary for the performance of a contract; and

  • Appropriate safeguards, approved by the Data Protection Commissioner, are in place to ensure your data receives an adequate level of protection.

7. DATA RETENTION We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. In accordance with ODPC guidelines, transaction and account data is retained for a minimum of one (1) year beyond the active processing need, or longer if required to satisfy Zambian accounting, tax, or legal obligations. Once this period expires, your data is securely deleted or anonymized.

8. DATA SECURITY AND BREACH NOTIFICATION We implement rigorous technical and organizational measures to secure your data against unauthorized access, alteration, or destruction. In the unlikely event of a data breach that compromises your personal information, Tessera will notify you and the Office of the Data Protection Commissioner (ODPC) within twenty-four (24) hours of discovering the breach, as mandated by the Act.

9. YOUR DATA SUBJECT RIGHTS Under Part IX of the Zambia Data Protection Act, you possess the following rights regarding your personal data:

  • Right of Access: You may request details about the personal data we hold about you.

  • Right to Rectification: You may request that we correct any inaccurate or incomplete data.

  • Right to Erasure (“Right to be Forgotten”): You may request the deletion of your personal data when it is no longer necessary for the purpose it was collected.

  • Right to Restriction of Processing: You may request that we temporarily halt the processing of your data under specific conditions.

  • Right of Objection: You may object to the processing of your data for direct marketing or legitimate interests.

  • Right to Data Portability: You may request a copy of your data in a structured, machine-readable format to transfer to another controller.

  • Right Regarding Automated Decision Making: You have the right not to be subject to a decision based solely on automated processing.

To exercise any of these rights, please contact our Data Protection Officer using the details below. We will respond within the statutory timeframes.

10. CHILDREN’S PRIVACY In compliance with Section 17 of the Act, our Services are not directed to individuals under the age of 18. We strictly prohibit the collection or processing of personal data from minors without verified consent from a parent or legal guardian. If we discover that we have inadvertently collected such data without authorization, it will be immediately deleted.

11. CONTACT US AND COMPLAINTS If you have questions, wish to exercise your rights, or want to lodge a complaint regarding our data practices, please contact our Data Protection Officer:

Tessera Ticketing Solutions Ltd Plot 2153/m Kateya Road Leopards Hill Lusaka, Zambia Email: [email protected] Phone: +260 97 313 7700

Note: You also maintain the right to lodge a formal complaint directly with the Office of the Data Protection Commissioner (ODPC) in Zambia if you believe your rights have been violated.