PRIVACY POLICY

Last updated: 1 October 2025

This Privacy Policy explains how The Masked Theatre Pty Ltd (“we”, “us”, “our”) collects, uses, discloses, and protects personal information when you use our website, buy event/show tickets, purchase digital products (E-Books & Audio Stories), buy physical products, or organise events on our platform.

We process personal information in line with South Africa’s Protection of Personal Information Act, 2013 (POPIA) and related guidance. This notice is intended to meet POPIA Section 18 transparency obligations (what we collect, why, who we share with, your rights, and how to contact us).

1) Who we are & contacts

Responsible party: The Masked Theatre Pty Ltd

If you believe your POPIA rights are infringed, you may also contact the Information Regulator (South Africa). Contact details are available on the Regulator’s website.

2) What we collect

  1. A) Customers (attendees/buyers)
  • Identity & contact: name, email, phone.
  • Account & login: username, password (hashed), preference settings.
  • Orders & bookings: event name/date, seats/ticket IDs, order numbers, download counts (for digital goods), fulfilment and courier references (for physical goods).
  • Communications: messages you send us (support, refund requests, queries).
  • Device & usage: IP address, timestamps, basic logs for security and performance (e.g., failed login attempts, error diagnostics).
  1. B) Organizers / Agents (platform users)
  • Identity & contact: legal name, trading name, email, phone.
  • Verification & compliance (where applicable): ID or business documents, proof of authority, proof of bank account for payouts.
  • Financial for payouts: bank account details and settlement preferences (we do not store full card numbers).
  • Event operations: listing content (text, images, logos, audio/video), schedules, prices, venue details.
  • Scanning device registration: device identifiers (e.g., model/OS/app ID), assigned users, and basic scan logs (time, status).
  • Communications: support threads, settlement and dispute correspondence.
  • Device & usage: security/diagnostic logs, especially around scanning and box-office tools.
  1. C) Children

Our services are aimed at adults. We do not knowingly collect personal information from children without the consent of a competent person (parent/guardian), as required by POPIA.

3) How we collect it

  • Directly from you: when you create an account, purchase, submit a form, or contact us.
  • Automatically: through necessary cookies and logs for security and performance.
  • From service providers: payment gateways send us transaction confirmations; couriers send delivery statuses; ticketing/scanning tools log scans.
  • From organizers: where they provide event details or attendee lists for fulfilment (e.g., reserved seating allocations).

4) Why we process it (purposes) & lawful grounds

We use personal information to:

  • Provide and support our services (create accounts, take orders, issue tickets/QRs, register scanning devices, deliver downloads, ship products, process refunds/returns, settle payouts). Lawful ground: necessary to conclude/perform a contract; or to take steps at your request.
  • Comply with the law (tax, accounting, fraud prevention, lawful requests). Lawful ground: legal obligation.
  • Communicate with you (service messages such as confirmations, event changes, password resets).
  • Improve security and performance (detect abuse, protect accounts, maintain uptime). Legitimate interests balanced against your rights.
  • Direct marketing (optional): only with your consent or under the existing customer rules in POPIA; you can opt out any time.

5) Cookies & analytics

We use necessary cookies (e.g., session/cart/security). We may use basic analytics to understand usage and improve site performance. You can manage cookies in your browser. We only place non-essential cookies or send direct marketing in line with your preferences/consent.

6) Sharing with operators (service providers)

We use trusted providers who process information for us, for example:

  • Payments: PayFast, Ozow, PayPal (we receive transaction confirmations, not full card details).
  • Ticketing & events: our WordPress/WooCommerce stack, WP Event Manager, scanning apps/devices registered to your event.
  • Delivery: couriers and logistics partners (for shipped products).
  • Hosting, security, backups, email: infrastructure and support tools.

These providers act on our instructions and under appropriate safeguards. Some are located outside South Africa; when transferring personal information internationally, we rely on POPIA Section 72 grounds (e.g., contractual safeguards/adequacy, your consent, or transfer necessary for a contract with you).

7) Organizers/Agents – how you may use attendee data

When organizers access attendee information through our platform (e.g., to manage entry, seating or updates):

  • You act as a responsible party (controller) for any separate uses of attendee data outside our platform’s built-in processes.
  • You must comply with POPIA, only authorise use of attendee information for the event’s legitimate purposes (e.g., operational updates), honour opt-outs, and avoid unsolicited marketing unless you have a lawful ground (such as consent).
  • You must keep attendee information secure, limit staff access, and delete it when no longer needed for the event or legal reasons.
  • You are solely responsible for content and compliance in your listings and communications (including spelling, images, logos, branding, copyright/permissions, ages, warnings). We do not endorse or verify organiser content.

If you export attendee data or use third-party tools, you must ensure those tools are lawful operators with appropriate safeguards.

8) Box office & scanning privacy notes

  • When we run box office or scanning for an event, we will process attendee check-ins (scan time/status), which helps prevent fraud and resolve entry disputes.
  • When you scan, each device must be registered with us to link scans to your event. You are responsible for ensuring devices, power, and signal at the venue; we are not responsible for organiser devices or connectivity.

9) Retention

We keep information only as long as needed for the purposes above and as required by law (e.g., tax/financial record-keeping). Typical periods:

  • Orders & tickets: retained for legal/accounting and chargeback windows.
  • Download logs: kept long enough to enforce limits and resolve support issues.
  • Organiser payout records & KYC: kept as required by financial and audit obligations.
  • Accounts: retained while active; limited archives may be held after closure where legally required.

10) Security

We use reasonable technical and organisational measures to protect personal information against unauthorised access, loss, or misuse. No system is perfectly secure, but we work to minimise risks and respond to incidents appropriately.

11) Your rights (POPIA)

Under POPIA you can access your information, request correction of inaccuracies, object to certain processing (including direct marketing), and request deletion or destruction where appropriate. To exercise your rights, email legal@tmtheatre.co.za.
You also have the right to complain to the Information Regulator.

12) Direct marketing

We send service emails/SMS necessary to provide our services. For direct marketing, we rely on your consent or the existing customer provisions in POPIA. You can opt out at any time via the unsubscribe link or by emailing support@tmtheatre.co.za.

13) Cross-border transfers

Where operators process data in other countries, we implement safeguards consistent with POPIA Section 72 (e.g., contracts ensuring adequate protection) or rely on other permitted grounds (such as necessity for a contract with you or your consent).

14) Third-party sites & links

Our site may link to third-party websites or services. Their privacy practices are their own; please review those notices before providing personal information to them.

15) Social media (Facebook, Instagram, X & TikTok)

Platforms covered. Our official pages/accounts on Facebook, Instagram, X (Twitter), and TikTok operated by The Masked Theatre Pty Ltd (“Our Social Pages”).

What we collect on-platform.

  • Public interactions you choose to make (comments, replies, reviews, tags/mentions, handles, profile photos).
  • Direct Messages (DMs) and enquiries you send us.
  • Platform analytics/insights (e.g., reach, engagement, aggregated audience demographics).
  • If you visit our website from Our Social Pages, we may use advertising/analytics tools such as Meta Pixel, TikTok Pixel, or similar to measure performance and deliver/retarget ads—see 5) Cookies & analytics.

How we use it.

  • Community management and support (responding to enquiries, moderating comments).
  • Marketing and content improvement (including re-sharing public posts that tag us or use our campaign hashtags, in line with each platform’s terms; we’ll credit your handle and remove upon request).
  • Running promotions/competitions (subject to posted rules; not sponsored, endorsed, or administered by Facebook, Instagram, X, or TikTok).
  • Safety and legal compliance (e.g., removing prohibited content, preventing abuse).

Lawful grounds (POPIA).

  • Legitimate interests to run Our Social Pages and engage with you.
  • Consent where required (e.g., for certain marketing/retargeting cookies; you can withdraw any time—see 12) Direct marketing and your platform privacy settings).

Sharing.

  • Platform providers (Meta, X, TikTok) and trusted operators (e.g., social media management/analytics tools) acting on our instructions with appropriate safeguards.
  • We do not sell your personal information.

Moderation & house rules.
We may hide/remove content or block users for spam, harassment, hate speech, illegal content, or privacy violations. Please don’t post sensitive data (IDs, card numbers, medical info) in public comments or DMs.

Retention.

  • Public posts remain per platform settings.
  • DMs/inquiries are generally retained up to 12 months (or longer if needed for legal or complaint handling) and then deleted or anonymised.

Your choices & rights.

  • Manage ad preferences and privacy settings directly in each platform.
  • To exercise POPIA rights (access, correction, deletion, objection) or to request removal of content we re-shared, contact legal@tmtheatre.co.za. Cross-border processing by platforms is covered by 13) Cross-border transfers.

Children.
Our Social Pages are not intended for children under 18. We do not knowingly collect their data.

16) Changes to this policy

We may update this Policy to reflect operational or legal changes. We’ll post the updated version with a new “Last updated” date.

17) How to contact us