
Privacy Policy
Effective April 27, 2026
Who we are
SeatLock Inc. (“SeatLock”, “we”, “us”) is a corporation incorporated under the Ontario Business Corporations Act on January 22, 2025 (Ontario Corporation Number 1001114159), with its registered office at 116 Yorkview Drive, Toronto, Ontario, M2R 1L7, Canada. We operate a peer-to-peer escrow service that helps buyers and sellers exchange Ticketmaster tickets without trusting each other directly.
This policy describes what personal information we collect when you use SeatLock, why we collect it, who we share it with, and the choices you have. If anything below is unclear, email privacy@seatlock.ca.
Information we collect
We collect only what we need to run the escrow flow and meet our legal obligations. Concretely:
Account & profile
- Sign-in identity. When you sign in with Google, Facebook, or Apple, we receive your email address, display name, and (where the provider supplies one) profile picture URL. Apple may return a private relay email address instead of your real one; we treat whatever the provider gives us as your sign-in email.
Wallet & payments
- In-app wallet balance and a full ledger of every credit and debit (deposits, trade payments, refunds, payouts, withdrawals).
- Stripe identifiers. When you deposit funds or connect a payout account, Stripe assigns us a Customer ID and (for sellers) a Connect Account ID. We store those IDs to associate Stripe activity with your account.
- Payout eligibility. A timestamp set when Stripe tells us your connected account is eligible to receive payouts.
- Card numbers and bank details — we never see these. They are entered directly into Stripe and stored by Stripe.
Trade activity
- Listings you create or join: invite code, event reference, number of tickets, seat descriptions, asking price, fee, and current status.
- An immutable audit log of state changes on your trades (created, joined, paid, completed, cancelled, expired, disputed).
Ticketmaster transfer emails received at our inbox
SeatLock does not hold tickets in an intermediate account. To verify a transfer happened, the seller transfers tickets in Ticketmaster to a per-trade SeatLock relay address (transfer+{code}@seatlock.ca) instead of directly to the buyer. The Ticketmaster transfer notifications land at our inbox; we verify them, store them as audit evidence, and forward the relevant ones to the buyer so they can accept the transfer in their own Ticketmaster account. For each TM email we accept, we store:
- Envelope and header addresses (from, to), subject line, and the message body in plain text and HTML form.
- Authentication metadata used to confirm the email actually came from Ticketmaster (DKIM verdict, origin domain).
- Information we extract from Ticketmaster transfer emails: the event name, ticket count, and seat descriptors. These let us match the email to the correct trade.
We never read, scan, or store any of your personal email. We do not connect to your Gmail or any other inbox of yours — every email we process arrives directly at SeatLock’s own inbox at seatlock.ca from Ticketmaster.
How we use it
- To run the escrow. Match buyers to sellers, hold funds until a trade resolves, and release or refund based on the Ticketmaster confirmation emails we observe.
- To prevent fraud and abuse. Verify that the same person isn’t signing up twice with different providers, that an inbound email genuinely came from Ticketmaster, and that the transfer matches the listing before relaying it to the buyer.
- To process payments and payouts through Stripe.
- To support you. Investigate disputes, respond to questions, and resolve stuck trades.
- To meet legal obligations (tax, accounting, anti-fraud, lawful requests).
We do not sell your personal information. We do not use your data for advertising or for training third-party AI models.
Who we share it with
We share data only with service providers that help us run SeatLock, and only as needed for them to do their job:
- Supabase — our hosting, database, and authentication provider. All your account data, trades, and wallet ledger live in Supabase Postgres.
- Stripe — payments (Stripe Checkout for deposits) and seller payouts (Stripe Connect Express). Stripe receives the information necessary to process a transaction and is itself subject to Stripe’s privacy policy.
- Google, Facebook & Apple — only as identity providers when you choose to sign in with them. We receive limited profile data from them; we do not push data back.
- CloudMailin — our email vendor. Receives Ticketmaster transfer notifications at our SeatLock inbox (the per-trade transfer+{code}@seatlock.ca alias) and sends the relayed message on to the buyer’s sign-in email. CloudMailin sees the contents of those messages in transit but does not store user accounts on our behalf.
- Amplitude — our product analytics and session-replay provider, subject to the consent flow described under “Analytics & session replay” below. Amplitude receives the events and session recordings generated by your visit; it does not receive your wallet balance, your trade history, or any Stripe / Ticketmaster data.
- The other party in your trade. When you create or join a trade, your display name is shown to the counterparty so they know who they’re dealing with. After payment is confirmed, the seller is shown a per-trade SeatLock relay address to use as the recipient in Ticketmaster — they never see the buyer’s email. No other contact details are shared.
We may also disclose information when required by law, to enforce our terms, or to protect the rights, property, or safety of SeatLock or our users.
How we keep it safe
- Database access is gated by row-level security: by default you can only read your own profile, your own wallet ledger, and trades you participate in.
- Sensitive operations (creating trades, paying, releasing funds, recording forwarded emails) go through server-side functions with explicit authorization checks.
- Inbound Ticketmaster emails are accepted only after we verify the original Ticketmaster DKIM signature. Messages that fail are rejected.
- Card and bank details are handled directly by Stripe and never touch our servers.
No system is perfect. If you believe your account has been compromised, contact us immediately.
Cookies and browser storage
SeatLock uses two kinds of cookies, both first-party and set on the SeatLock domain:
- Strictly-necessary authentication cookies. When you sign in, our auth provider (Supabase) sets a short-lived access token cookie and a longer-lived refresh token cookie so subsequent requests know who you are. During the OAuth handshake a temporary code-verifier cookie is also set and then discarded.
- A returning-visitor preference cookie. On successful sign-in we set a small cookie (“seatlock-returning”) that simply records the fact that you have signed in here before. We use it only to personalize the sign-in page (e.g. show “Welcome back” instead of “Welcome”). It contains no identifier or personal data and lasts up to two years.
We also use the browser’s sessionStorage briefly to keep multi-step flows working across redirects. For example, if you click “Pay with card” on a trade and we send you to Stripe to top up your wallet, we store the trade’s ID in sessionStorage so we can bring you back to that exact trade after Stripe returns. These entries are first-party, contain no personal data beyond an internal identifier, and are removed as soon as the flow completes (or when you close the tab).
The auth cookies above are strictly necessary to deliver the service you asked for; the returning-visitor cookie is a functional preference. We also use the analytics described in the next section — that processing has its own consent flow, and we explain it separately below.
When you are redirected to Stripe (for deposits or to manage your Connect account) or to Google, Facebook, or Apple (to sign in), those providers may set their own cookies on their own domains under their own privacy policies. We have no access to them. You can clear or block cookies in your browser at any time; doing so will sign you out of SeatLock and reset the returning-visitor flag.
Analytics & session replay
To understand how SeatLock is actually used, find bugs, and attribute referrals, we use Amplitude — a product analytics service that includes session replay. Amplitude is a service provider acting on our instructions.
What is captured
- Product events. Page views, clicks, and form interactions (which fields you focus, when you submit), captured automatically by Amplitude’s autocapture.
- Session recordings. A replayable reconstruction of your visit — mouse movements, scroll position, clicks, and DOM changes as the page updates. It is not a video; it’s a structured log the Amplitude viewer plays back.
- Device & environment metadata. Browser, operating system, screen size, language, and an approximate location derived from your IP address (city / region level — we do not receive precise GPS coordinates).
We sample 100% of sessions and Amplitude retains the data for up to 12 months, after which it is deleted on Amplitude’s side.
What is masked or never captured
- Passwords. Standard password inputs are masked by default — the replay shows asterisks, never the characters you typed.
- PII-bearing fields. We additionally tag inputs and elements that carry personal information — email fields, prices, wallet balances, ledger amounts — with the CSS class amp-mask. Anything inside such an element is replaced with a placeholder in the recording.
- Card numbers, CVCs, and bank details. These are entered inside Stripe’s own iframes hosted on a different origin. Session replay cannot see inside a cross-origin iframe at all, so payment fields are inherently invisible to Amplitude — they were never on the page from the recorder’s point of view.
A note on profiling
Building a record of how an identifiable person interacts with our product — including by replaying their session — is a form of profiling under Quebec’s Law 25 and a form of personal-data processing under the GDPR. We treat it as such, and the consent model below reflects that.
Linking anonymous activity to your account
Before you sign in, your activity is tied to an anonymous Amplitude device ID. When you create an account, the events recorded during that anonymous session are linked to your new user ID so that things like referral attribution work correctly. After that point, your Amplitude profile is keyed to your SeatLock account.
Your consent to analytics
Because analytics and session replay go beyond what’s strictly necessary to run the service, we ask for your consent. The exact prompt depends on where you appear to be visiting from, based on the approximate IP geolocation described above:
- Quebec, the United Kingdom, and the European Economic Area — and any visitor whose location we cannot determine — see an express opt-in banner on first visit. Nothing is recorded, no events are sent, and no session replay starts until you click Accept. This mirrors what Quebec Law 25 and the GDPR / UK GDPR require for profiling and analytics cookies.
- The rest of Canada and the United States see an informational banner on first visit. Analytics starts on arrival under an implied-consent model, and the banner gives you a one-click Opt out. If you opt out, we stop sending events and stop session replay for the rest of your visit and on future visits from the same browser.
Once you make a choice — Accept, Decline, or Opt out — we remember it on your device and it overrides the geo-defaulting on every subsequent visit. You can change your mind at any time using the button below; it clears your stored choice and re-shows the banner so you can re-choose.
How long we keep it
We keep your account data while your account is open and for as long afterwards as we need to comply with our legal and accounting obligations or to resolve outstanding disputes. Ticketmaster transfer emails received at our inbox are kept while they remain relevant to a trade or dispute investigation, and the link to your account is removed when you delete your account.
Wallet ledger entries (deposits, payments, payouts, refunds, withdrawals) are immutable financial records and are retained even after you delete your account, with the link back to your account anonymised — required by Canadian tax and accounting law.
When you delete your account we also keep a small audit log recording your former account ID, your email at the time, the date, and how the request was made (in-app, admin, or support). We’re required to keep this record under GDPR Art. 17(3)(b) and CCPA §1798.130(a)(4) so we can demonstrate that the deletion request was honored.
Stripe separately retains its own customer and connected account records under its privacy policy. We don’t instruct Stripe to delete those when you delete your SeatLock account, so that ongoing disputes, chargebacks, or refunds tied to your earlier transactions remain investigable.
Your choices
- Access & correction. You can view and edit your profile (display name) from your account settings.
- Withdraw funds. You can withdraw your available wallet balance through Stripe Connect at any time, subject to Stripe’s payout requirements.
- Account deletion. You can delete your account directly from your profile page in SeatLock. Before deleting, you’ll be asked to cancel or complete any active trades and withdraw your wallet balance to zero. Once you confirm, we delete:
  - your profile (display name, avatar, the Stripe customer ID and Connect account ID we store);
  - the trades you participated in (and their seat lists); Ticketmaster transfer emails attached to those trades are cascade-deleted with them;
  - your sign-in record so the account can no longer be used to log in.
Wallet ledger entries are kept with the link to your account anonymised, and a short deletion-audit record is kept for the legal reasons described under “How long we keep it”. Stripe also retains its own customer and Connect account records on its side under its own privacy policy. When you delete your account — or if you email us with a deletion request — we also instruct Amplitude to delete the events and session recordings associated with your account so the analytics history goes with it. If you’d rather we handle the deletion for you, or you can’t access the in-app option, email privacy@seatlock.ca.
- Regional rights. Depending on where you live, you may have additional rights under PIPEDA (Canada), the GDPR (EU/UK), or your local privacy law — for example, the right to a copy of your data, to object to certain processing, or to lodge a complaint with a regulator. Contact us to exercise them.
International transfers
Our infrastructure providers (Supabase, Stripe, CloudMailin, Amplitude, Google, Facebook, Apple) operate from data centers in multiple countries, including the United States. By using SeatLock you acknowledge that your information may be processed outside your country of residence.
Children
SeatLock is not directed to anyone under 18, and we do not knowingly collect information from minors. If you believe a minor has signed up, contact us and we’ll remove the account.
Changes to this policy
We may update this policy as the product evolves. When we make material changes, we’ll update the effective date at the top and, where appropriate, notify you in-app or by email. Continued use of SeatLock after a change means you accept the updated policy.
Contact
SeatLock Inc.
116 Yorkview Drive
Toronto, Ontario, M2R 1L7
Canada
Ontario Corporation Number: 1001114159
privacy@seatlock.ca