Skip to main content
DRAFT — In-house operations draft pending outside counsel review. Placeholders (e.g. <JURISDICTION>) remain. Not legally binding in this state.

Privacy Policy

Last updated: 2026-05-10 · Effective: 2026-05-10

MrStubs is operated by Black Asterisk LLC ("we," "us"). Registered in <JURISDICTION>. This policy explains what we collect, why, who we share it with, and your rights.

1. What we collect

  • Account data: name, email, password hash, phone (optional).
  • Order data: events purchased, ticket type, quantity, attendee names if you provide them.
  • Payment data: handled by Stripe. We store the last 4 digits, card brand, and a Stripe customer ID. We do not see or store full card numbers or CVV.
  • Device and usage: IP, browser, pages visited, referrer.
  • Communications: support emails and chat transcripts.

2. Why we use it — lawful basis (GDPR Art. 6)

Purpose Lawful basis
Run your account and process tickets Contract (Art. 6(1)(b))
Send transactional email (receipts, ticket delivery) Contract
Fraud prevention and platform security Legitimate interest (Art. 6(1)(f))
Analytics and product improvement Consent (Art. 6(1)(a)) — opt-in via banner
Marketing email Consent — opt-in only
Legal compliance, tax, accounting Legal obligation (Art. 6(1)(c))

3. Sub-processors

We share data with these vendors so the platform can function. Each is bound by a contract that limits use to our instructions.

Vendor Purpose Data shared Retention
Stripe (Stripe Connect) Payment processing, payouts to organizers Name, email, payment method tokens, order amount Per Stripe terms (typically 7 years for tax/fraud)
Cloudflare CDN, DNS, load balancer, DDoS protection IP, request metadata, TLS handshake Logs ≤ 30 days
Postgres (self-hosted) Application database (primary store) All account, order, and event data For the life of the account; deleted on request per Section 5
Mailcow (self-hosted) Transactional and support email Name, email, message content 24 months in mailbox; backups 90 days
Glitchtip (self-hosted) Error tracking IP, user ID, error stack, browser 30 days

We post a new "Last updated" date when this list changes.

4. International transfers

Some sub-processors (Stripe, Cloudflare) process data in the United States. Transfers from the EU/UK rely on Standard Contractual Clauses and the EU-US Data Privacy Framework where the vendor is certified.

5. Your rights

GDPR (EU/UK residents)

  • Access, rectification, erasure, restriction, portability, objection.
  • Right to withdraw consent at any time without affecting prior processing.
  • Right to lodge a complaint with your supervisory authority.

CCPA / CPRA (California residents)

  • Right to know what we collect.
  • Right to delete.
  • Right to correct.
  • Right to opt out of "sale" or "sharing." We do not sell personal information for money. Some analytics may qualify as "sharing."
  • Do Not Sell or Share My Personal Information — email [email protected] with subject "Do Not Sell or Share" or use the cookie banner to opt out of analytics.
  • Right to non-discrimination for exercising your rights.

To exercise any right, email [email protected] . We respond within 30 days (GDPR) or 45 days (CCPA).

6. Retention

  • Account data: kept while the account is active, deleted within 90 days of closure unless we must keep it for tax or legal reasons.
  • Order and tax records: 7 years (US tax / EU VAT requirements).
  • Marketing consent records: lifetime of the account plus 3 years.
  • Cookie retention: see our cookies policy.

7. Security

We use TLS in transit, encryption at rest for the database, role-based access for staff, and audit logs. No system is perfect — we maintain an incident response plan and notify users per applicable breach laws.

8. Children

MrStubs is not for children under 16. We do not knowingly collect data from children under 16. If you believe a child has given us data, email [email protected] and we will delete it.

9. Changes

We post changes here with a new "Last updated" date. Material changes are also emailed to account holders.

10. Contact

[email protected] · Black Asterisk LLC · <JURISDICTION> · EU representative (to be designated by counsel) · UK representative (to be designated by counsel)