Last updated May 2026
Kickflip Experience Company ("Kickflip," "we," "us," or "our") operates the Kickflip event discovery and ticketing platform at kickflip.co. This Privacy Policy explains what information we collect, how we use it, the legal bases on which we rely, and the choices and rights you have. By using Kickflip, you agree to the practices described in this policy, except where your applicable law requires a separate consent (in which case we will obtain that consent through the platform).
Kickflip operates two categories of events. For events organized by third-party creators ("Creator Events"), we process attendee data both as a data controller for our own purposes (e.g., providing the platform) and, in some cases, as a processor or joint controller alongside the creator. For events that Kickflip itself organizes, hosts, or produces ("Kickflip Originals," labeled with a visible "Hosted by Kickflip" badge), Kickflip is the event organizer and is the controller of attendee data for that event. The same privacy practices described in this policy apply in both cases, except that for Kickflip Originals there is no third-party creator with whom we share organizer-level attendee data.
Account Information: When you sign in with Google, we receive your name, email address, and profile photo via Google OAuth. We store these to create and maintain your account.
Saved Events: We store the events you save, whether via local storage (when signed out) or our database (when signed in). On first sign-in we migrate any locally saved events to your account.
Ticket and Purchase Data: When you buy a ticket, we store your name, email, ticket details, and payment confirmation reference. Guest purchasers provide their name and email at checkout. We do not store full payment card data — see Section 5.
Usage Signals: We collect signals to improve recommendations: inferred chat intent categories (e.g., "looking for music events in Capitol Hill"), event click data, and search interactions. While we attempt to limit identifiability, some of these signals may be linked or linkable to your account and should therefore be considered "pseudonymous" rather than fully anonymous under GDPR and CPRA. We never store the raw text of your chat messages on our servers.
Our chat feature is powered by Claude, an AI assistant developed by Anthropic, PBC. When you send a message, it is transmitted to Anthropic's API to generate a response. Anthropic processes this data under their own privacy policy (anthropic.com/privacy) and our data processing agreement with Anthropic.
Kickflip does not retain the raw text of your chat messages on Kickflip servers. We retain inferred intent signals derived from chat interactions (e.g., inferred category preferences) for the purpose of improving recommendations. As noted in Section 2, these signals may be linkable to your account and should be considered pseudonymous.
Legal bases (GDPR / UK GDPR): Where GDPR or UK GDPR applies, we process personal data on the following legal bases: (a) performance of a contract — to provide the Service you have requested; (b) legitimate interests — to improve our platform, prevent fraud, and ensure security, balanced against your rights and freedoms; (c) legal obligations — to comply with applicable law, including tax, accounting, and regulatory requirements; and (d) consent — where required by law (e.g., for certain marketing communications), in which case you may withdraw consent at any time.
To provide the Service: display personalized event feeds, process ticket purchases, send ticket confirmations and event reminders, and enable creators to communicate with their attendees.
To improve the platform: analyze usage signals to improve event recommendations, chat quality, and product features.
To protect the Service: detect fraud, enforce our Terms of Service, and prevent abuse.
To comply with law: respond to lawful requests, comply with tax and accounting obligations, and enforce our agreements.
We do not sell your personal data to third parties. We do not engage in cross-context behavioral advertising or share personal data for the purpose of targeted advertising. We do not use your data for third-party advertising.
All payments are processed by Stripe, Inc. We do not store your card number, CVV, or full payment credentials on our servers. Stripe operates on PCI-DSS compliant infrastructure.
For creators, Stripe Connect is used to facilitate payouts. Your Stripe Connect account is governed by Stripe's Connected Account Agreement (stripe.com/connect-account/legal). We store a reference to your Stripe account ID to coordinate payouts. We may also store transaction metadata (amount, status, timestamp) for accounting and reconciliation purposes.
You can review Stripe's Privacy Policy at stripe.com/privacy.
Transactional emails (ticket confirmations, refund receipts, RSVP confirmations, event reminders) are sent via Resend and are necessary for the Service to function.
You can turn off event reminder notifications at any time from your Profile settings. We may occasionally send product updates — you can unsubscribe via the link in any such email.
If you are a creator, we may send operational emails about your events, payouts, and account status. These cannot be fully disabled while your creator account is active.
We use a session cookie to keep you signed in. This cookie is strictly necessary for authentication and cannot be disabled without breaking sign-in functionality. See our Cookie Policy (kickflip.co/cookies) for full details.
We use browser local storage to save events for users who are not signed in. This data stays on your device and is not transmitted to our servers until you sign in.
We rely on the following subprocessors to operate Kickflip. We maintain a data processing agreement with each, and each is subject to confidentiality, security, and data protection commitments at least as protective as those in this Privacy Policy:
We will update this list as our subprocessor arrangements change. We do not use third-party advertising networks, retargeting pixels, or behavioral tracking services.
Kickflip is headquartered in the United States, and the data we collect is processed in the United States. If you access Kickflip from outside the United States, your information will be transferred to, stored in, and processed in the United States. Where required, we rely on the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum) with our subprocessors to provide an appropriate safeguard for personal data transferred from the EEA, UK, or Switzerland.
We retain your account data while your account is active. If your account has been inactive for 36 consecutive months, we may delete or anonymize the account and associated personal data after providing notice to your registered email at least 30 days in advance. If you delete your account, we remove your personal data within 30 days, except where retention is required for legal, tax, accounting, or fraud-prevention purposes (in which case the data is retained only for as long as necessary for those purposes and access is restricted).
Pseudonymous usage signals are retained for up to 24 months to support long-term product improvement and are then deleted or further de-identified.
You can request a copy of your personal data, correct inaccurate information, or delete your account at any time from your Profile page or by contacting support@kickflip.co.
California (CCPA / CPRA): If you are a California resident, you have the rights to: (a) know what personal information we collect, use, disclose, and retain about you; (b) access and obtain a copy of that information; (c) request deletion or correction of inaccurate information; (d) opt out of the "sale" or "sharing" of personal information (we do not sell or share for cross-context behavioral advertising); (e) limit the use of "sensitive personal information" (which, in our case, is limited to account credentials); and (f) be free from discrimination for exercising your rights.
Categories of personal information collected (CPRA enumeration): In the 12 months preceding the date of this policy, we have collected the following statutory categories of personal information: identifiers (name, email, account ID); commercial information (ticket purchases, saved events); internet or electronic network activity (event clicks, search interactions, inferred chat categories); and sensitive personal information limited to account log-in credentials. We collect this information directly from you, from Google OAuth, and from your interactions with the platform. We disclose information only to the subprocessors listed in Section 8 and as otherwise described in this policy.
EEA / UK (GDPR / UK GDPR): If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights to: access, rectification, erasure, restriction of processing, data portability, and objection to processing based on legitimate interests. You may also withdraw consent where we rely on consent. You have the right to lodge a complaint with your supervisory authority, although we encourage you to contact us first at support@kickflip.co so we can address your concerns directly.
Washington (My Health My Data Act): See Section 12 below.
We do not respond to Do Not Track signals, as there is no industry standard for such signals. We do honor the Global Privacy Control (GPC) signal as an opt-out of "sale" or "sharing" under CPRA, although as noted we do not engage in such activity.
If you are a Washington consumer, the Washington My Health My Data Act ("MHMDA") provides additional rights regarding "consumer health data," defined broadly to include personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status, including inferences derived from non-health information.
Health-adjacent event categories: We acknowledge that some event categories on Kickflip (for example: yoga, meditation retreats, recovery and support meetings, fertility workshops, LGBTQ+ events, mental wellness events) could in some circumstances be construed as consumer health data when associated with you. We do not use such categories for advertising, do not sell such data, and apply heightened access controls to category-linked profile data for Washington users.
No medical providers in scope: Kickflip does not knowingly list events provided by entities licensed by a state Department of Health or that involve diagnosis, treatment, or prescription of medical conditions. Kickflip is not a covered entity or business associate under HIPAA and does not collect Protected Health Information. The Creator Agreement prohibits Department-of-Health-licensed providers from listing on the platform.
Your MHMDA rights: As a Washington consumer, you have the rights to: (a) confirm whether we are collecting, sharing, or selling your consumer health data, and access such data; (b) withdraw consent; (c) request deletion; and (d) appeal a denial of your request. We do not sell consumer health data and we do not share it for advertising. To exercise your rights, contact support@kickflip.co. We will respond within 45 days, with one 45-day extension where reasonably necessary.
Kickflip is intended for adults 18 and older. We do not knowingly collect personal information from anyone under 18. If you believe we have collected personal information from a minor, please contact support@kickflip.co and we will delete the information promptly. We do not knowingly process personal information from children under 13 within the meaning of COPPA.
We implement reasonable technical and organizational measures to protect your information against unauthorized access, disclosure, or loss, including encryption in transit, access controls, and routine security review. However, no internet transmission is 100% secure.
Breach Notification: In the event of a security incident affecting your personal information, we will notify affected users without undue delay and in accordance with applicable breach notification laws, including the breach notification statutes of your state of residence and, where applicable, GDPR Article 33/34 timelines. Notification will include a description of the incident, the categories of information affected, the steps we are taking, and recommended steps you can take to protect yourself.
Promptly notify us at support@kickflip.co if you suspect a security incident affecting your account.
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before they take effect. Continued use of Kickflip after the effective date constitutes acceptance of the revised policy.
For privacy-related questions or requests, contact us at support@kickflip.co.
Questions? Email us at support@kickflip.co