Privacy Policy

Last updated: July 1, 2026

Loftstage (“Loftstage”, “we”, “us”) is a subscription ticketing platform for venues, operated from Montréal, Québec, Canada. This policy explains what personal information we collect, why, who we share it with, and the rights you have over it. It applies to the Loftstage websites (loftstage.com and its subdomains, including venue event pages), the organizer dashboard, and ticket purchases made through the platform.

We are subject to Québec’s Act respecting the protection of personal information in the private sector (as amended by Law 25) and to Canada’s PIPEDA. The person in charge of the protection of personal information is the operator of Loftstage, reachable at privacy@loftstage.com.

Who this policy covers

  • Organizers — venues and their staff who create an account and sell tickets.
  • Buyers — people who purchase tickets. Buyers check out as guests; no buyer account is ever created.
  • Visitors — anyone browsing our pages.

What we collect

From organizers

  • Account details: name, email address, password (stored only as a hash) or your Google account link if you sign in with Google.
  • Venue details: organization name, address, contact and billing email, description, images you upload.
  • Identity verification (KYC): handled entirely by Stripe. We never see or store your identity documents — we store only your Stripe account identifier and its verification status.
  • Subscription billing: processed by Stripe. We do not store card numbers.

From buyers

  • Order details: your name, email address, tickets purchased.
  • Payment: processed by Stripe directly to the venue’s Stripe account. We never see or store your card number.
  • Fraud-prevention evidence, collected on every order: your IP address, a hashed device fingerprint (a one-way signature of technical browser characteristics), and timestamps. We collect this to protect venues and buyers against payment fraud and to respond to chargebacks. It is used for nothing else.
  • Ticket usage: whether and when your ticket’s QR code was scanned at the door.

From everyone

  • Technical logs: IP address, request identifiers, and error reports needed to run and secure the service.
  • Analytics and error session replay — only with your consent, see “Cookies and consent” below.

Why we use it

  • To provide the service: accounts, event pages, checkout, ticket delivery, the door scanner, and support.
  • To process payments and subscriptions through Stripe.
  • To prevent fraud and respond to payment disputes.
  • To meet legal obligations (tax, accounting, record-keeping).
  • With your consent only: to understand how the product is used and to replay error sessions so we can fix bugs.

We do not sell personal information. Ever.

Cookies and consent

Strictly necessary cookies (sign-in sessions, security protections, your language choice, and the record of your consent choices) are always active — the platform cannot work without them. Everything else is off by default:

  • Product analytics (PostHog)— page views and usage patterns, enabled only if you accept the “analytics” category in our consent banner.
  • Error session replay (Sentry) — an anonymized replay of your session captured only when an error occurs, with all text you type masked; also enabled only with your consent.

You can change your mind at any time via “Cookie preferences” in the page footer. Our hosting provider (Vercel) also collects cookieless, aggregate performance metrics that identify no one.

Who we share it with

We share personal information only with the service providers that run the platform, each bound to use it solely to provide their service to us:

  • Stripe — payments, payouts, identity verification, subscription billing.
  • Vercel — application hosting.
  • Cloudflare — content delivery, security filtering, event-page hosting.
  • Neon — database hosting.
  • Upstash — short-lived operational cache.
  • Resend — transactional email delivery.
  • Inngest — background job processing.
  • Sentry — error monitoring (and, with consent, error session replay).
  • Axiom — operational logs.
  • PostHog — product analytics (with consent only).

If you buy a ticket, the venue you bought it from receives your name, email address and order details — they are the seller of your ticket and need this to run their event. Venues are independently responsible for how they use their attendee lists.

We may also disclose information where the law requires it (for example, a court order) or to protect the safety and rights of users and the platform.

Where your information is stored

Loftstage is operated from Québec, but our infrastructure providers store and process data primarily in the United States. Your personal information therefore leaves Québec and Canada. We choose providers with strong contractual and technical safeguards, but information stored abroad is subject to the laws of those jurisdictions.

How long we keep it

  • Organizer accounts: for as long as the account exists.
  • Order and transaction records: kept after the event for legal, accounting and dispute-evidence purposes (typically up to seven years for financial records), then deleted or anonymized.
  • Operational logs: rotated on short schedules.
  • Backups: encrypted, rotated on a 30-day cycle — deleted data ages out of backups within 30 days.

Security

All traffic is encrypted in transit (TLS). Access tokens are stored hashed. Access to production data is restricted to the operator. Payment card data never touches our servers. No system is perfectly secure, but if a confidentiality incident presents a risk of serious injury, we will notify you and the Commission d’accès à l’information as the law requires.

Your rights

You may ask us at any time to: access the personal information we hold about you; correct it; withdraw your consent to analytics; or delete your information (subject to records we must legally retain, which we will anonymize instead). Write to privacy@loftstage.com — we respond within 30 days.

If you are unsatisfied with our response, you may lodge a complaint with the Commission d’accès à l’information du Québec or the Office of the Privacy Commissioner of Canada.

Children

Loftstage is not directed at children. We do not knowingly collect personal information from anyone under 14 without parental consent.

Changes to this policy

If we make material changes, we will update the date at the top and, for significant changes affecting organizers, notify account holders by email. Continued use of the platform after a change means you accept the updated policy.

Contact

Privacy questions, requests and complaints: privacy@loftstage.com.