PRIVACY POLICY

Tiveko

www.tiveko.com

Effective date: February 11, 2026

1. Introduction

This Privacy Policy (hereinafter, the "Policy") describes how MS Themes, Inc. (hereinafter, "MS Themes," "we," or "the Company") collects, uses, stores, shares, and protects the personal data of users of the Tiveko platform, accessible at www.tiveko.com and any associated applications (hereinafter, the "Platform").

This Policy applies to all users of the Platform, including event Organizers, ticket Buyers, and website visitors. By accessing or using the Platform, you accept the practices described in this Policy. If you do not agree with any provision, you must refrain from using the Platform.

This Policy should be read in conjunction with the Terms and Conditions of Use available on the Platform.

2. Definitions

Terms defined in the Terms and Conditions of Use maintain the same meaning in this Policy. Additionally:

• "Personal Data": Any information that directly or indirectly identifies or allows the identification of a natural person, including name, email, IP address, payment data, among others.
• "Data Controller": The natural or legal person who decides on the processing of Personal Data. MS Themes is the Controller with respect to data it collects directly; the Organizer is the Controller with respect to data of attendees at their events.
• "Data Processor": The natural or legal person who processes Personal Data on behalf of the Controller. MS Themes acts as Processor with respect to Buyer data it processes on behalf of Organizers.
• "Cookies": Small text files stored on the user's device that allow it to be recognized and remember preferences.
• "Tracking Technologies": Cookies, tracking pixels, web beacons, SDKs, and similar technologies used to collect information about user activity.
• "Virtual Event": An event that takes place wholly or partially through the Zoom video conferencing platform, integrated with the Platform.

3. Data We Collect

3.1 Data Provided Directly by the User

Organizers:

• Full name and contact information (email, phone).
• Organization information (name, logo, description).
• Authentication data managed through Clerk (access credentials, identity provider).
• Stripe Connect account information (managed directly by Stripe).
• Linked Zoom account data for the creation of Virtual Events (managed directly by Zoom).

Buyers:

• Full name.
• Email address.
• Purchased ticket information (type, quantity, event date).
• Data necessary for payment processing (managed directly by Stripe).

3.2 Data Collected Automatically

• IP address and approximate geolocation data.
• Browser type, operating system, and device.
• Pages visited, date and time of access, session duration.
• Referral URL (website from which the user arrived).
• Platform interaction data (clicks, forms, transactions).

3.3 Virtual Event Data (Zoom)

When an Organizer uses the Zoom integration to create Virtual Events, the Platform may process the following data in connection with said integration:

• Zoom meeting identifiers (Meeting ID).
• Meeting configuration data (date, time, duration, access settings).
• Meeting access link information provided to Buyers.

Important note: Data generated during the Zoom meeting (audio, video, chat, participant data, recordings) is processed directly by Zoom Video Communications, Inc. and is subject to Zoom's Privacy Policy (https://explore.zoom.us/en/privacy/). MS Themes does not have access to, control over, or store data generated within Zoom meetings.

3.4 Data from Third Parties

In certain circumstances, we may receive personal data from third parties, including:

• Data provided by Stripe about transaction status.
• Data from the authentication provider (Clerk) when the user registers through a social identity provider (Google, etc.).
• Zoom API data related to the status and configuration of meetings created through the Platform.

4. Purposes of Processing

4.1 Primary Purposes (Necessary for Service Provision)

• Create and manage user accounts.
• Process the creation, sale, and issuance of tickets.
• Facilitate the creation and configuration of Virtual Events through the Zoom integration.
• Provide Virtual Event access information to Buyers who purchase tickets.
• Send purchase confirmations, tickets, and event-related notifications.
• Manage teams and permissions within Organizations.
• Provide sales and attendance analytics to Organizers.
• Facilitate the HubSpot Marketing Events integration for Pro Plan users.
• Provide technical support and customer service.
• Comply with legal and regulatory obligations.

4.2 Secondary Purposes (with Consent or Legitimate Interest)

• Improve and optimize the Platform through usage and behavior analysis.
• Send commercial communications about updates, new features, or Tiveko promotions (the user may unsubscribe at any time).
• Personalize the user's experience on the Platform.
• Prevent fraud, abuse, and illicit activities.
• Conduct aggregated and anonymous statistical analyses.

5. Legal Basis for Processing

Personal Data processing is carried out under the following legal bases, as applicable:

• Contract performance: When processing is necessary for the provision of the contracted service (account creation, ticket processing, Virtual Event configuration, event management).
• Consent: When the user has given their explicit consent (commercial communications, non-essential cookies, tracking integrations).
• Legitimate interest: When processing is necessary for our legitimate interests or those of third parties (fraud prevention, Platform security, service improvement), provided that the user's rights do not prevail.
• Legal obligation: When processing is necessary to comply with an applicable legal obligation.

6. Technology Infrastructure and Service Providers

The Platform operates through the following service providers, who act as Data Processors to the extent they process Personal Data on our behalf:

6.1 Vercel, Inc.

• Function: Web application hosting, distribution, and deployment.
• Data processed: Web traffic data, access logs, IP addresses.
• Server location: United States and global distribution network (CDN).
• Privacy policy: https://vercel.com/legal/privacy-policy

6.2 Clerk, Inc.

• Function: Authentication, identity management, and user sessions.
• Data processed: Access credentials, email, name, social identity provider data, session tokens.
• Privacy policy: https://clerk.com/legal/privacy

6.3 Stripe, Inc.

• Function: Payment processing via Stripe Connect.
• Data processed: Payment data, identity verification information (KYC), transaction history, Organizer bank data.
• Important note: Stripe acts as an independent payment processor. The Buyer's financial data is processed directly by Stripe and is not stored by MS Themes. The Organizer's relationship with Stripe is governed by Stripe's own terms.
• Privacy policy: https://stripe.com/privacy

6.4 Supabase, Inc.

• Function: Database and backend services.
• Data processed: All information stored on the Platform, including user, event, ticket, and configuration data.
• Privacy policy: https://supabase.com/privacy

6.5 Zavu (Zavudev)

• Function: Transactional email and WhatsApp Business message delivery (purchase confirmations, tickets, reminders, notifications).
• Data processed: Recipient email address and/or phone number, message content, delivery metadata.
• Privacy policy: https://zavu.dev/legal/privacy

6.6 Zoom Video Communications, Inc.

• Function: Video conferencing platform for Virtual and hybrid Events.
• Data processed by the integration: Meeting identifiers, meeting configuration (date, time, duration, access options), meeting access link.
• Data processed directly by Zoom: Once the participant joins the Zoom meeting, all data generated (audio, video, chat, participant data, recordings, transcriptions, and telemetry) is processed directly by Zoom in accordance with its own terms and policies. MS Themes does not have access to or control over this data.
• Important note: The Zoom integration with the Platform is limited to creating and configuring meetings through the Zoom API. The user's relationship with Zoom during the meeting is governed exclusively by Zoom's terms of service and privacy policy.
• Privacy policy: https://explore.zoom.us/en/privacy/
• Terms of service: https://zoom.us/terms

7. Cookies and Tracking Technologies

7.1 First-Party Cookies

We use essential cookies necessary for the operation of the Platform:

• Session cookies: Keep the user's session active during their visit.
• Authentication cookies: Managed by Clerk to maintain login status.
• Preference cookies: Store the user's configuration preferences.

7.2 Organizer Analytics and Marketing Integrations

The Platform allows Organizers to configure the following third-party integrations on their event pages. When an Organizer activates these integrations, the corresponding tracking technologies run on their event pages:

Google Analytics (Google LLC)

• Purpose: Web traffic analysis, visitor behavior, and conversion metrics.
• Data collected: IP address (anonymized when applicable), pages visited, session duration, traffic source, device type and browser, interaction events.
• Main cookies: _ga, _ga_*, _gid, _gat.
• Retention: According to the Organizer's configuration in their Google Analytics account.
• Privacy policy: https://policies.google.com/privacy
• Opt-out: https://tools.google.com/dlpage/gaoptout

Google Tag Manager (Google LLC)

• Purpose: Centralized management of tracking tags and scripts.
• Data collected: Google Tag Manager itself does not collect personal data, but it facilitates loading of other services that may do so. The data collected depends on the tags configured by the Organizer.
• Privacy policy: https://policies.google.com/privacy

Meta Pixel (Meta Platforms, Inc.)

• Purpose: Conversion tracking, custom audience creation, and remarketing on Meta platforms (Facebook, Instagram).
• Data collected: IP address, cookie identifiers, pages visited, actions taken (ticket purchase, event views), device and browser data.
• Main cookies: _fbp, _fbc.
• Privacy policy: https://www.facebook.com/privacy/policy/
• Opt-out: https://www.facebook.com/settings?tab=ads

AdRoll (NextRoll, Inc.)

• Purpose: Retargeting advertising and ad performance analysis.
• Data collected: IP address, browsing data, cookie identifiers, ad interaction information.
• Main cookies: __adroll, __adroll_fpc, __ar_v4.
• Privacy policy: https://www.nextroll.com/privacy
• Opt-out: https://app.adroll.com/optout

7.3 Organizer Responsibility

It is the Organizer's responsibility to inform Buyers about active tracking technologies on their event pages and to obtain the consents required by applicable data protection laws. MS Themes provides the technical functionality, but the Organizer decides which integrations to activate and is responsible for the corresponding regulatory compliance.

8. Data Sharing with Third Parties

MS Themes does not sell Personal Data to third parties. We share data only in the following cases:

8.1 Service Providers

We share data with the service providers described in Section 6 (Vercel, Clerk, Stripe, Supabase, Zavu, and Zoom), exclusively for the provision of contracted services and subject to confidentiality obligations.

8.2 Organizers

Buyer data (name, email, ticket type, ticket status) is accessible to the Organizer of the corresponding event, who acts as an independent Data Controller.

8.3 Organizer Integrations

When the Organizer activates third-party integrations (Google Analytics, Meta Pixel, AdRoll, HubSpot, Zoom), Buyer data may be shared with said third parties according to the Organizer's configurations.

8.4 Legal Requirements

We may disclose personal data when required by law, court order, subpoena, or other legal process, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

9. International Data Transfers

Personal Data collected through the Platform is stored and processed on servers located in the United States of America. By using the Platform, the user consents to the transfer of their data to the United States.

For users located in the European Economic Area (EEA), Mexico, or other jurisdictions with restrictions on international data transfers, we inform that:

1. Our service providers (Vercel, Clerk, Stripe, Supabase, Zavu, Zoom) implement adequate security measures in accordance with industry standards.
2. Transfers are carried out based on standard contractual clauses approved by competent authorities, the data subject's consent, or any other valid legal mechanism.
3. MS Themes implements appropriate technical and organizational measures to ensure an adequate level of protection for transferred data.

10. Data Retention

Personal Data is retained for the time necessary to fulfill the purposes for which it was collected:

• Organizer account data: During the account's term and up to 12 months after cancellation.
• Transaction and ticket data: For 5 years after the transaction, in accordance with applicable tax and legal obligations.
• Analytics and cookie data: According to the retention periods of each provider (see Section 7).
• Lead data: While the Organizer's account is active and up to 6 months after cancellation.
• Virtual Event data (Zoom configuration): During the event's term and up to 12 months after its occurrence.

Anonymized or aggregated data that does not allow individual identification may be retained indefinitely for statistical purposes.

11. Data Security

MS Themes implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction, including:

1. Data-in-transit encryption via TLS/SSL (managed by Vercel).
2. Data-at-rest encryption in the database (managed by Supabase).
3. Secure authentication with multi-factor authentication support (managed by Clerk).
4. Payment processing in compliance with the PCI DSS standard (managed by Stripe).
5. Role-based access control and permissions within Organizations.
6. System access monitoring and logging.
7. Communications with Zoom protected via TLS encryption and OAuth authentication tokens.

However, no security system is infallible. MS Themes cannot guarantee absolute data security and shall not be liable for security breaches in third-party service provider systems.

12. User Rights

Depending on your location and applicable legislation, you may have the following rights regarding your Personal Data:

• Access: Request information about the Personal Data we hold about you.
• Rectification: Request the correction of inaccurate or incomplete data.
• Deletion: Request the deletion of your Personal Data, subject to legal retention obligations.
• Objection: Object to the processing of your data for certain purposes.
• Portability: Request a copy of your data in a structured, commonly used format.
• Restriction of processing: Request the restriction of your data processing in certain circumstances.
• Withdrawal of consent: Withdraw your consent at any time, without affecting the lawfulness of prior processing.
• Non-discrimination: Not be discriminated against for exercising your privacy rights.

To exercise any of these rights, send a request to soporte@tiveko.com with the subject line "Privacy Rights." We will respond within a maximum of 30 calendar days.

12.1 Jurisdiction-Specific Rights

California Residents (CCPA/CPRA): You have the right to know what personal data we collect, request its deletion, opt out of the sale or sharing of your data, and not be discriminated against for exercising these rights. MS Themes does not sell personal data as defined by the CCPA.

European Economic Area Residents (GDPR): You have all the rights described above and may file a complaint with the data protection authority in your country. For data processed in connection with the Zoom integration, we inform you that data generated within Zoom meetings is controlled by Zoom and/or the Organizer; we recommend consulting Zoom's privacy policy and contacting the Organizer to exercise your rights regarding such data.

Mexico Residents (LFPDPPP): You may exercise your ARCO rights (Access, Rectification, Cancellation, and Opposition) under the Federal Law on Protection of Personal Data Held by Private Parties. To exercise these rights, send a request to soporte@tiveko.com indicating: your full name, a clear description of the right you wish to exercise, and a copy of an official identification document. We will respond within a maximum of 20 business days in accordance with the LFPDPPP.

Brazil Residents (LGPD): You have the rights provided under the General Data Protection Law, including confirmation of processing, access, correction, anonymization, portability, and deletion.

13. Children's Privacy

The Platform is not directed at minors. We do not intentionally collect Personal Data from persons under 18 years of age (or the applicable minimum age in your jurisdiction). If we become aware that we have collected data from a minor without the consent of their parent or legal guardian, we will delete such information promptly.

If you are a parent or guardian and believe your child has provided Personal Data to the Platform, contact us at soporte@tiveko.com.

14. Organizer Responsibility as Data Controller

14.1 Role of the Organizer

When an Organizer collects Buyer data through the Platform (including through features such as lead capture), the Organizer becomes an independent Data Controller. This includes data collected through analytics and marketing integrations configured by the Organizer, as well as data generated in connection with Virtual Events held through Zoom.

14.2 Organizer Obligations

The Organizer commits to:

1. Comply with all applicable data protection laws in the jurisdictions where they operate.
2. Inform Buyers about the processing of their data, including disclosure of active tracking technologies.
3. Obtain the necessary consents for the collection and use of personal data, especially for the use of non-essential cookies and tracking technologies.
4. Implement consent management mechanisms (cookie banners) when required by applicable legislation.
5. Respect the rights of data subjects and address their requests promptly.
6. Not use Buyer data for purposes incompatible with those disclosed.
7. In the case of Virtual Events, inform attendees about Zoom's privacy policies and obtain necessary consents, including consent for recording if applicable.
8. Comply with Zoom's terms of service and privacy policies when using the Virtual Events integration.

14.3 MS Themes' Responsibility as Processor

In its capacity as Data Processor, MS Themes commits to:

1. Process Buyer data solely in accordance with the Organizer's instructions and the purposes established in this Policy.
2. Implement the security measures described in Section 11.
3. Notify the Organizer in the event of a security breach affecting their Buyers' data.
4. Facilitate data portability and deletion when requested by the Organizer.

15. Third-Party Services and External Links

The Platform may contain links to third-party websites or services (including Stripe, HubSpot, Zoom, Google, Meta, and AdRoll). This Privacy Policy does not apply to such third-party services. We recommend that users review the privacy policies of each third-party service before providing their personal data.

16. HubSpot Marketing Events Specific Data

For Organizers using the HubSpot integration (Pro Plan), the following data is synced with HubSpot:

• Event information (name, dates, description).
• Registrant and attendee data (name, email, ticket type, attendance status).
• Event metrics (tickets sold, revenue, attendance rate).

This data is transferred to the Organizer's HubSpot account, and the Organizer is the Controller for subsequent processing of such data in accordance with HubSpot's terms (https://legal.hubspot.com/privacy-policy).

17. Modifications to This Policy

MS Themes reserves the right to update this Policy at any time. Modifications will take effect upon publication on the Platform. Material changes will be communicated to registered users via the email associated with their account at least 15 days in advance.

The "Last updated" date at the end of this Policy indicates when the most recent revision was made.

18. Contact

For any inquiry, rights exercise request, or complaint related to this Policy, you may contact us at:

Email: soporte@tiveko.com Suggested subject: "Privacy — [Description of the request]" Company: MS Themes, Inc. Website: www.tiveko.com

We commit to responding to all requests within a maximum of 30 calendar days.

Last updated: February 11, 2026