Cigar & Bourbon Tickets Data Processing Addendum
This Data Processing Addendum (“Addendum”) supplements the terms of the Data Protection Statement of the Cigar & Bourbon Tickets ticketing, registration, and membership platform (“Platform”), owned and operated by Cigar & Bourbon Tickets LLC (“Company”, “we”, “us”, or “our”), a limited liability company organized under the laws of the State of California, with its principal place of business at 8821 Aviation Blvd Unit 88271, Los Angeles, CA 90009 USA. This Addendum forms part of the agreement between Company and its users. To learn more about Cigar & Bourbon Tickets Legal Terms, take a look here.
Definitions
(a) “Data Controller” means the entity that determines the purposes and means of processing personal information.
(b) “Data Processor” means the entity that processes personal information on behalf of the Data Controller.
(c) “Data Subject” refers to an individual whose personal information is processed.
(d) “Personal Information” has the meaning ascribed to it under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and includes any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Roles of the Parties
(a) Company, as the operator of the Platform, acts as the Data Controller for the personal information collected through the Platform, as described in the Data Protection Statement.
(b) Event Organizers, who use the Platform to list and manage events and memberships, may act as independent Data Controllers for the personal information they collect from Data Subjects. Company acts as a Data Processor on behalf of Event Organizers in processing such personal information.
(c) With respect to payment information, Stripe acts as an independent Data Controller and Data Processor pursuant to its own privacy policy and the Stripe Connected Account Agreement.
Obligations of the Data Processor
(a) Compliance with Instructions: Company shall process personal information in accordance with the instructions provided by the Event Organizers, as documented in the Platform’s functionalities and agreed-upon terms.
(b) Confidentiality: Company shall ensure that its personnel involved in the processing of personal information are subject to appropriate confidentiality obligations.
(c) Security Measures: Company shall implement reasonable technical and organizational measures to protect the personal information against unauthorized access, disclosure, alteration, or loss. These measures include SSL/TLS encryption, secure hosting with Cloudflare protection, access controls, and regular security monitoring.
(d) Data Subject Requests: Company shall, to the extent possible, assist Event Organizers in fulfilling their obligations to respond to Data Subject requests relating to the personal information processed through the Platform, including requests to access, correct, delete, or port data.
(e) Sub-Processors: Company engages sub-processors to assist in the provision of the Platform’s services. A current list of sub-processors is maintained at /subprocessors/. Company shall ensure that such sub-processors are bound by contractual obligations that provide the same level of data protection as set forth in this Addendum. Company will notify Organizers of material changes to its sub-processor list.
(f) Data Breach Notification: In the event of a data breach affecting personal information processed on behalf of an Event Organizer, Company shall notify the affected Organizer without undue delay (and in any event within 72 hours of becoming aware of the breach) and provide sufficient information to enable the Organizer to meet any obligations to report the breach to authorities or Data Subjects.
(g) Data Deletion: Upon termination of an Organizer’s account or upon written request, Company shall delete or anonymize the personal information processed on behalf of the Organizer within 90 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or dispute resolution).
Event Organizer’s Responsibilities
(a) Compliance with Laws: Event Organizers shall comply with all applicable data protection laws and regulations, including the CCPA/CPRA, in their collection, use, and processing of personal information through the Platform.
(b) Lawful Basis for Processing: Event Organizers shall ensure that they have a valid lawful basis, such as consent or legitimate interest, to process personal information and that all necessary consents or permissions are obtained from Data Subjects as required by applicable laws.
(c) Data Subject Rights: Event Organizers shall be responsible for responding to Data Subject requests relating to their personal information, including requests to access, rectify, delete, or restrict the processing of personal information. Company shall assist Organizers in fulfilling such requests as described above.
(d) Organizer Privacy Policies: Event Organizers are encouraged to maintain their own privacy policies that describe how they collect, use, and protect personal information obtained through the Platform.
(e) Indemnification: Event Organizers shall indemnify and hold Company harmless from any claims, losses, or damages arising out of or in connection with their processing of personal information through the Platform in violation of applicable laws.
Term and Termination
This Addendum shall remain in effect as long as the Event Organizer continues to use the Platform. Either party may terminate this Addendum in the event of a material breach by the other party, subject to any notice and cure provisions in the agreement between the parties. The obligations regarding data deletion, confidentiality, and security shall survive termination.
Governing Law and Dispute Resolution
This Addendum shall be governed by and construed in accordance with the laws of the State of California and applicable federal laws of the United States, without regard to conflict of laws principles. Any disputes arising out of or in connection with this Addendum shall be resolved through arbitration in accordance with the rules of the American Arbitration Association.
This Data Processing Addendum is an integral part of the agreement between Company and Event Organizers using the Platform and reflects the specific data processing obligations related to the processing of personal information.