Privacy Policy

    Outbox Privacy Policy

    Last updated: September 22, 2025

    Outbox (“Outbox,” “we,” “us,” or “our”) provides ticketing and box office technology to venues, promoters, and event organizers (our “Clients”). This Privacy Policy explains how we collect, use, share, and protect personal information when you visit our websites, use our Services, interact with us for sales or support, or apply for a job.

    Quick summary

    • If you’re a website visitor or prospect, this policy explains what we collect on our Sites and for marketing.

    • If you’re a Client or platform user, we use your info to provide and secure the Services.

    • If you’re a ticket buyer, we typically act as a processor for our Clients—your primary privacy relationship is with the event organizer.

    • You have privacy rights. See Your Privacy Rights below to exercise them.

    If you have questions, contact us at contact@outbox.com.

    1) Who we are & scope

    This policy covers personal information processed by Outbox through:

    • Sites: our corporate websites, pages, and forms (e.g., contact@outbox.com).

    • Services: our ticketing and box office software and related tools provided to Clients.

    • Marketing & sales: events, webinars, ads, emails, and social media.

    • Recruiting: when you apply for a job with Outbox.

    Role: We act as controller for personal data we collect directly (e.g., site visitors, prospects, applicants, Client account users). We act as a processor (service provider) when processing ticket buyer data on behalf of Clients. For processor activities, our Clients’ privacy policies govern; we process per their instructions.

    2) Information we collect

    A. Information you provide to us

    • Contact & account data: name, business email, phone, company, job title, password, role.

    • Business records: contracts, orders, billing and invoicing details, support tickets.

    • Communications: emails, chats, call recordings (where permitted), survey responses.

    • Job applicant data: résumé/CV, cover letter, work history, education, references, immigration status, and any info you provide during interviews or assessments.

    B. Information collected automatically

    • Usage & device data: IP address, device identifiers, browser type, operating system, language, referring URLs, pages viewed, links clicked, session duration, and performance metrics.

    • Cookies & similar tech: pixels, tags, SDKs that help us remember your preferences, secure the Sites, understand usage, and personalize content/ads. See Cookies & Tracking.

    C. Information from third parties

    • From Clients: end-user/admin data needed to provision and support the Services.

    • From partners & vendors: lead info, analytics, ad engagement metrics.

    • From public sources: social media profiles, company websites, public directories.

    Ticket buyers: Event organizers (our Clients) may send us your data to fulfill purchases, manage seating, or support event operations. We handle this data as a processor per our contract with the organizer.

    3) How we use information

    We use information for the following purposes (and, where applicable, lawful bases):

    • Provide and improve the Services (perform a contract; legitimate interests): enable logins, configure accounts, process transactions for Clients, provide support, fix issues, develop features, maintain security, and analyze performance.

    • Operate our Sites (legitimate interests; consent for non-essential cookies): remember preferences, measure usage, debug, and keep our Sites secure.

    • Sales & marketing (consent where required; legitimate interests): send product updates, event invites, newsletters; personalize content and ads; measure campaign effectiveness. You can opt out at any time (see Marketing Choices).

    • Recruiting (consent; legitimate interests): evaluate candidates, schedule interviews, and onboard hires.

    • Compliance & protection (legal obligations; legitimate interests): comply with laws, enforce terms, detect and prevent fraud, security incidents, or misuse.

    We may aggregate or de-identify information so it can no longer reasonably be linked to you; we may use and share such information for any lawful purpose.

    4) How we share information

    We do not sell your personal information as the term “sell” is defined by many privacy laws. We may “share” data for cross-context behavioral advertising; see Your Privacy Rights for state law opt-out rights.

    We share information with:

    • Service providers/processors: cloud hosting, security, analytics, communications, payment/billing, recruitment platforms, and customer support tooling. They may only use data to provide services to us and must protect it.

    • Clients: if you are an admin/user of a Client account, we share info with your organization. If you are a ticket buyer, we process and share your data with the relevant Client/event organizer under their instructions.

    • Partners: with your consent or at your direction (e.g., co-marketing, integrations).

    • Legal & safety: to comply with law, lawful requests, or to protect rights, safety, and property.

    • Business transfers: as part of a merger, acquisition, financing, or sale of assets; your information may be transferred as permitted by law.

    5) Cookies & tracking

    We use cookies and similar technologies for the following purposes:

    • Essential: authentication, security, load balancing.

    • Analytics: understand Site and Service usage.

    • Functional: remember preferences.

    • Advertising: deliver and measure ads on our Sites and third-party sites.

    Where required by law, we obtain your consent for non-essential cookies. You can manage cookies via our cookie banner, your browser settings, or the Do Not Sell/Share options (where applicable). Blocking cookies may impact Site functionality.

    6) Data retention

    We keep personal information only as long as necessary to:

    • provide the Services and operate the Sites,

    • comply with legal obligations (e.g., tax, accounting),

    • resolve disputes, enforce agreements, and protect our rights.

    When no longer needed, we delete or irreversibly de-identify data according to our retention policies. Typical retention examples: marketing leads (24–36 months of inactivity), support logs (12–24 months), contract/account records (during the relationship + 7 years), recruiting data (up to 24 months unless you consent to a talent pool).

    7) Security

    We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, network monitoring, and employee training. No system is 100% secure; if we detect a breach impacting your data, we will notify you and regulators as required by law.

    8) International data transfers

    We may process and store information in countries other than where it was collected. Where required, we use appropriate safeguards for cross-border transfers (e.g., EU/UK Standard Contractual Clauses, UK IDTA/Addendum, and additional measures as needed). You can request a copy of relevant transfer mechanisms via contact@outbox.com.

    9) Your privacy rights

    Depending on your location, you may have the right to:

    • Access your personal information and obtain a copy.

    • Correct inaccurate or incomplete data.

    • Delete your information.

    • Portability: receive your data in a usable format.

    • Restrict or object to certain processing (including profiling and direct marketing).

    • Withdraw consent where processing is based on consent.

    • Appeal a decision if we deny your request (US state laws).

    You can exercise your privacy rights by emailing contact@outbox.com. We may need to verify your identity and will respond within the timeframes required by law.

    California & other US state privacy laws (e.g., CA, CO, CT, VA, UT):

    • We do not “sell” personal information for money. We may “share” identifiers and internet activity with advertising partners for cross-context behavioral advertising. You can opt out via our “Do Not Sell or Share My Personal Information” link or by using a browser-based opt-out signal (e.g., GPC), which we honor.

    • You may also request disclosure of categories of personal info collected, sources, purposes, and third parties, and request deletion or correction.

    • You may use an authorized agent to submit requests (subject to verification).

    • We do not discriminate for exercising your rights.

    EEA/UK/Swiss residents: Outbox is the controller for Site/marketing data. Our legal bases include contract performance, legitimate interests (e.g., service improvement, security, marketing to business contacts), consent (where required), and legal obligations. You may lodge a complaint with your local supervisory authority, but we encourage you to contact us first.

    10) Marketing choices

    • Email & SMS: You can unsubscribe using the link in our messages or by contacting us.

    • Ads: Adjust cookie settings, use platform controls (e.g., Google/LinkedIn/Facebook ad preferences), or enable a browser opt-out signal where supported.

    • Analytics: You can use industry tools (e.g., Google’s opt-out add-on) and your browser settings to limit tracking.

    11) Ticket buyers: our role as processor

    When you purchase or manage tickets for an event using our technology, the event organizer (Client) is the data controller. We process your information on their behalf to deliver the Services (e.g., seating, payments via their chosen processor, access control, communications). To exercise your privacy rights as a ticket buyer, please contact the event organizer directly. We will assist our Clients in responding to such requests as required by law and our contracts.

    12) Children’s privacy

    Our Sites and Services are intended for business use and are not directed to children. We do not knowingly collect personal information from children under 16 (or a higher age where required by local law). If you believe a child has provided us personal information, contact contact@outbox.com and we will take appropriate steps to delete it.

    13) Third-party sites, platforms, and integrations

    Our Sites may include links to third-party websites, plug-ins, or integrations. We are not responsible for the privacy practices of those third parties. Review their policies before providing any personal information.

    14) Changes to this policy

    We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated version on our Sites and updating the “Last updated” date. Your continued use of the Sites or Services after changes become effective means you accept the updated policy.

    15) Contact us

    Outbox CRB Inc. 

    705 - 3575 boulevard St-Laurent

    Montréal, QC  H2X 2T7

    Privacy & data protection inquiries:

    Email: contact@outbox.com

    Data Protection Officer: Jean-Philippe Samson

    16) Region-specific addendum

    • California CPRA Notice (Categories Table):

    • Identifiers: name, email, IP address (sources: you, your device; purposes: service, security, marketing; sharing: service providers, advertising partners).

    • Customer records & commercial info: account, transactions (sources: you/Client; purposes: service, support, compliance; sharing: service providers, Client).

    • Internet activity: browsing, usage (sources: your device; purposes: analytics, security, ads; sharing: service providers, advertising partners).

    • Professional/employment info: job title, company (sources: you, public sources; purposes: sales, contracts; sharing: service providers).

    • Inferences: product interest segments (purposes: marketing; sharing: advertising partners).

    We retain data as described above; we disclose for business purposes and may “share” for advertising. We do not knowingly sell or share data of consumers under 16.

    • EEA/UK Transparency (Art. 13/14 GDPR): contact details of controller/representative; legal bases listed in Section 3; recipients in Section 4; transfers in Section 8; retention in Section 6; rights in Section 9; whether provision of data is required (typically optional for Sites; necessary for Service accounts); existence of automated decision-making (we do not engage in solely automated decisions that produce legal or similarly significant effects).