Privacy Policy

The controller of your personal data is Tonyzales, an Estonian company with registry code 17173259, registered office in Tallinn, Estonia, and EU VAT identifier EE102829396.

For any privacy or data protection question, write to [email protected]. If you live in the European Union and believe your rights have not been properly addressed, you can file a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee) or with the authority in your country of residence.

When you create an account: your email address, a bcrypt-hashed password, and a TOTP secret for two-factor authentication. The plaintext password is never stored.

When you place an order: your declared country, the payment method used, the identifiers returned by the payment processor (for example a Stripe transaction ID), and your IP at the time of purchase. For Zelle payments we also store the proof you uploaded.

In enhanced verification (KYC): when an operation exceeds certain thresholds we may ask for a photo of your government-issued identity document. That image is processed through Stripe Identity, a specialised identity verification provider.

For security and fraud prevention: we log sign-ins, detected country changes, failed payment attempts and a hash of your IP on every sensitive action.

If you sign in with a third-party provider (Google or Facebook): we receive your name, email address and, if available, your profile picture, solely to create or identify your account. We never post on your behalf or access your contacts.

To process your purchases and deliver the digital codes you bought. This is the contractual basis under Article 6(1)(b) of the GDPR.

To meet our legal obligations on tax, accounting, anti-money laundering and counter-terrorism financing. This basis falls under Article 6(1)(c) of the GDPR.

To prevent fraud, detect abuse and protect customers and the platform. This corresponds to the legitimate interest of Article 6(1)(f) of the GDPR.

To send you communications about the status of your orders and, if you explicitly authorise it, marketing communications. Marketing relies on your revocable consent (Article 6(1)(a)) and always includes an unsubscribe link.

We share only what is strictly necessary with the following third parties, all subject to their own privacy policies and Data Processing Agreements (DPA) with us: Stripe (card payment processor), PayPal (PayPal payments), NowPayments (crypto payments), Resend Inc. (transactional email), Cloudflare Inc. (CDN and R2 storage), Hetzner Online GmbH (server hosting in Falkenstein, Germany), Anthropic PBC (AI assistance for ticket classification, once that feature is enabled).

Login providers (Google and Meta Platforms/Facebook): only if you choose to authenticate with them. We exchange the minimum data needed to create or identify your account (name, email and, if available, profile picture). Their processing of that data is governed by their own privacy policies.

We share data with the competent authorities when a legal rule obliges us to, for example in response to a duly grounded request from the Prosecutor General, the Estonian Financial Intelligence Unit (Rahapesu Andmebüroo) or a court with jurisdiction.

We never sell personal data to third parties and we do not use it for off-platform targeted advertising.

Our main infrastructure is in the European Union (Germany and Estonia). Some providers process data in other countries, mainly the United States. In those cases we require adequate safeguards such as Standard Contractual Clauses approved by the European Commission or adherence to the EU-US Data Privacy Framework, as appropriate.

Data of active accounts is kept while the account remains open. If you request closure, we delete personal data that we are not required by law to retain.

Financial, tax and anti-money laundering records are kept for 5 years from the end of the business relationship or from the date of the transaction, whichever is later. This term is imposed by the EU 5th AML Directive and the equivalent Estonian Act.

Security and anti-fraud logs are kept for 12 months, unless they become part of a fraud case under investigation, in which case they are retained until the case is closed.

Under the GDPR you have the right to access the data we hold about you, to rectify it if inaccurate, to request its erasure when there is no legal basis to keep it, to object to certain processing, to request portability in a structured and commonly used format, and to withdraw any consent you have given at any time.

Deleting your account and data: you can request deletion of your account and personal data by writing to [email protected] from your registered email address. We process the request within a maximum of 30 days, except for records we are legally required to keep (see section 6). If you signed in with Facebook or Google, you can also revoke access from the settings of that provider (on Facebook: Settings & privacy → Settings → Apps and websites).

To exercise any of these rights, write to [email protected] from the address you registered with. We respond within a maximum of 30 calendar days. If you do not receive an answer or you disagree with it, you can turn to the Estonian Data Protection Inspectorate or the authority in your country.

We use strictly necessary cookies for the site to function: a session cookie to keep you signed in, a cart cookie to preserve what you were buying, and signed cookies bound to two-factor authentication and the detected country.

We do not use third-party advertising or tracking cookies for marketing purposes. If we ever add any, we will ask for explicit consent through a cookie banner before activating it.

Tonyzales is not aimed at people under 16. If we become aware that an account was opened on behalf of a minor without valid parental consent, we delete the associated data immediately. If you are a parent or legal guardian and believe your child opened an account without authorisation, write to [email protected].

If we change this policy we update the date at the bottom and, when changes affect substantive rights, we notify customers with an active account by email at least 15 days before the new version takes effect.