PRIVACY POLICY

GrabScene — Events Ticket Marketplace Platform

Effective Date: March 21, 2026 Last Updated: March 22, 2026

1. INTRODUCTION

1.1. This Privacy Policy ("Policy") describes how GrabScene ("Company," "Platform," "we," "us," or "our") collects, uses, stores, shares, transfers, and protects the personal data and information of individuals ("User," "you," or "your") who access or use the GrabScene website, mobile application, and all related services (collectively, the "Platform").

1.2. GrabScene operates as an online marketplace connecting event organizers ("Organizers") with ticket buyers ("Buyers") across all categories of events, including concerts, music festivals, conferences, workshops, sports events, and more.

1.3. By creating an account, accessing, browsing, or using the Platform in any manner, you acknowledge that you have read, understood, and unconditionally consent to the collection, use, storage, processing, sharing, and transfer of your personal data as described in this Policy. If you do not agree to this Policy in its entirety, you must immediately cease all use of the Platform and delete your account.

1.4. This Policy is incorporated into and forms an integral part of GrabScene's Terms and Conditions. Capitalised terms not defined herein shall have the meanings ascribed to them in the Terms and Conditions.

1.5. This Policy is published in compliance with the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), the Digital Personal Data Protection Act, 2023 ("DPDP Act"), and any rules, regulations, or guidelines issued thereunder, as applicable and in force from time to time.

2. DATA CONTROLLER

2.1. For the purposes of this Policy and applicable data protection laws, GrabScene is the data fiduciary (as defined under the DPDP Act) and data controller responsible for the processing of your personal data collected through the Platform.

2.2. For any questions, concerns, or requests regarding this Policy or your personal data, you may contact us at:

GrabScene Email: support@grabscene.com

3. PERSONAL DATA WE COLLECT

GrabScene collects personal data through multiple channels and mechanisms. The categories of data collected are as follows:

3.1. Information You Provide Directly

3.1.1. Account Registration Data: When you create an account on the Platform, we collect your full name, email address, phone number, date of birth (or age), and profile photo (if uploaded).

3.1.2. Event-Related Data: When you purchase tickets, list events, or interact with Event pages, we collect transaction details, ticket preferences, event interests, and any communications exchanged through the Platform.

3.1.3. Communications Data: When you contact our support team, submit feedback, file complaints, or participate in surveys, we collect the content of your communications, including any attachments.

3.1.4. User-Generated Content: Any reviews, ratings, comments, or other content you voluntarily submit through the Platform.

3.2. Information Collected Automatically

3.2.1. Device and Technical Data: We automatically collect information about the device you use to access the Platform, including device type, model, manufacturer, operating system and version, browser type and version, screen resolution, unique device identifiers (including advertising identifiers), and hardware settings.

3.2.2. IP Address: We collect your Internet Protocol (IP) address each time you access the Platform. Your IP address may be used to derive your approximate geographic location (city and state level).

3.2.3. Usage and Behavioural Data: We collect information about your interactions with the Platform, including pages visited, links clicked, features used, time spent on each page, navigation paths, search queries entered on the Platform, events viewed, events bookmarked, ticket purchase history, and session duration and frequency.

3.2.4. Location Data:

GPS / Real-Time Location: With your explicit permission (via device-level location permissions), we may collect precise GPS-based geolocation data from your mobile device. You may revoke this permission at any time through your device settings; however, doing so may limit certain location-based features of the Platform.
IP-Based Location: We derive your approximate location (city and state) from your IP address. This occurs automatically and does not require separate consent beyond acceptance of this Policy.
User-Entered Location: We collect any city, region, or location preference you manually enter or select within the Platform for the purpose of showing relevant local events.

3.2.5. Log Data: Our servers automatically record information generated by your use of the Platform, including access times, referring URLs, error logs, crash reports, and request/response metadata.

3.3. Information from Third-Party Sources

3.3.1. Analytics Providers: We receive aggregated and individual-level analytics data from Google Analytics regarding your usage patterns, traffic sources, and engagement metrics.

3.3.2. Advertising Partners: We receive data from Meta (Facebook Pixel) and other advertising partners regarding ad interactions, conversions, and audience segments to measure advertising effectiveness and deliver personalised advertisements.

3.3.3. Push Notification Services: We use Firebase Cloud Messaging (FCM) to deliver push notifications. Firebase may collect device tokens, message delivery data, and interaction data.

3.3.4. Publicly Available Sources: We may supplement the data we collect with information from publicly available sources, social media profiles (where permitted), and commercial data providers, to the extent permitted by applicable law.

3.4. Payment Data

3.4.1. All Buyer payment transactions on the Platform are processed exclusively by Razorpay ("Payment Processor"). GrabScene does not directly collect, store, process, or have access to your full credit card numbers, debit card numbers, UPI PINs, or other sensitive Buyer financial credentials.

3.4.2. Organizer Payout Data: For Event Organizers who receive payouts through the Platform, GrabScene collects and stores payout-related information necessary to facilitate fund transfers. This may include: bank account number, IFSC code, account holder name, bank name, UPI ID, and billing details (name, address, phone, GSTIN). This data is stored securely in GrabScene's database and is accessible only to the Organizer themselves and authorised GrabScene administrators. Organizer payout data is never shared with other users or exposed publicly.

3.4.3. GrabScene may receive and store limited, non-sensitive payment-related information from the Payment Processor for the purposes of transaction records, customer support, and fraud prevention. This may include: transaction ID (Razorpay order ID, payment ID), transaction amount, transaction status (success/failure), payment method type (e.g., credit card, UPI, net banking), partial card information (last four digits, card network), billing address (if provided), and timestamp.

3.4.4. Your use of Razorpay is governed by its privacy policy and terms of service. GrabScene strongly encourages you to review the privacy policy of Razorpay (https://razorpay.com/privacy/) before completing any transaction.

4. PURPOSES OF DATA COLLECTION AND PROCESSING

4.1. GrabScene collects and processes your personal data for the following purposes:

4.2. Essential Platform Operations

4.2.1. To create, maintain, and authenticate your account.

4.2.2. To process ticket purchases, generate booking confirmations, issue tickets (QR codes, barcodes, or digital passes), and manage transaction records.

4.2.3. To facilitate communication between Buyers and Organizers as necessary for event fulfilment, ticket validation, and attendee management.

4.2.4. To provide customer support and respond to your enquiries, complaints, and requests.

4.2.5. To enforce our Terms and Conditions and other applicable policies.

4.3. Personalisation and Recommendations

4.3.1. To personalise your experience on the Platform, including displaying events relevant to your location, interests, browsing history, and past purchases.

4.3.2. To deliver personalised search results and event recommendations based on your usage patterns and preferences.

4.4. Marketing and Advertising

4.4.1. To send you marketing communications via email, SMS, and push notifications regarding upcoming events, promotions, offers, and Platform updates. You may opt out of marketing communications at any time (see Section 8).

4.4.2. To serve personalised advertisements on the Platform and on third-party platforms based on your browsing behaviour, purchase history, interests, and demographic information.

4.4.3. To measure the effectiveness of advertising campaigns and to understand how users interact with advertisements.

4.5. Analytics and Platform Improvement

4.5.1. To analyse usage patterns, trends, and user behaviour to improve the Platform's functionality, performance, user interface, and overall user experience.

4.5.2. To conduct internal research, statistical analysis, and business intelligence using aggregated and anonymised data.

4.5.3. To monitor and analyse Platform traffic, server performance, and system health.

4.6. Security and Fraud Prevention

4.6.1. To detect, investigate, and prevent fraudulent transactions, unauthorised access, bot activity, scraping, and other malicious or illegal activities.

4.6.2. To verify user identity and prevent the creation of fake or duplicate accounts.

4.6.3. To monitor compliance with our Terms and Conditions and enforce Prohibited Conduct policies.

4.7. Legal and Regulatory Compliance

4.7.1. To comply with applicable laws, regulations, legal processes, governmental requests, tax obligations (including GST), and regulatory requirements.

4.7.2. To establish, exercise, or defend legal claims.

4.7.3. To respond to law enforcement requests and court orders.

5. LEGAL BASIS FOR PROCESSING

5.1. GrabScene processes your personal data on the following legal bases, as applicable under Indian data protection law:

5.1.1. Consent: Where you have provided explicit consent for specific processing activities, including account creation, location data collection (GPS), marketing communications, and cookie placement. You may withdraw consent at any time (see Section 8), though withdrawal shall not affect the lawfulness of processing carried out prior to withdrawal.

5.1.2. Contractual Necessity: Processing necessary for the performance of a contract to which you are a party, including ticket purchases, account management, and service delivery.

5.1.3. Legitimate Interests: Processing necessary for GrabScene's legitimate business interests, including fraud prevention, platform security, analytics, improvement of services, and direct marketing (where not overridden by your rights). GrabScene conducts proportionality assessments to ensure that its legitimate interests do not override your fundamental rights and freedoms.

5.1.4. Legal Obligation: Processing necessary for compliance with a legal obligation to which GrabScene is subject, including tax laws, anti-money laundering regulations, and lawful government requests.

5.1.5. Public Interest: Processing necessary for reasons of substantial public interest, including cooperation with law enforcement in criminal investigations.

6. DATA SHARING AND DISCLOSURE

6.1. GrabScene does not sell your personal data to third parties, except as expressly described in Section 6.7 regarding anonymised and aggregated data.

6.2. GrabScene may share your personal data with the following categories of recipients:

6.3. Event Organizers

6.3.1. When you purchase a Ticket, we share your relevant personal data (name, email, phone number, ticket details, and any Event-specific information) with the applicable Organizer for the purposes of event fulfilment, attendee management, entry verification, and communication regarding the Event.

6.3.2. Once shared with an Organizer, your data is subject to the Organizer's own privacy practices. GrabScene does not control and shall not be held liable for how Organizers use, store, or disclose your personal data. We strongly encourage you to review any privacy notices provided by the Organizer.

6.4. Payment Processors

6.4.1. We share necessary transaction data with Razorpay to process your payments. Razorpay acts as an independent data controller and is governed by its own privacy policy.

6.5. Analytics and Advertising Partners

6.5.1. We share data with Google Analytics for platform usage analysis, traffic monitoring, and performance measurement.

6.5.2. We share data with Meta (via Facebook Pixel) and other advertising partners for the purposes of serving personalised advertisements, measuring ad performance, building audience segments, and retargeting.

6.5.3. These third-party partners may use cookies, pixels, SDKs, and similar technologies to collect data about your activity on the Platform and across other websites and applications.

6.6. Service Providers

6.6.1. We engage third-party service providers to perform functions on our behalf, including cloud hosting (AWS, Google Cloud Platform, Microsoft Azure), email delivery, SMS delivery, push notification services (Firebase), customer support tools, and security monitoring. These service providers are granted access to personal data only to the extent necessary to perform their designated functions and are contractually obligated to protect your data and not use it for any other purpose.

6.7. Anonymised and Aggregated Data

6.7.1. GrabScene may anonymise and aggregate user data such that it can no longer identify any individual User. Such anonymised and aggregated data may be used, shared, sold, licensed, or disclosed to third parties — including business partners, advertisers, investors, researchers, and the general public — for any purpose, including market research, trend analysis, benchmarking, business development, and commercial purposes.

6.7.2. Anonymised and aggregated data is not considered personal data under applicable law and is not subject to the restrictions of this Policy.

6.8. Legal and Regulatory Disclosures

6.8.1. GrabScene may disclose your personal data without your consent when required or permitted by law, including in response to: (a) court orders, subpoenas, or legal process; (b) requests from law enforcement agencies, government authorities, or regulatory bodies; (c) national security or public safety requirements; (d) to establish, exercise, or defend legal claims; or (e) to prevent fraud, illegal activity, or imminent harm to any person.

6.9. Business Transfers

6.9.1. In the event of a merger, acquisition, reorganisation, asset sale, bankruptcy, or similar corporate transaction involving GrabScene, your personal data may be transferred to the acquiring or successor entity. GrabScene shall make reasonable efforts to ensure that the successor entity honours the commitments made in this Policy or notifies you of any material changes.

7. COOKIES AND TRACKING TECHNOLOGIES

7.1. Overview

7.1.1. GrabScene uses cookies, web beacons, pixels, local storage, device fingerprinting, and similar tracking technologies ("Tracking Technologies") to collect data, enhance your experience, and serve personalised content and advertisements.

7.2. Types of Cookies Used

7.2.1. Essential Cookies: These cookies are strictly necessary for the operation of the Platform. They enable core functionalities including user authentication, session management, login persistence, security token validation, and load balancing. Essential cookies cannot be disabled without impairing the fundamental functionality of the Platform.

7.2.2. Analytics Cookies: These cookies are placed by Google Analytics and similar services to collect information about how Users interact with the Platform. Data collected includes pages visited, session duration, bounce rate, traffic sources, and user flow. This data is used to analyse Platform performance and improve user experience.

7.2.3. Preference Cookies: These cookies remember your settings and preferences, including language selection, theme preferences, location settings, and display configurations, to provide a personalised and consistent experience across sessions.

7.3. Third-Party Tracking

7.3.1. Google Analytics: Google Analytics uses cookies and similar technologies to collect and analyse usage data. Google's use of data is governed by Google's Privacy Policy (https://policies.google.com/privacy). You may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

7.3.2. Facebook Pixel (Meta): Meta's Facebook Pixel is embedded on the Platform to track user interactions for the purposes of ad targeting, conversion measurement, and audience building. Meta's use of data is governed by Meta's Privacy Policy (https://www.facebook.com/privacy/policy/).

7.3.3. Firebase Cloud Messaging: Firebase is used for push notification delivery. Firebase may collect device identifiers and messaging interaction data. Google's Firebase privacy practices are described in the Firebase Privacy Information page.

7.4. Managing Cookies

7.4.1. You may manage, block, or delete cookies through your browser settings. Most browsers allow you to: view and delete individual cookies, block cookies from specific or all websites, block third-party cookies, and set preferences for cookie notifications.

7.4.2. Please note that blocking or deleting essential cookies may impair or prevent the functionality of the Platform, including login, session management, and ticket purchasing.

7.4.3. Disabling analytics or preference cookies may result in a less personalised and optimised experience on the Platform.

8. YOUR RIGHTS AND CHOICES

8.1. Right to Correct and Update Data

8.1.1. You have the right to request correction or updating of any inaccurate, incomplete, or outdated personal data held by GrabScene. You may update certain account information directly through your Account settings. For corrections that cannot be made through the Platform, you may contact us at support@grabscene.com.

8.1.2. GrabScene shall make reasonable efforts to process correction requests within a reasonable timeframe, subject to verification of your identity.

8.2. Marketing Opt-Out

8.2.1. Email Marketing: You may opt out of promotional emails at any time by clicking the "Unsubscribe" link included in every marketing email, or by contacting support@grabscene.com. Opt-out requests shall be processed within ten (10) business days.

8.2.2. SMS Marketing: You may opt out of promotional SMS messages by replying "STOP" to any marketing SMS, or by contacting support@grabscene.com. Opt-out requests shall be processed within ten (10) business days.

8.2.3. Push Notifications: You may disable push notifications through your device settings or within the Platform's notification preferences at any time.

8.2.4. Important: Opting out of marketing communications does not affect transactional or service-related communications (such as booking confirmations, ticket delivery, account alerts, security notifications, and policy updates), which are essential to the operation of your Account and cannot be opted out of.

8.3. Location Data

8.3.1. You may revoke GrabScene's access to your precise GPS location at any time by disabling location permissions for the GrabScene app in your device settings.

8.3.2. IP-based location inference and user-entered location preferences cannot be independently disabled, as they are integral to delivering location-relevant event recommendations.

8.4. Cookie Preferences

8.4.1. You may manage your cookie preferences through your browser settings as described in Section 7.4.

8.5. Account Deletion

8.5.1. You may request deletion of your Account and associated personal data by contacting support@grabscene.com. Upon receiving a verified deletion request, GrabScene shall delete your personal data promptly, except for data that GrabScene is required or permitted to retain under applicable law (see Section 9).

8.5.2. Please note that account deletion is irreversible. All ticket purchase history, transaction records, preferences, and other account-associated data will be permanently lost upon deletion, except as retained for legal compliance.

8.6. Withdrawal of Consent

8.6.1. Where processing of your personal data is based on your consent, you have the right to withdraw such consent at any time by contacting support@grabscene.com. Withdrawal of consent shall not affect the lawfulness of processing carried out based on consent prior to its withdrawal.

8.6.2. Withdrawal of consent for essential processing activities (such as account registration data) may necessitate the closure of your Account, as such data is required for the provision of Platform services.

8.7. Grievance Redressal

8.7.1. In accordance with the IT Act and the SPDI Rules, GrabScene has designated a Grievance Officer to address any concerns, complaints, or grievances regarding the processing of your personal data. You may contact the Grievance Officer at:

GrabScene — Grievance Officer Email: support@grabscene.com

8.7.2. The Grievance Officer shall acknowledge your complaint within forty-eight (48) hours and make reasonable efforts to resolve it within thirty (30) days from the date of receipt.

9. DATA RETENTION

9.1. Retention During Active Account

9.1.1. GrabScene retains your personal data for as long as your Account remains active and as necessary to provide you with the Platform's services, fulfil the purposes described in this Policy, and comply with applicable legal obligations.

9.2. Retention After Account Deletion

9.2.1. Upon account deletion, GrabScene shall delete your personal data promptly from its active databases and systems.

9.2.2. Exceptions: Notwithstanding the above, GrabScene may retain certain data after account deletion to the extent required or permitted by applicable law, including but not limited to:

Tax and Financial Records: Transaction records, invoices, and GST-related data as required under the Income Tax Act, 1961, the Goods and Services Tax Act, 2017, and related regulations (typically retained for a minimum of six to eight years).
Legal Claims: Data necessary for the establishment, exercise, or defence of legal claims, which may be retained until the expiry of the applicable limitation period.
Regulatory Compliance: Data required to be retained under the IT Act, DPDP Act, Reserve Bank of India directives, or any other applicable law or regulation.
Fraud Prevention: Data associated with accounts terminated for fraud, abuse, or violation of Terms, which may be retained indefinitely to prevent re-registration and protect the Platform and other Users.
Anonymised Data: Anonymised and aggregated data that can no longer identify you may be retained indefinitely for analytics, research, and business purposes.

9.3. Backup and Archival Systems

9.3.1. Deleted data may persist in encrypted backup and archival systems for a limited period (not exceeding ninety (90) days) as part of standard data management and disaster recovery practices, after which it shall be permanently purged.

10. DATA STORAGE AND INTERNATIONAL TRANSFERS

10.1. Storage Locations

10.1.1. GrabScene stores user data on servers located in India and on cloud infrastructure provided by Amazon Web Services (AWS), Google Cloud Platform (GCP), and/or Microsoft Azure, which may include servers located outside India.

10.1.2. The primary copy of your personal data is maintained on servers within India. However, replicated, cached, or backup copies may reside on cloud servers in other jurisdictions as part of standard cloud infrastructure operations.

10.2. International Data Transfers

10.2.1. Your personal data may be transferred to, stored in, and processed in countries outside India where GrabScene's cloud service providers, payment processors, analytics providers, and advertising partners maintain their infrastructure.

10.2.2. GrabScene shall only transfer personal data to countries or organisations that provide an adequate level of data protection as determined by: (a) the applicable provisions of the DPDP Act and any rules or notifications issued thereunder; (b) the existence of enforceable data protection laws in the receiving jurisdiction; or (c) contractual safeguards, including standard contractual clauses, data processing agreements, and binding corporate rules, that obligate the recipient to protect your data to a standard substantially equivalent to that provided under Indian law.

10.2.3. By using the Platform, you explicitly consent to the transfer of your personal data to jurisdictions outside India in accordance with this Section.

10.3. Third-Party Cloud Providers

10.3.1. GrabScene's cloud service providers (AWS, GCP, Azure) maintain their own comprehensive security certifications and compliance programs, including ISO 27001, SOC 2, and other industry-standard frameworks. GrabScene selects cloud providers that demonstrate robust data protection practices.

11. DATA SECURITY

11.1. Security Measures

11.1.1. GrabScene implements and maintains reasonable security practices and procedures, as required under the SPDI Rules, to protect your personal data against unauthorised access, alteration, disclosure, destruction, loss, or misuse. Our security measures include, but are not limited to:

OTP-Based Authentication: User accounts are authenticated via one-time password (OTP) verification sent to the registered phone number or email address, providing a secure passwordless login experience.
Regular Security Audits: GrabScene conducts periodic security assessments, vulnerability scans, and penetration testing to identify and remediate potential security weaknesses.
Access Controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, with role-based access controls and audit logging.
Secure Development Practices: The Platform is developed in accordance with secure coding standards, including regular code reviews and security testing.
Monitoring and Incident Detection: Continuous monitoring of Platform infrastructure for suspicious activity, anomalies, and security incidents.

11.2. Limitations

11.2.1. While GrabScene takes reasonable measures to protect your data, no method of electronic transmission or storage is completely secure. GrabScene cannot guarantee the absolute security of your personal data and shall not be liable for any unauthorised access, data breach, or security incident that occurs despite the implementation of reasonable security measures.

11.2.2. You are responsible for maintaining the confidentiality of your Account credentials and for any activity that occurs under your Account. GrabScene strongly recommends that you: use a strong, unique password; enable two-factor authentication; do not share your credentials with any third party; and immediately report any suspected unauthorised access.

12. DATA BREACH NOTIFICATION

12.1. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, GrabScene shall notify affected Users via email to their registered email address within seventy-two (72) hours of becoming aware of the breach.

12.2. The breach notification shall include, to the extent known at the time of notification: (a) the nature and scope of the breach; (b) the categories and approximate number of Users affected; (c) the categories of personal data compromised; (d) the likely consequences of the breach; (e) the measures taken or proposed to be taken by GrabScene to address and mitigate the breach; and (f) contact information for obtaining further information.

12.3. GrabScene shall also notify the relevant data protection authority, the Indian Computer Emergency Response Team (CERT-In), and any other regulatory body as required under the IT Act, DPDP Act, CERT-In directions, and any other applicable law or regulation.

12.4. GrabScene may delay notification if requested by law enforcement authorities where immediate notification would impede an ongoing criminal investigation.

13. CHILDREN'S DATA

13.1. The Platform is intended for Users aged thirteen (13) years and above. GrabScene does not knowingly collect personal data from children under the age of thirteen (13).

13.2. If you are between thirteen (13) and eighteen (18) years of age, you may only use the Platform with the verifiable consent of a parent or legal guardian. The parent or legal guardian consents to the collection and processing of the minor's data as described in this Policy by permitting the minor to use the Platform.

13.3. If GrabScene becomes aware that it has inadvertently collected personal data from a child under thirteen (13), it shall take immediate steps to delete such data from its systems. If you believe that GrabScene has collected data from a child under thirteen (13), please contact us immediately at support@grabscene.com.

14. PERSONALISED ADVERTISING AND BEHAVIOURAL TRACKING

14.1. How Personalised Advertising Works

14.1.1. GrabScene uses your personal data — including browsing behaviour, search queries, purchase history, location data, demographic information, and device data — to build interest profiles and deliver personalised advertisements on the Platform and on third-party platforms through advertising partners.

14.1.2. Advertising partners such as Meta (Facebook/Instagram) and Google may use cookies, pixels, device identifiers, and similar technologies to track your activity across the Platform and other websites and apps for the purpose of delivering relevant ads, measuring ad effectiveness, and building custom audience segments.

14.2. Opting Out of Personalised Ads

14.2.1. You may limit personalised advertising through the following mechanisms:

Device Settings: Adjust your device's advertising settings (e.g., "Limit Ad Tracking" on iOS or "Opt out of Ads Personalisation" on Android).
Browser Settings: Use browser-based opt-out tools, ad-blocker extensions, or privacy-focused browsers.
Platform-Specific Opt-Outs: Visit Google's Ad Settings (https://adssettings.google.com) and Meta's Ad Preferences (https://www.facebook.com/adpreferences) to manage ad personalisation.
Industry Opt-Outs: Visit the Digital Advertising Alliance's opt-out page (https://optout.aboutads.info) for participating companies.

14.2.2. Opting out of personalised advertising does not eliminate advertisements entirely; you will continue to see non-personalised (generic/contextual) advertisements.

15. AUTOMATED DECISION-MAKING AND AI/ML PROFILING

15.1. As of the effective date of this Policy, GrabScene does not use fully automated decision-making processes that produce legal effects or similarly significant effects on Users without human involvement.

15.2. GrabScene may implement artificial intelligence (AI) and machine learning (ML) based systems in the future for purposes including, but not limited to: event recommendations, fraud detection and prevention, risk scoring, pricing optimisation, and content moderation.

15.3. Prior to implementing any automated decision-making or AI/ML profiling system that may significantly affect Users, GrabScene shall update this Policy to describe the nature, purpose, and logic of such processing, and shall provide Users with the right to: (a) be informed about the existence of such automated processing; (b) receive meaningful information about the logic involved; and (c) request human review of any decision made solely by automated means.

15.4. GrabScene shall comply with all applicable provisions of the DPDP Act and any rules issued thereunder regarding automated decision-making when such features are deployed.

16. ANONYMISED AND AGGREGATED DATA

16.1. GrabScene may anonymise and aggregate personal data to create datasets that cannot reasonably be used to identify any individual User. Anonymisation processes shall be designed to be irreversible, using industry-standard techniques such as data masking, generalisation, noise addition, and k-anonymity.

16.2. Anonymised and aggregated data may be used, shared, sold, licensed, or otherwise disclosed by GrabScene to third parties for any lawful purpose, including but not limited to: market research, industry trend analysis, benchmarking studies, academic research, investor reporting, business development, and commercial partnerships.

16.3. Anonymised and aggregated data is not considered personal data under the DPDP Act or other applicable Indian data protection laws, and the provisions of this Policy regarding personal data protection do not apply to such data.

17. DIRECT MARKETING COMMUNICATIONS

17.1. Types of Marketing Communications

17.1.1. GrabScene may use your personal data to send you marketing communications through the following channels:

Email: Promotional emails about upcoming events, special offers, discounts, new features, and platform updates.
SMS: Text messages regarding event recommendations, limited-time offers, and promotional campaigns.
Push Notifications: In-app and device-level push notifications about events of interest, price alerts, booking reminders, and marketing promotions.

17.2. Consent and Legal Basis

17.2.1. Marketing communications are sent based on your consent (obtained during account registration or subsequently) and/or GrabScene's legitimate interest in promoting its services to existing Users.

17.2.2. You may opt out of any or all marketing channels at any time using the methods described in Section 8.2. Opt-out requests shall be honoured within ten (10) business days.

17.3. Transactional Communications

17.3.1. Regardless of your marketing preferences, GrabScene will continue to send you essential transactional and service-related communications, including: booking confirmations and e-tickets, payment receipts, event updates and changes (cancellation, postponement, venue change), account security alerts, Terms and Conditions and Privacy Policy updates, and responses to your support requests. These communications are not considered marketing and cannot be opted out of.

18. THIRD-PARTY LINKS AND SERVICES

18.1. The Platform may contain links to third-party websites, applications, and services that are not owned, operated, or controlled by GrabScene.

18.2. This Policy applies only to personal data collected by GrabScene through the Platform. GrabScene is not responsible for the privacy practices, data collection, security measures, or content of any third-party websites or services.

18.3. We strongly encourage you to read the privacy policies of any third-party website or service before providing any personal data or interacting with such services.

18.4. GrabScene shall not be liable for any loss, damage, or harm arising from your interaction with third-party websites or services accessed through the Platform.

19. DO NOT TRACK SIGNALS

19.1. Some web browsers transmit "Do Not Track" (DNT) signals to websites. There is currently no universally accepted standard for how websites should respond to DNT signals.

19.2. At this time, GrabScene does not alter its data collection and use practices in response to DNT signals from your browser. If a uniform standard for responding to DNT signals is adopted in the future, GrabScene shall update this Policy to reflect its compliance approach.

20. CHANGES TO THIS PRIVACY POLICY

20.1. GrabScene reserves the right to modify, amend, or replace this Policy at any time and at its sole discretion.

20.2. When material changes are made, GrabScene shall notify Users via email to the registered email address on their Account. The modified Policy shall become effective upon the date specified in the notification or, if no date is specified, upon the date of sending the notification.

20.3. Your continued use of the Platform following any modification constitutes your acceptance of the modified Policy. If you do not agree to the modified Policy, you must discontinue all use of the Platform and delete your Account.

20.4. GrabScene encourages you to review this Policy periodically. The "Last Updated" date at the top of this Policy indicates when the most recent revisions were made.

21. GOVERNING LAW AND DISPUTE RESOLUTION

21.1. This Policy shall be governed by and construed in accordance with the laws of the Republic of India, without regard to its conflict of law principles.

21.2. Any disputes arising out of or in connection with this Policy shall be resolved in accordance with the dispute resolution provisions set forth in the Terms and Conditions, including mandatory binding arbitration in Bengaluru, Karnataka, India, and the class action waiver.

22. SEVERABILITY

22.1. If any provision of this Policy is found by a court of competent jurisdiction or arbitrator to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable while preserving the original intent. If modification is not possible, the provision shall be severed, and the remaining provisions shall continue in full force and effect.

23. CONTACT US

For any questions, concerns, complaints, or data-related requests, please contact us at:

GrabScene Email: support@grabscene.com

Grievance Officer Email: support@grabscene.com

You may also write to us for exercising your data rights, filing a privacy complaint, or requesting information about our data processing practices.

24. ACKNOWLEDGEMENT

By creating an Account or using the Platform, you acknowledge that you have read this Privacy Policy in its entirety, that you understand it, and that you consent to the collection, use, storage, processing, sharing, and transfer of your personal data as described herein.

PRIVACY POLICY

GrabScene — Events Ticket Marketplace Platform

Effective Date: March 21, 2026 Last Updated: March 22, 2026

1. INTRODUCTION

2. DATA CONTROLLER

2.2. For any questions, concerns, or requests regarding this Policy or your personal data, you may contact us at:

GrabScene Email: support@grabscene.com

3. PERSONAL DATA WE COLLECT

GrabScene collects personal data through multiple channels and mechanisms. The categories of data collected are as follows:

3.1. Information You Provide Directly

3.1.1. Account Registration Data: When you create an account on the Platform, we collect your full name, email address, phone number, date of birth (or age), and profile photo (if uploaded).

3.1.4. User-Generated Content: Any reviews, ratings, comments, or other content you voluntarily submit through the Platform.

3.2. Information Collected Automatically

3.2.4. Location Data:

GPS / Real-Time Location: With your explicit permission (via device-level location permissions), we may collect precise GPS-based geolocation data from your mobile device. You may revoke this permission at any time through your device settings; however, doing so may limit certain location-based features of the Platform.
IP-Based Location: We derive your approximate location (city and state) from your IP address. This occurs automatically and does not require separate consent beyond acceptance of this Policy.
User-Entered Location: We collect any city, region, or location preference you manually enter or select within the Platform for the purpose of showing relevant local events.

3.3. Information from Third-Party Sources

3.3.1. Analytics Providers: We receive aggregated and individual-level analytics data from Google Analytics regarding your usage patterns, traffic sources, and engagement metrics.

3.3.3. Push Notification Services: We use Firebase Cloud Messaging (FCM) to deliver push notifications. Firebase may collect device tokens, message delivery data, and interaction data.

3.4. Payment Data

4. PURPOSES OF DATA COLLECTION AND PROCESSING

4.1. GrabScene collects and processes your personal data for the following purposes:

4.2. Essential Platform Operations

4.2.1. To create, maintain, and authenticate your account.

4.2.2. To process ticket purchases, generate booking confirmations, issue tickets (QR codes, barcodes, or digital passes), and manage transaction records.

4.2.3. To facilitate communication between Buyers and Organizers as necessary for event fulfilment, ticket validation, and attendee management.

4.2.4. To provide customer support and respond to your enquiries, complaints, and requests.

4.2.5. To enforce our Terms and Conditions and other applicable policies.

4.3. Personalisation and Recommendations

4.3.1. To personalise your experience on the Platform, including displaying events relevant to your location, interests, browsing history, and past purchases.

4.3.2. To deliver personalised search results and event recommendations based on your usage patterns and preferences.

4.4. Marketing and Advertising

4.4.2. To serve personalised advertisements on the Platform and on third-party platforms based on your browsing behaviour, purchase history, interests, and demographic information.

4.4.3. To measure the effectiveness of advertising campaigns and to understand how users interact with advertisements.

4.5. Analytics and Platform Improvement

4.5.1. To analyse usage patterns, trends, and user behaviour to improve the Platform's functionality, performance, user interface, and overall user experience.

4.5.2. To conduct internal research, statistical analysis, and business intelligence using aggregated and anonymised data.

4.5.3. To monitor and analyse Platform traffic, server performance, and system health.

4.6. Security and Fraud Prevention

4.6.1. To detect, investigate, and prevent fraudulent transactions, unauthorised access, bot activity, scraping, and other malicious or illegal activities.

4.6.2. To verify user identity and prevent the creation of fake or duplicate accounts.

4.6.3. To monitor compliance with our Terms and Conditions and enforce Prohibited Conduct policies.

4.7. Legal and Regulatory Compliance

4.7.1. To comply with applicable laws, regulations, legal processes, governmental requests, tax obligations (including GST), and regulatory requirements.

4.7.2. To establish, exercise, or defend legal claims.

4.7.3. To respond to law enforcement requests and court orders.

5. LEGAL BASIS FOR PROCESSING

5.1. GrabScene processes your personal data on the following legal bases, as applicable under Indian data protection law:

5.1.2. Contractual Necessity: Processing necessary for the performance of a contract to which you are a party, including ticket purchases, account management, and service delivery.

5.1.5. Public Interest: Processing necessary for reasons of substantial public interest, including cooperation with law enforcement in criminal investigations.

6. DATA SHARING AND DISCLOSURE

6.1. GrabScene does not sell your personal data to third parties, except as expressly described in Section 6.7 regarding anonymised and aggregated data.

6.2. GrabScene may share your personal data with the following categories of recipients:

6.3. Event Organizers

6.4. Payment Processors

6.4.1. We share necessary transaction data with Razorpay to process your payments. Razorpay acts as an independent data controller and is governed by its own privacy policy.

6.5. Analytics and Advertising Partners

6.5.1. We share data with Google Analytics for platform usage analysis, traffic monitoring, and performance measurement.

6.5.3. These third-party partners may use cookies, pixels, SDKs, and similar technologies to collect data about your activity on the Platform and across other websites and applications.

6.6. Service Providers

6.7. Anonymised and Aggregated Data

6.7.2. Anonymised and aggregated data is not considered personal data under applicable law and is not subject to the restrictions of this Policy.

6.8. Legal and Regulatory Disclosures

6.9. Business Transfers

7. COOKIES AND TRACKING TECHNOLOGIES

7.1. Overview

7.2. Types of Cookies Used

7.3. Third-Party Tracking

7.4. Managing Cookies

7.4.2. Please note that blocking or deleting essential cookies may impair or prevent the functionality of the Platform, including login, session management, and ticket purchasing.

7.4.3. Disabling analytics or preference cookies may result in a less personalised and optimised experience on the Platform.

8. YOUR RIGHTS AND CHOICES

8.1. Right to Correct and Update Data

8.1.2. GrabScene shall make reasonable efforts to process correction requests within a reasonable timeframe, subject to verification of your identity.

8.2. Marketing Opt-Out

8.2.3. Push Notifications: You may disable push notifications through your device settings or within the Platform's notification preferences at any time.

8.3. Location Data

8.3.1. You may revoke GrabScene's access to your precise GPS location at any time by disabling location permissions for the GrabScene app in your device settings.

8.3.2. IP-based location inference and user-entered location preferences cannot be independently disabled, as they are integral to delivering location-relevant event recommendations.

8.4. Cookie Preferences

8.4.1. You may manage your cookie preferences through your browser settings as described in Section 7.4.

8.5. Account Deletion

8.6. Withdrawal of Consent

8.7. Grievance Redressal

GrabScene — Grievance Officer Email: support@grabscene.com

8.7.2. The Grievance Officer shall acknowledge your complaint within forty-eight (48) hours and make reasonable efforts to resolve it within thirty (30) days from the date of receipt.

9. DATA RETENTION

9.1. Retention During Active Account

9.2. Retention After Account Deletion

9.2.1. Upon account deletion, GrabScene shall delete your personal data promptly from its active databases and systems.

9.2.2. Exceptions: Notwithstanding the above, GrabScene may retain certain data after account deletion to the extent required or permitted by applicable law, including but not limited to:

Tax and Financial Records: Transaction records, invoices, and GST-related data as required under the Income Tax Act, 1961, the Goods and Services Tax Act, 2017, and related regulations (typically retained for a minimum of six to eight years).
Legal Claims: Data necessary for the establishment, exercise, or defence of legal claims, which may be retained until the expiry of the applicable limitation period.
Regulatory Compliance: Data required to be retained under the IT Act, DPDP Act, Reserve Bank of India directives, or any other applicable law or regulation.
Fraud Prevention: Data associated with accounts terminated for fraud, abuse, or violation of Terms, which may be retained indefinitely to prevent re-registration and protect the Platform and other Users.
Anonymised Data: Anonymised and aggregated data that can no longer identify you may be retained indefinitely for analytics, research, and business purposes.

9.3. Backup and Archival Systems

10. DATA STORAGE AND INTERNATIONAL TRANSFERS

10.1. Storage Locations

10.2. International Data Transfers

10.2.3. By using the Platform, you explicitly consent to the transfer of your personal data to jurisdictions outside India in accordance with this Section.

10.3. Third-Party Cloud Providers

11. DATA SECURITY

11.1. Security Measures

OTP-Based Authentication: User accounts are authenticated via one-time password (OTP) verification sent to the registered phone number or email address, providing a secure passwordless login experience.
Regular Security Audits: GrabScene conducts periodic security assessments, vulnerability scans, and penetration testing to identify and remediate potential security weaknesses.
Access Controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, with role-based access controls and audit logging.
Secure Development Practices: The Platform is developed in accordance with secure coding standards, including regular code reviews and security testing.
Monitoring and Incident Detection: Continuous monitoring of Platform infrastructure for suspicious activity, anomalies, and security incidents.

11.2. Limitations

12. DATA BREACH NOTIFICATION

12.4. GrabScene may delay notification if requested by law enforcement authorities where immediate notification would impede an ongoing criminal investigation.

13. CHILDREN'S DATA

13.1. The Platform is intended for Users aged thirteen (13) years and above. GrabScene does not knowingly collect personal data from children under the age of thirteen (13).

14. PERSONALISED ADVERTISING AND BEHAVIOURAL TRACKING

14.1. How Personalised Advertising Works

14.2. Opting Out of Personalised Ads

14.2.1. You may limit personalised advertising through the following mechanisms:

Device Settings: Adjust your device's advertising settings (e.g., "Limit Ad Tracking" on iOS or "Opt out of Ads Personalisation" on Android).
Browser Settings: Use browser-based opt-out tools, ad-blocker extensions, or privacy-focused browsers.
Platform-Specific Opt-Outs: Visit Google's Ad Settings (https://adssettings.google.com) and Meta's Ad Preferences (https://www.facebook.com/adpreferences) to manage ad personalisation.
Industry Opt-Outs: Visit the Digital Advertising Alliance's opt-out page (https://optout.aboutads.info) for participating companies.

14.2.2. Opting out of personalised advertising does not eliminate advertisements entirely; you will continue to see non-personalised (generic/contextual) advertisements.

15. AUTOMATED DECISION-MAKING AND AI/ML PROFILING

15.4. GrabScene shall comply with all applicable provisions of the DPDP Act and any rules issued thereunder regarding automated decision-making when such features are deployed.

16. ANONYMISED AND AGGREGATED DATA

17. DIRECT MARKETING COMMUNICATIONS

17.1. Types of Marketing Communications

17.1.1. GrabScene may use your personal data to send you marketing communications through the following channels:

Email: Promotional emails about upcoming events, special offers, discounts, new features, and platform updates.
SMS: Text messages regarding event recommendations, limited-time offers, and promotional campaigns.
Push Notifications: In-app and device-level push notifications about events of interest, price alerts, booking reminders, and marketing promotions.

17.2. Consent and Legal Basis

17.2.2. You may opt out of any or all marketing channels at any time using the methods described in Section 8.2. Opt-out requests shall be honoured within ten (10) business days.

17.3. Transactional Communications

18. THIRD-PARTY LINKS AND SERVICES

18.1. The Platform may contain links to third-party websites, applications, and services that are not owned, operated, or controlled by GrabScene.

18.3. We strongly encourage you to read the privacy policies of any third-party website or service before providing any personal data or interacting with such services.

18.4. GrabScene shall not be liable for any loss, damage, or harm arising from your interaction with third-party websites or services accessed through the Platform.

19. DO NOT TRACK SIGNALS

19.1. Some web browsers transmit "Do Not Track" (DNT) signals to websites. There is currently no universally accepted standard for how websites should respond to DNT signals.

20. CHANGES TO THIS PRIVACY POLICY

20.1. GrabScene reserves the right to modify, amend, or replace this Policy at any time and at its sole discretion.

20.4. GrabScene encourages you to review this Policy periodically. The "Last Updated" date at the top of this Policy indicates when the most recent revisions were made.

21. GOVERNING LAW AND DISPUTE RESOLUTION

21.1. This Policy shall be governed by and construed in accordance with the laws of the Republic of India, without regard to its conflict of law principles.

22. SEVERABILITY

23. CONTACT US

For any questions, concerns, complaints, or data-related requests, please contact us at:

GrabScene Email: support@grabscene.com

Grievance Officer Email: support@grabscene.com

You may also write to us for exercising your data rights, filing a privacy complaint, or requesting information about our data processing practices.