Privacy Policy
This policy explains how Besta (mobile app) and Besta Pro (SaaS for venues) collect, use, and protect your personal data in accordance with GDPR and French data protection law.
Last updated: December 11, 2025
Website Editor
The website besta-app.fr is published by:
Besta Company
Simplified joint-stock company with a capital of €150.00
Registered with the Paris Trade and Companies Register under number 992 400 390
Head office: 60 RUE FRANCOIS IER, 75008 PARIS - France
VAT number: FR67992400390
Email address: contact@besta-app.fr
Publication Directors
Mr. Oier CESAT (President of BESTA) and Mr. Colas NAUDI (Chief Executive Officer of BESTA)
Hosting
The site is hosted by:
Vercel Inc.
340 S Lemon Ave #4133
Walnut, CA 91789
United States
Website: https://vercel.com
1. Purpose of this Policy
This Privacy Policy informs users of the Besta mobile app and Besta Pro platform about:
- personal data collected,
- processing purposes,
- legal bases,
- recipients,
- retention periods,
- user rights,
- security measures.
Besta complies with GDPR and French data protection law.
2. Data controller
Controller: BESTA
Email: contact@besta-app.fr
Legal representative: Mr. Oier CESAT, represented by the General Manager Mr. Colas NAUDI
3. User profile — Individual user data (mobile app)
- Profile data: email address, name, date of birth, city, gender, music preferences
- Connection data: IP, device, logs
- Preferences (followed event types)
- Push notification tokens (expo-notifications / FCM)
- Favorites history and viewed events
3.1 Additional profile data (age, city, gender, music preferences)
These details are currently required when creating an account to enable initial content personalization and calculation of anonymous statistics for venues. They are processed securely and only for the purposes described. In the future, these details may become optional and editable by the user in their account settings. Processing of these data is based on Besta’s legitimate interest (Article 6-1(f) GDPR): providing a relevant, personalized, and useful service for users and venues. Statistics shared with venues always remain anonymous; no personal or identifiable data is disclosed.
3.2 Ticket buyer data
Any person purchasing a ticket through Besta provides the following data, processed by Besta as data controller:
- Email address (required for purchase confirmation).
- Stripe session ID (for payment reconciliation).
- If the establishment has enabled nominative tickets: full name per ticket.
- If the establishment has enabled date-of-birth collection: date of birth per ticket.
- QR scan history: scan date and time, ticket number, tier.
This data does not require a Besta account. It is used exclusively for ticket delivery, event access management, and dispute mediation. The legal basis for processing is contract performance (ticket purchase). For nominative data and date of birth collected at the establishment's request, the legal basis is the buyer's consent, collected at the time of purchase.
4. Venue data (Besta Pro)
Public data (visible):
- Venue name, address, opening hours, type, public events, public photos.
- These data may be created by Besta without a manager because they are already public and of public interest.
- Public venue data are processed on Besta’s legitimate interest basis (Article 6-1(f) GDPR) to list publicly accessible places and events.
Non-public data (confidential):
- Manager/contact name, professional email, professional phone number.
- Internal info: validation status, settings, credits, invoices.
Statistics shared with venues are always anonymized: no personal or identifiable data are disclosed.
5. Billing data
- Purchase history and subscriptions
- Information from Stripe (never full card numbers)
- Ticketing data (buyers): amount paid, purchased tier, Stripe session, promo code used.
6. Data collected automatically
- Usage statistics
- Technical device data
- Notifications received
- Cookies / local storage on the web version
7. Purposes and legal bases
| Purpose | Data used | Legal basis |
|---|---|---|
| Account creation | Email, password | Contract performance |
| Event publishing | Venue data | Legitimate interest + Contract performance |
| Subscription management | Billing data | Contract performance |
| Push notifications | FCM token | Consent |
| Security / fraud | Logs, IP | Legitimate interest |
| Internal statistics | Anonymized logs | Legitimate interest |
| Customer support | Email, logs | Legitimate interest |
| Personalization and recommendations | Profile data (age, city, gender, music preferences) | Legitimate interest (Article 6-1(f) GDPR) to provide a relevant, personalized service |
| Ticket sale and confirmation | Buyer email, Stripe session | Contract performance |
| Event access verification (QR scan) | Stripe session, ticket number | Legitimate interest |
| Nominative tickets (if enabled) | Name, date of birth per ticket | Consent |
| CSV export of buyers by establishment | Email, name | Legitimate interest (establishment contract) |
Statistics shared with venues are always anonymized (no identification possible).
8. Retention periods
| Data | Period |
|---|---|
| User account | Until deleted by the user |
| Public venue data | No limit, unless manager requests or inaccuracy is proven |
| Private venue data | Duration of the contract + 3 years |
| Invoices / accounting | 10 years (legal obligation) |
| Technical logs | 12 months |
| Notification tokens | Until revoked / uninstalled |
| Ticket sale data (TicketSale) | 5 years from the event date |
| Abandoned reservation data (expired TicketReservation) | 3 months |
| QR scan history | 12 months after the event |
| Buyer data exported as CSV (establishment side) | Under establishment's responsibility |
Note: public venue data may be kept even if a manager deletes their account, because it is non-personal public-interest information.
9. Data sharing with third parties
Besta uses European or GDPR-certified providers: Data hosting is provided by Supabase (European Union) and Vercel (United States). Firebase (Google) may also be used for notifications. All processors are contractually bound to Besta to comply with GDPR obligations. Their privacy policies are available on the providers’ websites.
- Supabase — data hosting (European Union)
- Firebase / FCM — notifications (Google)
- Stripe — payments and billing
- OVH — application hosting
- Vercel — application hosting (United States)
- GDPR-compliant monitoring and analytics tools
- Partner establishments (ticketing): in the context of the ticketing module, the organizing establishment accesses sales data for their own events (buyer email, name if nominative, amount paid). The establishment acts as data controller for this data when managing event access.
10. Transfers outside the EU
Data are mostly hosted in the European Union. Some processors may handle data outside the EU in countries with an adequacy decision or covered by Standard Contractual Clauses (SCCs). Besta requires:
- European hosting when possible,
- standard contractual clauses (SCCs),
- pseudonymization or anonymization measures.
11. Your GDPR rights
Right of access, rectification, objection (if based on legitimate interest), erasure, restriction, portability, withdrawal of consent.
To exercise your rights: contact@besta-app.fr
Response time: 30 days.
12. Account deletion
- Individual users: immediate deletion of email, profile, and related logs; anonymization of statistics.
- Venues: deletion of private data linked to the manager. Public venue data and events may be kept because they are not personal data.
To contest or edit public venue information: contact@besta-app.fr
13. Security
- Encryption of data in transit and at rest
- Strict internal access controls
- Only authorized Besta team members (engineering, support, billing) can access data with limited, logged access
- Logging of access and sensitive operations
- Regular security audits
14. Policy changes
In case of major changes, users will be informed by notification or email.
15. DPO / GDPR contact
For any questions: contact@besta-app.fr
Address: 60 Rue François Ier, 75008 Paris – France