FANZO Privacy Policy

Last Updated: 17th April 2026

What this policy covers

FANZO recognises the importance of personal privacy and security. This Privacy Policy describes how we collect, use, share, and protect the personal data of individuals who visit our websites and use the FANZO mobile application (collectively, the "Services"), and the rights and choices available to you under the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 ("DPA 2018"), and the Privacy and Electronic Communications Regulations 2003 ("PECR").

Who we are

FANZO is a trading name of MatchPint Limited, a company registered in England and Wales (Company Number: 07168721) with its registered office at 3A Westbourne Road, Islington, London N7 8AR ("MatchPint," "FANZO," "we," "our," or "us"). MatchPint Limited is the data controller for the personal data processed under this policy.

MatchPint Limited is part of a corporate group that includes FANZO Inc. (a Delaware corporation) and its wholly-owned subsidiary Rail Media Inc. (a Delaware corporation, with mailing address P.O. Box 575, Monson, MA 01057, United States), which operates the FANZO-branded Services for customers in the United States. Our group-company sharing arrangements are described below under "International Transfers."

Our ICO registration number is ZA788261. Our Data Protection Officer can be contacted at [email protected].

Scope of this policy

This policy applies to individuals located in the United Kingdom. If you are located in the United States, a separate privacy notice applies to you, operated by Rail Media Inc. By using our Services you acknowledge that we process your personal data as described in this policy. Your rights are described in the "Your Rights" section below.

Personal data we collect

We collect information about you when you provide it to us, when you use our Services, and when other services provide it to us. The categories of personal data we may collect include:

  • Account information: When you register for an account or submit information to us, you may provide details such as your name, email address, gender, Facebook ID, and date of birth.
  • Website visitors: When you visit any FANZO-branded domain, we may collect technical information such as your browser type, referring website, device identifiers, IP address, and timestamps of your visits. We also collect information when you register a venue, subscribe to our newsletter, or complete a form.
  • Usage information: When you use our Services, we automatically collect data such as features you use, pages you visit, approximate location (city or region derived from IP address), and frequency of platform use. This is typically used in aggregate form.
  • Cookies and similar technologies: See our Cookie Policy at https://www.fanzo.com/en/cookies for full detail, and the "International Transfers" and "Marketing" sections below.

We do not intentionally collect special category data (as defined in Article 9 UK GDPR) through the Services.

Lawful bases for processing

Under UK GDPR we rely on the following lawful bases, depending on the activity:

  • Contract (Article 6(1)(b)): to provide you with your account, deliver the Services you have requested, process transactions, and provide customer support.
  • Legitimate interests (Article 6(1)(f)): to improve our Services, analyse usage, maintain the security of our platform, prevent fraud, enforce our terms, send service communications, and conduct limited non-consent-based direct marketing to existing customers in accordance with the "soft opt-in" under PECR. We conduct Legitimate Interests Assessments (LIAs) and balance these interests against your rights and freedoms, and we review those assessments periodically.
  • Consent (Article 6(1)(a)): for cookies and similar technologies that are not strictly necessary, for marketing by electronic means where consent is required, and for any processing of special category data that we may in future need to carry out. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legal obligation (Article 6(1)(c)): to meet our regulatory, tax, accounting, and law-enforcement obligations.

How we use your personal data

We use personal data for the following purposes:

  • Personalising your experience using your preferences to deliver relevant content
  • Improving our Services through user feedback and behaviour analysis
  • Providing customer service and support
  • Sending push notifications you have opted into (you can opt out at any time)
  • Managing contests, promotions, surveys, and site features in accordance with their published rules and the CAP Code
  • Sending marketing communications about promotions, offers, and content (with opt-out available in every marketing email and via your account settings)
  • Providing aggregated, de-identified data to brand partners and others for insights and improvements
  • Detecting, investigating, and preventing fraud, abuse, and security incidents
  • Complying with our legal obligations

Cookies and similar technologies

We use cookies and similar technologies that are strictly necessary to deliver the Services, and we seek your consent before using any non-essential cookies (analytics, advertising, social, or functionality). You can manage your cookie preferences at any time via our on-site cookie preferences tool or your browser settings. See our Cookie Policy at https://www.fanzo.com/en/cookies for the full inventory and controls.

Marketing

We will only send you electronic marketing where you have consented, or where we are relying on the PECR "soft opt-in" for existing customers of similar products. Every marketing communication will include a free and straightforward unsubscribe link. You can also opt out at any time by contacting [email protected] or through your account settings. If you opt out, we will keep a minimal suppression record so that we do not contact you again.

Sharing your personal data

We do not sell your personal data. We may share it with:

  • Processors: trusted vendors (see "Processors" below) that process personal data on our behalf under written Article 28 contracts that restrict their use of the data to the services they provide to us.
  • Corporate group: FANZO Inc. and Rail Media Inc. (our Delaware affiliates), for ordinary corporate administration, product operations, technical support, and legal compliance. Sharing with our US affiliates is governed by the intragroup arrangements described in "International Transfers" below.
  • Brand and venue partners: where you participate in a branded promotion or interact with a venue, we may share limited information with the relevant partner to administer the promotion, subject to written confidentiality obligations.
  • Legal and safety: courts, regulators (including the ICO), law enforcement, or other parties where we are required by law to disclose or where we believe in good faith that disclosure is necessary to protect rights, safety, or property.
  • Corporate transactions: in the event of a merger, acquisition, financing, reorganisation, insolvency, or sale of some or all of our assets, personal data may be transferred as part of that transaction, subject to the protections of this policy.

We may share aggregated, anonymised data for analytics, research, or marketing without restriction.

International Transfers

Some of our processors and all of our Delaware affiliates are located outside the UK, principally in the United States. Where we transfer personal data outside the UK to a country that is not covered by UK adequacy regulations, we put in place appropriate safeguards, which typically means the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses together with the UK Addendum, supplemented by a transfer risk assessment. A copy of the safeguards in place for a particular transfer is available on request from [email protected].

Security

We use appropriate technical and organisational measures to protect your personal data, including access controls, encryption in transit, authentication protocols, and security monitoring. Passwords are stored using one-way cryptographic hashing. Our production database is accessible only via authenticated channels, and our offices use key-card access controls. You are responsible for protecting your own devices, browsers, and account credentials.

Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including to satisfy any legal, tax, accounting, or reporting requirements. After the applicable period, we either securely delete the data or retain it in de-identified, aggregated form.

  • Consumers: as long as your account is active, your account information is retained. We may keep some data for up to 18 months after you deactivate your account (distinct from deletion) in case you choose to reactivate. We may retain limited information longer where necessary to comply with legal obligations, resolve disputes, enforce our agreements, or support business operations.
  • Marketing: unless you have opted out, we may retain your information for marketing communications for up to 18 months after account deactivation. If you opt out, we retain your email address on a suppression list for the minimum period required to honour your choice.
  • Venue customers (where applicable): where this policy covers venue-account data, we retain it for as long as your account is active and for up to 7 years from the end of the accounting period in which you deactivate your account, to comply with HMRC record-keeping guidance and Companies Act requirements.

If you request deletion of your account, your personal data (other than information we are required to keep by law) will be securely and irreversibly deleted, and any remaining data will be de-identified.

Your Rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Receive an electronic copy of your personal data (data portability)
  • Correct inaccurate or incomplete personal data
  • Request deletion in certain circumstances (the "right to be forgotten")
  • Restrict or object to our processing in certain circumstances
  • Object to processing based on legitimate interests, including direct marketing
  • Withdraw consent at any time where we rely on consent

To exercise any of these rights, email [email protected] or write to MatchPint Limited, Attn: Data Protection, 3A Westbourne Road, Islington, London N7 8AR. We will respond within one month, extendable by up to two further months for complex requests.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO). Contact details are at https://ico.org.uk. We would, however, appreciate the opportunity to address your concerns before you approach the ICO.

Children

Our Services are directed to users 18 years of age or older. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe a child has provided us with personal data, please contact [email protected] and we will delete it.

Processors

We engage the following categories of processor, each bound by a written Article 28 agreement:

  • Stripe and similar PCI-compliant payment processors (for collecting customer payments)
  • Accounting and invoicing platforms (for managing our accounting processes)
  • Intercom (for customer service)
  • Batch (for in-app messaging and notifications)
  • Google LLC (for analytics and email delivery)
  • Dotdigital (for email marketing and newsletters)
  • Customer feedback and NPS tools (e.g., SurveyMonkey)
  • Cloud infrastructure providers (e.g., DigitalOcean, AWS)

A current list of sub-processors and the purposes for which they are engaged is available on request from [email protected].

Google Analytics and advertising

Our Services use Google Analytics, subject to your cookie consent, to measure and evaluate web and application performance. You can learn more about Google's practices at https://policies.google.com/privacy and opt out of Google Analytics at https://tools.google.com/dlpage/gaoptout.

Subject to your consent, we may also use Google's remarketing products and similar services to display ads based on cookies stored in your browser. These ads are not linked to your personally identifying account information. You can opt out of interest-based advertising at https://adssettings.google.com, at https://www.youronlinechoices.com/uk, or through our on-site cookie preferences tool.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated by posting the updated policy on our Services and, where appropriate, by email or in-app notice. The "Last Updated" date below reflects the most recent version.

Contacting us

  • Email: [email protected]
  • Data Protection Officer: [email protected]
  • Post: MatchPint Limited, Attn: Data Protection, 3A Westbourne Road, Islington, London N7 8AR
  • ICO registration: ZA788261

Your personal data is controlled by MatchPint Limited (trading as FANZO).