The event organiser, Elsewhere, has the legal responsibility to tell ticket buyers and event attendees how their personal information will be collected and used. You can find their Privacy Policy below or contact them to request it.
Please find an up-to-date version of this document at nobodies.team/privacy-policy.html.
1. Data Controller
Asociación Nobodies Collective (“Nobodies,” “the Association,” “we,” “us,” or “our”) is the data controller responsible for personal data collected through this ticket shop.
Registered address: Glorieta de Bilbao 1, 1, Derecha, 28004 Madrid, Spain
Legal form: Non-profit cultural association registered under Spanish Organic Law 1/2002
Data protection contact: privacy@nobodies.team
If you have any questions about this privacy policy or wish to exercise your data protection rights, please contact us at the address above.
2. Scope
This policy explains how we collect, process, and store your personal data when you interact with us in connection with our events — including when you visit our website or ticket shop, purchase tickets, register as a member or collaborator, participate in the event, submit a Code of Conduct report, or otherwise provide personal data to us.
Ticket purchases are processed through Ticket Tailor (Zimma Ltd, registered in England and Wales), which acts as a data processor on our behalf. Ticket Tailor’s own privacy policy governs its processing of data in its capacity as a controller. This policy governs how we, as the event organiser and data controller, handle the personal data we collect across all of our activities.
3. Personal Data We Collect
3.1 Data you provide directly
When you book a ticket or purchase associated products and services, we collect:
- Identity data: full name
- Contact data: email address and, optionally, phone number
- Financial data: payment information (processed by our payment provider; we do not store full payment card details)
- Event-related data: ticket type, and other information you voluntarily provide during registration (e.g. for applying to some ticket tiers)
If you register another person to attend an event, you confirm that you have informed them of this privacy policy and, where necessary, obtained their consent for us to process their personal data.
All personal data you provide must be true, complete, and accurate.
3.2 Data collected automatically
When you visit our ticket shop, we or third parties acting on our behalf may automatically collect:
- Device identifiers and technical information (device type, browser, operating system)
- Preferences and settings (time zone, language)
- Browsing patterns and statistical data
This data is collected using cookies and similar technologies (see Section 9 below) and is used on an anonymised basis to improve our ticket shop and for analytical purposes.
3.3 Communications
When you contact us by email, post, or other means, we may keep a record of the correspondence.
3.4 Code of Conduct and incident records
If a report is made regarding a breach of the Participant Code of Conduct, we may collect and retain information relating to the incident. This may include the identity of the individuals involved, a description of the reported behaviour, the date and location of the incident, witness statements, and any correspondence or evidence relating to the report.
Where a report is made anonymously, we will retain the details of the reported incident without identifying the reporter.
4. Why We Process Your Data and Our Legal Basis
Under the GDPR, we must have a lawful basis for each processing activity:
| Purpose | Legal Basis |
|---|---|
| Processing your ticket purchase, delivering event services, and managing your booking | Performance of a contract (Art. 6(1)(b) GDPR) |
| Contacting you with information relating to the event or your purchase | Performance of a contract (Art. 6(1)(b) GDPR) |
| Processing health and dietary information for safety and accessibility | Your explicit consent (Art. 9(2)(a) GDPR) |
| Sending newsletters and marketing communications | Your consent (Art. 6(1)(a) GDPR) |
| Complying with tax, accounting, and regulatory obligations | Legal obligation (Art. 6(1)(c) GDPR) |
| Dealing with customer service enquiries, enforcing terms, preventing fraud, and defending legal claims | Legitimate interest (Art. 6(1)(f) GDPR) |
| Website analytics (if implemented) | Your consent (Art. 6(1)(a) GDPR) |
| Recording and investigating reported breaches of the Participant Code of Conduct, and taking appropriate action to protect participants and the community | Legitimate interest (Art. 6(1)(f) GDPR) — the safety and wellbeing of event participants. Where reports involve special category data (e.g. allegations of sexual harassment or discrimination), processing is necessary for the establishment, exercise or defence of legal claims (Art. 9(2)(f) GDPR) |
5. Special Category Data
If you voluntarily provide health or dietary information (e.g., allergies, accessibility needs), this constitutes special category data under the GDPR. We process it solely for the purpose of ensuring your safety and inclusion at our events, based on your explicit consent (Art. 9(2)(a) GDPR).
You may withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal but may affect our ability to accommodate specific needs at events.
6. Marketing Communications
We will only send you marketing communications (newsletters, event announcements, surveys) with your prior consent.
You can withdraw consent and unsubscribe at any time by contacting us at privacy@nobodies.team or clicking the unsubscribe link in any marketing email. If you unsubscribe, it may take up to 5 business days for your new preferences to take effect.
7. Who We Share Your Data With
We do not sell your personal data. We share it only when necessary for the purposes described in this policy, with the following categories of recipients:
Data processors (acting on our behalf, under data processing agreements):
- Ticket Tailor (Zimma Ltd) — ticketing platform
- Stripe — payment processing
- MailerLite — newsletter distribution
- Google Workspace — email and collaboration
- Other service providers as needed (IT support, cloud hosting)
Independent controllers (who determine their own processing purposes):
- Legal and accounting advisors — for compliance matters
- Spanish tax authorities (Agencia Tributaria) — as required by law
- Other authorities — where required by applicable law or regulation
Community safety sharing:
Where we hold records of Code of Conduct breaches, we may share those records or a summary of those records with other organisations that organise events similar to ours (such as other participatory community events or Burning Man regional events), for the purpose of protecting the safety and wellbeing of participants across the wider community. We will only do so after we have ascertained that the receiving organisation has sufficiently robust consent handling and confidentiality processes in place to protect the data appropriately.
We may also share your personal data if the Association merges with or transfers its activities to another organisation, in accordance with its statutes and applicable law.
8. International Data Transfers
The Association is based in Spain. Some of our data processors are based outside the European Economic Area (EEA).
We ensure that any transfer of personal data outside the EEA is protected by appropriate safeguards, including:
- EU adequacy decisions — for transfers to countries the European Commission has determined provide adequate protection
- Standard Contractual Clauses (SCCs) — included in agreements with non-EEA processors
- EU-US Data Privacy Framework — where processors are certified under the framework
- Technical measures — encryption in transit and at rest; access protected by two-factor authentication
You may request details of the specific safeguards applied to any particular transfer by contacting us.
9. Cookies
Our ticket shop uses cookies to recognise you when you return and personalise your settings. Cookies are small text files stored on your device by your browser.
Essential cookies are necessary for the ticket shop to function and do not require your consent. Non-essential cookies (including analytics cookies) will only be placed with your prior consent, in accordance with Article 22.2 of Spanish Law 34/2002 (LSSI) and the ePrivacy Directive.
We may use analytics services (such as Google Analytics) to monitor how the ticket shop is used. These services collect information anonymously and generate reports on visits, traffic sources, and browsing behaviour. You can manage your cookie preferences through your browser settings or through any cookie consent mechanism on our ticket shop.
10. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
| Data Category | Retention Period |
|---|---|
| Event participation and ticket records | 1 year after the event |
| Health and dietary data | 18 months after collection |
| Financial and accounting records | 6 years after the relevant financial year (Spanish Commercial Code, Art. 30; General Tax Law, Art. 66) |
| Marketing/newsletter subscriber data | Until you unsubscribe or after 2 years of inactivity |
| Customer service correspondence | 6 months after last contact |
| Code of Conduct incident records | 5 years after the date of the report, or longer where necessary for ongoing proceedings or the establishment, exercise or defence of legal claims |
When retention periods expire, data is securely deleted or anonymised.
11. Your Rights
Under the GDPR and Spanish Organic Law 3/2018 (LOPDGDD), you have the following rights:
- Access (Art. 15) — request a copy of the personal data we hold about you
- Rectification (Art. 16) — request correction of inaccurate or incomplete data
- Erasure (Art. 17) — request deletion of your data when it is no longer necessary or you withdraw consent
- Restriction (Art. 18) — request that we limit how we use your data in certain circumstances
- Data portability (Art. 20) — receive your data in a structured, machine-readable format, or request transfer to another controller
- Objection (Art. 21) — object to processing based on legitimate interest; we will stop unless we demonstrate compelling grounds
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
How to exercise your rights:
Contact: privacy@nobodies.team
We will respond within one month. This may be extended by two months for complex requests, in which case we will inform you within the first month.
We may need to verify your identity before processing your request.
Exercising your rights is free of charge, unless requests are manifestly unfounded or excessive.
Right to lodge a complaint:
If you believe your data protection rights have been infringed, you have the right to lodge a complaint with the Spanish Data Protection Authority:
Agencia Española de Protección de Datos (AEPD)
Website: aepd.es
Address: C/ Jorge Juan 6, 28001 Madrid, Spain
Phone: +34 912 663 517
We encourage you to contact us first so we can try to resolve your concern.
12. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Two-step verification for organisational accounts
- Encryption in transit (TLS) and at rest
- Access controls limiting data to authorised personnel
- Payment transactions processed via encrypted channels (SSL/TLS)
No system can be completely secure. While we take these steps to protect your data, we cannot guarantee absolute security.
13. Third-Party Links
Our ticket shop may contain links to other websites. Once you leave our ticket shop, we have no control over those sites and are not responsible for their privacy practices. Please review the privacy policy of any site you visit.
14. Changes to This Policy
We may update this privacy policy to reflect changes in our practices, legal requirements, or organisational structure. When we make material changes, the updated policy will be published on our ticket shop and the “Last updated” date will be revised.
15. Governing Law and Jurisdiction
This policy is governed by and construed in accordance with Spanish law. For any disputes arising from or relating to this policy, the courts of Madrid, Spain shall have jurisdiction.
This policy is drafted in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation), Spanish Organic Law 3/2018 on Personal Data Protection and the Guarantee of Digital Rights (LOPDGDD), and Spanish Law 34/2002 on Information Society Services (LSSI).
Asociación Nobodies Collective
Glorieta de Bilbao 1, 1, Derecha, 28004 Madrid, Spain
privacy@nobodies.team