Website Privacy Notice (GDPR) & Terms of Use
Our website rock-symphony.com is a safe and convenient way to buy electronic tickets for The ROCK SYMPHONY Orchestra concerts in various countries.
We are fully committed to protecting your privacy and respecting your choices. We make every effort to comply with our obligations under the General Data Protection Regulation (GDPR).
We prioritize the protection of individuals’ rights—including where processing is automated—and strive for maximum transparency in our relationship with customers. To this end, we have adopted this policy, which describes our processes, purposes, and the tools available to users to exercise their rights.
You can find additional information about personal data protection at: https://www.cnil.fr/
By continuing to browse this website, you unconditionally accept the terms of use below. The version published on the website is the only version in effect during your use of the resource and remains in force until it is replaced by an updated version.
Our company’s contact details (the Seller/Platform) are provided at the end of this document.
PRIVACY NOTICE & PERSONAL DATA PROCESSING UNDER THE GDPR
By visiting https://rock-symphony.com/, you agree that we collect, process, and use the personal data set out below. This Privacy Notice describes how we process personal data collected through https://rock-symphony.com/ and its content module (the “Widget”). Your access to the Website and our interactions with you are governed by this Notice. You may use the Website without disclosing personal data; however, for most of our services the provision of certain data is necessary. By providing us with personal data, you agree to its collection, use, disclosure, and storage under the terms of this Notice. This document applies to the processing of personal data that you provide to us or that may be collected when you visit the Website, use the Widget, and our services.
Scope. This Notice applies to all users, customers, and visitors of the website.
Governing Law and Jurisdiction. These Terms and any disputes arising out of or in connection with them shall be governed and interpreted in accordance with the laws of the Republic of Estonia. Mandatory rules of European Union law apply as well, including consumer protection and personal data processing rules (e.g., GDPR). The courts of Estonia shall have exclusive jurisdiction over all disputes, unless mandatory consumer-protection law provides otherwise.
Personal Data We May Collect
• Identification data — first name, last name, date of birth, nationality.
• Contact data — email address, phone number, postal/billing address.
• Payment data — information needed to process payment (card data, IBAN, transaction references).
• Ticketing data — purchased tickets, attendance information, seat numbers.
• Technical data — IP address, browser type, operating system, device identifiers, access logs.
• Communications data — customer support correspondence, requests, complaints or feedback.
• Marketing data — newsletter subscriptions, marketing preferences, participation in promotions or surveys.
As a rule, we obtain personal data directly from you via the Website/Widget. In certain cases, we receive limited data from the payment provider (e.g., transaction token/identifier, anti‑fraud status, last 4 digits of a card) — to process payments and prevent fraud; and from event partners/venues (e.g., order number, seating/attendance status) — strictly to perform the contract and ensure access to the event.
We do not knowingly collect data from individuals under 16, except where explicitly permitted by law and with parental consent. For children below 16, we rely on parental consent (see Article 8 GDPR).
Purposes of Processing
• Contract performance — processing ticket purchases, order confirmation, issuing e‑tickets, and providing access to the event.
• Customer support — responding to requests, complaints, and support tickets.
• Legal obligations — complying with tax, accounting, and other statutory requirements (e.g., VAT reporting, anti‑fraud checks).
• Security — preventing fraud, securing transactions, and access control at the venue.
• Service information — sending messages related to the purchased event (e.g., date changes, cancellations).
• Marketing (with consent) — sending newsletters, offers, and personalized advertising only with explicit customer consent.
• Legitimate interests — improving our services, analyzing user behavior, maintaining the proper operation of the website and ticketing system.
Automated Decision-Making / Profiling. We use anti‑fraud scenarios for automatic transaction scoring (analysis of technical signals/payment patterns). This may result in temporary suspension or refusal to process an order pending additional checks.
For marketing (only with consent to cookies/ads), we apply simple segmentation based on purchase/interactions history and cookie identifiers. Such operations do not produce legal effects for you. You have the right to contest an automated decision, to obtain human intervention, and to express your point of view by contacting us via the details in the “Contacts” section.
Required Data. To conclude the contract and issue tickets, you must provide the following data: first name, last name, email (for ticket delivery/notifications), and payment data (processed by the payment provider). If mandatory data is missing, we will be unable to place the order, issue an e‑ticket, send notifications, and/or ensure access to the event.
We do not process personal data for purposes incompatible with those listed above.
Legal Bases for Processing (Article 6 GDPR)
• Performance of a contract (Art. 6(1)(b) GDPR) — processing necessary to fulfill the contract (e.g., ticket purchase, order confirmation, event access).
• Legal obligation (Art. 6(1)(c) GDPR) — processing necessary to meet requirements of EU and Estonian law (e.g., tax and accounting duties, retention periods).
• Legitimate interests (Art. 6(1)(f) GDPR) — processing necessary for our legitimate interests (e.g., website security, fraud prevention, service improvement), provided those interests do not override the data subject’s rights and freedoms.
• Consent (Art. 6(1)(a) GDPR) — processing based on explicit consent, e.g., for marketing communications or surveys. Consent may be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.
Sharing Personal Data
We share personal data with third parties only where permitted and necessary by law:
• IT service providers (processors): hosting, technical support, email delivery — processing data on our instructions under a data processing agreement.
• Ticketing platforms and box‑office providers: for booking and issuing tickets (e.g., Fnac Spectacles, Fimalac Entertainment, Ticketmaster). Depending on their role, they may act as our processor or as an independent controller.
• Payment systems through which your payment is processed. We currently use Stripe to provide this service. More details: https://stripe.com/. Any personal data you provide to this payment service provider is processed by the provider (as a separate controller) in accordance with its own privacy notice.
• Mailing services — processing data on our behalf and per our instructions under Article 28 GDPR.
• Event partners — in certain cases, local organizers or venues, but only to the extent necessary to perform the contract (e.g., access control, seating).
• Public authorities and courts — where required by law (e.g., tax authorities, courts, or law enforcement). Tax authorities process such data as separate controllers in line with their own privacy notices.
• Professional advisers — auditors, accountants, lawyers bound by confidentiality.
In addition, we may disclose your personal data if required by law.
International Data Transfers (Chapter V GDPR)
We may transfer personal data to recipients outside the European Economic Area (EEA) when the relevant processor, joint controller, or other recipient is located in a third country. Such transfers are made strictly in accordance with Chapter V GDPR and only with appropriate safeguards, including:
• An adequacy decision of the European Commission (Art. 45 GDPR);
• Appropriate safeguards (Art. 46 GDPR), including Standard Contractual Clauses (SCC, 2021/914) and/or Binding Corporate Rules (BCR), alongside necessary technical and organizational measures (e.g., encryption, access limitations) and a transfer impact assessment (TIA);
• Derogations under Art. 49 GDPR (e.g., explicit consent, necessity for contract performance) — only to the extent strictly necessary for the transfer’s purpose.
For analytics and advertising we may use Google Analytics and Meta (Facebook) Pixel, and TikTok Pixel. Processing can occur in the EU and/or the USA. Transfers outside the EEA are covered by Standard Contractual Clauses (SCC) and supplementary measures (data minimization, pseudonymization, IP masking). Mailing/hosting providers process data in the EU/EEA or in other countries subject to SCC/BCR and equivalent safeguards.
We do not sell or rent personal data to third parties. Our processors act under data processing agreements (Art. 28 GDPR), follow our instructions, and do not use data for their own purposes; sub‑processors may be engaged only with our authorization and subject to equivalent safeguards. For joint controllers, an Article 26 GDPR arrangement allocates responsibilities; key provisions are available upon request. Upon a data subject’s request, we will provide summarized information on safeguards and/or access to relevant clauses (e.g., SCC excerpts).
Retention Periods
We store personal data only as long as necessary to achieve the purposes for which it was collected, or for the period required by law. Retention timelines:
• Ticketing and contractual data — for the duration of the contractual relationship and up to 3 years thereafter to defend against potential legal claims.
• Accounting and tax data — for 7 years, in line with Estonian accounting and tax legislation.
• Customer support correspondence — up to 2 years after the ticket is closed.
• Marketing data — until consent is withdrawn or for a maximum of 2 years after your last interaction with us.
After the retention period expires, personal data will be securely deleted or anonymized.
Your Rights (GDPR Articles 15–22)
• Right of access (Art. 15) — request confirmation of processing and obtain a copy of your personal data.
• Right to rectification (Art. 16) — have inaccurate or incomplete data corrected.
• Right to erasure (Art. 17) — have your personal data deleted, except where we are legally required to retain it.
• Right to restriction (Art. 18) — restrict processing in certain circumstances.
• Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine‑readable format and transmit it to another controller.
• Right to object (Art. 21) — object to processing, in particular for direct marketing.
• Right to withdraw consent (Art. 7) — when processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint (Art. 77) — file a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or another supervisory authority in your place of residence.
You can exercise your data subject rights (access, rectification, erasure, restriction, portability, objection, withdrawal of consent) by contacting us at: [email]. We respond within one (1) month of receiving your request; where necessary, this may be extended by a further two (2) months due to complexity and number of requests — in such cases we will notify you of the extension and reasons before the initial one‑month period expires.
For security, we may ask for minimal identity verification and may clarify certain details to process your request correctly. Responses are provided free of charge, except for manifestly unfounded or excessive requests, where a reasonable fee may be charged or the request refused with reasons provided.
You may lodge a complaint with the supervisory authority in your habitual residence, place of work, or the place of the alleged infringement. A list of EU authorities is available on the EDPB website.
Cookies
Our website uses cookies and similar technologies to ensure proper operation, enhance user experience, and for analytics and marketing.
Cookie categories:
• Strictly necessary — essential for the site to function (e.g., ticket booking, secure sign‑in). These do not require consent.
• Analytics — help us analyze traffic and improve the site. Used only with your consent.
• Functional — remember your settings (e.g., language/region). Used only with your consent.
• Advertising & tracking — used for marketing, personalized ads, and retargeting. Used only with your explicit consent.
On first visit, a banner offers “Accept all” / “Reject all” / “Settings”. We are the controller for processing on our site; Google/Meta/TikTok may act as separate controllers for their subsequent processing under their own policies.
Types of cookies used:
• Necessary cookies — essential for correct operation, such as ticket purchases, secure sign‑in, and session management. They cannot be disabled.
• Analytics cookies (Google Analytics) — to measure and analyze website usage and improve usability; set only with your consent.
• Marketing cookies (Facebook Pixel and similar tools) — for personalized advertising, campaign measurement, and retargeting; set only with your explicit consent.
You may withdraw your consent at any time by changing cookie settings in the Cookie Settings section of our website. Withdrawal does not affect processing performed before withdrawal.
You can manage, block, or delete cookies at any time through your browser settings. Disabling certain cookies may cause some site features (e.g., ticket purchase or secure sign‑in) to function improperly.
TERMS OF USE
These Terms of Use (the “Agreement”) apply to all purchases made through the Company’s Widget and are intended to explain the purchasing process, our role in providing the Services, and the specifics of acquiring Tickets. The Agreement is effective from its publication on https://rock-symphony.com/ and remains in force until repealed or replaced by a new version.
Definitions
“Ticket” — an electronic document sent to the Buyer by email (unless otherwise provided by this Agreement or on https://rock-symphony.com/) confirming the right to attend (enter/view/listen to) the Event. It contains a unique identifier (code/bar‑ or QR‑code), order number, information about the Event’s name, date and venue, allocated seat (sector/row etc., if applicable), the price and Service Fee amount, and other legal/technical information.
“Reservation” — an Order created in the System, pending payment by the Buyer.
“Reservation period” — the time interval displayed in the Widget during checkout during which the Buyer can pay for the Order before automatic cancellation.
“Order” — one or more Tickets for a single Event selected by the Buyer in the Widget and combined by the System under a single ID number.
“Event” — a concert or cultural/entertainment event that can only be attended with a Ticket.
“Buyer” / “You” — a natural or legal person using the services of the Ticket Seller for booking (if available) and issuing Tickets under this Agreement.
“Ticket Seller” — the legal entity that sells Tickets, publishes and controls the accuracy of Event information, and ensures the validity and authenticity of Tickets.
“Service Fee” — the fee charged to the Buyer upon sale of Tickets for booking and issuance services. The amount per Ticket is a certain percentage of the Ticket price indicated on the Ticket (unless otherwise provided).
“System” — the Company’s software/hardware complex ensuring Website operation and managing the Widget; intended for booking, registration, sale and generation of unique Ticket serials/numbers, identification and storage of user transactions, sending purchase confirmations by email, etc.
“Website” — the Platform’s web pages (including subdomains) available at https://rock-symphony.com/
“Widget” — the Company’s content module through which the Buyer interacts with the Organizer and completes Ticket purchases; the Buyer is redirected to the Widget to complete the purchase.
Key Terms
This section governs your use of the Website/Widget and the purchase of Tickets. When issuing Tickets, we process required personal data as provided in this Policy and applicable law.
The ticket sale contract is concluded when the buyer completes the order process on our website and receives electronic order confirmation (by email or on screen). From that moment, the order is binding and the buyer must pay the ticket price. Under the Estonian Law of Obligations Act (§ 53(4) cl. 7 and § 56), the right of withdrawal does not apply to leisure services where the contract provides a specific date or period of performance. Therefore, purchased tickets are non‑refundable, except in cases of event cancellation or rescheduling.
All ticket prices are displayed in euros by default, unless otherwise indicated. When purchasing from other countries, payment may be made in the local currency depending on the buyer’s location, chosen payment method, and the ticketing operator’s system. The final amount payable in local currency is determined by the payment provider at the exchange rate in effect on the purchase date. All currency conversion costs or bank fees are borne by the buyer.
Tickets are delivered electronically (e‑tickets), which fulfills the contract. After purchase confirmation and successful payment, the buyer receives the tickets by email. The buyer is responsible for providing a correct email address and for accessing the e‑tickets received. We are not responsible for non‑delivery due to an incorrect email address provided by the buyer, or due to technical issues beyond our control (spam filters, full mailbox, etc.). Tickets must be presented in electronic or printed form to enter the event.
Payment
Payment for tickets must be made immediately upon checkout. The sales contract is concluded after payment is confirmed by the payment service.
Ticket prices include applicable VAT or other indirect taxes depending on the event location and applicable legal requirements. VAT rates may differ by country.
For sales within the European Union, VAT is applied in accordance with the EU VAT Directive 2006/112/EC and the national tax law of the event country. When tickets are sold via local ticketing operators, the VAT rate of the event country applies.
Refunds
Tickets are non‑refundable and cannot be canceled by the buyer after the purchase is completed. Under the Estonian Law of Obligations Act (§ 53(4) cl. 7 and § 56) and EU Directive 2011/83/EU, the right of withdrawal does not apply to leisure services tied to a specific date or period. Mandatory rules of the event country and consumer rights of the buyer’s country of residence (B2C) are not diminished.
Refunds are available only in the following cases:
• Event cancellation: the ticket price will be refunded within up to 30 calendar days after cancellation is confirmed, unless mandatory rules of the event country provide otherwise. Service/transaction fees are refunded to the extent required by law.
• Event rescheduling: if the event is rescheduled, tickets remain valid for the new date. If the buyer cannot attend, they may request a refund under the same conditions as for cancellation.
Refund and exchange rules apply subject to the mandatory requirements of the law of the event country and, in B2C relationships, the mandatory rules of the consumer’s country of residence where those provide a higher level of protection.
Rights & Obligations of the Parties
Buyer’s rights:
• Receive information about sales rules, prices, ticket categories, and other event terms posted on the Website/Widget.
• Choose any available payment method in the Widget after reviewing the payment provider’s rules and fees.
• Send feedback/requests about the Platform and Organizer via the contacts listed on the Website.
• Cancel a Ticket purchase before paying for the Order; such cancellation terminates all obligations of the Organizer for the respective Reservation/Order.
User obligations — when using the Website, Widget, and Services, you must not:
• Engage in offensive, threatening, or otherwise unacceptable behavior towards Platform staff, the Organizer, or other users.
• Use the Platform’s trademarks or other IP without prior written permission from the rights holder.
• Copy, reproduce, decompile, modify, create derivative works, distribute, or publicly display content (other than your own information) or the software of the Website/Widget/Services without the necessary permissions from the Platform and (where needed) third parties.
• Interfere, attempt to interfere, or otherwise disrupt the normal operation of the Website, Widget, Services and/or any activity conducted on them (including via bots, scripts, or bypassing technical restrictions).
Seller (Platform) rights:
• Require the Buyer to follow the full procedure for placing and paying for an Order in accordance with this Agreement.
• Cancel a Reservation and/or Order if more than two unpaid Reservations and/or Orders are recorded for the Buyer within a 5‑day period; repeat payment for such Order is not possible — a new Order must be placed.
• Modify Website/System/Widget software at any time; suspend operation to address major malfunctions/errors/outages, for maintenance, and/or to prevent unauthorized access.
• Set and change Service rates unilaterally; include a Service Fee in the Order price where applicable and collect it from the Buyer.
• Require full payment for the Ticket; cancel an Order not paid within the Reservation period (a canceled Order cannot be re‑activated; a new Order is required).
• In case of breach by the Buyer, refuse further services or limit access to the Widget.
Liability
We are liable only for damage caused intentionally or by gross negligence. In cases of simple negligence, our liability is limited to breaches of essential contractual obligations (“cardinal duties”). In such cases, liability is limited to foreseeable and typical damages.
We are not liable for indirect, consequential, or lost profit damages unless caused intentionally. We are not responsible for technical failures of internet services or third‑party platforms (ticketing systems, payment providers, etc.) beyond our reasonable control. Liability for harm to life, health, or bodily integrity remains in full force as provided by applicable law.
These Terms, together with all documents incorporated by reference, constitute the entire agreement and supersede prior oral or written arrangements. Any amendments are valid only in the manner and form expressly provided herein. If any provision is held invalid or unenforceable in certain circumstances, this does not affect its application in other circumstances or the validity of remaining provisions.
In no event shall the Seller (Platform) — or its partners, suppliers, advertisers, or sponsors — be liable to you or any third party for any losses of any kind arising in connection with use of the Website, Widget, System, their content, or goods/services purchased through the Widget. The Buyer expressly waives claims for such losses. The Seller (Platform) is also not liable for damage or moral harm caused by a mistaken understanding/interpretation of information on ordering, payment, receipt, and use of the Services.
Force majeure. The parties are not liable for total or partial non‑performance due to events beyond their control: natural disasters, military actions, strikes, riots/protests, acts of authorities, prolonged outages in telecom and energy networks, and other extraordinary and unavoidable events.
The Platform is not responsible for the functioning/security of information channels used by the Buyer to access the Website/Widget/System, or for the preservation of information on the Buyer’s side, including the Ticket received under this Agreement.
This internal claim procedure does not affect your statutory limitation periods or consumer rights. We encourage you to contact us without undue delay. The Platform reserves the right to report any activity it considers unlawful or in breach of these Terms, and to respond to duly issued requests (such as subpoenas, court orders, or other lawful processes) from law enforcement authorities, regulators, or other authorized third parties, whether domestic or foreign.
Dispute Resolution
Disputes arising in the performance of these Terms are subject to pre‑trial resolution. A written claim (including by email listed on the Website) with supporting documents must be sent to the Seller (Platform) within 10 (ten) calendar days of the dispute arising. The Seller (Platform) will review and respond within a reasonable time.
Estonian substantive law applies to these Terms and the parties’ relations, excluding conflict‑of‑laws rules that would lead to the application of another law. Regardless of the chosen applicable law, mandatory rules of the event country apply to the extent they cannot be altered by agreement and directly regulate the relevant relations (e.g., venue access, safety, mandatory refund rules). In B2C relations, the mandatory laws of the consumer’s habitual residence also apply if they provide a higher level of protection and cannot be altered by agreement.
Other Provisions
We cannot technically restrict minors’ access to the Website/Widget and rely on parents/guardians to assess suitability of content and purchases. Parental‑control tools (hardware/software and filtering services) can limit access to content potentially unsafe for minors.
You agree to comply with applicable rules, policies, and terms of the Seller (Platform) and the venue operator. Entry may be refused, or a person removed without refund, for behavior that disrupts public order, uses offensive/vulgar language, or otherwise violates visitor rules.
The Event is a public occasion. Please note that your presence and activities at or near the venue may be visible to others and may be captured on photo, video, or audio. By attending, you acknowledge and agree that the Seller (Platform), the Organizers, and their partners or licensees may record, use, and share your image, likeness, voice, and movements in live or recorded formats. Such recordings may be broadcast, published, or reproduced on any media, whether existing or developed in the future, without the need for further consent or compensation.
Entry screening and bag checks may occur. By attending, the Buyer consents to screening and waives related claims. Refusal may result in denied entry without refund. Certain venues prohibit specific items (including but not limited to firearms, alcohol, narcotics, cameras/recording devices, laser pointers, strobe lights, etc.).
Illegal resale (or attempts), or use of counterfeit/duplicate Tickets, is grounds for seizure and cancellation without compensation. The Buyer must comply with resale laws. We may limit or refuse Tickets to persons who, in our reasonable opinion, breach or have breached this Agreement. Tickets may not be used in advertising/promotions, contests, or giveaways without our prior written permission.
We reserve the right to change, suspend, or discontinue the Website, Widget, Services, or any part thereof at any time — temporarily or permanently, with or without notice. Scheduled maintenance may render the Website/Widget/Services temporarily unavailable despite efforts to minimize inconvenience.
Section headings are for convenience only and do not affect interpretation. Official notices are sent to the email provided by the Buyer during registration and are deemed delivered 24 hours after sending.
Security & Data Protection
We use SSL/TLS secure server technology — one of the most reliable methods for securing online payments. All personal data transmitted is encrypted to prevent unauthorized access.
Our systems are protected by a multi‑layer firewall infrastructure and internal information‑security policies. Employee access to Buyer data is strictly on a need‑to‑know basis and only to authorized personnel within their duties. All data operations are logged and monitored by responsible persons.
Further details are provided in the Privacy Notice.
Contacts
RSO Production by Voloshyn OÜ
Private limited company
Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Karu tn 14-8, 10120: Commercial register 17018174
VAT number EE102806827
FR74988666830
Managing director Igor Voloshyn
Contacts: rso@rock-symphony-orchestra.com
Data Controller: RSO Production by Voloshyn OÜ Private limited company Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Karu tn 14-8, 10120: Commercial register 17018174, VAT number EE102806827, FR74988666830
Data Protection Contact / DPO: rso@rock-symphony-orchestra.com (address for requests)
Rights requests (Arts. 15–22 GDPR): send to rso@rock-symphony-orchestra.com.
We respond within 1 month (extendable by 2 months for complexity, with notice).