This policy explains how DIVERGENT SOFTWARE LTD (company number 17324678, registered office Tagus House, 9 Ocean Way, Southampton, England, SO14 3TJ—“MTRX”, “we”, “us”) handles personal data in connection with the MTRX website and platform (the “Service”). We handle personal data in accordance with UK data protection law, including the UK GDPR and the Data Protection Act 2018.
01The two roles we play
Where we are the controller. For the personal data of people who visit our website, register interest, use MTRX, or contact us, we decide how and why the data is processed, and this policy applies in full.
Where we are a processor. The Service retrieves event and ticket sales data from ticketing providers at our customers’ instruction. That data may include personal data about ticket buyers and event attendees. For that data, the customer—the event organiser—is the controller and we process it only on their behalf under our Data Processing Addendum. If you are a ticket buyer with questions about your data, please contact the event organiser you bought from; sections 2–5 of this policy do not describe that processing.
02Personal data we collect as controller
- Account data — name, email address, and password, which is held by our authentication provider and which we never see, plus optional multi-factor authentication enrolment.
- Organisation data — the organisations you belong to, your role and permissions, and invitations you send or receive.
- Beta and enquiry data — your name, work email, organisation, the ticketing outlets you use, and any message you submit through our website.
- Billing data — subscription plan, billing status, and invoice history. Card details are collected and held by our payment provider, not by us.
- Usage and log data — actions in the Service, including a security audit log, device and browser information, IP addresses, and error reports.
- Support data — messages you send through the in-app support form or otherwise.
We do not intentionally collect special category data and ask that you do not submit any.
03Why we process it and our lawful bases
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Responding to beta registrations and other pre-contract enquiries | Steps at your request before entering a contract (6(1)(b)); legitimate interests (6(1)(f)) in responding to business enquiries |
| Providing the Service: accounts, organisations, syncing, dashboards, and reports | Contract (6(1)(b)) |
| Billing and subscription management | Contract (6(1)(b)); legal obligation (6(1)(c)) for tax and accounting records |
| Service emails: invitations, security, payment-failure, and sync-failure alerts | Contract (6(1)(b)); legitimate interests (6(1)(f)) in keeping you informed about your account |
| Security: audit logging, access control, fraud, and abuse prevention | Legitimate interests (6(1)(f)) in securing the Service |
| Error monitoring and service improvement | Legitimate interests (6(1)(f)) in running a reliable service |
| Responding to support requests | Contract (6(1)(b)); legitimate interests (6(1)(f)) |
| Complying with law and legal process | Legal obligation (6(1)(c)) |
We do not sell personal data, and we do not use it for third-party advertising.
04Cookies
The public MTRX website does not use analytics, advertising, or cross-site tracking cookies. The platform uses essential cookies only: authentication session cookies and short-lived cookies used to complete provider connections. These cookies are strictly necessary to provide the Service.
05Who we share data with
We share personal data with trusted third-party providers where necessary to operate, secure, and support MTRX. Where they process personal data on our behalf, they are contractually required to protect it and use it only for the agreed purposes.
| Provider category | Purpose |
|---|---|
| Cloud infrastructure and data-storage providers | Hosting the Service, its databases, files, and supporting infrastructure |
| Identity and authentication providers | Account authentication and secure session management |
| Payment providers | Processing payments, subscriptions, and billing records |
| Communications providers | Delivering transactional emails, reports, alerts, and website enquiries |
| Security and service-monitoring providers | Detecting errors, monitoring performance, and protecting the Service |
Customers can obtain information about the current subprocessors used for Customer Personal Data through the Service or by contacting us.
We may also disclose data where required by law, to enforce our terms, or as part of a corporate transaction, with notice where required. Ticketing providers such as DICE, Skiddle, SEE Tickets, Gigantic, Ticketmaster, Eventbrite, and Universe are data sources we read from at your instruction under your own agreements with them; we do not send your personal data to them.
06International transfers
We host the Service and its database in the UK or EEA where available. Some providers may process personal data outside the UK. Where personal data leaves the UK, we rely on UK adequacy regulations or appropriate safeguards such as the ICO’s International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses. You can contact us for further information about the safeguards relevant to your data.
07How long we keep data
- Account and organisation data — for as long as your account or organisation exists. When an organisation is deleted, its data is removed from live systems within 30 days.
- Beta registrations and enquiries — while relevant to your application, our business relationship, or a follow-up you requested.
- Billing records — for 6 years as required by UK tax law.
- Audit logs — while the organisation exists, as a security record for you and us.
- Support messages — while relevant to your account or request.
- Backups — deleted on a rolling cycle after deletion from live systems.
08Security
Provider credentials are envelope-encrypted at rest and never displayed back once saved. Access to Customer Data within MTRX is controlled by row-level security in the database, organisation-scoped permissions, and audited staff access controls. Staff access to tenant data requires a time-boxed, logged support grant. Data is encrypted in transit using TLS.
09Your rights
Under the UK GDPR, you may have the right to access your personal data, correct it, delete it, restrict or object to its processing, and receive a copy in a portable format. You can exercise these rights through the in-app support form or by writing to our registered office. We will normally respond within one month.
You also have the right to complain to the Information Commissioner’s Office: ico.org.uk, or by phone on 0303 123 1113. We would appreciate the chance to address your concerns first.
10Children
The Service is for business use and is not directed at anyone under 18. We do not knowingly collect data from children.
11Changes to this policy
We may update this policy from time to time. Material changes will be notified through the Service or by email before they take effect. The version and effective date at the top identify the current policy.
12Contact
DIVERGENT SOFTWARE LTDCompany number 17324678
Tagus House, 9 Ocean Way
Southampton, England, SO14 3TJ
You can also reach us through the in-app support form in your organisation’s settings.