Privacy policy

Last updated: May 14, 2026

1. Who is the controller and what this applies to

The data controller is NEXOTICK, LLC, a New Mexico, USA company (“Nexotick”). This Policy applies to the website nexotick.com, the official mobile apps, the API, and other connected services (the “Platform”).

By using the Platform you acknowledge that your data may be transferred, stored, and processed in the United States of America and in other jurisdictions operated by our cloud providers (AWS, Google Cloud, Cloudflare). By continuing, you give your informed consent for this international transfer.

2. Data we collect

2.1 Data you provide

  • Identity and contact: full name, date of birth, sex, ID or passport, email, phone.
  • Payment data: processed securely through Stripe, PagueloFacil, or other gateways. We do not store the full card number.
  • Banking data for withdrawals: only if you are an Organizer, Photographer, Seller, or other role with the right to withdrawals. We store bank account, bank, holder, country, IBAN/SWIFT, and tax address with encryption at rest.
  • Sensitive health data: blood type, allergies, medical conditions, and emergency contacts. They are optional but recommended for your safety in competitions. They are only shared with the Organizer of the event you register for.
  • Size, club, team and other specific data requested by each Organizer in its registration form.
  • Profile photo: optional. Used for facial search in photo galleries.

2.2 Data generated by using the Platform

  • Location data (GPS) in digital challenges: when you participate in a digital challenge, the app captures your location during the activity to validate distance, route, and compliance. This data is associated exclusively with the corresponding challenge.
  • Facial biometric data: when enabling facial search or uploading a profile photo, we generate a mathematical representation (facial vector) stored by Amazon Rekognition, linked to the event.
  • Technical data: IP address, device identifier, browser type and version, operating system, language, usage data (pages viewed, clicks).
  • Cookies and similar technologies: see section 8.
  • Wearables data: if you connect a device (wristband, sports watch), we collect sports metrics (heart rate, distance, sleep) to personalize plans and rankings.
  • Cashless / NFC wristband data: top-ups, consumption at stands, and remaining balance.

3. Legal bases for processing

  • Performance of the contract (the Terms): to deliver the service you purchased.
  • Explicit consent: for sensitive data (health, biometrics), for sending marketing communications, and for the use of non-essential cookies.
  • Legitimate interest: fraud prevention, Platform security, service improvement, and internal reporting.
  • Compliance with legal obligations: invoicing, tax withholding, responding to authorities.

4. What we use your data for

  • Process your registration and generate your ticket / QR code.
  • Charge the payment, manage refunds, and pay Organizers, Photographers, and other roles.
  • Display results and rankings for events you participate in (name, category, time).
  • Validate digital challenges with your GPS and wearables.
  • Allow you to search your photos in event galleries via facial recognition (when you authorize it).
  • Send you transactional notices: confirmations, event changes, receipts.
  • Direct marketing (only if you opted in): newsletters, recommendations for our own events or those of third-party Organizers operating on the Platform.
  • Prevent fraud, abuse, and violations of the Terms.
  • Comply with legal obligations and respond to competent authorities' requirements.

5. Sensitive data: health and biometrics

5.1 Health data

We collect blood type, allergies, medications, pre-existing conditions, and emergency contacts only if you provide them. Their purpose is exclusively operational: so that the event's medical staff can act in an emergency. They are only shared with the Organizer of the event you are registered for. You can edit or delete them from your profile at any time.

5.2 Biometric data (facial recognition)

Searching photos by face requires us to generate a biometric representation of your face. This representation is stored in a per-event collection operated by Amazon Rekognition.

  • Express consent: by using the “Find my face” feature or uploading a profile photo for that purpose, you consent to the creation of the biometric representation.
  • Limited purpose: matching your face with event photographs. It is not used for surveillance or advertising profiling, and is not sold to third parties.
  • Retention: the biometric representation is kept while the associated event is active and up to 24 months thereafter, unless you request its deletion earlier.
  • Deletion: you may request immediate deletion by writing to [email protected] or, where applicable, from your profile settings.

6. Data of minors

The Platform account is for people 18 years of age or older. When an Organizer enables registrations for minors, the minor's data (name, date of birth, size, medical data) is provided by the parent or legal representative through their own account.

  • The legal representative accepts this Policy on behalf of the minor and consents to processing.
  • We do not request biometric data of minors. Facial search is disabled by default in minors' profiles.
  • The representative may access, rectify, and delete the minor's data at any time.

7. Independent controllers: Nexotick and Organizers

When you purchase a ticket or service, Nexotick and the event Organizer act as independent data controllers.

  • Nexotick processes data as the Platform provider: it processes transactions, prevents fraud, improves the service, sends transactional communications, and, with your consent, sends direct marketing of other relevant events.
  • The Organizer receives a copy of the data necessary to manage that specific event: name, contact, medical data, size, club. The Organizer is the independent controller of that copy and is required to use it only for logistics, access control, and operational communication of the event. It is prohibited from extracting the database for unrelated marketing purposes. Nexotick may suspend any Organizer that breaches this.
  • If you want to exercise rights over the copy held by the Organizer, you may contact them directly or ask Nexotick to forward your request.

8. Cookies and similar technologies

  • Essential cookies: necessary for the session, cart, and security. They cannot be disabled.
  • Analytics cookies: allow us to measure Platform use in an aggregated way (example: Google Analytics, Cloudflare Insights). You can disable them in your browser settings.
  • Marketing cookies: enabled only if you authorize. They allow remarketing campaigns and conversion attribution.

9. Who we share your data with

  • Organizers of the event you register for (section 7).
  • Payment gateways (Stripe, PagueloFacil) and withdrawal processors (Mercury), only to execute transactions.
  • Technology providers that deliver essential services under confidentiality clauses: AWS, Google Cloud, Resend (transactional email), Cloudflare, Amazon Rekognition (biometrics).
  • Team representatives who assign credits to you: they see your name, email, and registration status, but not your medical data.
  • Government or judicial authorities when there is a binding order or legal requirement.

Nexotick does not sell your personal information to third-party advertisers.

10. Marketing and opt-out

  • We only send marketing if you give us your consent at registration or later.
  • You can revoke your consent at any time via the “Unsubscribe” link included in all promotional emails or by writing to [email protected].
  • Revoking marketing does not stop transactional emails (confirmations, event changes, receipts).

11. Your rights (ARCO and equivalent rights)

In compliance with applicable regulations, including Panama's Law 81 on personal data protection and equivalent rules in other Latin American jurisdictions, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Cancel or request the deletion of your data.
  • Object to processing, particularly direct marketing.
  • Withdraw your consent regarding consent-based processing, without retroactive effects.
  • Portability: obtain a structured copy of your data.

To exercise these rights write to [email protected]. We will request reasonable proof of identity and will respond within 30 days.

11.1 Notice for California residents (CCPA / CPRA)

If you reside in California, in addition to the above rights, you may request details of the categories of data collected, the purposes of their use, and the third parties we share it with, as well as opt out of “sales” or “sharing” of data within the meaning of the CCPA (Nexotick does not engage in sales in that sense, but we respect the exercise of the right). For CCPA requests, write to [email protected] with subject “CCPA”.

12. Delete your account and data

You may request the deletion of your account and the associated personal data at any time. Deletion is irreversible.

  • From the app (recommended): sign in, go to Settings → Privacy → Delete account and personal data, and confirm. Deletion is processed immediately.
  • From the web: sign in at nexotick.com and go to your profile. To delete the account completely, use the app or contact support.
  • By email: write to [email protected] and we will guide you.

We will retain data for the time strictly necessary to comply with legal obligations (invoicing, audit) or to resolve disputes, typically up to five (5) years after your last interaction, after which they will be deleted or anonymized.

13. Retention and security

  • We apply encryption in transit (HTTPS / TLS) and at rest for sensitive data (banking, health, biometrics).
  • Access to personal data is restricted by role; employees sign confidentiality agreements.
  • We perform encrypted backups and monitor access to detect anomalies.
  • Despite these measures, no Internet transmission is 100% secure. We recommend using strong passwords and not sharing them.
  • Incident notification: in the event of a security breach affecting your personal data, we will notify you within a reasonable timeframe as required by applicable law.

14. International transfers

Your data may be stored and processed in the United States and other jurisdictions where our providers operate. We apply standard contractual clauses and equivalent mechanisms to ensure an adequate level of protection in accordance with applicable regulations.

15. Changes to this Policy

We may update this Policy to reflect changes in the service, regulation, or our practices. We will notify you of material changes at least fifteen (15) days in advance by email or notice on the Platform. The “last updated” date above indicates when it was last modified.

16. Contact

For any privacy inquiries, contact [email protected].
