HomePrivacy Notice

Privacy Notice

This Privacy Notice applies to Legends Hospitality Parent Holdings LLC, and its affiliates and subsidiaries (“Legends Global,” “we,” “us,” or “our”) websites, mobile applications, and other offline or online and mobile services that link to or post this Privacy Notice (collectively, the “Services”) and explains how we collect, use, and disclose information through the Services.

We may offer some Services in connection with our partners and/or another third party or parties via a website or mobile application. When you have provided personal data on a website or mobile application that is provided with a third party, then that personal data will generally be made available to both us and such third party. We encourage you to consult the partner’s privacy policy to ensure that you understand how it intends to use your personal data and how you may exercise control over it.

What Does the Legends Global Privacy Notice Cover?

This Privacy Notice describes how we collect and use your personal data when you interact with our Services, correspond with Legends Global, interact with us as a representative of our partners or vendors online or offline (including at a venue), follow us or otherwise interact with us on social media platforms, or otherwise interact with Legends Global.

Legends Global is subject to multiple regional and local specific laws, some of which require us to provide extra information about how we use personal data. If this affects you, you can find this extra detail in the Region-Specific Disclosures section.

It also describes your privacy and data protection rights, including where applicable the right to object to some of Legends Global’s processing activities. More information about your rights and how to exercise them is in the Your Privacy Choices section below.

This Privacy Notice does not address Legends Global privacy practices relating to Legends Global job applicants, employees, and other employment-related individuals. It also does not address our use of data that is not subject to applicable data protection laws (such as anonymized data). This Privacy Notice is not a contract and does not create legal rights or obligations not otherwise provided by law.

Legends Role in Processing Personal Data

Data protection laws sometimes differentiate between “controllers” and “processors” of personal data. A “controller” determines the purposes and means (the why and how) of processing personal data. A “processor,” sometimes referred to as a “service provider,” processes personal data on behalf of a controller and is subject to the controller’s instructions and direction.

This Privacy Notice describes Legends Global’s privacy practices where we act as a controller in respect of our processing of your personal data in connection with a variety of purposes and to support our Services.

Personal Data We Collect

Personal Data You Provide to Legends Global

We collect and process personal data about you that you provide directly to us when you interact with us our partners, or our Services.

The categories of personal data we collect depend on how you interact with the Services. For example, you may provide us with your personal data directly when you communicate with us (such as by email or phone), report a problem or request support with a website, facilitate the relationship between us and the partner or vendor you represent, participate in partner or vendor events or surveys, or otherwise engage with the Services.

This includes:

Personal Data Category	Details
Identifiers	name, mailing address, email address, phone number, social media account names, unique device identifiers, date of birth, government identifiers (driver’s license, passport numbers, Social Security numbers, and similar identifiers).
Customer Records	mailing address, email address, or telephone number.
Transaction Information	products and/or services that you purchase from us, amount spent, the date / time of your purchase, how frequently you purchase from us, payment method, whether you have used any discount or gift card codes or other offers. This includes purchases made at our venues or private events, to the extent we are able to associate those purchases with you.
Payment Information	credit or debit card information.
Sensory Information	recordings of any audio communications between you and Legends Global (where permitted by law).
Professional Information	your job title, company name, professional background, and the nature of your relationship with us or the partner / vendor you represent.
Inferences	predictions about interests and preferences and related information.
Biometric Information	Biometric information, such as when you use biometric authentication at stadiums or venues that offer this functionality for entry or other relevant functionality governed by this Privacy Notice. Where required by law, we collect this information pursuant to your consent and may provide additional notice about relevant data handling practices.
Medical and Special Assistance Information	information about any relevant health conditions, religious or dietary requirements, or any other information required to accommodate any special requests, accessibility requirements or to provide assistance (including medical assistance) at our venues. This information may include sensitive or special category data, including information relating to your health, race, ethnicity, religious or philosophical beliefs.
Complaints	information that you submit to us in connection with any complaints. This information may include sensitive or special category data, including information relating to your health, race, ethnicity, religious or philosophical beliefs, sexual orientation, and political opinions.
Criminal Offence Information	criminal conviction and offence data relating to criminal activity or suspicions or allegations of criminal or terrorist activity.
Sensitive Information	including information relating to your health, race, ethnicity, religious or philosophical beliefs, sexual orientation, and political opinions.
Other Personal Data	details of any communications you may make to us, including through messages sent through forms, emails, or other contact information we make available, communications preferences, attendance at events, feedback and ratings you provide relating to our Services, comments and content in response to surveys or other market research, and any other inquiries, requests, or comments you choose to send us or post on social media. We may also collect user-generated content, including any files, documents, audio, videos, images, data, reviews, or communications you choose to input, upload, or transmit to our products and services, or any embedded social media posts featuring our products.

Personal Data We Receive from Third Parties

Sometimes, we receive information about you from third parties. In particular:

Partners and Vendors: If you interact with us or our services in your capacity as a representative of one of our partners or vendors, we may obtain personal data about you from the partner or vendor you represent. For example, we may obtain your contact information from the partner or vendor you represent to allow us to communicate with you about your organization’s relationship with us, or we may receive your contact information from another partner or vendor as a part of a referral. (Identifiers, Professional Information, Other Personal Data)
Social Media Sites: If you interact with us on social media, such as if you “follow” us, “tag” us or participate in an online event, community or forum that we operate on the relevant social media platform, we may access information about you and your profile on that social media platform that you choose to share in accordance with your settings. (Identifiers, Internet/Network Information, Other Personal Data)
Advertisers, Influencers, and Publishers: We advertise on our Services and through third-party services. Advertisers, influencers, and publishers may share personal data with us regarding our advertising efforts. For example, we may obtain information about whether an advertisement on a third party’s services led to your interaction with a Legends Global website. (Identifiers, Internet/Network Information)
Service Providers: Our service providers that perform services on our behalf, such as analytics and surveys, collect personal data and often share some or all this information with us. For example, we receive personal data you may submit in response to requests for feedback to our survey providers. (All categories otherwise listed in this notice)
Law Enforcement Authorities and Security Providers: We may receive information required to ensure the safety and security of our venues and visitors to our venues from law enforcement and third-party security providers. (Criminal Offence Information)
Other Sources: We may also collect personal data about you from other sources, including publicly available sources, third-party data providers, brand partnerships, or through transactions such as mergers and acquisitions. (All categories otherwise listed in this notice)

Personal Data We Receive or Generate Automatically

We also collect the following personal data automatically when you interact with the Services:

Category	Details
Information About Your Device and Network (Internet/Network information)	This may include the device type, manufacturer, and model, operating system, IP address, browser type, Internet service provider, and unique identifiers associated with you, your device, or your network (including, for example, a persistent device identifier or advertising ID). We employ third-party technologies designed to recognize when two or more devices are likely being used by the same individual and may leverage these technologies (where permitted) to link information collected from different devices.
Information About the Way You Use a Legends Global site and Interact With Us (Internet/Network Information)	This may include the site from which you came, the site to which you are going when you leave the Legends Global site, how frequently you access the Legends Global site, whether you open emails or click the links contained in emails, whether you access the Legends Global site from multiple devices, and other browsing behaviour and actions you take on the Legends Global site (such as the pages you visit, the content you view, the communications you have through the Legends Global site, and the content, links and ads you interact with). We employ third-party technologies designed to allow us to collect detailed information about browsing behaviour and actions that you take on the Legends Global site, which may record your mouse movements, scrolling, clicks, and keystroke activity on the Legends Global site and other browsing, search or purchasing behaviour. These third-party technologies may also record information you enter when you interact with the Legends Global site or engage in communication features, we provide.
Information About Your Location (Geolocation data)	This may include approximate geographic location that we or our third-party providers and their partners may derive from your IP address.
Audio, Electronic, Thermal, or Visual Information	We may also collect audio, electronic, thermal, or visual information from you automatically, such as information collected from CCTV cameras or similar devices and when we film or photograph you in a public location at a venue.

We may use the above information to operate the Services, to enhance and personalize your user experience, to monitor and improve the Services, to offer communications features, and to enhance the effectiveness of our products, services, offers, communications, and customer service.

We may also use this information to (a) remember information so that you will not have to re-enter it during your visit or the next time you visit the Services; (b) provide custom, personalized content and information, including targeted content and advertising; (c) identify you across multiple devices; (d) provide and monitor the effectiveness of our services; (e) monitor aggregate metrics such as total number of visitors, traffic, usage, and other patterns on the Services; (f) diagnose or fix technology problems; and (g) otherwise to plan for and enhance our products and services.

We typically collect this information through the use of a variety of our own and our third-party partners’ (including Google, Snapchat, LinkedIn, Crimtan, Sojern and their partners) and promoters’ automatic data collection technologies, including (i) cookies or small data files that are stored on an individual’s computer and (ii) other, related technologies, such as web beacons, pixels, embedded scripts, mobile SDKs, location-identifying technologies and logging technologies.

For additional details about the cookies, pixels and other technologies we use on the Services and to adjust your preferences about those cookies, please click the “Cookie Preferences” link in the footer of the Services.

Information we collect automatically about you may be combined with other personal data we collect directly from you or receive from other sources. We may share a common account identifier (such as a hashed email address or user ID) with third-party advertising partners to help link the personal data we, and our third-party partners, collect about the same person and target advertising to that individual on a third-party website or platform.

We also generate or collect information about you ourselves without your input. We may generate inferences or predictions about you and your interests and preferences based on the other personal data we collect and the interactions we have with you.

How Legends Global Uses Your Personal Data

Personal data and How we use it	Our lawful basis (European Privacy Disclosures only)
Fulfilling a contract with youWe use your personal data as required to deliver the services requested and otherwise fulfil our obligations under our agreement with you. This means that we collect and use your personal data to: communicate with you in connection with the provision of our services to you;provide customer services and arrange the provision of products or services;manage our contractual relationship with you.To do this we use your Identifiers, Customer Records, Transaction Information, Payment Information, Internet/Network Information, Sensory Information, Professional Information, Medical and Special Assistance Information. Relevant third parties we may share this data with include service providers and other controllers that provide us services (e.g. certain payment providers).	The processing is necessary for the performance of a contract (namely our Terms of Service). Where required under applicable law, we process special category data contained in the Medical and Special Assistance Information where you give us your consent to do so.
Managing our business, Services, engaging with and understanding our audience and users.We collect, analyze and use your data to:personalize the products displayed to you on our Services when you log in to your account, such as listing products that are similar to your past purchases or that you have told us would be of interest to you in a more prominent position (see separately our personalization as a result of wider data analysis set out in the row below);present the relevant Service in the language and currency of the country you are in;provide customer support, respond to your queries and comments and to help us identify errors or problems with the Service or products you have purchased, as well as commonly occurring faults our products so that we can fix and improve them;manage entry to our venues;monitor use of the Services, and use your information to help us oversee, improve and protect our products, content, services and websites, both online and offline; andcarry out market research, including carrying out surveys and asking for your feedback.To do this, we use your Identifiers, Customer Records, Transaction Information, Internet/Network Information, Geolocation Data, Biometric Information, Sensory Information, Professional Information, Inferences, Medical and Special Assistance Information, Complaints, and Other Personal Data. Relevant third parties we may share this data with include service providers (such as IT service providers).	The processing is necessary for our legitimate interests, namely:tailoring the Services to the user’s account;providing customer support, administering the Services; addressing user queries and comments; to help us improve the Services;presenting the Services in the appropriate language and currency;overseeing use of the Services to monitor, improve and protect our products, content, service, websites;carrying out market research and seeking user feedback;creating products and services based on analysing customer interactions.We may also rely on our legal obligation to ensure that we use your location to offer you any necessary consents or specific terms as needed to comply with applicable law. Where required under applicable law, we will only use Internet/Network Information and Geolocation Data, as well as any Inferences derived from such data, where you give us your consent to do so. Where required under applicable law, we will only use Biometric Information and any special category data contained in Medical and Special Assistance Information or Complaints, where you give us your consent to do so.
Direct marketing, personalisation and personalised servicesWe collect, analyze and use your data to:tailor the advertising we display to you and the electronic marketing messages we send to you in accordance with your preferences.ensure we communicate with you in accordance with your preferences.ensure that we only send you marketing communications you have consented to, where such consent is requiredinform our product development, improvement and marketing campaigns.provide personalised advertising and services, including where deployed through chat-bots on the service that provides responses based on submissions made to the service.offer financial products to preferred customers (such as gift cards). provide contests, promotions, surveys, sweepstakes, or similar offerings in which you choose to participate.To do this, we use your Identifiers, Customer Records, Transaction Information, Internet/Network Information, Geolocation Data, Professional information, Inferences, and Other Personal Data.Relevant third parties we share this data with include service providers (such as IT service providers), marketing providers, ad networks and advertising partners.	The processing is necessary for our legitimate interests, namely:informing our direct marketing;ensuring we comply with communications preferences; ensuring we can user information you have provided to provide tailored services andinforming product development, improvement and marketing.However, where required by applicable law, we will instead rely upon your consent.
Social media informationWe collect, analyze and use your data to:respond to your comments or posts that are addressed to us or reference us.inform our social media marketing strategy, including choosing and creating the content that we post to our social media pages.To do this, we use your Identifiers, Internet/Network information, Inferences, Complaints and Other Personal Data.	The processing is necessary for our legitimate interests, namely:promoting the Services; andinforming our social media marketing strategy.With respect to any special category data contained in Complaints, the additional condition we rely on for processing this personal data is that it is manifestly made public by you.
Cookie-related analysis, personalisation and marketingWe collect, analyze and use your data to:analyze the performance of the Services to identify errors and ways in which we can improve the Services.serve you targeted advertising on other websites and platforms that you visit, and to identify how effective those advertisements are.To do this, we use Identifiers, Transaction Information, Internet/Network information, Geolocation Data, and Inferences.Relevant third parties we share this with include ad networks and advertising partners and service providers (such as IT service providers).	Your consent, except where applicable law permits analysis to be carried out on the basis of our legitimate interests, namely analysing the performance of the Services and service improvement.
Protecting our business interests and legal rights.We collect and use all of the data types listed in this notice for the purposes of protecting Legends’ business interests and legal rights, including use in connection with legal claims, compliance, regulatory, auditing, investigative and disciplinary purposes, including prevention and detection of crime, and ethics and compliance reporting requirements. We may also use your information where necessary to protect the security of our premises, assets, systems, and intellectual property and enforce company policies, including protecting ourselves from fraud and verifying the individuals with which we interact as appropriate. To do this, we may use any of the information categories listed above, and we may share this as necessary for this purposes, including with our advisors, service providers, regulators and law enforcement bodies.	The processing is necessary for our legitimate interests, namely ensuring our business and the Services is safe, secure and compliant with regulatory requirements (or, where relevant, a recognised legitimate interest listed in UK law). Where we process your special category data for these purposes, we will typically rely upon our need to establish, exercise or defend ourselves from legal claims or consent.
Protecting the safety of our venues, staff and visitors.We collect and use data as necessary to protect the safety and security of our venues, staff and visitors to our venues, and to cooperate with law enforcement authorities in the detection and prevention of crime. This includes your Identifiers, Customer Records, Geolocation Data, Biometric Information, Sensory Information, Professional Information, Medical and Special Assistance Information, Complaints, Criminal Offence Data and Other Personal Data.	The processing is necessary for our legitimate interests, namely ensuring the security and safety of our venues, staff and visitors. To the extent that we process your Medical and Special Assistance Information for this purpose, we do this either on the basis of your consent (if you have consensually provided us with your information to allow use to provide you with assistance) or, in an emergency, to protect your vital interests. We may also process it for reasons in the substantial public interest as identified by national law, such as to the prevention, detection or investigation of crime. To the extent that our processing of Criminal Offence Information involves the processing of criminal offence data requiring authorisation under EEA, Member State, UK or Swiss law, we only process such data as permitted under national rules. In the UK, we in particular process this data primarily in connection with the prevention, detection and investigation of unlawful acts.
Compliance with law Where necessary, Legends Global will process any of the information categories listed in this notice to comply with specific legal obligations. For example, Legends Global may be legally required to: respond to requests by government or law enforcement authorities conducting an investigation; andkeep certain records for health and safety purposes and in relation to purchases made; This information will be shared as required to comply with law, including with law enforcement or public authorities as required.	This processing will take place where Legends Global is under a legal obligation. Where this is based on a legal obligation outside of the EEA, a Member State of the EEA or (where applicable) the UK or Switzerland, this may be based on Legends Global’ legitimate interest in complying with these laws.

Legends Global Disclosure of Personal Data

Legends Global may disclose or otherwise make available personal data in the following ways:

To Affiliates: We may share personal data with other entities in our corporate group. These are companies owned or controlled by Legends Global, companies that own or control us and any subsidiaries they own or control. We do so where required for group-wide reporting and management, to use shared infrastructure and operations, and to receive intragroup services such as support and hosting of data.
To Partners and Vendors: If you interact with us or our services in your capacity as a representative of one of our partners or vendors, we may disclose your personal data to the partner or vendor you represent. For example, we may provide information to the partner or vendor you represent about your communications with us or your usage of our services in connection with your work for them.
To Marketing Providers: We coordinate and share personal data, including personal data provided to us by our customers, with our marketing providers to advertise and communicate with you about the Services we make available.
To Ad Networks and Advertising Partners: We work with third-party ad networks and advertising partners to deliver advertising and personalized content on the Services on other websites and services, and across other devices. These parties may collect information automatically from your browser or device when you visit the Services through cookies and related technologies. This information is used to provide and inform targeted advertising and advertising-related services such as reporting, attribution, analytics, and market research.
To Service Providers: We engage other third parties to perform certain services on our behalf in connection with the uses of personal data described in the sections above.
Other Controllers that Provide Us Services: We may share data with some third-party controllers you engage with through our services or as needed to fulfil a request or transaction or who provide us with services, such as payment processing services, accountants, and legal advisors.
In Connection with a Business Transaction or Reorganization: We may participate in or be involved with a business transaction or reorganization, such as a merger, acquisition, joint venture, or financing or sale of company assets. We may disclose, transfer, or assign personal data to a third party during the negotiation of, in connection with, or as an asset in such a business transaction or reorganization. Also, in the unlikely event of our bankruptcy, receivership, or insolvency, your personal data may be disclosed, transferred, or assigned to third parties in connection with the proceedings or disposition of our assets.
To Facilitate Legal Obligations: We may disclose personal data to third party law enforcement and government agencies:
- in connection with the establishment, exercise, or defense of legal claims;
- to comply with laws or to respond to lawful requests and legal process;
- to protect our rights and property and the rights and property of our agents, customers, and others, including to enforce our agreements, policies, and terms of use;
- to detect, suppress, or prevent fraud;
- to reduce credit risk and collect debts owed to us;
- to protect the health and safety of us, our customers, or any person; or
- as otherwise required by applicable law.

If you access the Services or otherwise interact with us from the European Economic Area, United Kingdom, or Switzerland, additional information about how we share your personal data with any recipients located outside the European Economic Area, United Kingdom or Switzerland is set out in the Additional European Economic Area, United Kingdom, and Switzerland Privacy Disclosures set out below.

Video and Photography at Venues

When you attend an event at a Legends Global operated stadium or venue, we may capture your image, voice and/or likeness, including through the use of CCTV cameras and/or when we film or photograph you at a venue. You should therefore expect to be filmed or photographed by CCTV and/or by cameras when you are in a public location at an event (e.g., as an audience-member in the stadium if you are attending an event, such as a game). In addition to describing how we capture and use your image, voice and/or likeness in this Privacy Notice, we may also display signs at a venue indicating that you may be filmed or photographed. We may use your personal data collected at a venue:

To produce, exhibit, advertise or otherwise use your image, voice, or likeness in any and all media now or existing in future as part of our commercial, advertising and marketing activities; and
In the case of images or footage captured on CCTV cameras, to ensure the safety of the venues hosting events and individuals at the venue.

When we do so at venues located in the European Economic Area, United Kingdom, Switzerland or Brazil, the lawful basis we rely on for processing personal data as described above is express consent or that the processing is necessary for our legitimate interests, namely promoting Legends Global and the venues we operate, and to ensure the safety of our venues.

We may disclose your personal data captured at venue with any of the entities set out in this Privacy Notice. Additionally, when you appear in a photograph or film footage at a venue, we may disclose that photograph or film footage to our third-party partners. These partners include our sponsors, licensees, advertisers, and/or broadcasters. We will disclose the photographs or film footage containing your image, voice and/or likeness when it is in our legitimate business interests to do so. However, each of the third-party partners may use your personal data for their independent commercial purposes without reference to us.

Please also note that broadcasters and other third parties that are unconnected to venue may be independently filming or photographing you when you attend events at a venue. Although we only give permission to a small group of entities (such as certain broadcasters) to film or photograph events, these entities are separate data controllers in respect of your personal data, and we are not responsible for how those parties use your personal data and for what purposes.

Your Privacy Choices

Where applicable, you may exercise certain privacy rights by clicking the “Your Privacy Choices” link at the footer of our sites or by clicking here.

In addition, the following privacy choices are made available to all individuals with whom Legends Global interacts. You may also have additional choices or rights regarding your personal data depending on your location or residency. Please refer to Region-Specific Disclosures below for information about additional privacy choices that may be available to you.

Email Communication Preferences

You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in any of our email communications. Please note that you cannot opt-out of service-related email communications (such as account verification, transaction confirmation, or service update emails).

Direct Mailing Preferences

You can stop receiving promotional direct mail communications from us by contacting us at privacyoffice@legendsglobal.com. Please note this opt-out does not affect mailings that are controlled by third parties that may feature or mention our services.

Automatic Data Collection Preferences

If you are in the European Economic Area, United Kingdom, Switzerland or Brazil, unless these technologies are strictly necessary to provide the Services, or are otherwise exempt from consent under applicable law, we will only use these technologies to the extent you give us your consent to do so. You can withdraw your consent at any time by clicking on the “Cookie Preferences” text link in the footer of the Services and adjusting your preferences (as described above).

You may also be able to utilize third-party tools and features to further restrict the use of automatic data collection technologies. For example, (i) most browsers allow you to change browser settings to limit automatic data collection technologies on websites, (ii) most email providers allow you to prevent the automatic downloading of images in emails that may contain automatic data collection technologies, and (iii) many devices allow you to change your device settings to limit automatic data collection technologies for device applications. Please note that blocking automatic data collection technologies through third-party tools and features may negatively impact your experience using the Services, as some features and offerings may not work properly or at all. Depending on the third-party tool or feature you use, you may not be able to block all automatic data collection technologies, or you may need to update your preferences on multiple devices or browsers. We do not have any control over these third-party tools and features and are not responsible if they do not function as intended.

Targeted Advertising Preferences

The data Legends Global and our partners and their third-party partners use for purposes of facilitating targeted advertising, as well as to provide advertising-related services such as reporting, attribution, analytics, and market research, are primarily collected through the use of a variety of automatic data collection technologies, including cookies, web beacons, pixels, embedded scripts, mobile SDKs, location-identifying technologies and logging technologies.

You may also be able to further exercise control over the advertisements that you see by leveraging one or more targeted advertising opt-out programs. For example:

Device-Specific Opt-Out Programs: Certain devices provide individuals the option to turn off targeted advertising for the entire device (such as Apple devices through their App Tracking Transparency framework or Android devices through their opt out of ads personalization feature). Please refer to your device manufacturer’s user guides for additional information about implementing any available device-specific targeted advertising opt-outs.
Digital Advertising Alliance: The Digital Advertising Alliance allows individuals to opt out of receiving online interest-based targeted advertisements from companies that participate in their program. Please follow the instructions at https://optout.aboutads.info/?c=2&lang=EN for browser-based advertising and https://www.youradchoices.com/appchoices for app-based advertising to opt out of targeted advertising carried out by third parties that participate in the Digital Advertising Alliance’s self-regulatory program.
European Interactive Digital Advertising Alliance: The European Interactive Digital Advertising Alliance similarly allows individuals to opt out of receiving online interest-based targeted advertisements from companies that participate in their program. Please follow the instructions at https://www.youronlinechoices.eu to opt out of browser-based targeted advertising carried out by third parties that participate in the European Interactive Digital Advertising Alliance’s program.
Network Advertising Initiative: The Network Advertising Initiative similarly allows individuals to opt out of receiving online interest-based targeted advertisements from companies that participate in their program. Please follow the instructions at https://www.optout.networkadvertising.org/?c=1 to opt out of browser-based targeted advertising carried out by third parties that participate in the Network Advertising Initiative’s self-regulatory program.
Platform-Specific Opt-Out Programs: Certain third-party platforms provide individuals the option to turn off targeted advertising for the entire platform (such as certain social media platforms). For example, MediaMath uses its own opt-out system on its site: https://www.mediamath.com/ad-choices-opt-out/. Please refer to your platform provider’s user guides for additional information about implementing any available platform-specific targeted advertising opt-outs.

Please note that when you opt out of receiving interest-based advertisements through one of these programs, this does not mean you will no longer see advertisements from us or on our Services. Instead, it means that the online ads you do see from relevant program participants should not be based on your interests. We are not responsible for the effectiveness of, or compliance with, any third parties’ opt-out options or programs or the accuracy of their statements regarding their programs. In addition, program participants may still use automatic data collection technologies to collect information about their use of the Services, including for analytics and fraud prevention and any other purpose permitted under the applicable advertising industry program.

Precise Geolocation Data for Targeted Advertising

In accordance with local laws, we may disclose your geolocation information, including precise geolocation information, to service providers that perform certain functions or services on our behalf and to third parties so that they may provide you with geographically relevant advertising.

If you wish to stop the further collection of your geolocation information for target advertising, please opt-out using your device settings, as noted below:

Opt-out or Withdraw Consent for Precise Geolocation Data for Targeted Advertising

To opt out of the tracking of your device geolocation and/or precise geolocation data, please visit your device settings. Turning off access to geolocation and precise geolocation data may disable or interfere with certain functionality or services.

For Android users, please see the following link for instructions on how to opt-out of or withdraw consent to geolocation data collection from your settings https://support.google.com/accounts/answer/6179507?hl=en.

For iOS users, please see the following link for instructions on how to opt-out of or withdraw consent to geolocation data collection from your settings https://support.apple.com/en-us/HT207092

Modifying or Deleting Your Personal Data

If you have any questions about reviewing, modifying, or deleting your personal data, please click here. We may not be able to modify or delete your personal data in all circumstances.

Partner-Specific Preferences

Certain of Legend Global’s third-party providers and partners offer additional ways that you may exercise control over your personal data, or automatically impose limitations on the way we can use personal data in connection with the services they provide:

Device-Specific / Platform-Specific Preferences: The device and/or platform you use to interact with the Services (such as your mobile device or social media provider), may provide you additional choices with regard to the data you choose to share with us. For example, many mobile devices allow you to change your device permissions to prevent products and services from accessing certain types of information from your device, and many social media platforms allow you to change your platform permissions to prevent products and services from accessing certain types of information connected with your profile. Please refer to your device or platform provider’s user guides for additional information about implementing any available platform-specific targeted advertising opt-outs.
Google Analytics: Google Analytics allows us to understand better how visitors interact with the Services. For information on how Google Analytics collects and processes data, as well as how you can control information sent to Google, review Google’s website here: https://www.optout.networkadvertising.org/?c=1. You can learn about Google Analytics’ currently available opt-outs, including the Google Analytics Browser Add-On here: https://tools.google.com/dlpage/gaoptout/. We may also utilize certain forms of display advertising and other advanced features through Google Analytics. These features enable the Services to use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick advertising cookie) or other third-party cookies together to inform, optimize, and display ads based on your past visits to the Services. You may control your advertising preferences or opt-out of certain Google advertising products by visiting the Google Ads Preferences Manager, currently available at https://myadcenter.google.com/?ref=help-center.

Children’s Personal Data

We do not knowingly collect personal information from children as defined by law but we may collect personal data relating children under the age of 16, usually where these are provided to us by the relevant parent or guardian. For instance, we may receive the names and details of attendees or participants in learning or other events at venues. It will typically be appropriate for a parent or guardian to exercise the rights of such children under this Privacy Notice, although such children are entitled to exercise their own rights where they can demonstrate that they have legal capacity. Where required, we will ask parents and guardians to provide evidence of their relationship to a child.

However, the Services are not directed to, and we do not intend to, or knowingly, collect or solicit personal data directly from children under the age of 16. If an individual is under the age of 16, they should not use our Services or otherwise provide us with any personal data. If a child under the age of 16 has provided personal data to us in connection with these sites or services, we encourage the child’s parent or guardian to contact us to request that we remove the personal data from our systems. If we learn that any personal data we collect has been provided by a child under the age of 16 on such sites or services, we will promptly delete that personal data.

Retention of Personal Data

Legends Global collects, stores, and uses your personal data as long as you or the relevant partner or vendor remain a customer and in compliance with our legal obligations to retain certain types of data, such as for tax purposes and legitimate business interests. We review our retention periods for personal data on a regular basis. We will retain your information for as long as reasonably necessary for the purposes set out above, considering criteria such as applicable rules on statute of limitations, any legal requirements to retain your personal information in light of compliance obligations , any relevant litigation or regulatory investigations and to enable Legends Global to defend or bring potential legal claims, the sensitivity of the relevant information and the duration of your use of the Services.

To determine the appropriate duration of the retention of personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of personal data, and if we can attain our objectives by other means, as well as our legal, regulatory, tax, accounting, and other applicable obligations.

Therefore, we retain personal data for as long as you continue to use the Services for the purposes explained in the section above. When you discontinue the use of the Services, we will retain your personal data for as long as necessary to comply with our legal obligations, to resolve disputes, and defend claims, as well as for any additional internal business purposes. We will retain any other personal data supplied during the duration of your or the relevant partner’s or vendor’s contract with us in relation to the Services until the statutory limitation periods have expired, when this is necessary for the establishment, exercise or defense of legal claims.

Once retention of the personal data is no longer reasonably necessary for the purposes outlined above, we will either delete or anonymize the personal data or, if that is not possible (for example, because personal data has been stored in backup archives), we will securely store the personal data and isolate it from further active processing until deletion or deidentification is possible.

Automated Decision-Making and Profiling

We do not conduct automated processing of personal data for the purposes of evaluating, analyzing, or predicting an individual’s personal aspects in furtherance of decisions that produce legal or similarly significant effects. As a result, we do not provide a right to exercise control over such forms of automated decision-making and profiling. We do, however carry out some automated decision making that falls short of producing such effects, particularly in connection with the use of any chatbot software and/carrying out analysis for the creation of new products and services.

Third-Party Websites and Services

The Services, newsletters, email updates, and other communications from us may, from time to time, include links to third-party websites, plug-ins, applications and other services. Except where we post, link to or expressly adopt or refer to this Privacy Notice, this Privacy Notice does not apply to any personal data practices of third parties. To learn about the personal data practices of third parties, please visit their respective Privacy Notices.

International Transfers

As a global company operating worldwide, we may need to transfer your personal data to various countries. This may occur, for example, when our affiliates and subsidiaries or its service providers are located in other countries that may have different data protection laws than your country of residence.

Where necessary for the purposes described in this Privacy Notice, Legends Global may transfer your personal data outside of your country of residence, including to jurisdictions that may not provide the same level of protection of that existing in your country. You expressly acknowledge and agree to such international transfers. In such cases, Legend Global will implement the necessary safeguards to ensure that your personal data is transferred in compliance with applicable international data transfer requirements.

Region-Specific Disclosures

We may choose or be required by law to provide different or additional disclosures relating to the processing of personal data about residents of certain countries, regions, or states. Please refer below for disclosures that may be applicable to you:

Argentina: If you are located in Argentina, please click here for additional Argentina-specific privacy disclosures, including a description of the personal data rights made available to individuals located in Argentina under applicable law.
Australia: If you are located in Australia, please click here for additional Australia-specific privacy disclosures, including a description of the personal data rights made available to individuals located in Australia under applicable law.
Brazil: If you are located in Brazil, please click here for additional Brazil-specific privacy disclosures, including a description of the personal data rights made available to individuals located in Brazil under applicable law.
California and other US state privacy laws: If you are a resident of the state of California or certain other states in the United States, please click here for additional United States-specific privacy disclosures, including a description of the personal data rights made available to residents of certain states under applicable law.
Canada: If you are located in Canada, please click here for additional Canada-specific privacy disclosures, including a description of the personal data rights made available to individuals located in Canadian jurisdictions under applicable law.
European Economic Area, United Kingdom or Switzerland: If you are located in the European Economic Area (Member States of the European Union together with Iceland, Norway, and Liechtenstein), the United Kingdom, or Switzerland, please click here for additional European-specific privacy disclosures, including a description of the personal data rights made available to individuals located in those jurisdictions under applicable law.
Hong Kong: If you are located in Hong Kong, please click here for additional Hong Kong-specific privacy disclosures, including a description of the personal data rights made available to individuals located in Hong Kong under applicable law.
Malaysia: If you are located in Malaysia, please click here for additional Malaysia-specific privacy disclosures, including a description of the personal data rights made available to individuals located in Malaysia under applicable law.
New Zealand: If you are located in New Zealand, please click here for additional New Zealand-specific privacy disclosures, including a description of the personal data rights made available to individuals located in New Zealand under applicable law.
Panama: If you are located in Panama, please click here for additional Panama-specific privacy disclosures, including a description of the personal data rights made available to individuals located in Panama under applicable law.
Puerto Rico: if you are located in Puerto Rico, please click here for additional Puerto Rico-specific privacy disclosures, including a description of the personal data rights made available to individuals located in Puerto Rico under applicable law.
Saudi Arabia: If you are located in the Kingdom of Saudi Arabia, please click here for additional KSA-specific privacy disclosures, including a description of the personal data rights made available to individuals located in KSA under applicable law.
Singapore: If you are located in Singapore, please click here for additional Singapore-specific privacy disclosures, including a description of the personal data rights made available to individuals located in Singapore under applicable law.
Thailand: If you are located in Thailand, please click here for additional Thailand-specific privacy disclosures, including a description of the personal data rights made available to individuals located in Thailand under applicable law.
United Arab Emirates: If you are located in the United Arab Emirates, please click here for additional United Arab Emirates-specific privacy disclosures, including a description of the personal data rights made available to individuals located in United Arab Emirates under applicable law.
Uruguay: If you are located in Uruguay, please click here for additional Uruguay-specific privacy disclosures, including a description of the personal data rights made available to individuals located in Uruguay under applicable law.

Updates to this Privacy Notice

We may update this Privacy Notice from time to time. When we make changes to this Privacy Notice, we will change the date at the beginning of this Privacy Notice. If we make material changes to this Privacy Notice, we will notify individuals by email to their registered email address, by prominent posting on the Services, or through other appropriate communication channels. All changes shall be effective from the date of publication unless otherwise provided.

Contact Us

If you have any questions or requests in connection with this Privacy Notice or other privacy-related matters, please send an email to privacyoffice@legendsglobal.com. or contact us at:

Legends Global

61 Broadway

Suite 2400

New York, NY 10006

ADDITIONAL PRIVACY DISCLOSURES

ADDITIONAL ARGENTINEAN PRIVACY DISCLOSURES

To the extent the processing of your personal data falls within the scope of the data protection laws of Argentina, the Personal Data Protection Law No. 25,326 (“DPL”) will be applicable to the data processing activities described in this Privacy Notice.

YOU CONFIRM THAT YOU HAVE READ, UNDERSTOOD, AGREE TO AND, WHERE APPLICABLE, PROVIDE YOUR CONSENT IN AN EXPRESS, INFORMED, VOLUNTARY AND UNEQUIVOCAL WAY FOR THE PROCESSING OF YOUR PERSONAL DATA BY LEGENDS GLOBAL, IN THE TERMS OF THIS PRIVACY NOTICE. ACCORDINGLY, WE RECOMMEND READING THIS PRIVACY NOTICE CAREFULLY.

Sensitive Personal Data

Under the DPL, criminal records and other background check information are also considered as sensitive data. Just like other sensitive data, by consenting to this Privacy Notice you provide your express, prior and informed consent to the processing of your sensitive data by Legends Hospitality Parent Holdings LLC, and its affiliates and subsidiaries.

International Transfers

As a global company operating worldwide, we may need to transfer your personal data to countries outside Argentina. This may occur, for example, when our affiliates and subsidiaries or its service providers are located in other countries that may have different data protection laws than your country of residence.

Where necessary for the purposes described in this Privacy Notice, Legends Global may transfer your personal data outside of Argentina, including to jurisdictions that may not provide the same level of protection of that existing in Argentina. By consenting to this Privacy Notice, you expressly acknowledge and agree to such international transfers. In such cases, Legend Global will implement the necessary safeguards to ensure that your personal data is transferred in compliance with applicable international data transfer requirements.

Data Subject Rights

Under the DPL you are entitled to the following rights: (i) access, (ii) rectification, (iii) erasure, and (iv) withdrawal of consent. Please note that the DPL does not recognize the rights to restriction, data portability, or objection.

In accordance with the DPL, we will respond to your request for access to your personal data within 10 calendar days of receiving the request. Requests for rectification or suppression of your personal data will be responded to within 5 business days of receipt.

You may access the information you provided to Legends Global, free of charge, at intervals of no less than six months, unless you can prove a legitimate interest to that effect, as provided for in the DPL.

Please be informed that the Agency of Access to Public Information, in its capacity as the Control Agency of Law No. 25.326, is responsible for dealing with complaints and claims filed by data subjects whose rights are affected by non-compliance with the regulations in force regarding the protection of personal data.

Legal basis

The processing activities described in this Privacy Notice require your express consent under the DPL, unless the processing is necessary for the performance of a contract (namely our Terms of Service), in which case such performance of the contract will be the legal basis. By consenting to this Privacy Notice, you authorize the processing of your personal data as outlined herein.

Mandatory / Voluntary nature of the provision of the personal data

As indicated in section “Privacy Rights”, we will always inform you where the information you provide is mandatory – for example, the provision of payment details will be mandatory if you wish to purchase an item from our website. The provision of any information not marked as mandatory is optional.

When the provision of personal data is mandatory, we will also explain the consequences of providing, not providing, or providing inaccurate or false information. For instance, failing to provide payment details, or providing false or inaccurate information, will prevent us from processing and completing your purchase.

ADDITIONAL AUSTRALIAN PRIVACY DISCLOSURES

The Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles (APPs), and binding codes issued under the Privacy Act, govern the way we manage your personal information. In Australia:

“personal information” is any information or opinion about a person, who is identified or reasonably identifiable, whether or not that information or opinion is true; and
“sensitive information” is any information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices or criminal record that is also personal information. Sensitive information also includes health information about an individual, genetic information about an individual that is not otherwise health information, biometric information that is to be used for the purpose of automated biometric verification or biometric identification or biometric templates.

We will only collect sensitive information when you have voluntarily submitted this information to us (which we will take to constitute your consent to its collection), we otherwise have your consent, or where permitted by applicable law.

We will only collect and use sensitive personal information if it is reasonably necessary for one or more of our functions or activities, or where the information is required or authorised by law or necessary for the establishment, exercise or defense of a legal claim.

We may disclose your sensitive information to third parties for the same reason for which that information was collected by us, or as otherwise permitted by law.

Method of Collection

We generally collect personal information directly from you through Personal Data We Collect section of the Privacy Notice.

When we collect personal information from third parties, we may rely on that third party to tell you that they have disclosed it to us, where reasonable to do so.

Use of CCTV and Biometric Data

We use CCTV for the purposes set out under the ‘Closed Circuit Television (CCTV)’ section of this document. We include appropriate signage at our venues to alert you to this, and by remaining at our venues, you consent to this information being collected.

We may also collect Biometric Data to register your entrance into our venues. We will only use and disclose biometric data for the primary purpose of registering entry into our venues, unless otherwise consented to by you, or permitted by applicable law.

Failure to Provide Information

If the personal information you provide to us is incomplete or inaccurate, we may be unable to provide you the services you are seeking.

Legal Requirements

We collect personal information to assist us to fulfil our legal and regulatory obligations, including under work health and safety legislation, the Corporations Act 2001 (Cth), the Competition and Consumer Act 2010 (Cth) and the A New Tax System (Goods and Services Tax) Act 1999 (Cth).

Overseas Disclosure

We are likely to disclose your personal information to third parties outside Australia. For instance, our related bodies corporate, third party service providers or other recipients may be based overseas or may use infrastructure outside of Australia, including in the United States.

Direct Marketing

We only conduct marketing in Australia with your consent or where otherwise permitted by law. You may manage your marketing preferences (including opt-outs) as described in the Your Privacy Choices section of the Privacy Notice.

Access to Information

You may request access to the personal information we hold about you by visiting our privacy portal here. We will respond to your request within a reasonable period. We may charge you a reasonable fee for processing your request (but not for making the request for access).

We may decline a request for access to personal information in circumstances prescribed by the Privacy Act, and if we do, we will give you a written notice that sets out the reasons for the refusal (unless it would be unreasonable to provide those reasons), including details of the mechanisms available to you to make a complaint.

If, upon receiving access to your personal information or at any other time, you believe the personal information we hold about you is inaccurate, incomplete or out of date, please notify us immediately. We will take reasonable steps to correct the information so that it is accurate, complete and up to date.

If we refuse to correct your personal information, we will give you a written notice that sets out our reasons for our refusal (unless it would be unreasonable to provide those reasons), including details of the mechanisms available to you to make a complaint.

Complaints and Feedback

If you wish to make a complaint about a breach of the Privacy Act, the APPs or a privacy code that applies to us, please contact us using the details below and we will take reasonable steps to investigate the complaint and respond to you. If after this process you are not satisfied with our response, you can submit a complaint to the Office of the Information Commissioner.

To lodge a complaint, visit the ‘Complaints’ section of the Information Commissioner’s website, located at http://www.oaic.gov.au/privacy/privacy-complaints, to obtain the relevant complaint forms, or contact the Information Commissioner’s office.

If you have any queries or concerns about our Notice or the way we handle your personal information, please refer to the Contact Us section on how to reach us.

For more information about privacy issues in Australia and protecting your privacy, visit the Australian Federal Privacy Commissioner’s web site http://www.privacy.gov.au/.

ADDITIONAL BRAZILIAN PRIVACY DISCLOSURES

This section applies to the collection and processing of Personal Data in or from Brazil and is intended to supplement the main provisions of the Privacy Policy, in accordance with the Brazilian Data Protection Law (Law No. 13,709/2018 or “LGPD”), as well as any other laws, decrees and/or regulations regarding privacy and data protection in Brazil.

Relevant Data Controller

Contact Us

If you need to contact us about anything in this Privacy Notice (including these Additional Brazil Privacy Disclosures), you may e-mail our global privacy team at privacyoffice@legendsglobal.com.

Personal Data Collection, Retention and Use

This Brazilian Privacy Disclosure is complementary to our Privacy Policy. For more information about what personal data we collect and how we use it, please see the Our Collection and Use of Personal Data section of our Privacy Notice.

For more information about how long we retain personal data, please see the Retention of Personal Data section of our Privacy Notice.

Legal Basis for Processing Your Data

We process your personal data for the purposes set forth in our Privacy Policy based on the following:

Your prior and express consent for the processing;
Compliance with a legal or regulatory obligation;
When necessary for the performance of a contract or preliminary procedures related to a contract to which you are a party;
Regular exercise of rights in judicial, administrative or arbitration procedures,
Protection of your life or physical integrity, or of a third party;
Our legitimate interests, observing your fundamental rights and liberties; or
Protection of credit.

Sensitive Personal Data & Applicable Legal Basis

The following types of personal data we collect are classified as “sensitive” under the LGPD:

Biometric data; and
Medical and Special Assistance Information.

We only use or disclose sensitive personal data for the purposes stated in this Privacy Policy and in compliance with the legal basis and obligations imposed by Brazilian personal data protection law. As such, we only process the abovementioned sensitive personal data under the following legal basis:

Your prior and express consent for the processing;
Compliance with a legal or regulatory obligation;
Regular exercise of rights, including in a contract, or in judicial, administrative or arbitration procedures;
Protection of your life or physical integrity, or of a third party; and
Fraud prevention and the data subject’s safety, in processes of identification and authentication of registration in electronic systems.

Privacy Rights for Brazilian Residents

Under the LGPD, you have the following rights:

Right of confirmation: To confirm that we process your personal data.
Right of access: To access the personal data we process from you.
Right of rectification: To request corrections of your personal data that are incomplete, inaccurate or outdated.
Right of erasure, anonymization or blockage: To request the deletion, anonymization or blockage of your personal data that are unnecessary, excessive or processed in an unlawful manner.
Right to data portability: To request the portability of your data to another service provider or product provider.
Right to information: To request information on government and private entities with which we have shared your personal data.
Right to erasure and withdrawal of consent: When processing is based on your consent, to obtain information on the possibility of denying consent and the consequences of such denial, as well as to withdraw your consent for the processing. In such cases, you can also request that we delete your personal data processed under your consent.

You may exercise any of these rights, by visiting our privacy portal here.

If you are a parent or guardian exercising the above rights on behalf of your child, we will need to verify that you are legally authorised to represent the child.

We will always inform you where the information you provide is mandatory – for example, the provision of payment details will be mandatory if you wish to purchase an item from our website. The provision of any information not marked as mandatory is optional.

Complaints

If you have unresolved concerns, you have the right to complain to the Brazilian Data Protection Authority (ANPD) at https://www.gov.br/pt-br/servicos/abrir-requerimento-relacionado-a-lgpd.

Nevertheless, we kindly request that you contact us first should you have any concerns or comments regarding the processing of your personal data by Legend. We are available to provide any necessary clarifications and will duly address your inquiries.

International transfers

The personal data we collect may be transferred to and stored in countries outside of the jurisdiction you are in where we and our third-party service providers have operations, including in the United States. Initial collection of your personal data by Legends Global when you use the Services or otherwise engage with us is not an international transfer, but our subsequent sharing with third parties is such a transfer. We will ensure that where we make international transfers of your personal data, these are made pursuant to appropriate safeguards established by the LGPD. For example, we may enter into data transfer agreements based on the so-called Specific Contractual Clauses provided for in article 33, II, “a”, of the LGPD or resort to other means permitted by the LGPD, as provided for in its Chapter V.

You may ask for a copy of such appropriate data transfer agreements by contacting us using the contact details below.

We may transfer your personal data to, or store your personal data in, the following countries:

Purpose	Country
To coordinate group-wide strategy with our affiliates, obtain intragroup services from our affiliates and use shared group infrastructure and operations, engage service providers, marketing providers, ad network and advertising partners, to facilitate compliance with legal obligations (such as group-wide financial reporting and to establish, exercise or defend legal claims).	United States
To coordinate group-wide strategy with our affiliates, obtain intragroup services from our affiliates and use shared group infrastructure and operations, engage service providers, marketing providers, ad network and advertising partners.	European Economic Area
To coordinate group-wide strategy with our affiliates, obtain intragroup services from our affiliates and use shared group infrastructure and operations, engage service providers, marketing providers, ad network and advertising partners, to facilitate compliance with legal obligations (such as group-wide financial reporting and to establish, exercise or defend legal claims).	UK

We will take appropriate steps to ensure that your personal data is treated securely and in accordance with applicable law and this Privacy Notice regardless of where it is processed.

If you wish to enquire further about the safeguards we use, please contact us using the details set out above.

ADDITIONAL UNITED STATES PRIVACY DISCLOSURES

These disclosures supplement the information contained in our Privacy Notice by providing additional information about our personal data processing practices relating to individual residents of the following states in the United States: California, Colorado, Connecticut, Delaware, Iowa, Maryland, Montana, Minnesota, Nebraska, New Jersey, New Hampshire, Oregon, Tennessee, Texas, Utah, and Virginia. For a detailed description of how we collect, use, disclose, and otherwise process personal data, please read the Privacy Notice (linked above).

Personal Data Collection, Retention and Use

Certain laws require we provide privacy disclosures to you by reference to the enumerated categories of personal data set forth under applicable law. To address this obligation, we have identified the relevant enumerated personal data categories for the personal data described in our Privacy Notice.

We disclose the categories of personal data above as described in the Personal Data Disclosures, Sales, and Targeted Advertising section of these Additional United States Privacy Disclosures.

For more information about what personal data we collect and how we use it, please see the Our Collection and Use of Personal Data section of our Privacy Notice. For more information about how long we retain personal data, please see the Retention of Personal Data section of our Privacy Notice.

Personal Data Disclosures, Sales, and Targeted Advertising

We disclose all of the categories of personal data we collect to the categories of recipients outlined in the Our Disclosure of Personal Data section of our Privacy Notice.

Our disclosure or making available of contact information, professional information, commercial information, information about how you use the Services and interact with us, and inferences about your interests and preferences to ad networks and advertising partners (directly or through the Services may qualify as the sale of personal data or the sharing or processing of personal data to display advertisements that are selected based on personal data obtained or inferred over time from an individual’s activities across businesses or distinctly-branded websites, applications, or other services (otherwise known as “targeted advertising” or “cross-context behavioural advertising”) under certain privacy laws.

Depending on your state of residency and subject to certain legal limitations and exceptions, you may be able to limit or opt-out of the sale of personal data or the processing of personal data for purposes of targeted advertising (as described in the Your Additional United States Privacy Choices section below.

Please note we do not collect personal data of individuals we know to be less than 16 years of age. As a result, we do not sell or share such information for targeted advertising purposes.

Sensitive Personal Data

The following personal data elements we collect may be classified as “sensitive” under certain privacy laws:

Biometric data
Certain health information, including disability information

We only use or disclose sensitive personal data where reasonably necessary and proportionate for the purposes of providing products and performing services you have requested, verifying and improving the products and services we provide, detecting security incidents, fraud, and other illegal actions, ensuring the physical safety of natural persons, performing services on behalf of the business, or short-term transient use. We only collect and process sensitive personal data without the purpose of inferring characteristics about the relevant individual, and we do not sell sensitive personal data or process or otherwise share sensitive personal data for the purpose of targeted advertising.

Deidentified Information

We may at times receive, or process personal data to create, deidentified information that can no longer reasonably be used to infer information about, or otherwise be linked to, a particular individual or household. Where we maintain deidentified information, we will maintain and use the information in deidentified form and not attempt to reidentify the information except as required or permitted by law.

Your Additional United States Privacy Choices

Subject to certain legal limitations and exceptions, you may be able to exercise some or all of the following rights:

Right to Know: The right to confirm whether we are processing personal data about you and, for residents of certain states only, to obtain certain personalized details about the personal data we have collected about you, including:
- The categories of personal data collected;
- The categories of sources of the personal data;
- The purposes for which the personal data were collected;
- The categories of personal data disclosed to third parties (if any), and the categories of recipients to whom this personal data were disclosed;
- The categories of personal data shared for targeted advertising purposes (if any), and the categories of recipients to whom the personal data were disclosed for these purposes;
- The categories of personal data sold (if any) and the categories of third parties to whom the personal data were sold; and
- For Minnesota and Oregon residents only, a list of specific third parties to whom personal data have been disclosed.
Right to Access & Portability: The right to obtain access to the personal data we have collected about you and, where required by law, the right to obtain a copy of the personal data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance.
Right to Correction: The right to correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data.
Right to Opt-Out of Targeted Advertising: The right to direct us not to use or share personal data for certain targeted advertising purposes.
Right to Opt-Out of Sales: The right to direct us not to sell personal data to third parties, including the right to opt-out of the disclosure of personal data to third parties for the third parties’ direct marketing purposes under California’s “Shine the Light” Law.
Right to Deletion: The right to have us delete personal data we maintain about you.

You also have the right to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights. However, the exercise of the rights described above may result in a different price, rate or quality level of product or service where that difference is reasonably related to the impact the right has on our relationship or is otherwise permitted by law.

Submitting Privacy Rights Requests

Please submit a request specifying the right you wish to exercise by:

Accessing the consumers rights portal and completing the online webform here; or
Calling our toll-free U.S. telephone number: +1 (800) 767-5999.

To exercise your right to opt-out as it relates to the use of cookies and related technologies that involve the sale of personal data or the use of personal data for targeted advertising purposes, please click on the “Cookie Preferences” link in the footer of the Services and adjust your preferences accordingly. If you are visiting the Services with the Global Privacy Control enabled, any cookies that constitute sales or are used for targeted advertising should already be turned off automatically in our cookie preference manager. Please note this opt-out tool is website, device, and browser specific, so you will need to change your preferences on each device and browser you use to interact with the Services. In addition, you can also opt-out of cookie-based sales by businesses that participate in the Digital Advertising Alliance’s CCPA Opt-Out Tool by visiting https://privacyrights.info/. Lastly, you may follow the other steps set forth in the Automatic Data Collection Preferences and Targeted Advertising Preferences sections of the Your Privacy Choices section of our Privacy Notice to further exercise control over automatic data collection technologies.

Before processing your request to exercise certain rights (including the Right to Know, Access & Portability, Correction, and Deletion), we must verify your identity and confirm you are a resident of a state that offers the requested right(s). In order to verify your identity, we will generally either require the successful authentication of your account, or the matching of sufficient information you provide us to the information we maintain about you in our systems. As a result, we may require requests to include your order number and/or email address or a single-use 6-digit code.

In certain circumstances, we may decline or limit your request, particularly where we are unable to verify your identity or locate your information in our systems or where you are not a resident of one of the eligible states.

Submitting Authorized Agent Requests

In certain circumstances, you can use an authorized agent to submit requests on your behalf through the designated methods set forth above where we can verify the authorized agent’s authority to act on your behalf. In order to verify the authorized agent’s authority, we generally require evidence of either (i) a valid power of attorney or (ii) a signed letter containing your name and contact information, the name and contact information of the authorized agent, and a statement of authorization for the request. Depending on the evidence provided and your state of residency, we may still need to separately reach out to you to confirm the authorized agent has permission to act on your behalf and to verify your identity in connection with the request.

Appealing Privacy Rights Decisions

Depending on your state of residency, you can appeal our decision in connection with your privacy rights request. You may submit your appeal through the privacy request portal here or by email privacyoffice@legendsglobal.com.

Notice of Financial Incentives and Loyalty Programs

We offer various programs, promotions, and other financial incentives that may result in differences in our prices or services offered to consumers. For example:

Discounts, coupons, or other access to our exclusive content for customers who sign up to receive our marketing emails;
Discounts, coupons, or other benefits in connection with a contest or sweepstakes or similar promotion;
Loyalty programs, where you earn rewards or credit based upon your past purchases with us; or
Discounts, coupons, and other special offers for shopping with our partners.

To obtain access to certain of these programs and other offerings, we may collect and retain personal data, such as your name, email, telephone, postal address, employer information, business email, business telephone, and business address. We may sell or share personal information with our business and marketing partners who may use this information to send you promotional communications and targeted advertising.

We have determined that the value of these programs and other incentives are reasonably related to the value of the personal information we receive and otherwise process in connection with these programs and offerings, based on our reasonable but sole determination. We estimate the value of the personal information we receive and otherwise process in connection with these programs and offerings by considering the expense we incur in collecting and processing the personal information, as well as the expenses related to facilitating the program or offering.

The material aspects of any financial incentive will be explained and described in its program terms or in the details of the incentive offer. Participating in any financial incentive program is entirely optional and participants may withdraw from the program at any time. To opt-out of the program and forgo any ongoing incentives, please follow the instructions in the program’s terms and conditions or contact us using the contact information below. Participating individuals may also opt out of receiving marketing communications by visiting our privacy portal here or clicking “unsubscribe” in the relevant email.

ADDITIONAL CANADIAN PRIVACY DISCLOSURES

These disclosures supplement the information contained in our Privacy Notice by providing additional information about our personal data processing practices relating to residents of Canada. For a detailed description of how we collect, use, disclose, and otherwise process personal data, please read the Privacy Notice.

Anytime that your personal data is collected or otherwise used, there is an inherent risk of breach. To mitigate these risks, Legends Global has implemented data protection safeguards to create a secure environment of your data, both in-transit and while at rest.

Transfer Outside of Canada

Your personal data may be transferred outside of Canada. Our corporate headquarters are in the United States. Please be aware that information you provide to us or that we obtain as a result of your use of our services may be collected in your jurisdictions and subsequently transferred to, maintained and/or processed outside of your jurisdiction, including in the United States or another jurisdiction by us or our services providers. Personal data processed and stored in another country may be subject to disclosure or access request by the governments, courts, or law enforcement or regulatory agencies in that country according to its laws. We take reasonable steps to ensure that your personal data will only be used for the purposes mentioned above or communicated to service providers with your consent, except where authorized by law.

Canadian Rights and Disclosures

Consent

Wherever possible, Legends Global seeks a person’s consent before collecting their personal data. The form of that consent, either express or implied, might vary depending on the circumstances and the type of information being collected. Consent may be provided directly by the individual or by a representative. Express consent can be given orally, electronically or in writing. While express consent is preferred, implied consent may in some cases be reasonably inferred from a person’s actions or inactions. For example, when an individual provides their name and email address for a ticket purchase, their consent to the use for the purpose of delivering the tickets is implied. When determining the appropriate form of consent, we also consider the sensitivity of the information, the reasons it is being collected, and what a reasonable person’s expectations would be in the circumstance.

It may not always be possible to obtain a person’s consent before we collect, use, or disclose their information. We may use personal data without your consent if it is: for the same purpose for which the information was originally collected or is consistent with the original purpose.

Your Rights

Subject to certain exceptions as prescribed by law, you have the right to access, update, and correct inaccuracies in your personal data and to withdraw your consent to our collection of your personal information. If you request that your information, be corrected due to an inaccuracy and we determine that the disputed information is correct, we will make a note regarding the disputed accuracy of the information but may not change the information.

We will respond to requests within 30 days and may extend the time by an additional 30 days where needed to conduct consultation or convert the personal data into an acceptable format.

To submit a rights request, complete your request here.

Complaints

Individuals have the right to complain to the Office of the Privacy Commissioner (see contact details below) if they do not agree with our handling of their privacy request. They may also request that a privacy request be escalated to a secondary level of review within the company if they are dissatisfied with the result. We investigate all privacy complaints/requests.

To contact the Office of the Privacy Commissioner to make a complaint, go to this link or call 1-800-282-1376 (toll-free).

ADDITIONAL EUROPEAN ECONOMIC AREA, UNITED KINGDOM, AND SWITZERLAND PRIVACY DISCLOSURES

For purposes of this European Economic Area (EEA), United Kingdom, and Switzerland Privacy Disclosure, the relevant data controller shall be:

European Economic Area (EEA) and Switzerland: Legends Hospitality Holding Company LLC or its relevant local subsidiary

UK: Legends International Group Limited

Contact Us

If you need to contact us about anything in this Privacy Notice (including these Additional European Economic Area, United Kingdom, and Switzerland Privacy Disclosures), you may email our global privacy team at privacyoffice@legendsglobal.com.

Legends Global has also appointed a DPO in relation to its processing operations in Germany, who can be contacted at: Markfort@de.asmglobal.com

External DPO for SMG Entertainment Deutschland GmbH

TÜV Rheinland i-sec GmbH

Herr Stefan Eigler

Am Grauen Stein

51105 Köln

Germany

To read the German translated Privacy Notice, click [link to translated German version].

International transfers

ensuring that the personal data is only transferred to countries or recipients recognised by the UK Secretary of State or the European Commission (as applicable) as offering an equivalent level of protection as compared to the level of protection in the country in which you are located (“Adequacy“); or
the transfer is to a third party who uses appropriate and approved safeguards in respect of the processing in question, including but not limited to the EU standard contractual clauses and the UK addendum, which are recognised as offering adequate protection for the rights and freedoms of data subjects, as adopted or recognized by the Swiss Federal Data Protection Commission, UK Secretary of State or the European Commission (as applicable) (“Standard Contractual Clauses“).

We may transfer your personal data to, or store your personal data in, the following countries:

Country	Appropriate Safeguard
United States	Standard Contractual ClausesAdequacy (for recipients certified to the EU-U.S. Data Privacy Framework and UK Extension and the Swiss-U.S. Data Privacy Framework)
European Economic Area	Adequacy (for data subjects in the UK and Switzerland)
UK	Adequacy (for data subjects in the EEA and Switzerland)

We will take appropriate steps to ensure that your personal data is treated securely and in accordance with applicable law and this Privacy Notice regardless of where it is processed.

If you wish to enquire further about the safeguards we use, please contact us using the details set out at the end of this Privacy Notice.

Privacy rights

You have the right to ask us for a copy of your personal data; to correct, delete or restrict (stop any active) processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine-readable format.

In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing).

These rights may be limited, for example if fulfilling your request would reveal personal data about another person, where it would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in applicable data protection laws and national laws. We will inform you of relevant exemptions we rely upon when responding to any request you make.

To exercise any of these rights, submit your request here or by contacting our DPO where one has been appointed in connection with the processing of your data. If you have unresolved concerns, you have the right to complain to a data protection authority where you live, work or where you believe a breach may have occurred.

If you are a parent or guardian exercising the above rights on behalf of your child, we will either need to verify that you are authorised to do so by the child or the child does not have sufficient understanding to exercise the rights themselves, unless it is evident that your exercise of these rights is in the best interests of the child. Where required, we may also ask you to verify your relationship to the child.

Complaints

You have the right to lodge a complaint to your national data protection authority. If you are in the European Economic Area, you can find your local Data Protection Authority at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en. If you are in Switzerland, information about how to contact the Federal Data Protection and Information Commissioner is available at https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html. If you are in the UK, you have both an additional right to complain to us, as well as a right to complain to the national data protection authority (the ICO) which can be contacted using the details at https://ico.org.uk/global/contact-us/.

ADDITIONAL HONG KONG PRIVACY DISCLOSURES

This section shall apply when we collect, hold, process and/ or use your Personal Data in or from Hong Kong.

The categories of Personal Data we collect and process

At the time of collecting your personal data, we will take practical steps to inform you whether the requested information is obligatory or voluntary. Please note that if you do not provide us with obligatory information that we require, we may not be able to provide you with some or all of your requested information, products or services as mentioned above (including but not limited to processing or completing your purchase for products or services, responding to your queries or questions).

For which purposes and on which legal grounds do we use your personal data

We will comply with the Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) when we collect, hold, process and/ or use your personal data in or from Hong Kong when you visit our websites, access or use our services, purchase our products or services (whether directly from us, our affiliates or a third party service provider), or when you otherwise engage or interact with us or third parties operating on our behalf.

The purpose for which your personal data is to be used can be viewed at the section titled “How Legends Uses Your Personal Data” of this Privacy Notice, and the classes of persons to whom your personal data may be transferred can be viewed at the section titled “Legends Disclosure of Personal Data” of this Privacy Notice. The affiliates that we share personal data with operate venues and services in their respective jurisdictions and provide group-wide services to us and other affiliated companies.

Advertising/ Marketing/ Direct Marketing

Please note that we cannot use or provide (whether for gain or not) to third parties, your personal data for any advertising, marketing or direct marketing purposes (including sending you our newsletters, invitation and/ or access to exclusive services or benefits, marketing communications and advertising materials) as described in this Privacy Notice without your prior written consent.

Subject to obtaining your prior written consent, we may (i) use your personal data (for example, your name, contact details, purchase history, product/ service interests) for direct marketing to you our products, services or technology in venues and/ or events or facilities we own or operate; and/ or (ii) provide your personal data (for example, your name, contact details, purchase history, product/ service interests) to (a) social media platforms, and/ or (b) promoters, artists and sponsors we work with in the presentation of events who may be engaged in the promotion of these events and our services. These recipients may use your personal data to send you direct marketing or show you advertising in relation to products and/ or services of the aforementioned businesses, whether for gain or not.

For more detailed information, please refer to the section titled “How Legends Uses Your Personal Data” of this Privacy Notice, and the classes of persons to whom your personal data may be transferred at the section titled “Legends Disclosure of Personal Data” of this Privacy Notice.

Your rights

Subject to the limitations and conditions of the PDPO, you have the following rights in respect of the personal data we hold about you:

Right of access: you have the right to ascertain whether we hold personal data that relates to you and request a copy of that personal data.
Right to rectification: you have the right to request the correction of personal data that relates to you .
Right to request the cessation of processing in relation to direct marketing: you have the right to ask us to cease processing your personal data for the purposes of direct marketing at any time.

If you wish to access or correct your personal data, please visit our privacy portal here. Upon receiving the relevant request, we will handle the request in accordance with the provisions of the PDPO. In accordance with the PDPO, we have the right to charge a reasonable fee for complying with any data access request or rectification request.

If you wish to ask us to cease processing your personal data for direct marketing purposes, you may at any time send an email to privacyoffice@legendsglobal.com or contact us as set out in the “Contact Us” section of the Privacy Notice. Once we receive your relevant request, we will stop using and/or transferring your personal data to third party for direct marketing as per your request.

ADDITIONAL MALAYSIAN PRIVACY DISCLOSURES

Transfer Outside of Malaysia

Your personal information may be transferred outside of Malaysia in compliance with the Personal Data Protection Act 2010 (“Malaysia’s PDPA”). Our corporate operations or service providers may be located in other jurisdictions, including the United States.

Under the Malaysia’s PDPA, such transfers are permitted when:

the destination country has laws substantially similar to Malaysia’s PDPA or ensures an equivalent level of protection for personal data;
the transfer is necessary for contractual obligations with you, legal proceedings, protecting your vital interests, or other lawful bases as permitted by the PDPA; or
you have consented to the transfer.

Data Subject Rights

Subject to certain exceptions as prescribed by law, you have the right to access, update, and correct inaccuracies in your personal information. You may also withdraw consent for our processing of your personal information, prevent processing that may cause damage or distress to yourself or others, prevent processing for direct marketing purposes, and request data portability.

We will respond to your data access or correction requests within 21 days of receipt, with possible extensions of up to 14 days in cases requiring additional time.

To exercise these rights, please visit here.

ADDITIONAL NEW ZEALAND PRIVACY DISCLOSURES

If you reside in New Zealand, the following additional terms apply in relation to the processing of your personal information.

In some cases, if personal information is not provided to us on request, it may impact our ability to supply our Services to you and/or you may not be able to access or acquire certain Services.

Your personal information may be transferred outside of New Zealand. Our corporate headquarters are in the United States. Please be aware that information you provide to us or that we obtain as a result of your use of our services may be collected in your jurisdiction and subsequently transferred to, maintained and/or processed outside of your jurisdiction, including in the United States or another jurisdiction by us or our services providers. If we disclose personal information to a third party outside of New Zealand who will use the information for their own purposes, we will take appropriate measures to ensure the information is protected by comparable safeguards as those under the New Zealand Privacy Act 2020.

You may request access to, or correction of, the personal information we hold about you at any time using the contact details referred to in this Privacy Notice. We will need to verify your identity before responding to your request. Subject to any applicable exceptions in the Privacy Act, we will provide you with access to, or correction of, your personal information within 20 working days from the date of your request. If we refuse your request for access to your information we will explain why in writing and how to complain if you are not satisfied with our decision. If we refuse your request to correct any personal information we hold about you, you may request us to attach a statement to your personal information noting the correction sought.

We will obtain your consent prior to sending you any direct marketing messages or selling your personal information to any third party for their own purposes. If you are under the age of 18, you must obtain the consent of your parent of guardian before using our Services and providing us with any personal information.

You can make a complaint to us in writing using the details set out in this Privacy Notice. If you are not satisfied with our response, you may complain to the New Zealand Office of the Privacy Commissioner via email to enquiries@privacy.org.nz or by writing to them at PO Box 10 094, Wellington 6140.

ADDITIONAL PANAMA PRIVACY DISCLOSURES

This section supplements our general Privacy Notice and complies with Law No. 81 of 2019 on Personal Data Protection in Panama (LPDP) and Executive Decree No. 285 of 2021 (DE285), which regulates Law No. 81. Our processing of personal data is governed by Panamanian legislation, including the data of vendors and event participants.

Below are specific provisions for users in Panama:

Your Rights

As a data subject, you have the following non-waivable rights that you may exercise at any time, unless otherwise provided by special laws:

Right of access: To obtain your personal data stored or processed in databases held by us or on our behalf, and to understand the origin and purposes of such data collection.
Right of rectification: To request corrections of your personal data that do not reflect your reality.
Right of erasure: To request the deletion of your personal data that are inaccurate, unauthorized, lacking legal basis, or obsolete.
Right to object: To refuse, on legitimate grounds, the provision or processing of your personal data, or to revoke your consent at any time.
Right to data portability: To obtain a copy of your personal data in a structured, commonly used, and machine-readable format when:
- You have provided the data directly to us;
- A substantial volume of your data is processed automatically; or
- You consented to the processing or it is necessary to fulfil a contract
Exercising your rights: To submit a Data Rights Request, please submit your here].

If we do not respond within the legally established timeframes, you may contact the National Authority for Transparency and Access to Information.

We may not accept requests for rectification, erasure, or blocking when the data are stored under legal mandate or when it would interfere with administrative, judicial, or national security proceedings.

We may also delete or modify data without a request if inaccuracies are proven, or block data when accuracy cannot be determined, or they appear outdated and do not warrant erasure.

Information Provided to the Data Subject

When collecting your data, we will inform you of:

Purposes: e.g., managing bookings, events, invoicing, security, and (with consent) promotional communications. If we intend to use your data for other purposes, we will notify you.
Recipients: e.g., payment processors, event platforms, or legally required authorities.
Contact: How to reach us about your data.
Legal basis: Whether the processing is based on your consent, a legal requirement, or a contract. If based on our or a third party’s legitimate interests, we will specify these
Transfers: If your data will be transferred to another country, we will disclose the legal basis (e.g., your consent or intra-group data sharing).
Retention period: How long we will retain your data or the criteria used to determine the retention period.
Rights: The mechanisms available to exercise access, rectification, erasure, objection, and portability rights.
Automated decisions: If profiling occurs, we will disclose the logic involved and the potential consequences.
Contact details: Our name and contact info, including any appointed Data Protection Officer.

Legal Basis for Processing Your Data

We process your personal data based on the following:

Explicit consent: e.g., for marketing, event photography, or promotional images. Consent may be withdrawn at any time with no retroactive effect.
Contract performance: e.g., for bookings and related services.
Legitimate interest: e.g., to improve services or prevent fraud.
Legal obligation

You may access your data without charge when processing is permitted by law without consent. You may request correction, deletion, or blocking of such data, unless special laws apply.

No consent is required for processing:

Publicly available data.
Financial or commercial data with prior consent.
Data required in an existing commercial relationship.
In medical or health emergencies.
When necessary for our or a third party’s legitimate interest, provided such interest does not override your fundamental rights, especially if you are a minor or have a disability.

Consent for processing health-related sensitive data must be prior, irrefutable, and explicit.

Automated Processing

You have the right not to be subject to decisions based solely on automated processing that significantly affect you or impact your rights.

Exceptions:

You have consented
It is necessary to fulfil a contract between you and us.
It is authorized by special laws.

Data Protection

We implement technical (e.g., encryption, firewalls) and organizational (e.g., restricted access, confidentiality agreements) measures to safeguard the confidentiality, integrity, and availability of your data.

Transfer of Your Personal Data

We may transfer your personal data with your prior, informed, and unequivocal consent, or when:

The recipient country or organization provides equivalent or higher data protection standards.
Permitted by law or international treaties ratified by Panama.
Required for medical care or public interest
Transferred within our corporate group, for original purposes only.
Necessary for a contract in your interest.
Required for public interest, legal representation, or justice.
Required to establish or defend legal claims or for international cooperation against serious crime.
Conducted under binding self-regulation or protective contractual clauses.

Transfer Outside of Panama

If your data is transferred abroad (e.g., cloud systems in the U.S.), we protect them through contractual safeguards.

Sensitive data originating or stored in Panama may be transferred only if the processor applies data protection standards equal or superior to Panamanian law.

Exceptions:

You have explicitly consented, unless exempted by law.
Necessary for life-saving measures when the subject is incapacitated.
Required in legal proceedings, with judicial authorization.
Used for historical, statistical, or scientific purposes, provided the data is anonymized.

Updates

We will notify you of changes to this section via our website or email. For Privacy Notice updates and notification method, please refer to the Updates to this Privacy Notice section of the Privacy Notice.

ADDITIONAL PUERTO RICO PRIVACY DISCLOSURES

For the purposes of the Puerto Rico Privacy Policy Notification Act (“Notification Act”):

The types of personal data that we collect and store are described in the Personal Data We Collect and Video and Photography at Venues sections of this Privacy Notice.
The persons with whom we share collected personal data are set out in the Legends Global Disclosure of Personal Data section of this Privacy Notice.
You can correct or update any personal data that we hold about you by contacting us as set out in the Contact Us section of this Privacy Notice.
We will notify you of changes to this Privacy Notice via our website or email, as further set out in the Updates to this Privacy Notice section of this Privacy Notice.

We will only send you marketing messages to the extent you give us your consent to do so.

ADDITIONAL SAUDI ARABIA PRIVACY DISCLOSURES

Your Rights relating to your personal data

Under the Kingdom of Saudi Arabia’s Personal Data Protection Law, you have the following rights, which primarily depend on the purpose of personal data collection and processing:

Right to be informed about the legal basis and the purpose of the collection of your personal data.
Right to request access to your personal data that we hold about you.
Right to request your personal data from us in a readable and clear format.
Right to request corrections to your personal data if incorrect, and/or modifications to your Personal Data if incomplete or updates where your personal data held by us is out of date. In this instance you may request us to restrict processing of your personal data that is incorrect.
Right to request destruction of your personal data.
Right to withdraw your consent you previously gave us to the extent any of your personal data is collected based on consent. You can exercise your right to withdraw consent as set out below.
Right to lodge a complaint with the Data Protection Authority in respect of our processing activities regarding your personal data.
Right to claim compensation for material or moral damage if you are harmed as a result of any violation stipulated under the applicable laws.

Unless otherwise stipulated by the law, you will not be required to pay any fees in return for exercising this right. In case of submitting a request for exercising this right, you will receive a response within 30 days as of the request receiving date.

For further details regarding the processing of your personal data you can contact us as set out in the “Contact Us” section of this Privacy Notice. To exercise your rights, please visit here.

Direct Marketing

We will not send you any communications for the purpose of direct marketing without obtaining your prior explicit consent. If you consent to receive such direct marketing communications, you have at any time a right to opt out by contacting us as set out in the “Contact Us” section of this Privacy Notice or follow the instructions provided in the direct marketing communication.

Withdraw your consent

When we rely on your consent (and no other alternate legal bases) you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

If you wish to withdraw your consent, you can do so by contacting us as set out in the “Contact Us” section of this Privacy Notice. Please note that even after you withdraw your consent, we may be obliged to keep your personal data due to legal requirements.

Transfer of your Personal Data cross border

We may share your personal data with our affiliates or subcontract the processing of your data to, or otherwise share your data with, service providers located inside or outside KSA. Such third parties may be engaged in, among other things, the provision of services to you, the processing of transactions, payments and/or the provision of support services. We will fulfil any requirements in relation to the international transfers of personal data under applicable laws.

Data Storage and Retention

We will store your personal data in a cloud instance provided by our third-party cloud providers at [please include the geographical location].

We will store your personal data for the periods set out in the section headed “Retention of Personal Data” of this Privacy Notice. In destroying your personal data, after its intended purpose is fulfilled, we will ensure that our cloud storage providers apply certified deletion methods, such as secure wiping, in line with industry standards so that such personal data cannot be viewed or recovered.

We will retain your personal data in an identifiable form only for the period necessary to fulfil (i) the purposes outlined in this Privacy Notice, (ii) our business and operational purposes and in line with our legal and regulatory obligations.

We will only retain your personal data after the purposes for why we collected it no longer exists, in the following cases:

if there is a legal or regulatory requirement for retaining your personal data for a specific period, in which case the personal data must be destroyed upon the lapse of that period or when the purpose of the collection is satisfied, whichever longer.
if your personal data is closely related to a case under consideration before a judicial authority and the retention of the personal data is required for that purpose, in which case the personal data shall be destroyed once the judicial procedures are concluded.

Inquiries and Complaints

For further details regarding the processing of your personal data and how to exercise your rights, you can contact us using the details set out in the “Contact Us” section of this Privacy Notice.

You can also file a complaint by contacting us as set out in the “Contact Us” section of the Privacy Notice if you have any concerns, or if we do not comply with the Saudi Data Protection Law. If you are not satisfied with how we process your complaint, or if we fail to respond within 30 days, you can file a complaint to Data Protection Authority, Saudi Data and Artificial Intelligence Authority (SDAIA) as provided below:

SDAIA Address

Kingdom of Saudi Arabia

Riyadh

Website: sdaia.gov.sa.

National Data Governance Platform (DGP) (dgp.sdaia.gov.sa)

Disclaimer

This Privacy Notice is not intended to, nor does it, create any contractual rights whatsoever or any other legal rights, nor does it create any obligations on us in respect of any other party or on behalf of any party. When you log in to third parties’ websites, you will not be subject to or under this Privacy Notice. Moreover, we are not responsible for their websites’ content, and we do not represent third parties. Therefore, when you leave our website, we recommend you review the privacy and security policy of each website you visit.

ADDITIONAL SINGAPORE PRIVACY DISCLOSURES

Disclosures of Personal Data to Third Parties

We will not disclose your personal data to third parties without first obtaining your consent permitting us to do so. However, please note that we may disclose your personal data to third parties without first obtaining your consent in certain situations. For more information on the exceptions, you are encouraged to peruse the First and Second Schedules of the Singapore Personal Data Protection Act 2012 (PDPA) which are publicly available at https://sso.agc.gov.sg//Act/PDPA2012.

Data Subject Rights

Subject to certain exceptions as prescribed by the PDPA or law, you have the following rights:

You have the right to make a request to us on whether we process personal data about you, and if we do, to make a request to access personal data we hold about you and certain information about how we use it and who we share it with. Where permitted by the PDPA or law, we reserve the right to charge you a reasonable fee for service provided to you to enable us to respond to your request.
You have the right to make a request to us to correct any personal data held about you that is inaccurate.

You have the right to withdraw your consent at any time by contacting us at privacyoffice@legendsglobal.com. We will process your request within a reasonable time from such a request for withdrawal of consent being made, and will thereafter refrain from collecting, using and/or disclosing your personal data in the manner stated in your request.

Accuracy

We will take reasonable efforts to ensure that your personal data is accurate and complete, if your personal data is likely to be used by us to make a decision that affects you, or disclosed to another organisation. However, this means that you must also update us of any changes in your personal data that you had initially provided us with. We will not be responsible for relying on inaccurate or incomplete personal data arising from you not updating us of any changes in your personal data that you had initially provided us with.

Protection of Personal Data

We will put in place reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and the loss of any storage medium or device on which personal data is stored. However, we cannot assume responsibility for any unauthorised use of your personal data by third parties which are wholly attributable to factors beyond our control.

We will also put in place measures such that your personal data in our possession or under our control is destroyed and/or anonymised as soon as it is reasonable to assume that (i) the purpose for which that personal data was collected is no longer being served by the retention of such personal data; and (ii) retention is no longer necessary for any other legal or business purposes.

Transfer Outside of Singapore

Where your personal data is to be transferred out of Singapore, we will comply with the PDPA in doing so. In this regard, this includes us obtaining your consent unless an exception under the PDPA or law applies, and taking appropriate steps to ascertain that the foreign recipient organisation of the personal data is bound by legally enforceable obligations to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the PDPA. This may include us entering into an appropriate contract with the foreign recipient organisation dealing with the personal data transfer or permitting the personal data transfer without such a contract if the PDPA or law permits us to.

Complaints and Feedback

If you have comments, questions or complaints about or requests relating to this Privacy Notice or other privacy-related matters, please contact our data protection officer at privacyoffice@legendsglobal.com.

ADDITIONAL THAILAND PRIVACY DISCLOSURES

If you are a resident of Thailand, the terms in this section apply in addition to the terms of the main body of the Privacy Notice. To the extent that there are inconsistencies between the terms in this section and the terms of the main body of the Privacy Notice, this section shall prevail.

How We Collect and Use Personal Data

In addition to the terms of the main body of the Privacy Notice, please note that we only process your personal data where we have a legal basis to do so. The legal basis will vary depending on the reason we are collecting and processing your personal data. We may rely on the following legal bases: (i) your consent; (ii) necessity for performing contractual obligations or proceeding with your request to enter into a contract with us; (iii) necessity for our or a third party’s legitimate interests; (iv) compliance with laws; and (v) for establishment, exercising, compliance with, or defense of a legal claim. The legal bases we rely on are set out in this section headed “How Legends Uses Your Personal Data”.

Where your personal data is necessarily required to proceed with your request to enter into a contract with us and/or to perform our obligations under the contract with you, if you do not provide us with the required personal data under said circumstances, we may not be able to proceed with your request or may not be able to perform our obligations under the contract with you, either in whole or in part. For example, we may not be able to supply products and/or services you request or may not be able to process your payment. Consequently, we may need to cancel the relevant contract.

Moreover, there could be circumstances where your personal data is required for compliance with applicable laws or regulations and if you do not provide the required personal data in such cases, it may result in us and/or you being in non-compliance with, or violation of, these laws. We may also refuse to provide certain products and/or services to you in such cases to avoid violating such applicable laws or regulations.

Your Privacy Rights

Subject to the limitations and conditions of the Thailand’s Personal Data Protection Act 2019 (“PDPA”), you are entitled to the following rights:

Right to access: You have the right to access, or obtain a copy of, your personal data. In addition, you also have the right to request that we disclose the source(s) of your personal data which has been acquired without your consent;
Right to rectify: You have the right to request that we correct, update or complete your personal data to ensure it is accurate and not misleading;
Right to delete: You have the right to request deletion, destruction or de-identification of your personal data;
Right to restrict the use: You have the right to request that we restrict the use of your personal data;
Right to object: You have the right to object to the processing of your personal data such as when your personal data is processed for direct marketing purposes;
Right to data portability: You have the right to request to receive your personal data in a format which is commonly readable and usable by automatic tools or device, and which can be used or disclosed via automatic means. You also have the right to request that we transmit your personal data in said format to another data controller as well as to directly receive your personal data in said format that we have transmitted to another data controller;
Right to withdraw consent: When we rely on your consent to process your personal data, you may withdraw your consent at any time; and
Right to lodge a complaint: You may lodge a complaint with the relevant authorities if you believe that our processing of your Personal Data does not comply with the PDPA or other applicable laws.

How to Contact Us

If you have any comments or questions about this Privacy Notice, please contact us using the details set out in the “Contact Us” section of this Privacy Notice. To submit your Data Rights Request, please visit here.

ADDITIONAL UNITED ARAB EMIRATES PRIVACY DISCLOSURES

This section applies to the collection and processing of Personal Data in or from the United Arab Emirates (UAE) and is intended to supplement the main provisions of the Privacy Policy, in accordance with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL).

Additional Rights for UAE Residents

Under the PDPL, you may also have the right to:

Receive information about the processing of your personal data, including the purposes of processing, categories of Personal Data processed, and any third parties to whom your Personal Data is disclosed.
Restrict the processing of your Personal Data in certain circumstances, such as where the accuracy of the data is contested, or the processing is believed to be unlawful.
Object to the processing of your Personal Data, including for direct marketing purposes or where decisions are made solely through automated processing, including profiling.
Withdraw your consent to the processing of your Personal Data at any time, where processing is based on consent. Please note that this does not affect the lawfulness of any processing based on consent before its withdrawal.

Data Protection and Security

We take the protection of Personal Data seriously. We implement appropriate technical and organizational measures to help safeguard your Personal Data and reduce the risk of unauthorized access, disclosure, alteration, or destruction.

International Data Transfers
Where we transfer Personal Data outside the UAE, we do so in accordance with the requirements of the PDPL, including applying appropriate safeguards as may be required under applicable law. Transfers may be subject to change once the PDPL Implementing Regulations are issued or further guidance issued by the UAE Data Office.

Note for UAE Residents

For Personal Data collected from or processed in the UAE, while the PDPL sets out several legal bases for processing Personal Data, it does not currently recognize “legitimate interests” as a lawful basis. Accordingly, for any processing activities where we would ordinarily rely on legitimate interests, we will ensure that, in respect of UAE residents, we rely instead on an alternative legal basis permitted under the PDPL, such as consent or the performance of a contract. Where required, we will inform you of the applicable legal basis at the time of collection or before the relevant processing activity takes place.

ADDITIONAL URUGUAYAN PRIVACY DISCLOSURES

If you are a resident of Uruguay, this section provides information in accordance with the applicable national data protection regulations, including Law No. 18.331 (on the Protection of Personal Data and Habeas Data Action), its Regulatory Decree No. 414/009, and other applicable rules and regulations as well as relevant guidelines issued by the Regulatory and Control Unit of Personal Data (“URCDP”).

Your Rights under Uruguayan Law

In accordance with Law No. 18.331, you have the following rights:

Access: To obtain confirmation of whether your data is being processed and to access that data.

Rectification, updating or inclusion: To correct inaccurate, incomplete or missing personal data.

Erasure: To request the erasure of your data where appropriate.

Challenge personal assessment based on automated data processing: To object to the processing of your personal data, particularly for advertising or profiling purposes.

You may also file a complaint before the national data protection authority, the URCDP.

Consent and Sensitive Data

We may collect sensitive personal data only where express and written consent has been provided by you, or where the processing is authorized by law and justified by reasons of general interest. You are under no obligation to provide sensitive data, and any processing will be based on your express and written consent in accordance with Article 18 of Law No. 18.331, and under adequate technical and organizational safeguards and high levels of protection.

Biometric Data

Biometric data may be collected and processed where applicable, solely for the purposes stated in this Privacy Policy and in compliance with the legal basis and obligations imposed by Uruguayan personal data protection law. Biometric data are considered specially protected and will be processed in compliance with Uruguayan personal data protection law and subject to adequate technical and organizational safeguards.

Children’s Data

Services are not directed at individuals under the age of 18 unless expressly stated, and we implement safeguards to protect children. Where personal data from children are collected, this will be done only from parents or guardians, or with verifiable parental consent

International Data Transfers

We may transfer your personal data internationally. In such case, Legends Global will ensure that such transfers comply with Uruguayan personal data protection law and the applicable legal basis for processing, including your express and informed consent, or performance of contractual obligations. If performed to countries that may not provide an adequate level of protection, we will take steps to ensure that the recipient has an adequate level of protection of the rights and freedoms of data subjects. Any such transfer will only occur under appropriate safeguards, such as standard contractual clauses or your express and informed consent, in compliance with Uruguayan regulations. The URCDP may authorize a personal data transfer to a third country that does not provide an adequate level of protection when the data controller provides sufficient guarantees with regard to protection of private life, fundamental rights and liberties of data subjects, as well as exercise of their respective rights.

Profiling and Automated Decisions

We may use with your consent your personal data to create user profiles or to tailor our services and marketing communications. Under Uruguayan law, profiling that produces legal or similarly significant effects requires your explicit consent. You have the right to object or challenge a personal assessment based on automated data processing and to object to the processing of your personal data, including when processed for advertising or profiling purposes. You may withdraw your consent at any time.

Marketing

We may send you marketing communications if you have consented to receiving marketing or promotional communications from us or from our partners. We may share your personal data with another company for marketing purposes if you have expressly provided your consent. You may opt-out from marketing communications at any time.

Data Retention

We retain your personal data for the time strictly necessary to fulfil the purposes for which it was collected, including for the purposes of complying with any legal, accounting or reporting obligations, and in accordance with the principle of data minimization and proportionality set forth under Uruguayan law.

Data Retention

When you use our websites we may gather information about you through Internet access logs, cookies and other technical means. ‘Cookies’ are text files placed on your computer to collect Internet log information and user behaviour information. These are used to track website usage and monitor website activity and for other data processing reasons set out below.

You will see a cookie notice when you access our websites. Some of the cookies we use are essential for parts of the site to operate and have already been set. You may delete and block all cookies from this site, but parts of the site will not work.

The majority of web browsers (including Firefox, Internet Explorer, Google Chrome, Opera and Safari) will allow you to block cookies from being installed on your device, or delete selected or all cookies currently installed on your device, via your browsing settings. Depending on your browser, further information can be obtained via the following websites: Firefox, Internet Explorer, Google Chrome, Opera or Safari. Mobile phone users may have to refer to their handset manual for details on how to block or delete cookies using their mobile browser. Please be aware that restricting the use of cookies may impact on the functionality of our website.

Reasons for processing

We process information about you for the following reasons:

providing services to you;
carrying out customer profiling and analysis of purchasing preferences;
marketing our business and service and those of our partners which we believe will be of interest to you;
operational reasons, such as recording transactions, training and quality control;
improving our services;
providing customer service;
analysing customer feedback;
investigating complaints;
ensuring business policies are adhered to;
tracking activity on our website and social media channels;
to contact you in the event any products or services you requested are unavailable or to notify you in the event of any changes to an event;
to personalise and improve your experience on our website and social media channels;
to personalise any communications to you;
compliance with legal, regulatory and corporate governance obligations and good practice; and
gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests.

When you use our website and social media channels we may also collect certain information about you and your visit to help us to improve your experiences on those platforms. This may include:

your journey through our website and social media channels;
what content you like or share;
which pop up or push messages you saw and responded to;
your IP address; and
your browser type and operating system.

We may also collect personal information when you purchase a ticket for any of our events from our ticketing partner in order to assist us with event planning activities and to enable us to contact you with details of any changes to the scheduled event. We may keep a record of your name address, delivery details, e mail address, telephone number and bank details. In addition, we record CCTV images of you when you are at the venue or within its vicinity for your safety and security. CCTV images may be shared with the police for the purposes of crime prevention and detection.

Disclosures and exchange of information

We may disclose and exchange information with group companies, credit reference agencies, ticketing agencies, promoters, service providers, representatives and agents, as well as with law enforcement agencies and regulatory bodies for the above reasons.

Information may be held at our offices and those of our group companies, ticketing agents, promoters and third party credit reference agencies, service providers, representatives and agents as described above.

Some of the third parties with whom we share your data may be based outside the United Kingdom or European Union. If we do transfer your personal data outside the EU, we will take proper steps to ensure your personal data is transferred and held securely and in accordance with this privacy policy.

Children

On occasion we may collect limited personal data relating to children under the age of 16, for instance the names of attendees or participants in Learning and Participation or other educational events at certain venues. If you are a parent or guardian of a child under the age of 16 and think that we may have information relating to that child, please contact us at the relevant venue, using the details provided in the Appendix to this document. We will ask you to prove your relationship to the child but if you do so you may (subject to applicable law) request access to and deletion of that child’s personal data.

Sensitive personal data

You may also supply us with sensitive personal data relating to your physical health which is gathered for the purposes of ensuring easy access to our venue (in the case of people with accessibility requirements) or compliance with food safety (in the case of strict dietary requirements).

Keeping your data secure

We have appropriate security measures in place to prevent your personal information being accidentally lost, or used or accessed in an unauthorised way. We also limit access to your personal information to those who have a genuine business need to know it. Some of the technical and organisational measures we use to safeguard your personal data are:

storing your personal data, in all forms, in a secure environment;
training our staff on the importance of data protection measures;
employing SSL (secure sockets layer) encryption on every domain owned by us – this allows us to encrypt any passwords and debit/ credit card information to prevent unauthorised access or disclosure;
securing our network by an advanced firewall supported by industry standard anti-virus software.

We also have policies and procedures in place to deal with any suspected data breach so that we can act quickly to minimise any potential damage.

Your Rights

Under the GDPR you have a number of important rights. Those include:

Right to fair processing of information and transparency over how we use your personal information – we are required to inform you why we want to gather your personal information, what we will do with it, who it will be shared with and how long it will be kept for. That information is set out in this privacy notice, but if you require any further information please don’t hesitate to contact us.
Right to request a copy of your information – you can request a copy of your information which we hold (this is known as a ‘subject access request’). If you would like a copy of some or all of this information please contact us with proof of your identity and let us know what information you would like. We must provide this information to you in a commonly used and machine readable format.
Right to require us to correct any mistakes in your information – you can require us to correct any information which we hold. If you would like to do this, please contact us to let us know the information that is incorrect and what is should be replaced with.
Right to ask us to stop contacting you with direct marketing – you can ask us to stop contacting you for direct marketing purposes at any time. If you would like to do this, please contact us and let us know what method of contact (one or all) you are not happy with.
Right to restrict processing – you can ask us to suspend the processing of your personal data in certain circumstances, for example, if you have notified us there is a mistake in the information we hold about you, you may ask us to suspend processing until that mistake is rectified.
Right to erasure – otherwise known as ‘the right to be forgotten’ – you can ask us to delete or remove your personal data from our systems where there is no compelling reason for us to continue processing it.

If you want to exercise any of these rights, please write to us at the relevant venue, using the details provided in the Appendix to this document, and provide us with enough information to enable us to confirm your identity. We may also require proof of your identity, such as a copy of your driving license, passport and a recent utility bill or bank statement, to be sure that we are not releasing any of your personal data to anyone other than you.

Changes to this privacy notice

This privacy notice was first published on 30 April 2018 and last updated on 1 October 2019.

Your privacy is important to us and we are constantly reviewing our policies and procedures to ensure we are meeting the high standards we set ourselves. As a result, we may amend this privacy notice from time to time, and we recommend that you check this page periodically to review any changes that may have been made.

How to contact us

If you have any questions or concerns about this privacy notice or the information we hold about you, please do not hesitate to contact the relevant venue, as detailed in the Appendix, or the ASM Global European Region Headquarters by one of the following methods:

By post: Privacy Enquiries, ASM Global (European Region), 4^th Floor, Arena Point, 1 Hunts Bank, Manchester, M3 1UN

By e mail: privacy@eu.asmglobal.com
By phone: +44 (0)161 950 5114

If you would like this notice in another format (for example, audio, large print, braille) please contact us using any of the methods above.

If you have a complaint, we hope that we can resolve any issues you have by contacting us via one of the methods above. However, you also have the right to lodge a complaint with the Information Commissioners Office who may be contacted at https://ico.org.uk/concerns/ or via the helpline: 0303 123 1113.

APPENDIX: OUR VENUES

The following is a list of the venues currently operated by the ASM Global European Region. If you have any questions or concerns about the information one of our venues may hold about you, please do not hesitate to contact them using any of the methods also listed below.

Venues operated by SMG Europe Holdings Limited (registered number: 5558259): Utilita Arena Newcastle

How to contact Utilita Arena Newcastle

By post: Utilita Arena Newcastle, Arena Way, Newcastle Upon Tyne, NE4 7NA
By e mail: privacy@eu.asmglobal.com