Security & Trust
Hatch runs ticketing and bookings for UK leisure venues, so we look after your customers' details and their payments. Here, in plain English, is how we keep them safe, and where to find the full detail.
If you have a security question that isn't answered here, email security@hatchtickets.co.uk.
Card payments and PCI
Card payments are handled entirely by Stripe. Each venue is the merchant of record on its own Stripe account, so your takings are paid directly to you and Hatch never holds your money.
Card numbers never pass through Hatch. Online, the customer enters their card on Stripe's own secure payment page. In person, the card is read by a Stripe card reader. Either way the card details go straight to Stripe, and Hatch never sees, handles or stores them. We keep only a payment reference, the amount, and the customer's name and contact details for the booking.
What this means for your PCI compliance
Because you never touch card details yourself, your card-data security is covered by Stripe, which is certified to PCI DSS Level 1, the highest level there is. For online bookings this puts most venues in the simplest category of PCI self-assessment (SAQ A), a short questionnaire rather than audits or scans. In-person sales run on Stripe's PCI-validated card readers. Stripe provides PCI guidance and documentation for your own account, and your card acquirer can confirm exactly which self-assessment applies to you.
Your data, your control
For the personal data of your customers, you are the data controller and Hatch is your data processor. We only use that data to run your ticketing, we never sell it, and we never use your customers' data to market anything of our own. The core record of your data is held in a database in the UK (London). You can export your data, including your mailing list, at any time from your dashboard, and we support your customers' GDPR rights.
How we protect it
- Encryption: every connection to Hatch is encrypted (HTTPS/TLS), and your data and uploaded files are encrypted at rest.
- Tenant isolation: every venue's data is separated at the database level, so one venue can never see another's bookings, customers or takings.
- Authentication: two-factor authentication is available on every account and enforced for our administrators, and staff get role-based access limited to what they need.
- Monitoring: we watch the platform for errors and issues so we can act on them quickly, and we would tell you without undue delay about any breach affecting your customers.
The full detail
When you join Hatch you receive our Data Processing Agreement. It sets out the complete list of the sub-processors we use, where each one processes data and the safeguards for any transfer outside the UK, our data-retention periods, and our security and breach-notification commitments. It is also available on request. Your card-data security is covered by Stripe's PCI DSS Level 1 certification, as described above.
Registration
Hatch Tickets Ltd is registered with the UK Information Commissioner's Office (ICO), registration number ZC151596. See also our Privacy Policy and Terms.
Back to Hatch