1. Purpose and Scope

This appendix describes the operational controls AFICH currently has in place for ticketing, privacy, payments, security, and anti-fraud compliance in the United States, California, and the European Union. It is an evidence-based summary for users and operators, not a guarantee of compliance in every jurisdiction or a replacement for legal counsel.

2. FTC BOTS Act and Fair-Access Controls

2.1 Compliance Objective

AFICH prohibits bypassing access controls, purchase limits, waiting mechanisms, or ticket limits to acquire event tickets at scale. This supports fair access and aligns with the FTC BOTS Act prohibition on circumventing ticket seller controls.

2.2 Implemented Controls

• reCAPTCHA v3 - Production requires reCAPTCHA configuration and blocks invalid or low-score results; Google network failures currently fail open so legitimate users are not blocked by provider outages
• Rate limits - Authentication, checkout, and sensitive endpoints can be throttled to reduce automated abuse
• Purchase caps - Checkout enforces a default 4 tickets per user per event and 10 tickets per transaction unless an event is configured differently
• Guest checkout controls - Guest purchase flows still require checkout validation, payment provider confirmation, and fraud checks
• Fraud and audit signals - AFICH records order, account, device, IP, ticket, refund, dispute, scanner, and provider signals for review
• Enforcement - AFICH may cancel orders, block or revoke tickets, restrict accounts, hold payouts, preserve evidence, notify organizers, and cooperate under valid legal process

3. PCI DSS and Payment Data

3.1 Cardholder Data Scope

AFICH is designed to use provider-hosted payment collection such as Stripe Elements or Checkout so full card numbers are entered into Stripe-hosted fields rather than AFICH-controlled forms. AFICH stores payment references, order snapshots, refunds, disputes, settlements, and payout records needed to operate the service.

3.2 SAQ A Conditions

• Stripe-hosted collection - SAQ A may be available only when all payment-page elements that collect cardholder data originate from PCI DSS validated third-party providers such as Stripe
• No full-card storage - AFICH legal copy should not claim storage or processing of full card numbers unless the architecture changes and is assessed
• Provider records - Stripe and configured payment providers handle card tokenization, authentication, dispute, and settlement data within their compliance programs
• Review requirement - AFICH should confirm final PCI scope with its payment provider or assessor before making formal SAQ claims

4. AML, KYC, and Payout Controls

4.1 Provider-Led Verification

Organizer identity, banking, sanctions, and payout verification is primarily handled through payment providers such as Stripe Connect or configured local providers. AFICH mirrors provider status and uses that status to enable, delay, restrict, or hold payouts.

4.2 Operational Controls

• KYC status - AFICH tracks provider verification status rather than independently promising full KYC review
• Payout holds - Payouts may be delayed or held for provider requirements, fraud risk, refunds, disputes, sanctions, or legal obligations
• Dispute records - Refund, chargeback, payout, settlement, and order records are retained for accounting, provider, legal, and dispute purposes
• Organizer obligations - Organizers remain responsible for truthful event information, lawful sales, tax compliance, and payout account accuracy

5. GDPR, CCPA/CPRA, and Privacy Controls

5.1 GDPR-Aligned Controls

• Lawful bases - AFICH uses contract necessity for ticketing and accounts, legal obligation for tax and accounting, legitimate interests for fraud prevention and platform security, and consent for optional marketing or consent-gated flows
• Consent record - GDPR/privacy consent and age confirmation are stored on the User row with timestamps; signup sessions are short-lived operational records and should not be described as long-term audit evidence
• Rights timing - Data subject requests are generally answered within one month and may be extended by two additional months for complex or numerous requests
• Erasure with retention - Account deletion anonymizes user profile fields and revokes sessions while preserving required transaction, financial, security, dispute, and legal records
• Breach notification - AFICH aims to notify the relevant authority within 72 hours where GDPR Article 33 applies and notification is required, unless the breach is unlikely to result in risk to individuals
• International transfers - Provider processing may occur in the United States or other countries and should rely on applicable provider safeguards and transfer terms

5.2 California Privacy Controls

• Right to know - California users can request categories and specific pieces of personal information, subject to verification and statutory limits
• Right to delete - Deletion is available subject to exemptions for transactions, security, fraud prevention, disputes, legal obligations, and accounting
• Right to correct - Profile and account information can be corrected in account settings or by verified request
• No sale posture - AFICH does not sell personal information and does not describe backend behavior as cross-context behavioral advertising sharing
• Sensitive information - Sensitive information is used for disclosed business purposes such as account security, payment, fraud prevention, support, and legal compliance
• Response timing - California requests receive a substantive response within 45 calendar days, extendable by 45 additional days with notice
• No discrimination - AFICH does not deny service or change prices because a user exercises California privacy rights, except where information is necessary to provide the requested service

5.3 Providers and Subprocessors

• Payment providers - Stripe and configured local providers process checkout, tokenization, refunds, disputes, settlement, and payout records
• Messaging providers - Email and SMS providers deliver transactional, account, security, marketing, and event-operation messages according to the user's preferences and legal basis
• Cloud and storage providers - Hosting, storage, media, backup, and logging providers process data needed to run AFICH
• Anti-abuse providers - reCAPTCHA and related controls process technical signals used to detect abuse
• Monitoring providers - Sentry is configured on the backend with send_default_pii disabled; frontend monitoring includes limited URL token redaction, but Replay masking should be reviewed before making broader privacy-redaction claims
• Integrations - Organizer-configured integrations and webhooks may receive event, order, ticket, or attendee data needed for the configured integration

5.4 Retention Matrix

6. Compliance Matrix

7. Audit and Enforcement

7.1 Operational Enforcement

• Audit logs - Privileged organizer, ticketing, refund, payout, scanner, and security actions should be logged with actor and context when supported by the backend path
• Security review - AFICH may review accounts, orders, devices, tickets, refunds, disputes, provider events, and logs to investigate abuse
• Payout and account restrictions - AFICH may suspend accounts, restrict scanner devices, hold payouts, revoke tickets, or cancel orders when policy, provider status, fraud risk, or legal obligations require
• Legal process - AFICH may preserve and disclose records to regulators, law enforcement, payment providers, or courts when required or permitted by law
• Unsupported claims - AFICH should avoid absolute compliance, global legal coverage, routine penetration-test, or complete privacy-redaction claims unless those programs are documented and operating

8. Contact

For questions about this compliance appendix or AFICH controls, contact AFICH.

• Compliance Email: compliance@afichtickets.com
• Web: https://afichtickets.com/legal/compliance