KEL5 / Event details coming soon
Privacy Policy
How KEL Tournaments handles personal information.
Version 2026-07-05
Privacy Policy
KEL5 Privacy Policy
Version: 2026-07-05 Effective date: 5 July 2026
This Privacy Policy explains how personal data is processed in connection with KEL5 ticket sales, osu! account verification, payment confirmation, ticket delivery, event entry, event safety, support, refunds, disputes and related event operations.
KEL5 is an international LAN tournament held in Poland. Personal data is processed in accordance with the GDPR and applicable Polish data-protection, consumer, accounting and tax rules.
1. Data controller
The data controller is Legal identity not configured, operating as KEL Tournaments, with registered address at Address not configured, NIP not configured.
Privacy questions and requests concerning personal data may be sent to:
2. Who this policy applies to
This policy applies to:
- people who buy or attempt to buy a KEL5 ticket;
- people whose osu! account is used for ticket verification;
- attendees using a KEL5 ticket or pass;
- attendees aged 16 or 17 where guardian approval or age-related information is required;
- parents or legal guardians who provide approval or contact information for a minor attendee;
- people who contact KEL5 for support, refunds, complaints or privacy requests;
- staff users where their staff account is recorded in ticketing, check-in, support, safety or security logs.
3. Data we collect
3.1 osu! login data
When you sign in with osu!, we receive the account information supplied through osu! OAuth, including:
- verified osu! user ID;
- osu! username;
- authentication/session information needed to complete the login process.
We use this to link the ticket to a verified osu! account and to enforce ticketing and event-safety rules.
3.2 Ticket purchase data
For ticket purchases and attempted purchases, we may process:
- first and last name;
- email address;
- verified osu! user ID and username;
- selected ticket type;
- ticket status;
- order timestamp;
- acceptance timestamp;
- version of the Terms of Sale, Event Rules and Privacy Policy accepted at checkout;
- checkout/session identifiers needed to complete or secure the order.
3.3 Minor attendee and guardian data
KEL5 is a 16+ event. If an attendee is aged 16 or 17, we may process limited information needed to verify guardian approval and event eligibility, such as:
- attendee name;
- attendee age confirmation or proof of age, where reasonably required;
- parent or legal guardian name;
- parent or legal guardian contact details;
- guardian approval statement;
- approval timestamp or submitted approval form;
- staff notes needed to verify or handle the approval.
We use this data only where needed for event entry, safety, venue compliance, dispute handling or legal protection.
3.4 Payment data
Payments are processed by Stripe. KEL5 does not receive or store full card details.
We may store:
- Stripe order/payment identifiers;
- Stripe refund ID, where applicable;
- payment status;
- payment currency;
- payment amount;
- payment timestamps;
- limited payment information needed to confirm, refund, investigate or reconcile an order.
Stripe processes payment data under its own privacy policy and security rules.
3.5 Ticket and event-entry data
For ticket delivery and event entry, we may process:
- ticket/pass identifier;
- QR/pass status;
- check-in status;
- check-in time;
- staff account responsible for check-in;
- information needed to prevent duplicate, invalid, refunded, unpaid or blocked ticket use.
3.6 Event safety and enforcement data
Where necessary for event safety, rule enforcement, fraud prevention, harassment prevention, abuse prevention, ban handling or legal protection, we may process:
- reports submitted to staff;
- complaint or incident details;
- evidence provided by attendees, staff, venue staff or online platform users;
- screenshots, links or messages relating to event-connected misconduct;
- internal notes;
- staff account responsible for handling the case;
- decision history, such as warning, refusal of entry, removal or ban.
This may include conduct connected to KEL5 even where the conduct happens outside the physical event, for example on social media, Discord, osu!, livestream chats, private messages or other event-related spaces.
3.7 Security and website data
To keep the ticketing system secure, we may process:
- IP address;
- browser and request information;
- device/session information;
- website security logs;
- rate-limit logs;
- OAuth state and CSRF protection data;
- security alerts and abuse-prevention logs;
- timestamps connected with the above.
3.8 Support and correspondence
If you contact us, we may process:
- your email address;
- your name or osu! username, if included;
- message content;
- attachments or screenshots you send;
- correspondence history;
- internal notes needed to resolve the request.
3.9 Data we do not request during standard checkout
During standard KEL5 ticket checkout, we do not ask for:
- postal address;
- telephone number, except where needed for guardian approval or specific support handling;
- Discord account;
- Twitch account;
- full payment-card details.
4. Where the data comes from
We receive personal data from:
- you, when you enter checkout details, contact us or submit a request;
- a parent or legal guardian, where guardian approval is required;
- osu!, when you authenticate through osu! OAuth;
- Stripe, when Stripe confirms payment, refund or order-status information;
- our own ticketing, check-in, server, security and support systems;
- authorised event staff, where they record check-in, support, safety or enforcement actions;
- attendees, staff, venue staff, platform moderators or other people who submit event-safety reports or evidence.
5. Why we use personal data
We process personal data to:
- authenticate attendees through osu!;
- create and perform the ticket contract;
- issue, display, deliver and verify tickets or passes;
- verify age-related eligibility and guardian approval where required;
- confirm payment;
- process refunds, chargebacks, disputes and support requests;
- prevent duplicate purchases where duplicate active tickets are disabled;
- prevent fraudulent, unpaid, refunded, invalid, transferred or blocked ticket use;
- enforce organiser-maintained event bans;
- enforce the 16+ event restriction;
- operate one-time event entry;
- protect attendees, staff, players, partners, the venue and event integrity;
- investigate harassment, threats, abuse, fraud, security incidents, chargebacks, disputes or legal claims;
- keep necessary accounting, tax and legal records;
- comply with legal obligations.
6. Legal bases for processing
We process personal data under the following legal bases.
6.1 Contract
Ticket fulfilment, ticket delivery, payment confirmation, support, refunds and admission checks are processed because they are necessary to take requested pre-contractual steps or perform the ticket contract.
This includes linking a ticket to a verified osu! account where this is part of the ticketing model.
6.2 Legal obligation
Accounting, tax, payment, complaint-handling and legally required records are processed where necessary to comply with legal obligations.
6.3 Legitimate interests
We process some data on the basis of KEL5’s legitimate interests, including:
- service security;
- fraud prevention;
- event safety;
- harassment prevention;
- abuse prevention;
- ticket enforcement;
- chargeback and dispute handling;
- audit logs;
- prevention of duplicate, invalid, refunded or unpaid ticket use;
- organiser-maintained event bans;
- age-related event safety checks;
- protection of legal claims;
- limited event documentation and public event coverage.
Before relying on legitimate interests, we consider whether the processing is necessary, proportionate and expected in the context of an online ticketing system and LAN event.
6.4 Consent
Where processing legally requires consent, we will request consent separately. Consent may be withdrawn at any time without affecting processing that was lawful before withdrawal.
Consent may be used, for example, for optional analytics, marketing cookies, newsletter-style communication, or specific promotional media use if such features are introduced.
7. Automated ticketing and eligibility rules
Checkout or ticket use may be automatically blocked where:
- the verified osu! ID appears on the organiser’s event-ban list;
- duplicate active tickets are disabled and an active ticket already exists for the same verified osu! account;
- ticket capacity is exhausted;
- payment is not confirmed;
- the ticket is refunded, cancelled, invalidated or already checked in;
- the request is blocked by security, abuse-prevention or rate-limit systems;
- the attendee does not meet the 16+ event requirement or required guardian-approval rules.
These rules are used to operate ticket sales, prevent fraud and protect event safety. They do not involve credit scoring, behavioural advertising, financial profiling or automated prediction of personal characteristics.
If you believe a block was applied incorrectly, contact [email protected]. A staff member will review the case manually.
8. Event-ban list
KEL5 may maintain a limited event-ban list for event safety, fraud prevention, rule enforcement, harassment prevention, abuse prevention, chargeback handling and protection of attendees, staff, players, partners and the venue.
The event-ban list may contain:
- osu! user ID;
- osu! username;
- internal reason or category;
- date added;
- staff account responsible;
- review notes;
- expiry or review date, where applicable;
- limited supporting information where necessary to justify the ban.
The ban list is not public. It is not used for marketing. Access is limited to authorised staff who need it for ticketing, support, entry control, event safety or legal handling.
A person who believes they were incorrectly blocked may contact [email protected] and request manual review.
9. Staff access
Access to personal data is limited to authorised staff and service providers who need the data for their role.
Depending on role, authorised staff may access data for:
- ticket support;
- payment/refund support;
- event check-in;
- event safety;
- website maintenance;
- fraud or abuse investigation;
- legal or accounting handling.
Staff access may be logged where appropriate. Staff should not access, copy, export or share personal data unless needed for authorised event operations.
10. Service providers and recipients
Personal data may be shared with or processed by:
- osu!, for verified account authentication;
- Stripe, for checkout, payment and refund processing;
- hosting and infrastructure providers;
- email providers;
- security and anti-abuse providers;
- accounting, legal or professional advisers;
- authorised KEL5 event staff;
- venue or security personnel where necessary for event safety, entry enforcement or incident handling.
Information may also be disclosed where required by law, public authorities, courts, payment disputes, fraud investigations, chargebacks or legal claims.
11. International transfers
Some providers, including Stripe and osu!, may process data outside the European Economic Area.
Where personal data is transferred outside the EEA, such transfers are handled using applicable data-protection mechanisms, such as:
- adequacy decisions;
- Standard Contractual Clauses;
- provider transfer safeguards;
- equivalent lawful transfer mechanisms where applicable.
Please also read the Stripe and osu! privacy policies for information about their own processing.
12. Retention periods
We keep personal data only for as long as necessary for the purpose for which it was collected, unless a longer period is required or justified by law, accounting, tax, disputes, fraud prevention, chargebacks, event safety or legal claims.
The standard retention rules are as follows.
12.1 Temporary OAuth/session and checkout data
OAuth state, CSRF data, temporary session data and incomplete checkout data are kept only as long as needed to complete authentication, protect the session, secure checkout or troubleshoot failed checkout.
Where possible, this data is deleted or expires automatically after a short operational period.
12.2 Abandoned or unpaid orders
Abandoned, expired or unpaid checkout records may be kept for a short operational period for troubleshooting, abuse prevention and fraud prevention, unless they are needed for a dispute, security incident or legal claim.
12.3 Ticket/order/payment records
Ticket records, accepted Terms/Event Rules/Privacy versions, osu! account-linking data, Stripe payment identifiers, refund identifiers and order-status records are kept for as long as necessary to handle the order, refunds, chargebacks, complaints, accounting, tax obligations and legal claims.
Where accounting or tax rules require longer retention, those rules apply.
12.4 Check-in records
Check-in records are kept for event-entry verification, anti-fraud, dispute handling and safety review. After the event, detailed check-in data is kept only for as long as necessary for those purposes, unless needed for a dispute, safety issue, chargeback or legal claim.
Aggregated attendance statistics may be kept without identifying individual attendees.
12.5 Guardian approval records
Guardian approval records for attendees aged 16 or 17 are kept for as long as necessary to verify eligibility, handle event safety matters, resolve disputes and protect legal claims.
Where no dispute, safety issue or legal need exists, these records should be deleted or reduced after they are no longer needed for event operations.
12.6 Support, complaints and incident correspondence
Support, complaint and incident correspondence is kept for as long as needed to resolve the request and keep an appropriate record of the case. It may be retained longer where needed for accounting, refund, chargeback, dispute, safety, fraud-prevention or legal-claim purposes.
12.7 Security logs
Security, rate-limit and website logs are kept for the shortest operational period appropriate to their purpose. Logs may be kept longer where needed to investigate abuse, fraud, security incidents, chargebacks or legal claims.
12.8 Event-ban records
Event-ban records are kept only for as long as necessary for event safety, rule enforcement, fraud prevention, abuse prevention or legal protection.
Ban records should be reviewed periodically. Where a ban no longer has a valid operational or legal reason, the record should be deleted, anonymised or reduced.
12.9 Provider-held data
Data held by Stripe, osu!, hosting providers or other service providers follows each provider’s own retention policy.
13. Cookies and similar technologies
KEL5 uses the `kel5_session` cookie when you use ticket purchase, protected staff pages or other features that need a server session. It is an essential, session-only cookie used for:
- osu! OAuth state;
- authentication;
- checkout security;
- session management;
- CSRF protection;
- staff panel security.
This cookie is necessary for the website and ticketing system to work securely. It is not used for advertising, profiling or cross-site tracking.
KEL5 does not load optional analytics, advertising or remarketing cookies on public pages. When enabled by the organisers, the Twitch player loads in the stream section and Twitch may process cookies or similar technologies under its own notice. Stripe Checkout and osu! authentication are opened only when you request a payment or login; those providers process their own cookies and similar technologies under their own notices.
If optional analytics, advertising, remarketing or other non-essential technologies are introduced later, this policy will be updated and consent will be requested where required before they are used.
14. Event photography, recording and livestreaming
KEL5 may be photographed, recorded and livestreamed.
Because KEL5 is a public LAN event, attendees may appear incidentally in:
- crowd shots;
- venue photos;
- livestream footage;
- stage or match coverage;
- background footage;
- event recap materials.
This type of limited event coverage may be processed on the basis of the organiser’s legitimate interests in documenting, streaming and promoting the event.
Where practical, KEL5 will consider reasonable media-related requests. However, because the event may be livestreamed and recorded in public areas, KEL5 cannot guarantee removal from all live, crowd or background footage.
Specific media concerns may be sent to [email protected] or raised with staff during the event.
For posed photos, interviews or clearly promotional close-up media use, KEL5 may ask for separate permission where appropriate.
15. Minors
KEL5 is a 16+ event.
Attendees aged 16 or 17 may attend only with permission from a parent or legal guardian. Personal data connected with guardian approval may be processed where necessary for event eligibility, safety, venue compliance or legal protection.
A parent or legal guardian may contact [email protected] regarding privacy requests for a minor where they are legally authorised to act on the minor’s behalf.
Ticket purchase and attendance rules for minors are described in the Terms of Sale and Event Rules.
16. Data security
KEL5 uses organisational and technical measures intended to protect personal data against unauthorised access, loss, misuse, alteration or disclosure.
These measures may include:
- access controls;
- role-based staff access;
- protected staff pages;
- secure authentication;
- CSRF protection;
- rate limiting;
- server logging;
- payment processing through Stripe;
- limited access to ticketing and check-in tools.
No online system can be guaranteed to be completely secure, but KEL5 aims to keep personal data access limited, purposeful and proportionate.
17. Your rights
Depending on the circumstances, you may have the right to request:
- access to your personal data;
- correction of inaccurate data;
- deletion of data;
- restriction of processing;
- portability of data;
- objection to processing based on legitimate interests;
- withdrawal of consent, where processing is based on consent.
These rights are not absolute. KEL5 may need to continue processing or retaining certain data where required for:
- ticket performance;
- event safety;
- fraud prevention;
- accounting or tax obligations;
- refunds;
- chargebacks;
- complaints;
- disputes;
- legal obligations;
- legal claims.
We may ask for information reasonably needed to verify the requester before acting on a privacy request.
18. Right to object
Where we process data on the basis of legitimate interests, you may object to that processing.
If you object, we will review the request. We may continue processing where we have compelling legitimate grounds, including event safety, fraud prevention, abuse prevention, legal obligations, disputes, chargebacks or legal claims.
19. Complaints to a supervisory authority
You may complain to the Polish supervisory authority:
President of the Personal Data Protection OfficePrezes Urzędu Ochrony Danych Osobowych — UODO
You may also contact another competent data-protection authority if applicable.
20. Contact
Privacy requests may be sent to:
We aim to respond without undue delay and within the period required by applicable law.
21. Changes to this policy
This Privacy Policy may be updated when the ticketing process, providers, legal details, event operations, cookies, analytics, media use or legal requirements change.
Each ticket record may retain the version of the Terms of Sale, Event Rules and Privacy Policy accepted when the order was submitted.