Data Privacy Notice

Last Updated: 6/12/2026

1. Who We Are

We are ONELIVE, LLC (“ONELIVE,” “we,” “us”), registered EIN 35-2769683, with a registered address at 4101 Smith School Rd, Building 3, Suite 300, Austin, TX 78744. Our Data Protection Lead can be contacted at legal@onelive.com. “Data Protection Lead” is the title given to the member of staff leading our data protection compliance program in lieu of a statutory requirement for a Data Protection Officer.

We have produced this notice to explain how ONELIVE handles personal data when ONELIVE acts as a controller — that is, when ONELIVE determines the purposes and means of processing. We handle personal data in compliance with applicable data protection laws, including the EU General Data Protection Regulation (EU) 2016/679 (“EU GDPR”), the UK GDPR and the UK Data Protection Act 2018, Swiss data protection law, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other applicable U.S. state privacy laws. Capitalized terms such as “Personal Data,” “controller,” “processor,” “data subject,” and “process” have the meanings given in those laws.

2. How This Notice Relates to Our Customer Services and the DPA

ONELIVE provides ecommerce technology, software applications, and fulfillment services to business customers in the music, sports, entertainment, and creator industries. When we deliver those services, we process personal data about consumers and fans on behalf of, and under the instructions of, our business customer. In that context our customer (or the artist, athlete, team, label, venue, or other rights holder it represents) is the controller, and ONELIVE acts as a processor (or sub-processor). That processing is governed by our Data Processing Agreement and by the controller’s own privacy notice — not by this notice.

This notice applies where ONELIVE is the controller of personal data, which includes: (a) Account Information for the users who create, access, and administer ONELIVE or Platform accounts we manage; (b) personal data of visitors to our own websites; (c) personal data of business contacts and prospects; and (d) personal data of individuals who contact us directly. If you are a consumer or fan and your question concerns an order, membership, or storefront operated for one of our customers, please contact that customer (the controller); we will help route your request as described in Section 9.

3. When Is ONELIVE the Controller, and When the Processor?

Our role depends on the activity. This table summarizes the distinction the DPA sets out in detail.

Activity | ONELIVE's Role | Governing Document
Account creation, access, and administration of ONELIVE / Platform accounts (Account Information) | Controller | This notice
Our own website visitors, marketing to business contacts, sales prospects, support enquiries | Controller | This notice
Consumer / fan data processed through customer storefronts, memberships, and applications we build or operate | Processor / Sub-processor | The DPA + the customer’s privacy notice
Financial, payment, and tax processing where ONELIVE is merchant of record | As set out in a separate DPA | Governed by a separate DPA

4. Your Rights

Depending on where you live, your rights may include:

  • The right to be informed about how your personal data is used (through this notice);

  • The right to access the personal data we hold about you;

  • The right to rectify inaccurate or incomplete personal data;

  • The right to erasure (“the right to be forgotten”), where no overriding lawful basis to retain the data applies;

  • The right to restrict or object to processing, including processing for direct marketing;

  • The right to data portability;

  • The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects; and

  • For California and other U.S. state residents: the rights to know, delete, correct, and opt out of the “sale” or “sharing” of personal information, and the right not to be discriminated against for exercising these rights.

To exercise any of these rights, email legal@onelive.com or use our Personal Data Request form. We will verify your identity using the contact details associated with your record, and will respond within the timeframe required by applicable law (generally one month under GDPR / 45 days under CCPA/CPRA, extendable where permitted). Where a request is manifestly unfounded or excessive, we may charge a reasonable fee or decline, and will tell you why.

5. Lawful Basis for Processing

Where the GDPR or UK GDPR applies, we rely on one or more of the following lawful bases under Article 6(1):

  1. Your consent;

  2. Performance of a contract with you;

  3. Compliance with a legal obligation;

  4. Protection of your or another person’s vital interests;

  5. A task carried out in the public interest or in the exercise of official authority; and

  6. Our legitimate interests (balanced against your rights and freedoms by our Data Protection Lead).

To learn more about our legitimate-interests balancing, contact legal@onelive.com.

6. The Personal Data We Process (as Controller)

We may collect, use, store, and transfer the following categories of personal data:

  • Identity Data — names, usernames, title, date of birth, and similar.

  • Contact Data — postal addresses, email addresses, and telephone numbers.

  • Account Information — usernames, login credentials, permission levels, and billing contact information associated with a ONELIVE account or a Platform account we administer.

  • Financial Data — limited payment-related information. We do not collect or store full payment-card data; card payments are handled by the Platforms’ payment processors.

  • Transaction Data — information about payments and details of purchases.

  • Technical Data — IP addresses, device and browser information, time zone, operating system, and similar online identifiers. These are personal data and are treated as such.

  • Profile Data — preferences, interests, feedback, and survey or message responses.

  • Usage Data — analytics about how you use our websites.

  • Marketing and Communications Data — your preferences for receiving communications from us.

We also use Aggregated Data (statistical or demographic data that cannot identify you). Consistent with the DPA, aggregated or anonymized data derived from personal data is not treated as personal data unless it is combined so as to become identifiable again. ONELIVE does not request or require special categories of personal data, and does not process information about criminal convictions or offences.

7. Why We Process Your Data

Purpose | Involvement & Lawful Basis | Source
Account administration | Creating, securing, and administering ONELIVE and Platform accounts for our business customers and their authorized users. Lawful basis: performance of a contract and our legitimate interests. | Directly from the account holder.
Direct marketing (business contacts) | Sending business-to-business marketing about our services to current and prospective business customers, subject to opt-out. We use standard CRM segmentation for our own outreach. Lawful basis: our legitimate interests (and consent where required). | From you, your organization, or business sources.
Customer services | Handling enquiries, complaints, and support requests, and taking any resulting action. Lawful basis: performance of a contract and our legitimate interests. | Directly from you at the time of enquiry.
Website operation & analytics | Operating and improving our own websites and understanding how they are used. Lawful basis: our legitimate interests and, for non-essential cookies, your consent. | Collected automatically via your device.

8. Profiling and Automated Decision-Making

ONELIVE does not carry out profiling or solely automated decision-making that produces legal or similarly significant effects about consumers or fans. For our own business-to-business marketing, we use customer-relationship-management tools that segment business contacts (for example, by industry or engagement) to make our outreach relevant. This activity does not make automated decisions that significantly affect individuals. You can object to our marketing at any time by contacting legal@onelive.com or using any unsubscribe link.

9. How Long We Keep Your Data

We keep personal data only as long as necessary for the purpose for which it was collected, after which we delete or anonymize it. In general:

  • Where we process data under legitimate interests, we retain it for as long as that interest remains active, and we review our legitimate interests at least every twelve (12) months.

  • Where data is processed to perform or enforce a contract, we retain it for the period necessary for that purpose and to exercise or defend legal claims (generally the applicable statute-of-limitations period, e.g. four years for written contracts under Texas law).

  • Where ONELIVE processes data as a processor on a customer’s behalf, retention follows the DPA and the customer’s instructions; on termination, the deletion and return provisions of the DPA apply.

10. Requests About Data We Process for a Customer

If your request concerns personal data that ONELIVE processes on behalf of a business customer (for example, your order or membership with a storefront we operate), the customer is the controller and is responsible for deciding how to respond. Please direct your request to that customer. If you contact us instead, we will forward your request to the relevant customer, normally within three to five business days, and may ask you to complete our Personal Data Request form so the customer has what it needs to respond.

11. Cookies

Our websites use cookies and similar technologies. Some are essential to operate the site; others help us understand usage and remember your preferences. Some cookies and identifiers (including IP addresses) are personal data. You can control non-essential cookies through your browser settings or our cookie banner; blocking all cookies may affect site functionality. For details, see our Cookie Policy.

12. Who Receives Your Data, and International Transfers

We share personal data with the categories of recipients listed below and with the service providers in our list of data processors. Because ONELIVE and its providers operate in the United States and elsewhere, your personal data may be transferred outside your country, including outside the EEA, the UK, and Switzerland.

Where we transfer personal data subject to the EU GDPR, UK GDPR, or Swiss law to a country without an adequacy decision, we rely on appropriate safeguards: the European Commission’s Standard Contractual Clauses for EU transfers, the UK International Data Transfer Addendum issued by the Information Commissioner’s Office for UK transfers, and the equivalent Swiss adaptations for transfers subject to Swiss law. ONELIVE does not currently rely on the EU–U.S. Data Privacy Framework; if that changes, we will update this notice.

Other controllers we work with

Category | Relationship
Business customer (client controllers) | We process consumer/fan data on their behalf as processor; they are the controller.
Ticketing partners | Where we facilitate ticketing, your data may be shared with the ticketing provider; we tell you at the point of sale.
Postal / courier providers | For order fulfilment; depending on the arrangement they may act as controller or processor.
Payment service providers | Card payments are processed by these providers so you do not disclose full card data to us. See their own privacy notices.
Regulatory authorities | Where reporting is legally required.

Our processors

We use service providers — including web hosting, internal business software, and marketing-technology providers, and the ecommerce Platforms (Shopify and BigCommerce) — to deliver our services. Our current list of processors identifies them and the safeguards in place. Providers located in the United States are bound by the appropriate transfer mechanism described above.

13. Children’s Data

Our websites and our own services are directed to businesses and adults, and are not intended for children. We do not knowingly collect, solicit, or market to children under 18 years of age, and we do not knowingly sell or share the personal data of anyone under 18. By using our services, you represent that you are at least 18, or that you are the parent or guardian of a minor and consent to that minor’s use of the services. If we learn that we have collected personal data from a person under 18 in a context where ONELIVE is the controller, we will deactivate the associated account and take reasonable steps to delete that data promptly. If you believe we may hold data relating to a child, please contact legal@onelive.com. Where ONELIVE processes consumer or fan data on behalf of a business customer, the customer (as controller) is responsible for age-related compliance for its storefront, and the DPA governs that processing.

14. Do-Not-Track and Opt-Out Preference Signals

Most browsers and some operating systems offer a “Do-Not-Track” (DNT) setting. Because there is still no finalized, uniform industry standard for DNT, we do not currently respond to DNT browser signals. California law requires us to disclose this.

We do not “sell” your personal information, and we do not “share” it for cross-context behavioral advertising, as those terms are defined under California and other U.S. state privacy laws. We do not engage in targeted advertising or retargeting on our own websites. Because there is no such sale or sharing to opt out of, no opt-out preference signal is required to be processed for that purpose; if our practices change in the future, we will update this notice and provide the opt-out mechanisms the law requires.

15. How to Complain

You can raise any concern with us directly at legal@onelive.com. You also have the right to complain to a supervisory authority: