PRIVACY POLICY
BLACK MIRROR EXPERIENCE – NEW YORK

Venue Experiences S.L. | Ticket purchases, event attendance, and related services

This Privacy Notice explains how Venue Experiences S.L. processes personal data in connection with the purchase of tickets and attendance at the Black Mirror Experience taking place at The Shed in New York City (the “Event”).

This notice should be read in conjunction with the Ticket Purchase Terms, Event Admission Terms, applicable venue rules, the cookie notice, and any separate consent notices provided before the virtual reality experience begins.

Important Note Regarding Biometric and AI-Based Features

The Event is intended for participants aged 13 and older and may include a standalone virtual reality experience that uses AI-based features, including facial image processing, voice recording, 3D avatar creation, and/or voice cloning. Such activities are not governed by this Privacy Notice regarding ticket sales, unless expressly stated otherwise. Prior to the start of the experience, participants will be provided with a separate privacy notice and, where necessary, a separate consent form for biometric data and AI-based features.

1. Who is responsible for your personal data?

Data Controller: Venue Experiences S.L.

VAT Number: ES B70702196

Registered office: Las Mercedes 25, 4º, 48930 Getxo, Bizkaia, Spain

Privacy contact: privacidad@letsgocompany.com / info@letsgocompany.com

Venue Experiences S.L. is the data controller for personal data related to ticket purchases, ticket issuance and management, operational communications, event access, customer service, event reporting, and regulatory compliance.

2. Who else is involved?

Leap Event Technology

Nortap Technology Inc., operating under the trade name Leap Event Technology (“Leap”), provides the ticketing platform for the Event. In connection with the purchase, issuance, delivery, and validation of tickets, as well as customer service, operational communications, and reporting carried out on our behalf, Leap acts as our data processor and processes personal data in accordance with our documented instructions.

Leap may also process certain personal data as an independent controller for its own legal, tax, accounting, payment, platform security, fraud prevention, regulatory compliance, litigation management, and platform integrity purposes. These independent processing activities are described in Leap’s own Privacy Policy: https://leapevents.com/privacy-policy/.

The Shed

The Event takes place at The Shed, 545 West 30th Street, New York, NY 10001. Limited data regarding tickets and access may be provided to The Shed when necessary for access control, capacity and attendee flow management, security, and the operational management of the Event. The Shed acts as an independent controller for its own processing activities related to the venue, as described in its own privacy notice: https://www.theshed.org/privacy-policy.

Payment Providers

Payments may be processed through third-party payment providers, including Stripe and/or other providers designated by Leap. Venue Experiences S.L. does not request or store full card numbers, CVV codes, or complete payment credentials for ticket purchases. Payment providers may process payment data in accordance with their own terms and privacy notices.

3. Scope of this Privacy Notice

This Privacy Notice applies to personal data processed for:

• the purchase of tickets online and, where applicable, at the box office;
• the issuance, delivery, modification, exchange, validation, and management of access to tickets;
• customer service, claims, complaints, and operational communications;
• reporting, reconciliation, and event administration;
• security, fraud prevention, and legal compliance; and
• marketing communications from Venue Experiences S.L., only if you have given your consent.

This Privacy Notice does not replace the privacy notices of Leap, The Shed, or payment providers, nor does it replace the separate privacy and consent information provided for biometric data and AI-based features before the virtual reality experience begins.

4. What personal data do we process?

Identification and contact information: First name, last name, email address, phone number, billing information (if provided), and language preference.

Ticket sales and purchase data: Order reference, ticket ID, ticket type, number of tickets, session or time slot, date and time of purchase, price, fees, order status, changes, refunds, cancellations, issues, and complaints.

Limited payment-related data: Payment confirmation, payment ID, transaction status, the last four digits of the card, if available. Venue Experiences S.L. does not process the full card number, CVV, or complete payment credentials for ticket purchases.

Attendance and validation data: Ticket validation status, scanner/check-in status, date and time of entry or check-in, information regarding attendance at the event.

Attendance and communications data: Customer service inquiries, complaints, claim records, responses, operational communications, and related correspondence.

Marketing preferences: Subscription or unsubscription status, date, time, and method of consent or withdrawal, opt-out lists, communication preferences.

Technical and security data: IP address, device and browser information, logs, security events, fraud prevention signals, and strictly necessary or functional cookies.

Within the scope of this Privacy Notice, regarding ticket purchases, access management, and related processing, we do not process special categories of data as defined in Article 9 of the GDPR. The processing of facial images, voice recordings, 3D avatars, or voice cloning that may occur within the context of the virtual reality experience falls outside the scope of this Notice and will be governed by a separate notice and, where applicable, by the specific consent to be provided prior to the start of the experience.

Is it mandatory to provide your personal data?

Providing your identification, contact, and payment information is a necessary requirement for entering into the ticket purchase agreement and for managing your access to the Event. If you do not provide this information, it will not be possible to process the ticket purchase, issue the ticket, deliver it, or manage your access to the Event. Providing data for marketing communications is voluntary and does not condition the purchase of the ticket or access to the Event.

5. Why do we process your personal data, what is the legal basis, and how long do we retain it?

We will process your personal data solely for the purposes indicated below and for as long as necessary to fulfill each of them. Once processing is complete, the data may be retained in a locked format for the applicable statute of limitations periods to address potential legal, tax, accounting, or contractual liabilities or claims.

When the legal basis for processing is legitimate interest (Art. 6.1.f) GDPR), the specific legitimate interests pursued by Venue Experiences S.L. are, depending on the purpose: (i) to ensure the proper operational management of the Event and effective communication with attendees; (ii) to ensure safe, orderly access in accordance with the terms of the tickets; (iii) to protect the ticket sales platform, the Event, and attendees against fraud, misuse, and security threats; (iv) to address and defend against claims, incidents, and disputes; and (v) to evaluate, analyze, and improve the organization and performance of the Event, preferably using aggregated or anonymized data.

6. Marketing Communications

We will only send you marketing communications from Venue Experiences S.L. if you have provided separate, optional, and non-default consent. You may unsubscribe or withdraw your consent at any time by using the unsubscribe link included in every marketing email or by contacting us at

Any marketing communications from The Shed or Leap must be based on their own separate consent or other legal basis, and will be governed by their own privacy notices. Consent granted to Venue Experiences S.L. for its marketing will not be used by The Shed or Leap for their own marketing.

7. With whom do we share personal data?

We may disclose personal data to the following recipients when necessary for the purposes described above:

• Leap Event Technology: as the provider of the ticketing platform and the data processor for ticket sales, validation, support, operational communications, and reporting;
• Vendors: payment providers, including Stripe and/or other vendors designated by Leap, for payment processing and payment-related regulatory compliance; technology, hosting, security, analytics, support, and customer service providers acting on our behalf;
• The Shed: limited to ticket and access data necessary for access control, capacity and attendee flow management, security, and operational management of the Event;
• Partners: event partners, the intellectual property owner, and professional advisors when necessary for reporting, administration, auditing, or for legal or financial purposes related to the event, preferably in aggregated or anonymized form whenever possible;
• Public Authorities: courts, regulatory bodies, or law enforcement agencies when required by law or necessary to protect our rights or the safety of attendees.

The data made available to The Shed will be limited to what is necessary for the operation of the venue, such as name, ticket ID, order reference, ticket type, session or time slot, validation status, and check-in time, where applicable.

8. Processing and International Transfers

The Event takes place in New York, and the ticketing platform is provided by a U.S.-based vendor. Your personal data will be collected through Leap in the United States and processed in the United States, as well as accessed, received, and further processed by Venue Experiences S.L. in Spain or the European Economic Area.

When personal data is transferred from Spain or the European Economic Area to recipients in the United States or made available to U.S.-based providers in a manner subject to Chapter V of the GDPR, we will rely on appropriate safeguards or transfer mechanisms, such as the EU-U.S. Data Privacy Framework, when the recipient is certified and the relevant processing is covered, and/or the European Commission’s Standard Contractual Clauses, together with any supplementary measures required by applicable law.

You may contact us at for more information about the applicable transfer mechanism.

9. Cookies and Similar Technologies

The ticket purchase process may use cookies and similar technologies that are strictly necessary for the platform’s operation, security maintenance, purchase processing, and ticket validation. Analytics, advertising, or marketing cookies, pixels, or similar technologies will be used solely in accordance with the applicable cookie notice and consent/preference mechanism.

If any use of cookies or similar technologies could constitute a sale, exchange, targeted advertising, or similar activity under applicable U.S. state privacy laws, you will be offered the relevant opt-out or privacy choice mechanism when necessary.

10. Automated Decision-Making

We do not use ticket purchase data to make decisions based solely on automated processing that produce legal effects or similarly significant effects affecting you. Security and fraud prevention tools may flag transactions or activities for review in order to protect the ticket sales process and the Event.

11. Security

We implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. We also require our data processors to implement appropriate security measures. Since the Event takes place in New York and certain vendors are located in the United States, we will cooperate with the relevant parties to comply with applicable data breach and security notification obligations, including U.S. state requirements where applicable.

12. Your Rights

Subject to the conditions and limitations set forth in applicable law, you may exercise the following rights:

• Access your personal data;
• Rectify inaccurate or incomplete personal data;
• Request the erasure of your personal data;
• Request the restriction of processing;
• Object to processing based on legitimate interests;
• Request the portability of the data you have provided to us, where applicable;
• Withdraw consent at any time, when processing is based on consent, without this affecting the lawfulness of processing prior to withdrawal.

You may exercise your rights by contacting us at . We may need to verify your identity before responding to your request.

You also have the right to file a complaint with the Spanish Data Protection Agency at www.aepd.es. Depending on your state of residence in the United States, you may also have additional privacy rights under applicable U.S. state privacy laws.

13. Changes to This Privacy Notice

We may update this Privacy Notice from time to time. The latest version will be available through the ticket purchase process and/or on the event website. If we make material changes, we will provide appropriate notice when required by law.

14. Related notices and policies

• Ticket Purchase Terms and Conditions: https://nyc.theblackmirrorexperience.com/?page_id=651
• Event admission terms and venue rules: https://nyc.theblackmirrorexperience.com/?page_id=3 
• Leap Event Technology Privacy Policy: https://leapevents.com/privacy-policy/
• Leap Event Technology Terms of Service: https://leapevents.com/terms-and-conditions/
• The Shed Privacy Notice: https://www.theshed.org/privacy-policy
• Cookie Notice / Privacy Options: https://nyc.theblackmirrorexperience.com/?page_id=653
  https://nyc.theblackmirrorexperience.com/?page_id=646
• Separate privacy notice form for biometric and AI-based features: https://www.univr.se/legal/privacy-policy

Last updated: May 26, 2026