Privacy Policy

1. Introduction

Welcome to Gig List. We are committed to protecting your privacy and ensuring transparency about how we collect, use, and safeguard your personal information. This Privacy Policy explains our practices regarding data collection, usage, and your rights under applicable privacy laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

By using Gig List, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.

2. Information We Collect

2.1 Account Information

• Name and email address (provided via authentication service)
• Profile image (optional, if you choose to upload one)
• Username (optional, customisable)
• Authentication identifiers (managed by Clerk authentication service)

2.2 Gig and Event Data

• Gig entries including artists, venues, dates, and locations
• Personal notes and ratings for your gigs
• Images uploaded for your gigs
• Import notes and metadata

2.3 Social Interaction Data

• Follow relationships and follow requests
• Blocked users
• Likes on gigs, artists, and venues
• Wishlist items (artists, venues, or events you want to attend)

2.4 Usage Data

• Artist selection history (for improving autocomplete suggestions)
• User interface preferences (table sorting, filtering, column widths)
• Privacy settings (discoverability, data visibility, leaderboard preferences)

2.5 Technical Data

• Authentication tokens (managed securely by Clerk)
• Rate limiting data (to prevent abuse and ensure service stability)
• Server logs (for debugging and security purposes)

3. How We Use Your Information

• Service Provision: To provide, maintain, and improve our service, including gig tracking, social features, and data visualisation
• Social Features: To enable following, sharing, and interaction with other users based on your privacy settings
• User Experience: To personalise your experience, provide intelligent suggestions, and remember your preferences
• Security: To protect against fraud, abuse, and unauthorised access through rate limiting and authentication
• Communication: To respond to your inquiries and provide customer support
• Legal Compliance: To comply with applicable laws, regulations, and legal processes

4. Third-Party Services

We use the following third-party services to provide our platform. Each service has its own privacy policy, and we encourage you to review them:

4.1 Clerk

We use Clerk for authentication and user management. Clerk processes your authentication credentials and manages user sessions. For more information, please review Clerk's Privacy Policy.

4.2 Convex

We use Convex as our backend database and file storage provider. All your data is stored securely on Convex infrastructure. For more information, please review Convex's Privacy Policy.

4.3 Google Gemini API

We use Google's Gemini API for AI-assisted features such as bulk enrichment of gig data. When you use these features, your data may be processed by Google. For more information, please review Google's Privacy Policy.

4.4 Clashfinder

We optionally integrate with Clashfinder for festival data. This integration is only used if you provide Clashfinder credentials. For more information, please review Clashfinder's terms.

5. Data Sharing and Disclosure

5.1 User-Controlled Sharing

You have full control over who can see your data through privacy settings:

• Public: Your gig data is visible to all users
• Friends Only: Your gig data is visible only to users you follow
• Private: Your gig data is visible only to you

You can also control your discoverability (whether others can find you by username) and leaderboard visibility independently.

5.2 No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5.3 Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Your Rights (GDPR and CCPA)

Depending on your location, you have the following rights regarding your personal data:

6.1 Right to Access

You have the right to access your personal data. You can export all your gig data at any time using the Data Export feature in Settings, which provides a complete JSON download of your gig entries.

6.2 Right to Deletion

You have the right to request deletion of your personal data. To delete your account and all associated data, please contact us using the information provided in the Contact section below. We will process your request within 30 days, subject to legal retention requirements.

6.3 Right to Rectification

You can update your profile information, username, and gig data at any time through the Settings page and individual gig pages. You can also correct any inaccuracies in your data directly within the application.

6.4 Right to Data Portability

You have the right to receive your data in a structured, commonly used format. The Data Export feature in Settings allows you to download your gig data in JSON format at any time.

6.5 Right to Object and Opt-Out

You can control how your data is shared through privacy settings:

• Disable discoverability to prevent others from finding you
• Set gig data visibility to private, friends only, or public
• Require approval for follow requests
• Opt out of appearing on public leaderboards

6.6 Right to Withdraw Consent

You can withdraw your consent for data processing at any time by adjusting your privacy settings or by deleting your account. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

6.7 California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the CCPA:

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information held by us
• Right to opt-out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your privacy rights

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with our services. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal, regulatory, or legitimate business purposes.

Backup copies of data may be retained for a limited period for disaster recovery purposes, but will be deleted in accordance with our retention schedule.

8. Security Measures

We implement appropriate technical and organisational measures to protect your personal data:

• Encryption: Data is encrypted in transit using HTTPS/TLS and at rest using industry-standard encryption
• Authentication: Secure authentication is managed by Clerk, using industry-standard protocols
• Rate Limiting: We implement rate limiting to prevent abuse and protect against unauthorised access
• Secure Storage: File storage is handled securely through Convex's infrastructure
• Access Controls: Access to your data is restricted based on your privacy settings and authentication status

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining industry-standard security practices.

9. Children's Privacy

Gig List is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately, and we will delete such information from our systems.

If you are between the ages of 13 and 18, you must have your parent's or guardian's permission to use Gig List. By using our service, you represent that you are at least 13 years old or have obtained parental consent.

10. International Data Transfers

Your data may be stored and processed on servers located outside your country of residence. Our service providers (Clerk and Convex) may transfer data to servers in various locations as part of their global infrastructure.

When we transfer your data internationally, we ensure appropriate safeguards are in place, including:

• Standard contractual clauses approved by relevant data protection authorities
• Compliance with applicable data protection laws
• Security measures to protect data during transfer

11. Cookies and Tracking

We use the following types of cookies and similar technologies:

11.1 Authentication Cookies

Clerk uses authentication cookies to maintain your login session. These cookies are essential for the service to function and cannot be disabled.

11.2 No Third-Party Advertising

We do not use third-party advertising cookies or tracking pixels. We do not share your data with advertising networks.

11.3 Analytics

We may collect basic usage analytics to improve our service. This data is anonymised and aggregated and does not identify individual users.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by:

• Posting the updated policy on this page with a new "Last Updated" date
• Displaying a notice in the application for significant changes
• Sending an email notification if the changes materially affect your rights (if we have your email address)

Your continued use of Gig List after any changes to this Privacy Policy constitutes your acceptance of the updated policy. We encourage you to review this page periodically to stay informed about how we protect your information.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: privacy@gig-list.live
• Website: https://gig-list.live

For users in the European Economic Area (EEA), you also have the right to lodge a complaint with your local data protection authority if you believe we have not addressed your concerns adequately.