BandGigz

Privacy Policy

Last updated: June 6, 2026  ·  Effective: April 15, 2026

Your privacy matters to us. This Privacy Policy explains what information BandGigz collects, how we use it, how we protect it, and your rights regarding it. By using BandGigz, you agree to the practices described in this policy.

Contents

  1. Who We Are
  2. Information We Collect
  3. How We Use Your Information
  4. How We Share Your Information
  5. Payment Information
  6. Data Storage, Security, and Breach Notification
  7. Account Deletion and Data Retention
  8. Your Rights and Communication Preferences
  9. California Residents (CCPA)
  10. European Economic Area and United Kingdom Residents (GDPR)
  11. International Users
  12. Cookies, Tracking, and Do Not Track
  13. Children's Privacy
  14. Governing Law
  15. Changes to This Policy
  16. Legal Notices
  17. General Contact

1. Who We Are

BandGigz is operated by BandGigz LLC, an Arkansas limited liability company. References to "BandGigz," "we," "us," or "our" in this policy refer to BandGigz LLC.

Our platform is accessible at bandgigz.com and connects live music venues with performing artists.

2. Information We Collect

Information you provide directly

Information collected automatically

We do not currently run any third-party analytics, advertising pixels, or behavior-tracking services on BandGigz. We do not track you across other websites.

3. How We Use Your Information

We use the information we collect to:

We do not, and will not, sell or rent personal information to third parties. We do not use your information for behavioral advertising, and we do not allow third-party advertisers to track you through our platform.

Payment processing. A subset of your information (name, email, and — where you are an artist receiving payouts — identity and tax information required by Stripe) is used to facilitate in-platform payments and payouts through Stripe Connect. Stripe collects and processes payment and banking information directly; BandGigz does not see, store, or have access to that information. See Section 5 for details.

4. How We Share Your Information

We share your information only in the circumstances described below. We do not sell or rent personal information under any circumstance.

With other users of the platform

Your public profile information — name or act name, photo, bio, genre, act size, location, ratings, and written reviews — is visible to all registered users. Reviews are displayed anonymously on public profiles (attributed as "Verified Artist" or "Verified Venue"), though we retain internal records of which user submitted each review for moderation and fraud prevention. Your email address and phone number are never displayed publicly on the platform, though limited contact information may become visible to a confirmed booking partner for coordination purposes.

With service providers (sub-processors)

We share your information with the following service providers strictly to the extent necessary for them to provide services to BandGigz:

For legal reasons

We may disclose your information if required by law, court order, subpoena, or government authority, or if we believe in good faith that disclosure is reasonably necessary to (a) comply with legal process, (b) protect the rights, property, or safety of BandGigz, our users, or others, (c) detect, prevent, or address fraud, security, or technical issues, or (d) enforce our Terms of Service.

Business transfers

If BandGigz is acquired, merges with another company, or transfers substantially all of its assets, your information may be transferred as part of that transaction. We will notify you and provide choices regarding your information to the extent required by applicable law.

5. Payment Information

BandGigz processes booking payments through Stripe Connect, operated by Stripe, Inc. Payment information — card details from venues funding bookings, and bank account, routing, identity, and tax information from artists onboarding to receive payouts — is entered directly into Stripe's secure system. BandGigz does not store, see, or have access to bank account numbers, routing numbers, or card details. Stripe's handling of payment data is governed by Stripe's Privacy Policy.

BandGigz stores the following booking-related metadata, which is not the same as payment information: the booking amount, the platform fee associated with each booking, the Stripe processing fee retained on the venue's charge, the artist payout amount, the Stripe payment-intent identifier and transfer identifier for each booking, payout status, and timestamps for funding, release, and refund events. This metadata is necessary to operate the platform, present financial history to users, support dispute resolution, and meet tax and accounting obligations.

6. Data Storage, Security, and Breach Notification

Your data is stored on Supabase's secure infrastructure, hosted in the United States. Supabase uses industry-standard encryption for data in transit (TLS) and at rest. Authentication is handled through Supabase Auth with secure password hashing and session management.

We take reasonable technical and organizational measures to protect your information from unauthorized access, loss, misuse, or alteration. However, no internet transmission or electronic storage system is completely secure, and we cannot guarantee the absolute security of your data.

Data breach notification. In the event of a data breach that affects your personal information, BandGigz will notify affected users by email as soon as reasonably possible after the incident is identified and assessed, and will comply with all applicable state and federal breach notification laws. Notifications will describe, to the extent known, the nature of the breach, the categories of information involved, steps BandGigz is taking in response, and recommended steps you can take to protect yourself.

If you believe your account has been compromised, please contact us immediately through the Help Center.

7. Account Deletion and Data Retention

How to delete your account. You may request deletion of your account at any time from your profile settings using the "Delete my account" option. Submitting the request begins a 72-hour grace period during which you may cancel the request from the same place. After the grace period ends, your account is automatically de-identified by a scheduled process and your login is permanently disabled.

Holds on finalization. Deletion is held until each of the following, if applicable, is resolved: funds held in escrow tied to your account; an open dispute or chargeback; and, for venue accounts, an active gig in finalization. We will notify you if such a hold applies and process the deletion once the hold clears.

Accounts under review. If your account is flagged or suspended pending review, self-service deletion is not available. You may contact support to request closure, and the request will be processed once the review is complete (within thirty (30) days of receipt, or within the time required by applicable law). This is to prevent deletion from being used to avoid a pending for-cause removal.

What deletion does. Upon finalization, we de-identify your profile, contact information, photos, and external links. Your login email is replaced with an internal sentinel address, which frees your original email address for future re-use. Past bookings, payments, payouts, reviews, and negotiation messages tied to completed transactions are retained but de-identified, referencing a "Removed user" placeholder rather than your name or contact information.

Retention after deletion. We retain different categories of information for different purposes, as set out below:

CategoryRetention periodPurpose
De-identified profile shell ("Removed user" placeholder)IndefiniteMaintains the integrity of historical bookings, payments, reviews, and dispute records that reference the account.
Recoverable identity snapshot (name, email, phone)Up to 7 yearsHeld in a separate internal archive for tax and accounting obligations, dispute and chargeback resolution, and trust-and-safety purposes. Permanently deleted after 7 years by a scheduled purge.
Completed business records (bookings, payments, payouts, reviews, negotiation messages on completed bookings, dispute and enforcement records)Retained per applicable legal, tax, accounting, and trust-and-safety obligationsSupports our legal and regulatory obligations. De-identified where reasonably possible.
Support messages submitted through the Help Center2 yearsRetained to administer and improve support, independent of account deletion.
SMS opt-in and opt-out recordsRetained as required by carrier and regulatory compliance (A2P 10DLC, CTIA)Required independent of account deletion to demonstrate consent.
For-cause identifier hashes (see "Removal for cause" below)Retained for as long as reasonably necessary to support trust-and-safety enforcementUsed to prevent re-registration following a for-cause removal.

The 7-year retention of the recoverable identity snapshot aligns with our retention of completed-booking records and with applicable U.S. recordkeeping requirements for business records.

Removal for cause. If we remove your account for violation of our Terms of Service, for fraud, or for safety or trust reasons (a "for-cause" removal), additional consequences apply. Cryptographic hashes of your normalized email address and phone number may be retained to support enforcement against the creation of new accounts under the same identity. For artist accounts, the associated Stripe Connect payout account is permanently disqualified from receiving payouts through the platform. These additional consequences are further described in Section 13 of our Terms of Service.

Re-registration after voluntary deletion. Voluntary self-service deletion does not record any hashed identifier from your account. You are free to create a new account using the same email address or phone number. This does not apply to accounts removed for cause.

GDPR, CCPA, and other privacy rights. Where applicable law affords you a right to erasure, deletion, or correction of your personal information, you may exercise that right as described above and in the Rights sections of this Policy. Our retention of de-identified data, hashed identifiers, SMS consent records, and completed business records following a deletion request is performed under the exceptions afforded by those laws, including for compliance with legal obligations, establishment or defense of legal claims, and detection and prevention of fraud, security incidents, and abuse of the platform.

8. Your Rights and Communication Preferences

Regardless of where you live, you have the following rights with respect to the personal information we hold about you:

To exercise any of these rights, contact us through the Help Center or at the legal notice address in Section 16. We will respond within thirty (30) days, or within the time required by applicable law.

SMS notifications and consent

How consent is obtained. No phone number is collected at signup, and signup does not opt you in to SMS notifications. After signup, if you want to receive SMS notifications, you can enroll from your account settings (Profile → Notifications). The enrollment flow asks for a US mobile number, sends a one-time verification code via Twilio Verify to confirm you control the number, and presents a separate consent checkbox containing the verbatim disclosure of what BandGigz SMS messages cover, message frequency, costs, opt-out instructions, and our mobile-information non-disclosure commitment. You must explicitly check this consent box before SMS notifications are enabled. The verbatim consent text is published at /sms-consent.html for reference. You may turn SMS notifications off at any time from the same Notifications section. You will not receive marketing or promotional SMS messages from BandGigz unless you opt in to them separately.

Message frequency and costs. Message frequency varies based on your activity on the platform. Message and data rates may apply depending on your mobile carrier and plan. BandGigz does not charge for SMS notifications themselves.

How to opt out. You can opt out of SMS notifications at any time by:

Opting out of SMS will not affect access to your account, but you may miss time-sensitive notifications that can only be delivered by text. Email notifications will continue.

How we handle your mobile information. BandGigz does not sell, rent, share, or otherwise disclose mobile phone numbers, SMS opt-in status, SMS consent records, or any other information collected as part of the SMS notification program to any third party or affiliate for marketing, promotional, or advertising purposes. Mobile information is shared only with the service providers strictly necessary to deliver the SMS notifications a user has opted into — currently Twilio, as identified in Section 4 — and only to the extent required to send those notifications. No third party receives your mobile information for their own marketing or promotional purposes. This commitment applies whether or not you have opted in to SMS notifications.

Email notifications

You may not opt out of transactional emails required to operate your account (such as booking confirmations, dispute notices, or security alerts), but you may unsubscribe from any non-transactional communications via the link in those emails.

9. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information. The rights described in Section 8 apply to you in the manner required by CCPA, including:

To exercise any CCPA right, contact us through the Help Center or at the legal notice address in Section 16. We may need to verify your identity before processing certain requests.

10. European Economic Area and United Kingdom Residents (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the EU General Data Protection Regulation (GDPR) or the UK GDPR applies to our processing of your personal data. This section describes how your rights under those regimes are handled.

Data controller

BandGigz LLC, an Arkansas limited liability company, acts as the data controller for personal information collected through the BandGigz platform. Contact information is provided in Section 16.

Legal bases for processing

We process your personal data on the following legal bases:

Your GDPR rights

Under GDPR and UK GDPR you have the right to:

International data transfers

BandGigz and our service providers are based in the United States. If you are located in the EEA or UK, your personal data will be transferred to and processed in the United States. The United States does not currently have an adequacy decision from the European Commission, and we rely on your consent to the transfer (provided when you create an account) as the basis for the transfer. In the future, we may implement additional transfer safeguards (such as Standard Contractual Clauses) as the platform grows.

How to exercise your rights

To exercise any GDPR or UK GDPR right, contact us through the Help Center or at the legal notice address in Section 16. We will respond within one (1) month of receipt, or notify you if an extension is required.

11. International Users

BandGigz is operated from the United States and our service providers' infrastructure is also based in the United States. If you access or use BandGigz from outside the United States, you acknowledge and agree that your information will be transferred to, stored in, and processed in the United States, which may have data protection laws that differ from those of your country.

By using BandGigz, users located outside the United States consent to this transfer and processing of their information in the United States. If you do not consent to this transfer, please do not use the platform. Residents of the European Economic Area and the United Kingdom should also review Section 10, which describes additional rights under GDPR and UK GDPR.

12. Cookies, Tracking, and Do Not Track

BandGigz uses only the session cookies necessary for authentication and keeping you logged in. We do not use advertising cookies, third-party tracking pixels, behavioral analytics, or services that track you across other websites.

You can disable cookies in your browser settings, but doing so will prevent you from staying logged in to BandGigz.

Do Not Track. Some browsers send a "Do Not Track" (DNT) signal to websites. Because BandGigz does not engage in cross-site tracking or behavioral advertising, we do not alter our practices in response to DNT signals — there is no tracking for us to disable. Our baseline practice already matches what a DNT signal is intended to request.

13. Children's Privacy

BandGigz is not intended for users under the age of 18, and we do not knowingly collect personal information from minors. If we become aware that a minor has created an account, we will delete it promptly. If you are a parent or guardian and believe a minor is using our platform, please contact us through the Help Center immediately.

14. Governing Law

This Privacy Policy is governed by the laws of the State of Arkansas, without regard to its conflict of law provisions. Disputes arising from this Privacy Policy are subject to the dispute resolution and venue provisions set forth in the BandGigz Terms of Service.

Nothing in this Privacy Policy limits or waives any non-waivable statutory rights you may have under the data protection laws of your jurisdiction, including those described in Sections 9 and 10.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and note material changes in the changelog at the bottom of this page. For material changes, we will also notify users by email. Continued use of BandGigz after changes take effect constitutes acceptance of the updated policy.

If you do not agree to any change, you must discontinue use of the platform before the change takes effect.

17. General Contact

If you have general questions or concerns about this Privacy Policy or how we handle your data, please contact us through the Help Center.

BandGigz LLC  ·  Arkansas, United States

Changelog

June 6, 2026
Rewrote Section 7 (renamed to "Account Deletion and Data Retention") to describe the live self-service account-deletion flow: a 72-hour cancellable grace window initiated from profile settings, automated de-identification on finalization, holds while escrow, disputes, or active gigs are unresolved, and the contact-support path for accounts under review. Added a retention table distinguishing the indefinitely retained de-identified profile shell from the recoverable identity snapshot (name, email, phone) purged after 7 years, and covering completed business records, the 2-year support-message retention, SMS opt-in/opt-out records, and for-cause identifier hashes. Added a Removal for Cause subsection disclosing that, for accounts removed for policy, fraud, or safety reasons, cryptographic hashes of email and phone may be retained to prevent re-registration and an artist Stripe payout account is permanently disqualified (cross-referenced to Terms Section 13). Characterized post-deletion data as de-identified (pseudonymized) rather than anonymized, relying on lawful-basis retention exceptions. No changes to data-collection scope or user rights.
May 30, 2026
Updated Sections 3 (How We Use Your Information), 4 (How We Share Your Information), 5 (Payment Information), and 7 (Data Retention and Deletion) to reflect that the Stripe Connect in-platform payment system is live. Stripe, Inc. is now listed as a sub-processor in Section 4 alongside Supabase, Vercel, Resend, Twilio, and Google. Section 5 now describes the payment data flow in present tense: Stripe collects and processes card details and artist bank/identity/tax information directly; BandGigz does not store payment information, only booking-related financial metadata (booking amount, platform fee, processing fee passthrough, payout amount, Stripe identifiers, payout status, and timestamps). Section 7's retention list no longer qualifies payment and payout history with "(once the in-platform payment system is active)" since that system is now live. Section 3 replaces the "Coming soon — payment processing" rollout-note with an inline present-tense paragraph and corrects the enforcement-rollout language. No changes to data-collection scope, retention periods, user rights, or sharing limitations.
May 11, 2026
Added new “How we handle your mobile information” sub-block to Section 8 (Your Rights and Communication Preferences) inside the SMS notifications and consent subsection. The new paragraph explicitly states that BandGigz does not sell, rent, share, or otherwise disclose mobile phone numbers, SMS opt-in status, or SMS consent records to any third party or affiliate for marketing, promotional, or advertising purposes, and identifies Twilio as the sole sub-processor that receives mobile information for the purpose of delivering opted-in notifications. This carrier-required disclosure was added in response to A2P 10DLC campaign vetting requirements from The Campaign Registry (TCR), which enforces the mobile-specific non-sharing clause separately from the broader no-sale-of-personal-information commitment that already appears in Section 3.
May 6, 2026
Revised the “SMS notifications and consent” subsection of Section 8 (Your Rights and Communication Preferences) to reflect that SMS notification consent is optional and is not obtained simply by providing a phone number at signup. Phone verification and SMS notification consent are now described as two separate steps at signup, with the SMS consent checkbox unchecked by default and not required to create or use a BandGigz account. Added language describing the in-app SMS notifications toggle (Profile → Notifications) for turning SMS on or off at any time after signup, and updated the opt-out methods to reference the toggle in place of removing the phone number from account settings. This change aligns the Privacy Policy with the optional-consent model documented in Terms of Service Section 6.5 and on the public reviewer page at bandgigz.com/sms-consent.html.
April 20, 2026
Added new Section 10 (European Economic Area and United Kingdom Residents / GDPR) covering data controller identity, legal bases for processing under GDPR Art. 6, the full set of GDPR rights including lodging complaints with a Data Protection Authority, and international data transfer disclosure. Expanded Section 8 (Your Rights and Communication Preferences) with a dedicated SMS Notifications and Consent subsection describing how express consent is obtained at signup, message frequency, costs, and the full set of opt-out methods (STOP/HELP keywords, account settings, Help Center). Added Section 2 clarification that IP addresses are used for security and fraud prevention only, not advertising. Added Section 6 data breach notification commitment. Renamed Section 7 to include "Deletion" in the heading and clarified the 30-day manual deletion timeline. Added Do Not Track disclosure to Section 12. Minor cleanup of Section 5 to remove "payout amounts" from current state (currently off-platform) while retaining it in the Stripe rollout note. Updated Section 14 to clarify that statutory data protection rights are never waived. Renumbered all affected sections accordingly.
April 18, 2026
Revised for accuracy in advance of Stripe Connect integration and for completeness. Rewrote Section 2 (Information We Collect) to accurately describe authentication logs, server logs, and the absence of third-party analytics; added Google Maps Platform address autocomplete disclosure. Rewrote Section 3 (How We Use) to separate currently-active uses from the forthcoming payment processing use. Rewrote Section 4 (How We Share) to correctly list current sub-processors (Supabase, Vercel, Resend, Twilio, Google) and mark Stripe as a forthcoming sub-processor. Rewrote Section 5 (Payment Information) to reflect that payments are currently arranged off-platform. Added Section 9 (California Residents / CCPA), Section 10 (International Users), Section 13 (Governing Law), and Section 15 (Legal Notices with registered agent address). Strengthened the no-sale / no-behavioral-advertising commitment in Section 3. Clarified review display as "publicly anonymized, internally attributed" in Section 4.
April 15, 2026
Initial Privacy Policy published.