Privacy Policy

Last updated: 8 May 2026

This Privacy Policy explains how Band Social collects, uses, stores, shares, and protects personal data when you access or use https://band.social and the Band Social platform.

Band Social is operated by Lavinci Portugal Unip. Lda., with registered address at Avenida da República 6, 1º, 1050–191 Lisboa, Portugal (“Band Social”, “we”, “us”, or “our”).

For privacy questions or data protection requests, contact us at hello@backstager.io.

1. Who We Are

Band Social is a software-as-a-service platform for bands, artists, band managers, and music teams. It helps users manage social media scheduling and publishing across Facebook, Instagram, TikTok, and YouTube, and create public band pages, electronic press kits, event calendars, photo galleries, and related operational data.

For the purposes of applicable data protection law, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Lavinci Portugal Unip. Lda. is generally the controller of personal data collected directly from account users.

Where users upload, import, or enter personal data about third parties, such as band members, contacts, or other business contacts, the user may be the controller of that data and Band Social may act as a processor by hosting and processing that data on the user's behalf.

2. Scope of This Policy

This Privacy Policy applies to personal data processed when you:

  • visit or use Band Social;
  • create or manage an account;
  • create or manage band profiles;
  • connect social media accounts;
  • create, schedule, and publish social media posts;
  • upload media files such as images and videos;
  • create and manage public band pages and press kits;
  • manage events, photo galleries, and albums;
  • contact us for support;
  • subscribe, pay, cancel, or request a refund.

This policy does not apply to third-party websites or services that are not controlled by us.

3. Personal Data We Collect

Depending on how you use Band Social, we may collect and process the following categories of personal data.

3.1 Account Data

  • name;
  • email address;
  • password authentication data, where email/password login is used;
  • Google account data, where Google SSO is used;
  • account status;
  • login and authentication records.

3.2 Band and Profile Data

  • band name;
  • genre and style tags;
  • band description and band voice;
  • band member details (name, instrument, bio, photo);
  • website and social media links;
  • streaming platform links;
  • subscription status linked to each band.

3.3 Social Media and Publishing Data

Band Social may process:

  • connected social media account details (platform, account ID, access tokens);
  • post content, hashtags, and media files;
  • scheduled and published post dates;
  • platform-specific post settings;
  • publishing logs and status.

3.4 Public Band Page Data

We may process:

  • public profile configuration and layout settings;
  • event details (title, date, venue, location);
  • photo galleries and albums;
  • electronic press kit content;
  • contact form submissions from visitors;
  • page view and link click analytics.

3.5 Payment and Subscription Data

Payments are processed through Stripe. We may process:

  • subscription plan;
  • band subscription status;
  • payment status;
  • invoice or billing information;
  • refund request details;
  • Stripe customer, subscription, or transaction identifiers.

We do not store full card numbers on our own systems.

3.6 Technical and Usage Data

We may process technical data needed to operate and secure the platform, such as:

  • IP address;
  • browser and device information;
  • operating system;
  • login timestamps;
  • activity logs;
  • security logs;
  • error logs;
  • session data;
  • usage events within the platform.

3.7 Support Data

If you contact us, we may process:

  • your name and email;
  • support messages;
  • screenshots or attachments you provide;
  • correspondence history;
  • issue resolution notes.

4. How We Use Personal Data

We use personal data to:

  • create and manage user accounts;
  • authenticate users through email/password login or Google SSO;
  • provide the Band Social platform and its features;
  • store and manage band data, social media accounts, posts, media, events, and galleries;
  • publish posts to connected social media platforms;
  • host public band pages and electronic press kits;
  • manage subscriptions, billing, refunds, and payment status;
  • provide support and respond to requests;
  • secure the platform and prevent fraud, abuse, spam, or unauthorized access;
  • troubleshoot errors and improve reliability;
  • comply with legal, tax, accounting, and regulatory obligations;
  • enforce our Terms of Use.

5. Legal Bases for Processing

Where GDPR applies, we rely on one or more of the following legal bases:

  • Contractual necessity: to provide the Service, manage accounts, process subscriptions, and deliver requested features.
  • Legitimate interests: to secure, maintain, improve, and protect Band Social, prevent abuse, respond to support requests, and manage business operations.
  • Legal obligation: to comply with applicable tax, accounting, consumer protection, data protection, and legal requirements.
  • Consent: where we ask for specific consent, such as for optional communications or features that legally require consent.

6. Hosting, Database, and Service Providers

Band Social is hosted using cloud infrastructure providers.

We may also use selected third-party providers to operate the Service, including:

  • cloud hosting and database infrastructure providers;
  • Stripe for payment processing and subscription billing;
  • social media platform APIs (Facebook, Instagram, TikTok, YouTube) for post publishing;
  • cloud storage providers for media files;
  • Google for authentication (SSO);
  • technical providers for security, monitoring, infrastructure, or support.

These providers may process personal data only as necessary to provide their services to us and are expected to protect personal data using appropriate technical and organizational measures.

7. International Data Transfers

Because Band Social uses cloud-based service providers, personal data may be processed or stored outside Portugal or the European Economic Area.

Where personal data is transferred internationally, we take reasonable steps to ensure appropriate safeguards are in place, such as contractual protections, standard contractual clauses where applicable, or reliance on providers that maintain appropriate data protection and security standards.

8. Cookies and Analytics

Band Social does not currently use analytics tools such as Google Analytics, Meta Pixel, PostHog, Hotjar, or similar analytics/tracking tools.

Band Social does not currently use cookies beyond those necessary for login, session management, authentication, security, and operation of the platform.

If this changes, we will update this Privacy Policy and, where required, request consent.

9. Disclosure of Personal Data

We do not sell personal data.

We may share personal data with:

  • service providers that help us operate Band Social;
  • Stripe and payment-related providers;
  • social media platforms where you connect accounts and publish content;
  • authentication providers;
  • professional advisers, such as accountants or legal advisers, where necessary;
  • public authorities, courts, or regulators where required by law;
  • another entity in connection with a merger, acquisition, restructuring, or sale of the business, subject to appropriate safeguards.

We may also disclose data where necessary to protect our rights, users, systems, or security, or to investigate fraud, abuse, or unlawful activity.

10. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this policy.

In general:

  • account and band data are retained while the account or band profile remains active;
  • subscription and billing records may be retained for tax, accounting, and legal compliance periods;
  • social media posts, media files, events, and gallery data are retained while the user keeps them in the account, unless deletion is requested or required;
  • support records may be retained for customer service and legal purposes;
  • technical and security logs are retained for a limited period unless needed to investigate abuse, fraud, security incidents, or legal claims.

When data is no longer needed, we delete or anonymize it, or securely retain it where legally required.

11. Security

We take reasonable technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure.

These measures may include:

  • secure hosting infrastructure;
  • access controls;
  • authentication protections;
  • HTTPS/TLS encryption in transit;
  • role-based access where applicable;
  • monitoring and logging for security and troubleshooting;
  • limiting access to data to authorized personnel and providers who need it.

No online service can guarantee absolute security. You are responsible for protecting your login credentials and keeping your account secure.

12. Your Rights

Subject to applicable law, you may have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate or incomplete data;
  • request deletion of your personal data;
  • request restriction of processing;
  • object to certain processing based on legitimate interests;
  • request data portability;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with a data protection authority.

In Portugal, the relevant supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD).

To exercise your rights, contact us at hello@backstager.io.

We may need to verify your identity before fulfilling a request. Some requests may be limited where we need to retain data for legal, tax, accounting, security, fraud prevention, or contractual reasons.

13. Account and Data Deletion

You may request deletion of your account or certain personal data by contacting hello@backstager.io.

Deletion may not be immediate where data must be retained for legal, tax, accounting, billing, security, fraud prevention, dispute resolution, or backup purposes.

If a band has multiple members, deletion of one user account may not automatically delete the band's records where those records are needed by other authorized users.

14. Children

Band Social is intended for professional, business, and music project management use. It is not directed at children.

We do not knowingly collect personal data from children. If you believe a child has provided personal data to Band Social, contact us at hello@backstager.io so we can take appropriate action.

15. Automated Decision-Making

Band Social does not use automated decision-making that produces legal or similarly significant effects on users.

We may use limited automated checks for security, authentication, abuse prevention, or fraud prevention. These checks are used to protect the platform and users.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When changes are material, we will take reasonable steps to notify users, such as by email or through the platform.

The updated version will apply from the date it is posted or otherwise communicated.

17. Contact

For privacy questions or requests, contact:

Lavinci Portugal Unip. Lda.

Avenida da República 6, 1º

1050–191 Lisboa, Portugal

Email: hello@backstager.io

Website: https://band.social

© 2026 Band Social