Privacy

Your data, on your terms.

We collect data to run live music well and, where you allow it, to build insights the industry will pay for. This page is the plain-language version of exactly what we hold, why, who sees it, and the controls you have. Last updated May 30, 2026.

What We Collect

Account & contact. Your name, email, phone (if you add it), and role (fan, artist, venue, crew). Created when you sign up or buy a ticket.

Purchases & tickets. Orders, amounts, fees, discounts, the shows you bought, check-in records, and resale activity. We need this to deliver and support your tickets.

Coarse location. When you check out, we may record the city/region/country your request came from (derived at our edge — never your IP address). It powers demand and tour-routing insights, nothing more.

Product usage. Anonymous, aggregate signals about how the product is used (page views, feature usage), so we can improve it.

Why We're Allowed to Hold It

Every meaningful event we record carries a stated basis: transaction (needed to deliver your purchase), legitimate interest (running and securing the platform), or marketing / data-sharing (only when you've opted in). We separate these so that data you didn't consent to share is never treated as if you did.

How We Use It

To sell, deliver, and support tickets; to pay venues, artists, and crew; to prevent fraud and abuse; to send you the alerts and reminders you ask for; and to produce analytics that help venues and artists book smarter shows.

We do not sell ad space against your identity, and we don't let third parties target you inside BandPass.

Who We Share It With

Service providers who make the product work — payment processing (Stripe), email (Resend), hosting (Vercel), database (Supabase) — under contracts that bar them from using your data for their own purposes.

The other side of your transaction — a venue or artist sees the data needed to honor and service the show you bought into.

Aggregated, de-identified industry insights. Part of our business is producing market intelligence (e.g. cross-venue demand, genre trends) that labels, festivals, and venues may license. We only ever share data for this in aggregated or de-identified form, and only where you've given a marketing / data-sharing basis. We do not sell records that identify you personally.

Legal — when required by law or to protect rights and safety.

Your Controls

Export. Download everything tied to your account — profile, orders, tickets, activity, and your data preferences — as JSON or CSV from your data & privacy page.

Delete. Request deletion of your account and associated data; we complete it within 30 days. Upcoming tickets stay valid and refundable.

Opt out. Turn off marketing and data-sharing consent at any time; we stop using your data for those purposes going forward.

Depending on where you live (including under GDPR, CCPA, and Colorado's privacy law), you may have additional rights to access, correct, or restrict processing. Email us and we'll honor them.

How Long We Keep It

As long as your account is active, plus the period we're legally required to retain financial records. De-identified analytics may persist after deletion because they no longer identify you.

How We Protect It

Encryption in transit, row-level access controls on our database, scoped access for staff, signed ticket tokens, and audited check-in. Payment details are handled by Stripe and never touch our servers.

Contact

Questions or requests: privacy@thebandpass.com. We reply within 30 days.

This policy describes our current practices and may change as the product evolves; we'll update the date above and, for material changes, notify you. It is provided for transparency and is not legal advice.