Privacy Policy

1. Introduction

The Backstage ("we," "our," "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our music platform at thebackstage.app ("Service").

This policy complies with the General Data Protection Regulation (GDPR), CAN-SPAM Act, and other applicable data protection laws.

Quick Summary: We collect your email address and basic information to send you music notifications from artists you follow. We track email opens and clicks only if you consent. You can unsubscribe anytime with one click.

2. Data Controller Information

The data controller responsible for your personal data is:

The Backstage
Email: privacy@thebackstage.app
Support: support@thebackstage.app
Website: thebackstage.app

If you have any questions about this Privacy Policy or our data practices, please contact us at the above address.

3. What Data We Collect

We collect the following categories of personal data:

3.1 Information You Provide

• Email Address: Required for account creation and email notifications
• Name: Optional, used for personalization (e.g., "Hi John")
• Artist/Fan Preferences: Which artists you follow, notification preferences
• Account Credentials: Password (encrypted), authentication tokens

3.2 Automatically Collected Data

• IP Address: Collected when you sign up, unsubscribe, or interact with emails (required for GDPR consent logging)
• User Agent: Browser and device information (required for GDPR consent logging)
• Timestamps: When you perform actions (subscribe, unsubscribe, consent changes)

3.3 Email Engagement Data (Only with Consent)

• Email Opens: Whether you opened an email (tracked via pixel)
• Link Clicks: Which links you clicked in emails
• Device/Client: Email client used (Gmail, Outlook, etc.)
• Location: General geographic location (city/country level)

Note: Email tracking requires separate consent (see Section 7). You can subscribe without tracking.

3.4 Consent History (Legal Requirement)

• Consent Records: When you consented, how, and for what purpose
• IP Address at Consent: Required proof of consent (GDPR Article 7)
• User Agent at Consent: Device/browser used during consent
• Source: Where consent was obtained (signup form, settings page)

3.5 Pre-Selected Consents

In some forms (e.g., Download Gates), marketing consents may be pre-selected to provide you with added value (exclusive music content, industry tips). You can always uncheck these options before submitting the form. Pre-selection does not affect your ability to download content - it is simply a convenience feature to help you discover relevant content.

• Download Gates: Gee Beat subscription is pre-selected to provide exclusive releases
• Easy Opt-Out: Simply uncheck the box before clicking submit
• Unsubscribe Anytime: One-click unsubscribe in every email footer
• GDPR Compliance: Pre-selection is transparent, clearly visible, and easily reversible

4. How We Collect Data

• Signup Forms: When you create an account or subscribe to an artist
• Settings Pages: When you update preferences or manage subscriptions
• Email Interactions: When you open or click links in our emails (if tracking enabled)
• Unsubscribe Links: When you unsubscribe via email link or settings
• APIs/Integrations: If you connect third-party services (e.g., Spotify)

5. Why We Use Your Data (Legal Basis)

Under GDPR Article 6, we process your personal data based on the following legal grounds:

5.1 Consent (GDPR Art. 6(1)(a))

• Email Notifications: We send you music updates only if you opt-in
• Email Tracking: We track opens/clicks only with separate, explicit consent

You can withdraw consent at any time by unsubscribing (emails) or disabling tracking (settings).

5.2 Contract Performance (GDPR Art. 6(1)(b))

• Account Management: Creating and maintaining your account
• Service Delivery: Providing platform features (artist subscriptions, content access)

5.3 Legal Obligation (GDPR Art. 6(1)(c))

• Consent Logging: GDPR Article 7 requires proof of consent
• Audit Trails: Maintaining records for legal compliance and disputes
• Tax/Accounting: Retaining payment records as required by law

5.4 Legitimate Interest (GDPR Art. 6(1)(f))

• Security: Fraud prevention, abuse detection
• Service Improvement: Analyzing aggregated, anonymized usage data
• Communications: Sending essential service updates (not marketing)

6. How We Use Your Data

• Send Email Notifications: Deliver music updates from artists you follow
• Personalize Content: Use your name and preferences to customize emails
• Measure Engagement: Track opens/clicks to help artists understand their audience (with consent)
• Improve Service: Analyze aggregated data to enhance platform features
• Prevent Abuse: Detect spam, fraud, and Terms of Service violations
• Legal Compliance: Maintain consent records and respond to legal requests
• Customer Support: Respond to inquiries and resolve issues

7. Email Tracking and Cookies

7.1 Tracking Pixels

We use tracking pixels (small, invisible images) in emails to measure:

• Whether you opened the email
• Which links you clicked
• Your email client (Gmail, Outlook, etc.)
• General location (city/country)

7.2 Separate Consent Required

Per GDPR and ePrivacy Directive, email tracking requires explicit prior consent, separate from your email subscription consent.

• During signup, you'll see two checkboxes: (1) Receive emails, (2) Enable tracking
• You can subscribe without tracking
• You can withdraw tracking consent anytime in settings (while staying subscribed)

7.3 How to Opt Out

• Disable Tracking: Go to Settings → Privacy → Disable "Email Analytics"
• Unsubscribe Entirely: Click "Unsubscribe" in any email footer
• Block Pixels: Use email client privacy features (Apple Mail Privacy Protection, Gmail "Always ask before displaying external images")

7.4 Cookie Policy

Our website uses the following cookies:

• Essential Cookies: Session management, authentication, security (no consent required)
• Analytics Cookies: Website usage statistics (requires consent)
• Preference Cookies: Remember your settings (theme, language)

You can manage cookie preferences in your browser settings or via our cookie consent banner.

8. Who We Share Data With

We share your personal data only with trusted service providers who help us operate the platform. We do NOT sell, rent, or share your data for marketing purposes.

8.1 Service Providers (Data Processors)

We share data with the following third-party processors:

• Email Delivery: Resend (email sending infrastructure)
  Privacy Policy
• Web Hosting: Vercel (platform infrastructure)
  Privacy Policy
• Database Hosting: Neon (PostgreSQL database)
  Privacy Policy
• Authentication: NextAuth (authentication services)
  Security

8.2 Data Processing Agreements (DPAs)

All service providers have signed Data Processing Agreements that ensure GDPR compliance and commit them to:

• Process data only on our instructions
• Implement appropriate security measures
• Assist with your rights requests (access, deletion, etc.)
• Delete data when no longer needed

8.3 Legal Disclosures

We may disclose your data if required by law:

• Court orders or subpoenas
• Government investigations
• Compliance with legal obligations
• Protection of our legal rights

9. International Data Transfers

9.1 Transfer Locations

Your data may be transferred to and processed in:

• European Union: Primary database and hosting servers
• United States: Some service providers (Vercel, Resend)

9.2 Transfer Safeguards

For transfers outside the EU/EEA, we rely on:

• Adequacy Decisions: EU Commission-approved countries (UK, Switzerland)
• Standard Contractual Clauses (SCCs): EU-approved contract templates with US processors
• Data Privacy Framework: US organizations certified under EU-US Data Privacy Framework

All transfers comply with GDPR Chapter V requirements and include appropriate safeguards to protect your data.

9.3 Request Copy of Safeguards

You can request a copy of the safeguards we have in place by contacting privacy@thebackstage.app.

10. How Long We Keep Data

10.1 Active Subscribers

• Email Address: Until you unsubscribe or delete your account
• Name & Preferences: Until you delete your account

10.2 Unsubscribed Users

• Immediate Anonymization: Email replaced with "deleted-[ID]@anonymized.local" within 30 days
• Retention Period: Anonymized records kept for 7 years (legal defense, fraud prevention)
• GDPR Compliance: Article 17 allows retention for "establishment, exercise or defense of legal claims"

10.3 Consent Logs (Exception)

• Retention: Indefinite or minimum 7 years
• Legal Basis: GDPR Article 7(1) requires proof of consent
• What's Logged: Who consented, when, how, IP address, user agent
• Important: Even after email deletion, consent logs are retained for legal compliance

10.4 Email Engagement Data

• Opens/Clicks: Retained for 2 years (analytics purposes)
• Automated Deletion: Data older than 2 years is automatically deleted

10.5 Security Logs

• Access Logs: Retained for 30 days (security monitoring, debugging)
• Automated Deletion: Logs older than 30 days are automatically deleted

10.6 Backup Data

• Retention: 30 days in encrypted backups
• Purpose: Service reliability and disaster recovery
• Deletion: Old backups automatically deleted after 30 days

11. Your Rights Under GDPR

You have the following rights regarding your personal data:

11.1 Right to Access

You can request a copy of all personal data we hold about you.

• How: Email privacy@thebackstage.app or use "Export Data" in settings
• Response Time: 30 days (may extend to 90 days if complex)
• Format: CSV or JSON (structured, machine-readable)
• Cost: Free (first request)

11.2 Right to Rectification

You can correct inaccurate or incomplete data.

• How: Update in Settings or contact privacy@thebackstage.app
• Response Time: 30 days

11.3 Right to Erasure ("Right to Be Forgotten")

You can request deletion of all your personal data.

• How: Email privacy@thebackstage.app or use "Delete Account" in settings
• Scope: More comprehensive than unsubscribe - deletes all account data
• Exceptions: Anonymized consent logs (legal requirement), accounting records (tax law)
• Response Time: 30 days

11.4 Right to Restriction

You can request we temporarily stop processing your data (e.g., while resolving a dispute).

• How: Contact privacy@thebackstage.app
• Response Time: 30 days

11.5 Right to Data Portability

You can receive your data in a portable format and transmit it to another service.

• How: Use "Export Data" in settings or email privacy@thebackstage.app
• Format: CSV or JSON
• Included: Email, name, subscription preferences, engagement history
• Response Time: 30 days

11.6 Right to Object (Marketing)

You have an absolute right to object to direct marketing at any time.

• How: Click "Unsubscribe" in any email or go to Settings
• Response Time: Immediate (no delay allowed)
• Effect: All marketing emails stop immediately

11.7 Right to Withdraw Consent

You can withdraw consent for data processing at any time.

• Email Notifications: Click "Unsubscribe" in any email
• Email Tracking: Disable in Settings → Privacy
• Effect: Processing stops immediately (does not affect past processing)

11.8 Right to Lodge a Complaint

You have the right to complain to a data protection authority.

• Spain: Agencia Española de Protección de Datos (AEPD) - www.aepd.es
• UK: Information Commissioner's Office (ICO) - ico.org.uk
• EU: Find your authority at edpb.europa.eu

11.9 How to Exercise Your Rights

To exercise any of these rights:

1. Email privacy@thebackstage.app with your request
2. Include your account email for verification
3. We may request additional information to verify your identity (security measure)
4. We will respond within 30 days (may extend to 90 days if complex)
5. All requests are free of charge (unless manifestly unfounded or excessive)

12. Data Security

We implement industry-standard security measures to protect your data:

12.1 Technical Safeguards

• Encryption in Transit: TLS/SSL for all connections (HTTPS)
• Encryption at Rest: Database encryption for stored data
• Password Security: Bcrypt hashing with salt
• Secure Authentication: Multi-factor authentication available

12.2 Organizational Safeguards

• Access Controls: Role-based access (least privilege principle)
• Employee Training: Regular security and privacy training
• Vendor Audits: Annual review of service provider security
• Incident Response: Documented breach notification process

12.3 Data Breach Notification

In the event of a data breach affecting your personal data:

• We will notify you within 72 hours of discovery (GDPR requirement)
• Notification will include nature of breach, likely consequences, and mitigation measures
• We will also notify relevant data protection authorities

12.4 Your Responsibilities

• Keep your password secure and confidential
• Use a strong, unique password
• Enable multi-factor authentication
• Log out after using shared devices
• Report suspicious activity immediately

13. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@thebackstage.app. We will delete such data promptly.

For users in the EU, the minimum age is 16 (or lower if permitted by Member State law with parental consent).

14. Your Choices

14.1 Email Preferences

• Unsubscribe: Click "Unsubscribe" in any email footer (one-click)
• Manage Subscriptions: Go to Settings → Subscriptions to choose which artists to follow
• Frequency Control: Set maximum email frequency per artist

14.2 Tracking Preferences

• Disable Email Tracking: Settings → Privacy → Disable "Email Analytics"
• Effect: We won't track opens/clicks (but emails still deliver)

14.3 Account Deletion

• Delete Account: Settings → Account → Delete Account
• Effect: All personal data deleted (except anonymized audit logs)

14.4 Cookie Preferences

• Manage Cookies: Use cookie consent banner or browser settings
• Block All Cookies: Browser settings (may affect functionality)

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

• We will update the "Last Updated" date at the top
• We will notify you via email (to the address on your account)
• We will provide at least 30 days' notice before changes take effect
• Your continued use after changes take effect constitutes acceptance

If you do not agree to the changes, you may delete your account before the effective date.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

Privacy Inquiries
Email: privacy@thebackstage.app
Subject: "Privacy Inquiry - [Your Name]"
Response Time: Within 30 days

General Support
Email: support@thebackstage.app
Website: thebackstage.app

17. Supervisory Authority

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with a supervisory authority:

Spain (Primary Authority)
Agencia Española de Protección de Datos (AEPD)
Website: www.aepd.es
Address: C/ Jorge Juan, 6, 28001 Madrid, Spain

Other EU/EEA Authorities
Find your local data protection authority at:
European Data Protection Board - Member List

Summary: Your Key Privacy Rights