Privacy policy.
We collect the minimum we need to keep the marketplace honest. Here's exactly what that is, who else sees it, and how to take it back.
1. Who we are
ShareTheStage ("we," "us," "our") operates the ShareTheStage.com website, mobile applications, and related services (the "Platform"). For the purposes of EU/UK data-protection law, ShareTheStage is the data controller for personal data processed through the Platform.
Postal address: [COMPANY ADDRESS]. Privacy contact: privacy@sharethestage.com.
2. What we collect
From you directly. Profile data (name, stage name, bio, photos, social URLs, city + region), verification materials (documents, photos, EPK links), the content of messages + applications + invites you send through the Platform, gigs you post, reviews and feedback you submit, and account credentials (email + a hashed password — we never store the plaintext).
Automatically. Signup IP, device + browser identifiers, rate-limit events, session cookies, sign-in attempts, an audit log of safety-relevant actions (blocks, reports, suspicious-activity flags), and basic usage telemetry (which pages and endpoints you hit). Image uploads include their original byte size + content type.
Optional integrations. Calendar events (when you connect Google Calendar); social-platform handles or IDs (when you verify ownership of a social account); Stripe customer + payment-method identifiers (when you subscribe to a paid plan — we never see full card numbers).
Location. City + region from your profile, and coarse approximate location from your IP for geo-relevant defaults. Precise GPS coordinates are not collected from your device unless you explicitly add them.
3. Why we collect it + the legal basis (GDPR)
- Run the service (deliver gigs, route notifications, render your profile, process applications). Legal basis: performance of a contract (Art. 6(1)(b)).
- Keep it safe (detect duplicate accounts, rate-limit abuse, run the content filter on outbound messages, support admin review of reports, prevent fraud). Legal basis: legitimate interests (Art. 6(1)(f)).
- Verify identity (human review of verification submissions). Legal basis: legitimate interests + your consent when you submit the materials (Art. 6(1)(a) + (f)).
- Bill paid plans (process subscription payments through Stripe). Legal basis: performance of a contract.
- Send transactional + critical notices (booking updates, password resets, security alerts, legal notices). Legal basis: performance of a contract + legal obligation.
- Send marketing/digest emails (only if you've opted in). Legal basis: consent (Art. 6(1)(a)); withdrawable at any time from notification preferences.
- Comply with legal obligations (respond to subpoenas, court orders, tax requirements). Legal basis: legal obligation (Art. 6(1)(c)).
4. Who else sees it
- Other users, only the parts of your profile you've marked public + any messages you've sent them.
- Stripe processes payments. We never see full card details. Stripe's privacy policy: stripe.com/privacy.
- Resend sends transactional + notification emails.
- Cloudflare R2 hosts uploaded images, screenshots, and documents (private bucket; all reads go through our auth gate).
- Vercel hosts the application and the database (via the Neon integration).
- Google (when you sign in with Google or connect Calendar) — only the OAuth scopes you grant.
- Apple (when you sign in with Apple) — only the identifier you authorize.
- OpenAI Moderation API screens outbound messages for threats / sexual content / harassment. The message body is sent for classification only and is not retained by the provider beyond the API call window.
- Sentry receives error reports (stack traces, request metadata, user ID where relevant) so we can fix bugs.
- Law enforcement when we receive a valid legal request. We notify the affected user unless legally prohibited.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. See "Your rights — California" below for the formal disclosure.
5. International transfers
ShareTheStage is operated from the United States. If you access the Platform from outside the U.S., your personal data will be transferred to and processed in the U.S. and other countries where our service providers operate. Where required by law (e.g., transfers from the EU/UK), we rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent safeguards.
6. Retention
Active accounts keep their data for as long as the account exists. When you delete your account from Settings → Account we cascade through your messages, applications, invites, blocks, notifications, and uploads. Some categories are retained longer for specific reasons:
- Safety-critical audit trails (rate-limit events, moderation flags, ban records) — up to 24 months, in anonymized form where possible, to defend against repeat abuse.
- Financial / tax records (when you've used a paid plan) — as required by U.S. tax law (typically 7 years).
- Active disputes or legal claims — until resolution, plus the applicable limitations period.
7. Your rights — general
Wherever you're reading from, you can:
- Access your data — request a full export from Settings or by email.
- Correct anything inaccurate — edit your profile or email support.
- Delete your account — one-click in Settings.
- Object to specific processing — email privacy@sharethestage.com.
- Port your data to another platform — the export is machine-readable JSON.
- Withdraw consent for any processing based on consent (marketing emails, optional integrations) — without affecting the lawfulness of earlier processing.
8. Your rights — EU/UK (GDPR)
In addition to the rights above, if you're in the EU, UK, or Switzerland you also have the right to lodge a complaint with your local data-protection supervisory authority. For the UK, that's the Information Commissioner's Office. For the EU, the list of national authorities is on the EDPB website.
9. Your rights — California (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act, as amended by the CPRA:
- Right to know what personal information we collect, the sources, purposes, and categories of recipients.
- Right to delete personal information we hold about you, subject to limited exceptions.
- Right to correct inaccurate information.
- Right to limit the use of sensitive personal information.
- Right to opt out of any "sale" or "sharing" of personal information — we do not sell or share personal information for cross-context behavioral advertising, so there is no opt-out to exercise. If that ever changes we'll add a clear "Do Not Sell or Share My Personal Information" link.
- Right to non-discrimination — we won't deny service, charge a different price, or provide a lower quality of service because you exercised any of these rights.
To exercise these rights, email privacy@sharethestage.com with "CCPA Request" in the subject. We may need to verify your identity before fulfilling the request. You can authorize an agent to submit a request on your behalf; the agent must provide written authorization and we may verify directly with you.
10. Children's data
The Platform is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If we learn that we've collected data from someone under 18, we'll delete it. Parents or guardians who believe their child has signed up should email privacy@sharethestage.com and we'll act promptly.
11. Cookies + similar technologies
We use only the cookies we need:
- Session cookie — keeps you signed in.
- CSRF token — protects against cross-site request forgery.
- Geo preference (sts-city) — remembers your saved location filter.
- Referral attribution (sts-ref) — credits a referral code to a signup, when one is present in the URL.
- Pre-launch gateway (sts-gate) — remembers you've entered the beta access code so you don't see the gate on every page.
- Consent — remembers your cookie preferences.
No advertising trackers, no cross-site analytics. If we add analytics in future, it'll be privacy-preserving (no PII shared, configured to honor Do Not Track) and clearly opt-out via the cookie banner.
12. Security
We use industry-standard measures to protect your data: TLS in transit, encryption at rest for our database and object store, hashed passwords (bcrypt, cost factor 12), rate-limiting on sensitive endpoints, server-side authorization on every protected route, two-factor authentication available on every account, and principle-of-least-privilege admin access. No system is unbreakable, and we make no representation that the Platform is impenetrable.
13. Data breach notification
If we suffer a security incident that compromises the confidentiality or integrity of your personal data, we'll notify you and the appropriate supervisory authorities without undue delay — and within 72 hours where required by law (e.g., GDPR Article 33). Notice will describe the nature of the breach, the categories of data affected, and the steps you should take to protect yourself.
14. Changes to this policy
We'll update this Privacy Policy as the service evolves or as the law changes. Material changes get an email notice and a banner on the site for at least 30 days. The "Effective" date at the top of this page always reflects the latest version.
15. Contact
Privacy questions, data-export requests, GDPR/CCPA requests, or anything else related to your personal data: privacy@sharethestage.com.
