1. Data Controller

The Platform is operated by TerminBooking LLC, a Wyoming limited liability company with its registered office at 30 N Gould St Ste N, Sheridan, WY 82801, USA. TerminBooking LLC, doing business as Band Artist Booking("we", "us", "our"), is the data controller responsible for your personal data. If you have questions about how we handle your data, contact us at our contact page.

2. Information We Collect

We collect the following categories of personal data:

2.1 Information you provide directly

Account data: Name, email address, password (stored hashed)
Profile data: Display name, bio, profile photo, genres, instruments, gig types
Location data: Country, state/region, city, postal code (voluntarily provided)
Contact data: Phone number (optional, visibility controlled by you)
Social links: Instagram, YouTube, Facebook, Spotify URLs
Content: Gig photos, videos, audio recordings, messages, booking details
Consent records: Timestamps of your terms acceptance and marketing consent

2.2 Information collected automatically

Device data: Browser type, operating system, device type
Connection data: IP address (used for rate limiting, abuse prevention, and audit logs; obtained via the CF-Connecting-IP header forwarded by Cloudflare)
Usage data: Pages visited, features used, profile views (anonymized)
Analytics data: Only collected if you consent to analytics cookies
Push notification tokens: If you enable push notifications on mobile

2.3 Information from non-registered visitors

We also collect limited personal data from people who have not registered an account, in two specific situations:

Booking requests: When a visitor submits a booking request through an artist or band's public profile, we collect the visitor's name, phone number, optional email address, event date, event location, and a free-text description. This data is stored solely to forward the request to the relevant artist or band and is processed under our legitimate interest in operating the booking marketplace (GDPR Art. 6(1)(f)). Booking requests are soft-deletable on request — see Section 11 for retention.
Referral invitations: When an existing user uses the referral program to invite a friend by email, we receive and store that friend's email address solely to (a) send a one-time invitation email containing the referrer's link, (b) track whether the invite converted into a signup so we can credit the referrer's rewards, and (c) prevent duplicate invitations to the same address. Invitee email addresses are not added to any marketing list and are not shared outside our processors.

3. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your data based on:

Contract performance (Art. 6(1)(b)): Processing necessary to provide you the Platform services — account management, bookings, messaging, profile display
Consent (Art. 6(1)(a)): Marketing use of your profile and content, analytics cookies, marketing cookies
Legitimate interest (Art. 6(1)(f)): Platform security, fraud prevention, service improvement, forwarding booking requests from non-users to the addressed artist/band, internal operational alerts
Legal obligation (Art. 6(1)(c)): Compliance with applicable laws, responding to lawful requests

4. How We Use Your Information

Provide, operate, and maintain the Platform
Display your public artist/band profile in the feed, search results, and on affiliated websites operated by Band Artist Booking (e.g. bendzavencanja.com, bendzaveselja.com, bendzarodjendan.com, and other niche booking domains) to increase your visibility to potential clients
Process bookings and facilitate communication between users
Forward booking requests submitted through public profile pages to the relevant artist or band
Provide authorized managers (talent agents or representatives invited and approved by an artist or band) with access to view and manage that artist's or band's bookings, profile, and gig posts (see Section 6)
Send referral invitation emails on your behalf when you use the referral program
Send transactional emails (verification, booking confirmations, password resets, magic-login tokens for cross-device sign-in)
Send push notifications (if enabled) for bookings, messages, and platform activity
Improve the Platform based on anonymized usage patterns
Prevent fraud, abuse, and Terms of Service violations
With your explicit marketing consent: use your profile and content for promotional purposes

5. Marketing Use of Profiles and Content

If you have given explicit marketing consent (opt-in during registration or through your account settings), we may use your public profile information, uploaded images, gig photos, and other content for promotional purposes. This includes social media posts, advertisements, newsletters, app store listings, and press materials.

Marketing consent is:

Optional: Not required to use the Platform
Separate: Independent from your acceptance of Terms of Service
Revocable: You can withdraw consent at any time in your account settings
Recorded: We store the timestamp of when consent was given or withdrawn

6. Authorized Access by Managers

The Platform supports a Manager role: an artist or band may invite a third party (typically a talent agent or personal manager) to view and act on their behalf. When an artist or band accepts a Manager invitation, that Manager is granted access to:

The artist's or band's calendar, bookings, and booking requests
The artist's or band's profile and gig posts (view and edit)
Notifications related to the managed account

Managers do not see your private subscription tier, payment details, password, or any account-management actions outside the granted scope. The Manager relationship can be revoked at any time by the artist or band through Settings, immediately removing the Manager's access. Managers process the data they access on the same legal basis (contract performance) and are bound by these terms.

7. Data Sharing and Third-Party Processors

We do not sell your personal data. We share data only with the following categories of processors, all of whom are contractually bound to protect your data:

Service	Purpose	Data shared
DigitalOcean (droplet)	Application server & database hosting	All Platform data
DigitalOcean Spaces	File storage (images, audio, video)	Uploaded media
Cloudflare	CDN, DDoS protection, DNS, edge proxy for the API and media domains	IP addresses, request metadata, headers
Vercel	Frontend hosting (Next.js, edge cache)	IP addresses, request metadata
RunCloud	Server management & encrypted backups	Encrypted snapshots of all Platform data
SendGrid	Transactional email delivery	Email address, name, message body
Postmark	Email deliverability monitoring (DMARC reports)	Envelope metadata only — no message content
LemonSqueezy	Payment processing & subscription billing	Email, name, billing details, subscription state
Expo (Apple APNs & Google FCM)	Push notification delivery on iOS and Android	Push token, notification content
Sentry	Application error monitoring (mobile, frontend, backend)	Stack traces, browser/device info, occasional user identifiers
Slack	Internal operational alerts (registrations, errors)	User names, event metadata, error messages
Discord	Internal operational alerts (subset of Slack alerts)	User names, event metadata
Google Analytics	Website analytics (only if you consent)	Anonymized usage data

8. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights:

Right of access (Art. 15): Request a copy of all personal data we hold about you. Use the "Download my data" feature in Settings.
Right to rectification (Art. 16): Correct inaccurate data through your profile settings, including your name and email.
Right to erasure (Art. 17): Delete your account and all associated data through Settings → Delete Account.
Right to restrict processing (Art. 18): Request that we limit how we use your data. Contact us to exercise this right.
Right to data portability (Art. 20): Export your data in machine-readable JSON format via Settings → Download my data.
Right to object (Art. 21): Object to processing based on legitimate interest. Contact us to exercise this right.
Right to withdraw consent (Art. 7): Withdraw marketing consent at any time via Settings without affecting the lawfulness of prior processing.

If you are a non-registered visitor who submitted a booking request or whose email was used to send a referral invitation, you may exercise your rights of access, rectification, and erasure by contacting us through our contact page.

To exercise any of these rights, use the self-service options in your account settings or contact us at our contact page. We will respond within 30 days.

9. Cookies and Tracking Technologies

Necessary Cookies (Always Active)

Essential for authentication, security, and core Platform functionality. Cannot be disabled.

Analytics Cookies (Opt-in)

Help us understand how visitors interact with the Platform. Only activated if you consent via the cookie banner.

Marketing Cookies (Opt-in)

Used for targeted advertising. Only activated if you consent via the cookie banner.

You can change your cookie preferences at any time by clearing your browser cookies and revisiting the Platform.

10. Data Retention

Active accounts: Data is retained for as long as your account is active
Deleted accounts: Personal data is permanently deleted upon account deletion. Anonymized analytics data may be retained.
Booking requests from non-users: Retained until the addressed artist/band marks the request as accepted, declined, or deletes it; otherwise pruned after 12 months. Soft-deletable on request via our contact page.
Referral invitations: Invitee email addresses are retained for up to 90 days after the invitation is sent, or until the invitee signs up (in which case the link is preserved as part of the signup record). Pending invitations are pruned daily once expired.
Magic-login tokens: Single-use, expire automatically after 5 minutes. Not retained after redemption or expiry.
Legal obligations: Payment records may be retained for up to 5 years as required by tax and financial regulations
Consent records: Records of consent (timestamps) are retained for compliance purposes even after withdrawal
Backups: Encrypted server snapshots are retained for up to 7 days; deletions propagate to backups within this window.

11. Data Security

We implement industry-standard security measures including:

HTTPS encryption for all data in transit
Bcrypt hashing for passwords (never stored in plain text)
Token-based authentication with automatic rotation
Encrypted file storage on DigitalOcean Spaces
Encrypted nightly backups via RunCloud
Rate limiting and abuse prevention on all API endpoints
IP-restricted access to administrative interfaces (Filament admin, Horizon queue dashboard)

12. International Data Transfers

Your data may be processed by third-party services located outside the EEA (e.g., DigitalOcean, Cloudflare, SendGrid, Vercel, Sentry, Slack, Discord, all primarily US-based). Where applicable, these transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards.

13. Children's Privacy

The Platform is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Platform or via email at least 30 days before taking effect. The version number and date at the top of this page indicate the current version.

15. Supervisory Authority

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with your local data protection authority. For users in Serbia, this is the Commissioner for Information of Public Importance and Personal Data Protection.

16. Contact Us

For any questions about this Privacy Policy or to exercise your data rights, contact us at our contact page. The legal entity behind the Platform is TerminBooking LLC, with registered office at 30 N Gould St Ste N, Sheridan, WY 82801, USA.