Privacy Policy

Resistor ("the Platform", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our tour booking marketplace platform. This policy is designed to comply with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

1. Data Controller

The data controller responsible for your personal data is:

Resistor — Chicago, Illinois, USA — andy@resistor.technology

For any privacy-related inquiries, you may contact our Data Protection Officer at:

andy@resistor.technology

2. Data We Collect

2.1 Account Information

When you register, we collect:

• Name (or artist/venue name)
• Email address
• Password (stored as a salted bcrypt hash; we never store plaintext passwords)
• Account role (artist, promoter, or venue)
• Optional verification links (social media, website)
• Timestamp of Terms of Service acceptance

2.2 Profile Data

Information you provide for your public or semi-public profile:

• Display name, bio, and genre tags
• Profile photos and media
• Social media links and website URLs
• Technical rider information (artists)
• Home city and location preferences
• Venue details: address, capacity, amenities, sound system specs (venues)

2.3 Booking and Transaction Data

• Availability postings (cities, dates, fee ranges)
• Booking offers, counter-offers, and negotiation messages
• Agreed fees, travel contributions, and contract terms
• Booking status history and event dates
• Digital contract signatures

2.4 Payment Records

• Payout email address and Stripe account ID (encrypted at rest)
• Transaction records: payment amounts, types, statuses, and timestamps
• Stripe payment intent IDs, transfer IDs, and capture IDs
• Disbursement schedules

Note: We do not store credit card numbers, bank account numbers, or other direct financial instrument details. All payment processing is handled by Stripe.

2.5 Messages

• Direct messages between users (subject and body)
• Negotiation messages within bookings
• Dispute descriptions and evidence uploads

2.6 Usage and Analytics Data

• IP address (for rate limiting and security; not stored long-term)
• Browser type and device information (via error tracking)
• Profile view counts and sources
• Feature interaction patterns
• Error logs and performance metrics

3. How We Use Your Data

3.1 Service Delivery

• Creating and managing your account
• Displaying your profile to relevant users (based on your visibility settings)
• Facilitating the booking, negotiation, and payment process
• Generating and managing digital contracts
• Processing payments and disbursements through Stripe

3.2 Communication

• Sending booking notifications (new offers, counter-offers, acceptances)
• Email verification and password reset messages
• Account approval/rejection notifications
• Payment and disbursement confirmations
• Platform updates and service announcements

3.3 Analytics and Improvement

• Aggregated platform statistics (booking counts, artist counts, city coverage)
• Error tracking and debugging to improve platform stability
• Feature usage analysis to inform product development

3.4 Security

• Rate limiting to prevent abuse
• Account lockout after repeated failed login attempts
• Fraud detection and prevention
• Admin audit logging for accountability

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

• Contract performance — Processing necessary to provide the booking marketplace service you signed up for (Article 6(1)(b)).
• Legitimate interests — Platform security, fraud prevention, and service improvement (Article 6(1)(f)).
• Consent — Where you have explicitly consented, such as accepting the Terms of Service (Article 6(1)(a)).
• Legal obligation — Where required to comply with applicable laws, such as financial record keeping (Article 6(1)(c)).

5. Third-Party Data Sharing

We share your data with the following third-party service providers, each for a specific and limited purpose:

We do not sell your personal data to any third party. We do not share your data with advertisers or data brokers.

6. Cookies and Similar Technologies

We do not use advertising cookies, tracking pixels, or third-party analytics cookies (such as Google Analytics). The only analytics data collected is through Sentry for error tracking purposes.

7. Data Retention

When data reaches the end of its retention period, it is securely deleted or anonymised. Soft-deleted accounts (marked with a deletedAt timestamp) are permanently purged after the retention period.

8. Your Rights

Under the GDPR (Articles 15-22) and CCPA, you have the following rights regarding your personal data:

CCPA-Specific Rights

California residents additionally have the right to:

• Know what personal information is collected, used, and shared.
• Request deletion of personal information.
• Opt out of the sale of personal information (we do not sell personal information).
• Non-discrimination for exercising privacy rights.

9. Data Export

You may request an export of your personal data at any time. Resistor provides a data export feature accessible via the API:

GET /api/user/data-export

The export includes your account information, profile data, booking history, messages, and transaction records in JSON format. You may also contact us directly to request a data export.

10. Data Security

We implement the following security measures to protect your data:

• Passwords are hashed using bcrypt with a cost factor of 12.
• Sensitive fields (Stripe credentials) are encrypted at rest using AES-256-GCM.
• All data in transit is encrypted via TLS/HTTPS.
• Rate limiting protects against brute-force attacks.
• Account lockout after repeated failed login attempts.
• Two-factor authentication (2FA) is available for additional account security.
• Admin actions are logged in an audit trail.
• Regular dependency security audits.

11. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our hosting provider (Vercel) and third-party services operate. Where such transfers occur, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Data processing agreements with all third-party service providers.
• Adequacy decisions where applicable.

12. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will take steps to delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or a notice on the Platform at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact and Complaints

For privacy-related questions, data access requests, or to exercise any of your rights, please contact:

Data Protection Officer — andy@resistor.technology

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. For EU residents, a list of supervisory authorities is available at: edpb.europa.eu/about-edpb/about-edpb/members