Resistor ("the Platform", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our tour booking marketplace platform. This policy is designed to comply with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Data Controller
The data controller responsible for your personal data is:
[Data controller name and contact information to be provided before launch]
For any privacy-related inquiries, you may contact our Data Protection Officer at:
[DPO contact email to be provided before launch]
2. Data We Collect
2.1 Account Information
When you register, we collect:
- Name (or artist/venue name)
- Email address
- Password (stored as a salted bcrypt hash; we never store plaintext passwords)
- Account role (artist, promoter, or venue)
- Optional verification links (social media, website)
- Timestamp of Terms of Service acceptance
2.2 Profile Data
Information you provide for your public or semi-public profile:
- Display name, bio, and genre tags
- Profile photos and media
- Social media links and website URLs
- Technical rider information (artists)
- Home city and location preferences
- Venue details: address, capacity, amenities, sound system specs (venues)
2.3 Booking and Transaction Data
- Availability postings (cities, dates, fee ranges)
- Booking offers, counter-offers, and negotiation messages
- Agreed fees, travel contributions, and contract terms
- Booking status history and event dates
- Digital contract signatures
2.4 Payment Records
- PayPal email address and merchant ID (encrypted at rest)
- Transaction records: payment amounts, types, statuses, and timestamps
- PayPal order IDs, capture IDs, and payout IDs
- Disbursement schedules
Note: We do not store credit card numbers, bank account numbers, or other direct financial instrument details. All payment processing is handled by PayPal.
2.5 Messages
- Direct messages between users (subject and body)
- Negotiation messages within bookings
- Dispute descriptions and evidence uploads
2.6 Usage and Analytics Data
- IP address (for rate limiting and security; not stored long-term)
- Browser type and device information (via error tracking)
- Profile view counts and sources
- Feature interaction patterns
- Error logs and performance metrics
3. How We Use Your Data
3.1 Service Delivery
- Creating and managing your account
- Displaying your profile to relevant users (based on your visibility settings)
- Facilitating the booking, negotiation, and payment process
- Generating and managing digital contracts
- Processing payments and disbursements through PayPal
3.2 Communication
- Sending booking notifications (new offers, counter-offers, acceptances)
- Email verification and password reset messages
- Account approval/rejection notifications
- Payment and disbursement confirmations
- Platform updates and service announcements
3.3 Analytics and Improvement
- Aggregated platform statistics (booking counts, artist counts, city coverage)
- Error tracking and debugging to improve platform stability
- Feature usage analysis to inform product development
3.4 Security
- Rate limiting to prevent abuse
- Account lockout after repeated failed login attempts
- Fraud detection and prevention
- Admin audit logging for accountability
4. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Contract performance — Processing necessary to provide the booking marketplace service you signed up for (Article 6(1)(b)).
- Legitimate interests — Platform security, fraud prevention, and service improvement (Article 6(1)(f)).
- Consent — Where you have explicitly consented, such as accepting the Terms of Service (Article 6(1)(a)).
- Legal obligation — Where required to comply with applicable laws, such as financial record keeping (Article 6(1)(c)).
5. Third-Party Data Sharing
We share your data with the following third-party service providers, each for a specific and limited purpose:
PayPal — Payment Processing
Your PayPal email, transaction amounts, and booking details are shared with PayPal to process payments, collect funds, and disburse earnings. PayPal operates as an independent data controller for payment data.
Privacy policy: paypal.com/privacy
Cloudinary — Image Hosting
Profile photos and uploaded images are stored on Cloudinary's content delivery network. Image metadata (file type, size) is processed by Cloudinary.
Privacy policy: cloudinary.com/privacy
Google — Authentication & Maps
If you sign in with Google OAuth, your Google account name, email, and profile image are shared with us by Google. Google Maps API is used for city selection and map display; your IP address may be visible to Google during map interactions.
Privacy policy: policies.google.com/privacy
Sentry — Error Tracking
When errors occur, Sentry receives error details, stack traces, browser/device information, and anonymised user context to help us debug and fix issues. No personally identifiable information is intentionally sent to Sentry.
Privacy policy: sentry.io/privacy
Resend — Email Delivery
Your email address and name are shared with Resend to deliver transactional emails (verification, notifications, booking updates, password resets).
Privacy policy: resend.com/legal/privacy-policy
Upstash — Caching
Upstash Redis is used for rate limiting and caching. Rate limit data (hashed IP addresses) is temporarily stored. Cached data is ephemeral and automatically expires.
Privacy policy: upstash.com/trust/privacy
We do not sell your personal data to any third party. We do not share your data with advertisers or data brokers.
6. Cookies and Similar Technologies
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential (Session) | Authentication session token. Required for the Platform to function. | Session / 30 days |
| Functional (Locale) | Stores your language/locale preference for the interface. | 1 year |
| Analytics (Sentry) | Error tracking and performance monitoring. No advertising or tracking cookies. | Session |
We do not use advertising cookies, tracking pixels, or third-party analytics cookies (such as Google Analytics). The only analytics data collected is through Sentry for error tracking purposes.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion request |
| Profile data | Duration of account (deleted with account) |
| Booking and transaction records | 7 years (financial record-keeping obligations) |
| Payment records | 7 years (financial/tax compliance) |
| Messages and negotiations | Duration of account + 90 days after deletion |
| Dispute records and evidence | 3 years after resolution |
| Error logs (Sentry) | 90 days |
| Rate limiting data | 24 hours |
| Admin audit logs | 5 years |
When data reaches the end of its retention period, it is securely deleted or anonymised. Soft-deleted accounts (marked with a deletedAt timestamp) are permanently purged after the retention period.
8. Your Rights
Under the GDPR (Articles 15-22) and CCPA, you have the following rights regarding your personal data:
Right of Access (Article 15)
You may request a copy of all personal data we hold about you.
Right to Rectification (Article 16)
You may request correction of inaccurate or incomplete personal data. You can update most data directly through your account settings.
Right to Erasure (Article 17)
You may request deletion of your personal data, subject to legal retention requirements (e.g., financial records retained for 7 years).
Right to Restriction of Processing (Article 18)
You may request that we limit how we process your data in certain circumstances.
Right to Data Portability (Article 20)
You may request your data in a structured, commonly used, machine-readable format (JSON).
Right to Object (Article 21)
You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
CCPA-Specific Rights
California residents additionally have the right to:
- Know what personal information is collected, used, and shared.
- Request deletion of personal information.
- Opt out of the sale of personal information (we do not sell personal information).
- Not be discriminated against for exercising privacy rights.
9. Data Export
You may request an export of your personal data at any time. Resistor provides a data export feature accessible via the API:
GET /api/user/data-export
The export includes your account information, profile data, booking history, messages, and transaction records in JSON format. You may also contact us directly to request a data export.
10. Data Security
We implement the following security measures to protect your data:
- Passwords are hashed using bcrypt with a cost factor of 12.
- Sensitive fields (PayPal credentials) are encrypted at rest using AES-256-GCM.
- All data in transit is encrypted via TLS/HTTPS.
- Rate limiting protects against brute-force attacks.
- Accounts are locked out after repeated failed login attempts.
- Two-factor authentication (2FA) is available for additional account security.
- Admin actions are logged in an audit trail.
- Dependencies undergo regular security audits.
11. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our hosting provider (Vercel) and third-party services operate. Where such transfers occur, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data processing agreements with all third-party service providers.
- Adequacy decisions where applicable.
12. Children's Privacy
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will take steps to delete that data promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or a notice on the Platform at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
14. Contact and Complaints
For privacy-related questions, data access requests, or to exercise any of your rights, please contact:
[Data Protection Officer contact information to be provided before launch]
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. For EU residents, a list of supervisory authorities is available at: edpb.europa.eu/about-edpb/about-edpb/members
Please also review our Terms of Service, which govern your use of the Platform.