Privacy Policy

Gig Pool Pty Ltd · Last updated: 31 March 2026

1. About this policy

This privacy policy explains how Gig Pool Pty Ltd (“Gig Pool”, “we”, “us”, “our”) collects, uses, stores, discloses, and protects your personal information when you use the Gig Pool platform at gigpool.app (“the Platform”), including our website, progressive web application (PWA), and related services. Gig Pool is an artist booking and rostering platform that connects performers, booking agents, and entertainment venues. We are committed to handling your personal information responsibly and in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we provide services to users in the United Kingdom or European Economic Area, we also comply with applicable data protection laws in those jurisdictions. We encourage you to read this policy carefully. By using the Platform, you acknowledge that you have read and understood this policy. If you do not agree with our practices, please do not use the Platform.

2. What personal information we collect

The types of personal information we collect depend on how you use the Platform and which role you hold (performer, venue booker, venue contact, or visitor).

Information you provide directly

Account registration: name, email address, password, and role selection (performer or venue booker).
Performer profile information: stage name, biography, profile photo, genre preferences, vibe/energy level selections, social media links, SoundCloud or Mixcloud profile URLs, availability schedule, and performance rates.
Business and tax information: Australian Business Number (ABN), tax identification numbers for other jurisdictions (such as VAT numbers, EIN, IRD numbers, NIF, or other local equivalents), entity type (sole trader, company, partnership, trust), GST or VAT registration status, and business name. For Australian artists, we verify ABN details through the Australian Business Register (ABR) API.
Venue information: venue name, address (including country, and state or province where applicable), room names and descriptions, venue brief, genre preferences, contact details, and default performance rates.
Invoicing information: invoice line items, amounts, tax calculations, payment terms, bank account details (if provided for payment instructions on invoices), and recipient details. Invoice PDFs are stored indefinitely.
Communication data: messages sent through in-app chat (per-booking message threads), file attachments shared in chat, and any correspondence you send to us directly.
Contact details: phone number (if provided for SMS notifications), email address, and postal address.
Notification preferences: push notification subscription data, SMS opt-in status, email notification preferences, and quiet hours settings.

Information we collect automatically

Device and browser information: IP address, browser type and version, operating system, device type, screen resolution, and language settings.
Usage information: pages visited, features used, timestamps of actions, booking and invoicing activity, and interaction patterns within the Platform.
Push notification data: when you subscribe to push notifications, we store the subscription endpoint URL and encryption keys required to send notifications to your device. We do not access the content of other notifications on your device.
Location information: we do not collect precise geolocation data. We may infer your approximate location from your IP address for the purpose of setting default language, currency, and jurisdiction settings.

Information from third parties

Calendar authentication: if you connect your Google Calendar account for real-time gig synchronisation, we receive an OAuth token that allows us to create and update calendar events on your behalf. We do not read your existing calendar events.
ABN verification: for Australian artists, we query the Australian Business Register (ABR) API to verify your ABN, which returns your registered business name, entity type, and GST registration status.
Payment processing: if you purchase a subscription or SMS credits, our payment processor (Stripe) collects your payment card details directly. We do not store your full card number. We receive from Stripe your subscription status, payment history, and the last four digits of your card for display purposes.

Sensitive information

We do not intentionally collect sensitive information as defined under the Privacy Act (such as health information, racial or ethnic origin, political opinions, or sexual orientation). If you include sensitive information in free-text fields (such as your DJ biography), you consent to us holding that information as part of your profile.

3. How we use your personal information

We use your personal information for the following purposes:

Providing the Platform: creating and managing your account, facilitating bookings between performers and venues, generating rosters and schedules, enabling in-app messaging, processing invoices, and synchronising gig schedules with your calendar.
Notifications and communications: sending booking confirmations, gig reminders, fill-in broadcast alerts, and other transactional notifications via push notification, email, and SMS. SMS notifications are sent only with your explicit opt-in consent.
Invoicing and tax compliance: generating invoices that comply with the tax requirements of the venue’s jurisdiction, calculating applicable taxes (GST, VAT, or other local taxes), and storing invoices as business records.
Identity verification: verifying your ABN or other tax identification numbers to ensure invoices contain accurate business information, and determining your tax registration status for correct invoice labelling.
Improving the Platform: analysing usage patterns to identify bugs, improve features, and understand how users interact with the Platform. We use Vercel Analytics for this purpose, which collects aggregated, non-personally-identifiable usage data.
Customer support: responding to your enquiries, resolving disputes, and providing technical assistance.
Legal and regulatory compliance: meeting our obligations under Australian law, including tax record-keeping requirements, responding to lawful requests from regulatory authorities, and protecting our legal rights.
Safety and security: detecting and preventing fraud, abuse, and security incidents, and enforcing our Terms of Service.

4. Legal basis for processing (UK and EEA users)

If you are located in the United Kingdom or European Economic Area, we process your personal information on the following legal bases under the UK GDPR or EU GDPR:

Performance of a contract: processing necessary to provide the Platform services you have signed up for, including account management, booking facilitation, invoice generation, and notifications related to your bookings.
Legitimate interests: processing necessary for our legitimate business interests, including improving the Platform, ensuring security, preventing fraud, and providing customer support. We balance these interests against your rights and freedoms.
Legal obligation: processing necessary to comply with legal obligations, including tax record-keeping, responding to lawful data requests, and meeting our obligations under the Privacy Act, GDPR, or other applicable laws.
Consent: where we rely on your consent (such as for SMS notifications or marketing communications), you may withdraw your consent at any time through your account settings or by contacting us.

5. How we share your personal information

We do not sell your personal information. We share your personal information only in the following circumstances:

Between platform users

Performer profiles: your stage name, biography, profile photo, genres, vibe selections, and availability are visible to venue bookers and booking agents who use the Platform. Your performance rates may be visible to bookers depending on the account owner’s visibility settings.
Venue information: venue name, address, room details, and venue briefs are visible to DJs in the booker’s DJ pool.
Booking details: when a booking is confirmed, the DJ and the venue booker can see each other’s relevant contact and booking information within the Platform.
Invoices: when you send an invoice through the Platform, the recipient (venue) receives the invoice containing your name, address, ABN or tax ID, and payment details as included by you.

With service providers

We use third-party service providers to operate the Platform. These providers process your information on our behalf and are contractually required to protect it:

• Supabase — database hosting, authentication, file storage, real-time messaging (Sydney, Australia)
• Vercel — web application hosting, edge network, serverless functions (Global CDN, primary: Sydney)
• Stripe — subscription billing, payment processing (United States)
• Resend — transactional email delivery (United States)
• Cellcast — SMS notifications, Australia (Melbourne, Australia)
• Twilio — SMS notifications, international (United States)
• Australian Business Register — ABN verification (Australia)

For legal reasons

We may disclose your personal information if required or permitted to do so by law, including in response to a court order, subpoena, or lawful request from a government authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business transfers

If Gig Pool is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your information.

6. Overseas disclosure

Some of our service providers are located outside Australia. By using the Platform, you acknowledge that your personal information may be transferred to, stored, and processed in countries outside Australia, including the United States (Stripe, Resend, Twilio) and other countries where Vercel operates edge servers. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles in relation to that information. This includes entering into contractual arrangements that require the recipient to handle your information in accordance with standards substantially similar to the APPs. For users in the United Kingdom or European Economic Area, transfers of personal data outside the UK or EEA are made in compliance with Chapter V of the UK GDPR or EU GDPR, using appropriate safeguards such as Standard Contractual Clauses.

7. Data retention

We retain your personal information for as long as your account is active and for a reasonable period afterwards, subject to the following:

Active accounts: your profile, booking history, and invoices are retained for the life of your account.
Deleted accounts: when you request account deletion, we anonymise your personal information (name, email, phone number, profile data) within 30 days. During this 30-day grace period, you may reactivate your account.
Financial records: invoices, payment records, and related tax information are retained for a minimum of 7 years after the relevant financial year, in accordance with ATO record-keeping requirements and the Corporations Act 2001 (Cth). These records are anonymised (personal identifiers removed) but the financial data is preserved.
Chat messages: message content is retained for the life of the associated booking. When a booking is deleted, associated messages are also deleted.
Push notification subscriptions: subscription records are deleted when you unsubscribe, uninstall the PWA, or when the subscription endpoint expires.
SMS and notification logs: delivery logs are retained for 12 months for troubleshooting and then deleted.

8. Data security

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

Encryption in transit: all data transmitted between your device and the Platform is encrypted using TLS 1.2 or higher (HTTPS).
Encryption at rest: database contents are encrypted at rest using AES-256 encryption provided by Supabase’s infrastructure.
Access controls: Row Level Security (RLS) policies are enforced at the database level, ensuring users can only access data they are authorised to view. Administrative access is restricted to authorised personnel.
Authentication: user authentication is managed through Supabase Auth with secure session handling. Passwords are hashed using bcrypt.
Infrastructure security: the Platform is hosted on Vercel (SOC 2 Type II certified) and Supabase (SOC 2 Type II certified), both of which maintain comprehensive security programs.
Payment security: payment card data is handled exclusively by Stripe (PCI DSS Level 1 certified). We do not store, process, or transmit full card numbers on our servers.

While we take reasonable precautions, no method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security of your information.

9. Cookies and tracking

The Platform uses only functional cookies that are necessary for the Platform to operate correctly (such as session authentication cookies). We do not use advertising cookies, tracking pixels, or third-party marketing cookies.

Vercel Analytics: we use Vercel Analytics to understand how the Platform is used in aggregate. Vercel Analytics is privacy-focused and does not use cookies. It collects anonymised usage data such as page views, visit duration, and device type. No personally identifiable information is collected by Vercel Analytics.
Referral tracking: if you arrive at the Platform via a referral link (containing a ?ref= parameter), we store the referral code in a first-party cookie for 60 days to attribute the referral. This cookie contains only the referral code, not any personal information.

You can manage cookies through your browser settings. Disabling functional cookies may affect the Platform’s operation.

10. Your rights

Under Australian Privacy Law

If you are an Australian resident, you have the following rights under the Privacy Act:

Access: you may request access to the personal information we hold about you. We will respond to your request within 30 days.
Correction: you may request that we correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. You can update most information directly through your account settings.
Complaint: you may complain about how we have handled your personal information. We will investigate your complaint and respond within 30 days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

Under UK and EU Data Protection Law

If you are in the United Kingdom or European Economic Area, you have additional rights under the UK GDPR or EU GDPR:

Right to erasure: you may request that we delete your personal information, subject to our legal obligations to retain certain records (such as financial records for tax compliance).
Right to restriction: you may request that we restrict the processing of your personal information in certain circumstances.
Right to data portability: you may request a copy of your personal information in a structured, commonly used, machine-readable format.
Right to object: you may object to the processing of your personal information where we rely on legitimate interests as the legal basis.
Right to withdraw consent: where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint: you may lodge a complaint with the Information Commissioner’s Office (ICO) in the UK (ico.org.uk) or the relevant supervisory authority in your EEA country of residence.

To exercise any of these rights, contact us using the details in the Contact section below.

11. Automated decision-making

Gig Pool does not currently use automated decision-making or profiling that produces legal effects or similarly significant effects on users. If we introduce automated decision-making features in the future (such as algorithmic DJ matching or AI-generated recommendations), we will update this policy to describe those processes and provide you with the right to request human review of any automated decision.

12. Children’s privacy

The Platform is not directed at children under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us.

13. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you by posting the updated policy on the Platform with a revised “Last updated” date, and where appropriate, by email or in-app notification. We encourage you to review this policy periodically. Your continued use of the Platform after changes are posted constitutes your acceptance of the revised policy.

14. How to contact us

If you have any questions, concerns, or requests regarding this privacy policy or how we handle your personal information, please contact us:

Gig Pool Pty Ltd
Email: support@gigpool.app

For privacy complaints: if you believe we have breached the Australian Privacy Principles, please contact us first. We will investigate your complaint and respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with:

Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au

For users in the United Kingdom:

Information Commissioner’s Office (ICO)
Website: ico.org.uk
Phone: +44 303 123 1113

Gig Pool is operated by Gig Pool Pty Ltd, Brisbane, Australia.
