Privacy Policy

Gig Pool Pty Ltd · Last updated: 26 May 2026

1. About this policy

This privacy policy explains how Gig Pool Pty Ltd (“Gig Pool”, “we”, “us”, “our”) collects, uses, stores, discloses, and protects your personal information when you use the Gig Pool platform at gigpool.app (“the Platform”), including our website, progressive web application (PWA), email notifications, and related services. Gig Pool is an artist booking and rostering platform that connects performers, booking agents, and entertainment venues. We are committed to handling your personal information responsibly and in accordance with the Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Where we provide services to users in the United Kingdom or European Economic Area, we also comply with the UK GDPR and EU GDPR respectively. Our primary database, file storage, and authentication infrastructure are hosted in the Sydney region of Australia. Some supporting services are located overseas; section 6 sets out the full picture. We encourage you to read this policy carefully. By using the Platform, you acknowledge that you have read and understood this policy. If you do not agree with our practices, please do not use the Platform.

2. What personal information we collect

The types of personal information we collect depend on how you use the Platform and which role you hold (performer, account owner, venue booker, venue viewer, support agent, or visitor).

Information you provide directly

• Account registration: name, email address, password, role selection (performer or venue booker), and country of operation.
• Performer profile information: stage name, biography, profile photo, genre preferences, vibe/energy level selections, social media and audio platform links, availability schedule, and performance rates.
• Business and tax information: Australian Business Number (ABN), tax identification numbers for other jurisdictions (such as VAT numbers, EIN, IRD numbers, NIF, or other local equivalents), entity type (sole trader, company, partnership, trust), GST or VAT registration status, and business name. For Australian artists, we verify ABN details through the Australian Business Register (ABR) API.
• Venue information: venue name, address (including country, and state or province where applicable), room names and descriptions, venue brief, genre preferences, contact details, and default performance rates.
• Invoicing information: invoice line items, amounts, tax calculations, payment terms, bank account details (if provided for payment instructions on invoices), and recipient details.
• Communication data: messages sent through in-app chat (per-booking message threads and support conversations), file attachments shared in chat, support tickets, and any correspondence you send to us directly.
• Guest artist details: if you are a venue booker, the name and email address of a guest artist you book who does not have a Gig Pool account. We hold these so the venue can communicate with that artist about the booking, and we email the artist on the venue’s behalf. If you are that guest artist, you can unsubscribe from those emails at any time using the link in each one, and your details are linked to your own account if you later sign up with the same email address.
• Contact details: phone number (if provided for SMS notifications), email address, and postal address.
• Notification preferences: push notification subscription data, SMS opt-in status, email category preferences, and quiet hours settings.

Information we collect automatically

• Device and browser information: IP address, browser type and version, operating system, device type, screen resolution, and language settings.
• Usage information: pages visited, features used, timestamps of actions, booking and invoicing activity, and a small set of typed product events (for example: signup completed, first invoice sent) recorded in our “product_events” log to help us understand activation and engagement at an aggregate level.
• Authentication and security data: hashed password (bcrypt), two-factor authentication state, short-lived email verification codes (10-minute TTL, SHA-256 hashed and stored in “email_mfa_codes”), TOTP secret and single-use recovery codes (where you have enabled authenticator-app 2FA), and a signed “trusted device” cookie (HMAC-SHA256, 1-year TTL) that lets your device skip 2FA on future logins. Login timestamps, last-login-at, and account-status history are retained as part of our security and lifecycle audit trail.
• Push notification data: when you subscribe to push notifications, we store the subscription endpoint URL and encryption keys required to send notifications to your device. We do not access the content of other notifications on your device.
• Location information: we do not collect precise geolocation data. We may infer your approximate country from your IP address for the purpose of setting default language, currency, and tax-jurisdiction settings.

Information from third parties

• Calendar authentication: if you connect your Google Calendar account for real-time gig synchronisation, we receive an OAuth token that allows us to create and update calendar events on your behalf. We do not read your existing calendar events.
• ABN verification: for Australian artists, we query the Australian Business Register (ABR) API to verify your ABN, which returns your registered business name, entity type, and GST registration status.
• Payment processing: if you purchase a subscription or SMS credits, our payment processor (Stripe) collects your payment card details directly. We do not store, process, or transmit full card numbers. We receive from Stripe your subscription status, payment history, last four digits and brand of your card for display purposes, and event-mirror records of refunds, disputes, and payment-method updates which we store to keep our billing state consistent with Stripe.

Sensitive information

We do not intentionally collect sensitive information as defined under section 6 of the Privacy Act (such as health information, racial or ethnic origin, political opinions, religious or philosophical beliefs, or sexual orientation). If you include sensitive information in free-text fields (such as your artist biography), you consent to us holding that information as part of your profile, and you may remove it at any time by editing your profile.

3. How we use your personal information

We use your personal information for the following purposes:

• Providing the Platform: creating and managing your account, facilitating bookings between performers and venues, generating rosters and schedules, enabling in-app messaging and support, processing invoices, and synchronising gig schedules with your calendar.
• Account communications: sending booking confirmations, gig reminders, fill-in broadcast alerts, invoice receipts, payment reminders, and lifecycle notices (such as trial-ending, payment-failed, inactivity, and account-deletion notices) via email, push notification, and (where you have opted in) SMS. Section 10 sets out which categories you can opt out of.
• Authentication and account security: verifying logins, sending one-time codes for two-factor authentication, recognising trusted devices, detecting and preventing fraud, abuse, and unauthorised access, and enforcing our Terms of Service.
• Invoicing and tax compliance: generating invoices that comply with the tax requirements of the venue’s jurisdiction, calculating applicable taxes (GST, VAT, or other local taxes), and storing invoices as business records.
• Identity verification: verifying ABN or other tax identification numbers to ensure invoices contain accurate business information, and determining your tax-registration status for correct invoice labelling.
• Improving the Platform: analysing usage patterns and a small set of typed product events to identify bugs, improve features, and understand how users interact with the Platform. We use Vercel Analytics for aggregate web traffic data; this is privacy-focused and cookieless.
• Customer support: responding to your enquiries, resolving disputes, and providing technical assistance. Support agents may see your name and conversation history when handling your ticket.
• Legal and regulatory compliance: meeting our obligations under Australian law, including tax record-keeping requirements, responding to lawful requests from regulatory authorities, and protecting our legal rights.

4. Legal basis for processing (UK and EEA users)

If you are located in the United Kingdom or European Economic Area, we process your personal information on the following legal bases under the UK GDPR or EU GDPR:

• Performance of a contract (Article 6(1)(b)): processing necessary to provide the Platform services you have signed up for, including account management, booking facilitation, invoice generation, and notifications related to your bookings.
• Legitimate interests (Article 6(1)(f)): processing necessary for our legitimate business interests, including improving the Platform, ensuring security, preventing fraud, providing customer support, and giving you reasonable notice before any account is deleted for inactivity. We balance these interests against your rights and freedoms.
• Legal obligation (Article 6(1)(c)): processing necessary to comply with legal obligations, including tax record-keeping, responding to lawful data requests, and meeting our obligations under the Privacy Act, GDPR, or other applicable laws.
• Consent (Article 6(1)(a)): where we rely on your consent (such as for SMS notifications, marketing communications, or product-update emails to dormant accounts), you may withdraw your consent at any time through your account settings or by contacting us.

5. How we share your personal information

We do not sell your personal information. We share it only in the circumstances below.

Between platform users

• Performer profiles: your stage name, biography, profile photo, genres, vibe selections, and availability are visible to venue bookers and booking agents who use the Platform. Your performance rates may be visible to bookers depending on the account owner’s visibility settings.
• Contact details (email and phone): shown to venue bookers and on your public profile only when you have enabled the corresponding visibility toggle in your profile settings. If a venue also applies an account-level hide, that always wins. Bookers can still reach you in-app through Gig Pool chat regardless of these toggles. Public-profile email addresses are obfuscated and gated by click-to-reveal to protect against scraping.
• Venue information: venue name, address, room details, and venue briefs are visible to artists in the booker’s artist pool.
• Booking details: when a booking is confirmed, the artist and the venue booker can see each other’s relevant contact and booking information within the Platform.
• Guest artists reached by email: when a venue books an artist who does not have a Gig Pool account, we send that artist transactional emails on the venue’s behalf about the booking (for example, the gig brief or a set-time change), with the sender clearly identified and a working unsubscribe link in every email. We do this only for an artist the venue has actually booked, never an arbitrary address.
• Invoices: when you send an invoice through the Platform, the recipient (venue) receives the invoice containing your name, address, ABN or tax ID, and payment details as included by you.

With service providers

We use third-party service providers to operate the Platform. They process information on our behalf under contractual obligations to protect it:

• Supabase: database hosting, authentication, file storage (chat attachments), real-time messaging (Sydney, Australia)
• Vercel: web application hosting, edge network, serverless functions (primary region: Sydney; static assets served from Vercel’s global edge network)
• Cloudflare R2: public CDN mirror of profile avatars only (United States by default; we do not store any other personal information in R2)
• Stripe: subscription billing, payment processing (United States)
• Resend: transactional email delivery (United States)
• Cellcast: SMS notifications, Australian numbers (Australia)
• Twilio: SMS notifications, international numbers (United States)
• Australian Business Register: ABN verification (Australia)
• Google: Calendar OAuth integration, only if you opt in (United States)

For legal reasons

We may disclose your personal information if required or permitted to do so by law, including in response to a court order, subpoena, or lawful request from a government authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business transfers

If Gig Pool is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your information.

6. Overseas disclosure

Some of our service providers are located outside Australia. By using the Platform, you acknowledge that your personal information may be transferred to, stored, and processed in:

• The United States: Stripe (billing data), Resend (email metadata and content), Twilio (international SMS), Cloudflare R2 (avatar images only), and Google (Calendar OAuth, only if you connect it).
• Other countries: Vercel’s edge network may serve cached static content from regional points of presence outside Australia. No personal information is stored at the edge; it is only transited.

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles in relation to that information, in accordance with APP 8. This includes entering into contractual arrangements (typically each provider’s Data Processing Addendum) that require the recipient to handle your information in accordance with standards substantially similar to the APPs.

For users in the United Kingdom or European Economic Area, transfers of personal data outside the UK or EEA are made in compliance with Chapter V of the UK GDPR or EU GDPR, using appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable.

7. Account retention and deletion

We retain your data while your account is useful to you, and we delete it within a reasonable period after sustained inactivity, in line with APP 11.2 (destruction or de-identification of unneeded personal information).

Active accounts. Your profile, booking history, invoices, and other personal data are retained for the life of your account.

Read-only access on subscription expiry. If your trial, beta, or paid subscription ends without renewal, your account moves to read-only mode. You can still log in, view your historical data, and export it (CSVs and invoice PDFs). To create new records or use paid features, you need to re-subscribe. Your data is preserved subject to the inactivity rule below. For performers: only Pro features (invoicing, earnings, tax reports) lock when a Pro subscription ends. Core features (availability, profile, gig responses, discovery) remain free and active. For venues: all venue editing features lock when a venue subscription ends, but your roster history and invoices remain readable and exportable.

Inactivity-based deletion. We retain your account data for up to 12 months after your last login. If you have not logged in within 12 months, we will email you a 30-day notice. The notice includes a one-click “preserve my account” button (a single-use signed link that extends your account by 6 months without requiring login, up to twice per cycle). We send reminders at 14 days and 3 days before deletion. If you log in, click the preserve link, or subscribe at any point, your account returns to active and the inactivity clock resets. If you take no action within the 30-day window, your personal data, including your profile, venues, bookings, invoices, chat messages, and notification subscriptions, will be deleted. Aggregate, non-identifying analytics may be retained for product improvement purposes (consistent with APP 11.2, which permits retention of de-identified data).

Financial records: your obligation. You are responsible for retaining your own financial records (invoices you generate, earnings reports, tax statements) under Australian taxation law. Typical retention periods are 5 years for tax records under the Income Tax Assessment Act 1997 and Taxation Administration Act 1953, and up to 7 years for some corporate records under the Corporations Act 2001 (Cth), depending on your circumstances. We recommend consulting a registered tax agent. To help you meet that obligation, the Platform generates downloadable PDFs for every invoice you create and CCs a copy of every invoice email to your registered email address, so a record automatically lives in your own inbox. You should download or archive what you need before deleting your account or letting it lapse.

Financial records: our obligation. Separately, we retain our own business records (the subscription invoices we issue to you, our payment processor logs, and our own GST and revenue records) for as long as Australian law requires us to do so, typically up to 7 years under the Corporations Act 2001 (Cth) and the relevant tax legislation. These are our records for our compliance, not yours, and they may remain after your account is deleted only as required by law.

User-initiated deletion. You can request immediate deletion of your account at any time from your account settings (Danger Zone). Owner accounts trigger a 30-day grace period during which the deletion can be cancelled; this is to give you a recovery window for accidental deletions. Before you confirm deletion, download any of your own financial records you need to keep, because once your account is removed the data is gone from our active systems. Our own business records are retained per the rule above.

Audit logs. A minimal audit trail of account-status transitions (when an account became dormant, when notices were sent, when a deletion completed) is retained indefinitely with only the historical user UUID, for compliance and dispute-resolution purposes. It does not contain re-identifiable personal data after hard deletion.

Other retention specifics

• Chat messages: retained for the life of the associated booking. When a booking is deleted, associated messages are also deleted.
• Push notification subscriptions: deleted when you unsubscribe, uninstall the PWA, or when the subscription endpoint expires.
• SMS, email, and notification delivery logs: retained for up to 90 days for troubleshooting and deliverability monitoring, then deleted.
• Email 2FA codes: deleted automatically 10 minutes after issue (whether used or not).
• TOTP recovery codes: deleted when used (single-use) or when you disable TOTP 2FA.
• Trusted-device cookies: 1-year TTL; cleared when you sign out of all sessions or clear cookies.
• Signed snooze and unsubscribe tokens: cleared 90 days after use; tokens are time-bounded and single-use.

8. Data security

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure (APP 11.1). Our security measures include:

• Encryption in transit: all data transmitted between your device and the Platform is encrypted using TLS 1.2 or higher (HTTPS).
• Encryption at rest: database contents are encrypted at rest using AES-256 encryption provided by Supabase’s infrastructure. Avatar images stored in Cloudflare R2 are encrypted at rest by Cloudflare.
• Access controls: Row Level Security (RLS) policies are enforced at the database level, ensuring users can only access data they are authorised to view. Administrative access is restricted to a small number of authorised personnel and is audit-logged.
• Authentication: user authentication is managed through Supabase Auth with secure session handling. Passwords are hashed using bcrypt. Two-factor authentication (email codes or TOTP) is available for all users and required for administrators and support agents.
• Token security: HMAC-SHA256 with timing-safe comparison is used for all signed tokens (booking confirmations, fill-in actions, deletion-notice snooze, magic-link logins, trusted-device cookies).
• Infrastructure security: the Platform is hosted on Vercel (SOC 2 Type II) and Supabase (SOC 2 Type II), both of which maintain comprehensive security programs. Cloudflare R2 (used for avatars only) is also SOC 2 Type II.
• Payment security: payment card data is handled exclusively by Stripe (PCI DSS Level 1 certified). We do not store, process, or transmit full card numbers on our servers; we only ever see the last four digits and the brand for display purposes.

While we take reasonable precautions, no method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security of your information.

9. Cookies and tracking

The Platform uses only first-party cookies that are necessary for it to operate or to remember your preferences. We do not use advertising cookies, third-party tracking pixels, or marketing cookies.

• Authentication session cookies (sb-access-token, sb-refresh-token, and related Supabase auth cookies): used to keep you signed in. Required for any logged-in functionality.
• Trusted-device cookie (gp_trusted_device): an HMAC-signed cookie set after you complete two-factor authentication, valid for up to 1 year. It lets your device skip 2FA on subsequent logins on the same browser. You can clear it by signing out of all sessions or clearing cookies.
• Theme preference cookie: stores your light/dark mode preference.
• Referral attribution cookie (gp_ref): if you arrive at the Platform via a referral link (containing a ?ref= parameter), we store the referral code in a first-party cookie for 60 days to attribute the referral. The cookie contains only the referral code, not any personal information.
• Vercel Analytics: we use Vercel Analytics for aggregate website usage data. Vercel Analytics is privacy-focused, cookieless, and does not personally identify visitors. It collects anonymised usage data such as page views, visit duration, and device type.

You can manage cookies through your browser settings. Disabling functional cookies will affect the Platform’s operation. For example, you will not be able to stay signed in.

10. Account-related emails

Gig Pool sends emails to keep you informed about your account, your bookings, and the status of your subscription. This section explains what we send, how we categorise it, and what you can opt out of.

Categories of email

• Critical (always on, cannot be disabled): booking confirmations, invoice receipts, payment reminders for outstanding invoices to bookers, fill-in responses you receive, and account-deletion notices (see below).
• Actionable (can be disabled in settings): gig offers, fill-in broadcasts, pool invitations, chat-message notifications, venue broadcasts, opportunity applications, and lifecycle emails (trial/beta countdowns, payment-failed warnings, inactivity nudges, snooze confirmations).
• Informational (can be disabled in settings): pool-invite reminders, team invitations, and product-update emails to dormant accounts.

You can update your preferences at any time in your account settings, or by clicking the unsubscribe link at the bottom of any non-critical email.

Identification and unsubscribe (Spam Act 2003 (Cth) compliance)

Every commercial or transactional email we send identifies the sender (Gig Pool Pty Ltd, Brisbane, Australia) and includes a functional unsubscribe link where Schedule 1 of the Spam Act requires it. Unsubscribe requests are honoured within 5 business days, in practice immediately via the signed-token unsubscribe handler.

Account-deletion notice exception

The 30-day, 14-day, and 3-day account-deletion notices, plus the deletion-confirmation email, are classified as critical and cannot be opted out of. This is because we have an obligation under APP 11.2 to give you a reasonable opportunity to log in, export your data, or subscribe before any account is deleted. Sending you no warning before deleting your data would, in our view, be a worse privacy outcome than sending a small number of notices to a previously-unsubscribed user. These notices are sent only when an account is genuinely scheduled for deletion under section 7 above; they stop the moment you log in, click the preserve link, or subscribe.

11. Your rights

Under Australian Privacy Law

If you are an Australian resident, you have the following rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles:

• Access (APP 12): you may request access to the personal information we hold about you. We will respond within 30 days. Most data is also accessible directly through your account settings, including in-app export of invoices and bookings.
• Correction (APP 13): you may request that we correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. You can update most information directly through your account settings. If your subscription is in read-only mode, you can still update core profile information; editing of paid-feature data (such as invoice content) requires re-subscribing or contacting support.
• Complaint: you may complain about how we have handled your personal information. We will investigate and respond within 30 days. If you are not satisfied, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
• Anonymity and pseudonymity (APP 2): we offer the use of a stage name as your public identity, so you can transact under a name that is not your legal name. Some functions (such as ABN-verified invoicing) require your legal name as the law requires it on tax documents.

Under UK and EU Data Protection Law

If you are in the United Kingdom or European Economic Area, you have additional rights under the UK GDPR or EU GDPR:

• Right to erasure (Article 17): you may request that we delete your personal information, subject to our legal obligations to retain a minimal set of our own business records (the subscription invoices we issue to you, payment processor logs, and our own tax and corporate records) for tax and corporate-law compliance.
• Right to restriction (Article 18): you may request that we restrict the processing of your personal information in certain circumstances.
• Right to data portability (Article 20): you may request a copy of your personal information in a structured, commonly used, machine-readable format. In practice the in-app export tools cover most of this; contact us if you need a fuller export.
• Right to object (Article 21): you may object to the processing of your personal information where we rely on legitimate interests as the legal basis.
• Right to withdraw consent: where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint: you may lodge a complaint with the Information Commissioner’s Office (ICO) in the UK (ico.org.uk) or the relevant supervisory authority in your EEA country of residence.

To exercise any of these rights, contact us using the details in section 16 below.

12. Automated decision-making

Gig Pool does not use automated decision-making or profiling that produces legal effects or similarly significant effects on users. We do not use algorithmic matching, recommendation engines, or AI ranking to decide which artists are offered to which venues. Booking decisions are made by humans using the tools we provide. Aggregate analytics (Vercel Analytics, our internal product-events log) operate at a non-individual level and are used for product improvement, not for any decision affecting an individual user. If we introduce automated decision-making in the future, we will update this policy to describe the process and your rights, including the right to request human review under Article 22 of the GDPR for UK and EEA users.

13. Children’s privacy

The Platform is not directed at children under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us.

14. International users

Gig Pool is operated from Australia. If you access the Platform from outside Australia, you do so on your own initiative and are responsible for compliance with local laws. We aim to provide a consistent privacy standard for users in the United Kingdom and European Economic Area by complying with the UK GDPR and EU GDPR in addition to the Australian Privacy Principles. Where local law in your country provides stronger rights, we will honour those rights to the extent practical.

15. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, in particular changes to how we retain or delete your data, or to who we share it with, we will notify you by email and in-app at least 30 days before the changes take effect. Other changes will be announced by posting the updated policy on the Platform with a revised “Last updated” date. We encourage you to review this policy periodically. Your continued use of the Platform after changes are posted constitutes your acceptance of the revised policy, except where applicable law requires a fresh opt-in.

16. How to contact us

If you have any questions, concerns, or requests regarding this privacy policy or how we handle your personal information, please contact us:

Gig Pool Pty Ltd
Brisbane, Australia
Email: support@gigpool.app

For privacy complaints: if you believe we have breached the Australian Privacy Principles, please contact us first. We will investigate your complaint and respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with:

Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au

For users in the United Kingdom:

Information Commissioner’s Office (ICO)
Website: ico.org.uk
Phone: +44 303 123 1113

For users in the EEA, you may lodge a complaint with the data protection supervisory authority of your country of residence.

Gig Pool is operated by Gig Pool Pty Ltd, Brisbane, Australia.