Privacy Policy

GigScenes is operated by GigScenes Ltd, a UK company. We collect the minimum personal data needed to run the platform, store it on UK and EU infrastructure, never sell it to third parties, and give you full UK GDPR rights to access, correct, and delete it at any time.

This page explains what we collect, why, and how we handle it. The detailed exercise of your rights is on the GDPR page.

GigScenes processes personal data in accordance with the UK GDPR and the Data Protection Act 2018. Where applicable, we also consider EU GDPR requirements for visitors or members based in the European Economic Area.

Account data: email address, display name, password (hashed), and the role you registered as (Fan, Band, Venue, Promoter, Service).

Profile data (optional): bio, location, photos, social and streaming links — whatever you choose to add to your public profile.

Activity data: which gigs you save, follow, or click through to. Used for personalised recommendations and watchlist alerts.

Technical data: browser type, IP address (truncated), and device info. Used for security, debugging, and aggregated usage stats.

Payment data: handled entirely by Stripe. We never see or store full card numbers — only a Stripe customer token.

Contract: account, profile, and activity data are processed under the contract of providing you the GigScenes service.

Consent: marketing emails (newsletter, gig alerts) and personalised recommendations require explicit consent given at registration. You can withdraw consent at any time from your account settings.

Legitimate interest: technical and security data is processed to keep the platform running and protect against fraud.

Legal obligation: where required for tax, fraud prevention, or law-enforcement requests.

Cloudflare — hosting (UK and EU edges), database (D1), and file storage (R2).

Stripe — payment processing. Stripe receives payment-method data directly; we never see card numbers.

Postmark — transactional and marketing email delivery.

OpenRouter / Anthropic — AI-assisted gig import (only public event-page URLs you submit, never your account data).

We never sell, rent, or trade your personal data to advertisers or other third parties.

Active accounts: indefinitely, while you have an account.

Closed accounts: personal data is deleted within 30 days of account closure. Anonymised analytics (no identifying info) may be retained for product improvement.

Inactive accounts: we'll email you after 24 months of inactivity. If we don't hear back within 60 days, the account is closed and data deleted.

Payment records: retained for 7 years to meet UK tax and accounting obligations.

All traffic is HTTPS-only. Passwords are hashed with bcrypt — we never store them in plaintext and our team cannot see them.

Database access is restricted to a small ops team and logged. Backups are encrypted at rest.

We use Cloudflare's built-in DDoS protection and rate limiting. Suspicious activity triggers automatic account lockouts.

Under UK GDPR, you have the right to access, correct, delete, restrict, and port your personal data, and to object to processing.

You can exercise most rights from your account settings. For full data exports or deletion requests, see the GDPR page.

If you're unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) — see the GDPR page for contact details.

Essential cookies: required to keep you logged in. No way to opt out without losing access.

Analytics cookies: aggregated usage stats only, no third-party advertising trackers. Set by Cloudflare Web Analytics, which is privacy-respecting and does not use third-party cookies.

We do not use marketing or advertising cookies.

GigScenes is not for under-16s. UK GDPR sets the digital age of consent at 16. We do not knowingly collect data from anyone under that age.

If you believe a child has registered, contact privacy@gigscenes.co.uk and we'll delete the account immediately.

We'll notify you by email and via a notice on the platform if we make material changes — at least 14 days before they take effect.

Questions about your data, this policy, or to exercise any of your rights — email privacy@gigscenes.co.uk or use our Contact page.