Privacy Policy

This privacy policy explains how we collect, use, store, and protect your personal data when you use Concerts. It complies with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Last updated: 14 March 2025.

1. Controller Identity and Contact

The controller responsible for data processing is Juuronina GbR (Sebastian Engel, Janina Michl). For contact details, including our data protection contact, see our Imprint. For data subject requests, you may contact us at privacy@concertivity.app.

We are currently not obliged to appoint a data protection officer under the GDPR; therefore, no data protection officer has been designated. If this changes, we will update this privacy policy with the relevant contact details.

2. Purposes and Legal Basis of Processing

We process your personal data for the following purposes and legal bases (Art. 6 GDPR):

  • Account creation and login: To provide the service, we process your email, name, password (hashed), and optional username. Legal basis: Contract performance (Art. 6(1)(b) GDPR).
  • Authentication via GitHub: If you sign in with GitHub, we receive your GitHub profile data (e.g. name, email, profile picture) from GitHub. Legal basis: Contract performance (Art. 6(1)(b) GDPR) and your consent when you authorise GitHub.
  • Email verification and password reset: We send verification and password reset emails via our email provider. Legal basis: Contract performance (Art. 6(1)(b) GDPR).
  • Concert and profile data: Your concert attendance, band preferences, profile settings (including public profile option), currency, and visibility settings are processed to provide the service. Legal basis: Contract performance (Art. 6(1)(b) GDPR).
  • Session cookies: Session cookies are used to keep you logged in. Legal basis: Legitimate interest in secure and reliable authentication (Art. 6(1)(f) GDPR).
  • Admin functions and audit logs: For administrative and security purposes, we may log actions (e.g. band edits, user bans) to ensure security, abuse prevention, and accountability. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).
  • Product feedback: When you use the in-app feedback form, we process the text you enter, the feedback type you select (bug report, feature request, or general), the page path you were on (if provided by the app), and the browser user-agent string to understand and improve the service. If you are logged in, we also store your account identifier with the submission. Legal basis: Legitimate interest in improving the service (Art. 6(1)(f) GDPR) and, where you are logged in, contract performance (Art. 6(1)(b) GDPR).
  • Admin triage and escalation: Authorized admins may process feedback internally (status, priority, notes, ownership) and may, when necessary to resolve product issues, create a linked GitHub issue from selected feedback. We aim to minimize exported data and avoid unnecessary personal identifiers. Legal basis: Legitimate interest in secure service operation and product improvement (Art. 6(1)(f) GDPR).
  • Technical logs and security monitoring: Our hosting and infrastructure providers temporarily process IP addresses, timestamps, User-Agent information, requested URLs, and error logs to detect misuse, defend against attacks, and ensure the stability of the service. Legal basis: Legitimate interest in security, fraud prevention, and service reliability (Art. 6(1)(f) GDPR).
  • Error and performance monitoring: We use a third-party service (Sentry) to detect, diagnose and fix errors, and to monitor application performance. When you are logged in and have not opted out, an internal user identifier (no email or name) may be included in error reports so we can associate issues with accounts and fix them faster. You can turn off inclusion of your identifier in error reports at any time in Settings. Legal basis: Legitimate interest in service stability and quality (Art. 6(1)(f) GDPR).

3. Recipients and Processors

Your data may be processed by or shared with the following categories of processors. All processors act on our instructions under data processing agreements (DPAs) in accordance with Art. 28 GDPR.

  • Hosting: Vercel Inc. (USA) – application hosting. Data transfer is governed by the EU-US Data Privacy Framework or Standard Contractual Clauses.
  • Database: PostgreSQL database (e.g. Prisma Postgres / Vercel Postgres, or your configured provider). Data may be stored in the EU or USA depending on configuration.
  • Email: Resend Inc. – transactional emails (verification, password reset). Resend processes data in the USA; transfers are governed by Standard Contractual Clauses or equivalent safeguards.
  • GitHub: For OAuth sign-in, GitHub (GitHub Inc.) processes your profile data. Their privacy policy applies: GitHub Privacy Statement
  • Error and performance monitoring: Sentry (Sentry Inc. / Functional Software Inc.) – we send error reports and performance data to Sentry. When you are logged in and have not opted out in Settings, an internal user ID (no email) is included so we can correlate errors with accounts. Data may be processed in the USA; transfers are governed by Standard Contractual Clauses or the EU-US Data Privacy Framework. We have a data processing agreement with Sentry in accordance with Art. 28 GDPR.
  • Optional services (only if enabled in your deployment):
    • Last.fm: Band metadata enrichment (no personal user data sent; only band identifiers).
    • Photon (OpenStreetMap): Venue search and reverse geocoding (only venue/city-related data). Approximate geographic coordinates derived from your IP address may be used to bias venue search results toward your location. This data is not stored.
    • Map tiles: Map tiles may be loaded from third parties (e.g. OpenFreeMap); typically no personal data is sent.

4. Transfers to Third Countries

Some processors (e.g. Vercel, Resend, GitHub, Sentry) may process data in the USA or other non‑EEA countries. We ensure appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, or the EU-US Data Privacy Framework where applicable, in addition to the data processing agreements mentioned above.

5. Retention Periods

  • Sessions: Session data is retained for the duration of your session; session cookies expire after 7 days of inactivity.
  • Account data: Retained until you delete your account. After account deletion, data is removed within 30 days, subject to legal retention requirements.
  • Concert and band data: Retained as long as associated with your account or until deletion.
  • Admin audit logs: Retained as needed for security and legal compliance, typically for 12 months and no longer than 24 months where necessary for the establishment, exercise, or defence of legal claims or for the investigation of security incidents.
  • Technical logs and IP data: Log files (such as IP address, timestamps, request URLs, and User-Agent information) are generally retained for 7–30 days, unless a longer retention period is required in the context of specific security incidents or legal obligations.
  • Product feedback submissions: Stored until they are no longer needed for handling your request and improving the service, typically for up to 24 months, unless a shorter or longer period is required for legal claims or compliance.

6. Your Rights (Art. 15–22 GDPR)

You have the following data subject rights:

  • Right of access (Art. 15): Obtain confirmation as to whether we process your data and a copy of your data.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data under certain conditions (e.g. withdrawal of consent, unlawful processing).
  • Right to restriction (Art. 18): Request restriction of processing in specific situations.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format and, where technically feasible, have it transmitted to another controller.
  • Right to object (Art. 21): Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Withdrawal of consent (Art. 7(3)): If processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority in your country. For Germany: the competent Landesdatenschutzbehörde or the Federal Commissioner for Data Protection (BfDI), www.bfdi.bund.de.

To exercise these rights, contact us at privacy@concertivity.app or via the address in our Imprint.

7. Statutory or Contractual Requirement

The provision of personal data for account creation and use of the service is necessary to perform the contract. Without it, we cannot provide the service. There is no obligation to provide data for optional features (e.g. public profile, username).

8. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.

9. Cookies and usage analytics

We use strictly necessary cookies for authentication (session cookies). These are required for the service to function. Session cookies typically expire after 7 days of inactivity. Strictly necessary cookies such as session cookies do not require consent under § 25(2) TTDSG where they are essential to provide a service explicitly requested by you.

For aggregated usage measurement (for example which pages are viewed and how users navigate the app), we use PostHog (PostHog Inc.), hosted in the European Union (EU Cloud). PostHog receives pseudonymous identifiers (for example a random distinct id stored in localStorage on your device), technical metadata related to your visit (such as browser type and coarse network information as processed by PostHog), and page URLs. If you are signed in, we link events to your internal user identifier only — we do not send your email address or name to PostHog for this purpose. We configure PostHog without DOM autocapture of clicks or form fields. If you explicitly consent and session replay is enabled in our deployment configuration, we may also process session replay data (for example, page transitions, interaction timeline, and technical rendering state) to diagnose usability and reliability issues.

PostHog acts as a processor on our instructions. Their privacy information and data processing agreement are available at posthog.com/privacy and posthog.com/dpa. Analytics is only active when we enable it in our deployment configuration and when you have granted consent. You can withdraw consent at any time in Settings.

Legal basis: Consent (Art. 6(1)(a) GDPR and, where applicable, § 25 TTDSG for storage/access on your end device). We do not activate PostHog analytics or session replay before your consent. You may withdraw consent at any time for future processing, without affecting processing performed before withdrawal.

The use of storage and similar technologies is carried out in accordance with the GDPR and the German Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG).

10. Changes to This Privacy Policy

We may update this privacy policy from time to time. Material changes will be communicated via the website or by email where appropriate. Continued use of the service after changes constitutes acceptance of the updated policy.
