Privacy Policy
We collect only what we need to run the platform. We do not sell your data, we do not currently run advertising, we do not use third-party analytics, and you can delete your account and all associated data at any time. This policy explains exactly what we collect, why, on what legal basis, and what you can do about it.
1. Introduction
Welcome to Band in Tour. Whether you are a band, a venue, a promoter or a music fan, respecting your privacy is important to us.
This Privacy Policy describes how Band in Tour ("we", "us", "our") collects, uses and protects your personal data when you use our platform and services. It has been written in compliance with Regulation (EU) 2016/679 ("GDPR"), Directive 2002/58/EC ("ePrivacy"), Regulation (EU) 2022/2065 ("Digital Services Act" or "DSA") and applicable Italian data-protection law (D.lgs. 196/2003 as amended by D.lgs. 101/2018).
This policy applies to personal data collected through bandintour.com and any related pages or services operated by us. It does not apply to third-party websites you may reach through links on our platform.
2. Definitions
- Personal data: any information relating to an identified or identifiable natural person (name, email address, location, online identifier, etc.).
- Services: all features and functionalities made available through bandintour.com, including event discovery, profile management, the Live Music Club, the Live Music Club Agenda, the support and reporting system, and (when activated) the boost and membership system.
- User: any visitor or registered individual on the platform, including bands, venues, promoters and fans.
- Profile: the registered account and public page associated with a User on Band in Tour.
- Processing: any operation performed on personal data, whether automated or not, including collection, storage, use, disclosure and deletion.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- DSA: Regulation (EU) 2022/2065 of 19 October 2022 on a Single Market for Digital Services.
3. Data Controller
The data controller is IOCOS di G.C. (P.IVA 02758080804), with registered office at Via F. Baracca traversa De Salvo 158, 89123 Reggio Calabria, Italy. Band in Tour is developed under the Sunakoma project; legal responsibility for processing rests with IOCOS di G.C.
Band in Tour qualifies as a micro-enterprise online platform under Article 19 of the DSA. We do not have a statutory obligation to appoint a Data Protection Officer (DPO) under GDPR Art. 37, but our designated point of contact for privacy matters and for Member State authorities is:
- Privacy matters: privacy@bandintour.com
- Legal and authority requests: legal@bandintour.com
- Working language: English and Italian
4. Personal Data We Collect
The data we collect depends on how you use the platform.
4.1 All visitors
- Aggregate usage data (pages visited, time on site) derived solely from our own server logs. We do not use Google Analytics, third-party analytics SDKs or tracking pixels.
- Technical data: browser type, device type, approximate country (derived from IP address). IP addresses are used only for rate limiting and anti-abuse and are automatically purged after 30 days.
- Data collected through cookies and local storage, as described in our Cookie Policy.
4.2 Registered users (all roles)
- Required at registration: username (public alias), email address, password (stored as a bcrypt hash, never in plain text), role (band / venue / promoter), city.
- Optional profile data: display name, biography, profile photo, trailer or video link, genre tags, repertoire type, social media links.
- Location data (venues): full address and GPS coordinates, used to display your venue on the map. This data is public.
- Session data: a JWT (JSON Web Token) stored in your browser's localStorage, used to authenticate your requests. It expires after 24 hours.
4.3 Event data (bands, venues, promoters)
- Event details you publish: band name, event type, date, venue, city, GPS coordinates, ticket link, and (Pro Members only) event flier image.
- Participation in events as a linked profile (band, venue or promoter role on an event).
- Availability dates you set on your calendar (visible to registered users in the Live Music Club; the Live Music Club Agenda is available to Pro Members only when that feature is activated).
4.4 Activity data (all registered users)
- Support actions ("heart") on events.
- Abuse reports submitted through the platform, including the reason text you provide.
- Membership status (free or Pro) and the date it was activated.
- Inputs and outputs of the transparent ranking algorithm (profile links, support votes, activity, boost tier where applicable, crowdfunding badge).
4.5 Interest and recommendation data
- City preferences: up to three cities you choose to follow (stored with display name and GPS coordinates).
- Genre preferences: musical genres you select from our standard list.
- Band type filter: whether you want to see local acts, touring bands, or international artists in your recommended feed.
- Recommendation history: the timestamp of your last visit to the "Recommended for you" section, used solely to compute the notification badge.
- Newsletter opt-in: your choice to receive the biweekly recommendation email. You can withdraw consent at any time from Profile > Settings.
All interest data is voluntary and can be deleted at any time from your Profile settings or by contacting us.
4.6 Membership and payment data (future)
Stripe is our designated payment provider for Pro Membership and Boost purchases. Payment processing is not yet active on the platform: no card or transaction data is currently collected. When payments go live, all card data will be handled directly by Stripe and will never transit through or be stored on our servers. We will retain only the record of the tier purchased, the associated event or subscription, the expiry date and the fiscal invoice data required by Italian tax law. This section will be updated, and where required additional consent collected, before the payment feature is activated.
5. Purposes and Legal Bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and managing your account and profile | Contract performance (Art. 6.1.b) |
| Publishing and displaying events on the platform and map | Contract performance (Art. 6.1.b) |
| Authenticating your session securely (JWT) | Contract performance (Art. 6.1.b) |
| Sending service emails (account confirmation, event approval or rejection notifications) | Contract performance (Art. 6.1.b) |
| Processing boost and membership purchases and managing membership status (when activated) | Contract performance (Art. 6.1.b) |
| Displaying your availability to other users in the Live Music Club | Contract performance (Art. 6.1.b) |
| Operating the report/abuse mechanism and applying moderation decisions | Legal obligation (Art. 6.1.c — DSA Art. 16/17) and contract performance (Art. 6.1.b) |
| Anti-abuse, rate limiting and platform security | Legitimate interest (Art. 6.1.f) |
| Platform analytics and improvement (aggregated, anonymised data from our own server logs only) | Legitimate interest (Art. 6.1.f) |
| Issuing fiscal invoices and complying with accounting obligations (when payments are activated) | Legal obligation (Art. 6.1.c — Italian fiscal law) |
| Responding to legal requests and managing disputes | Legal obligation (Art. 6.1.c) / Legitimate interest (Art. 6.1.f) |
| Providing personalised recommendations ("Recommended for you") based on your interest preferences | Consent (Art. 6.1.a) — interests are optional and can be removed at any time |
| Sending the biweekly recommendations newsletter and admin newsletters (if opted in) | Consent (Art. 6.1.a) — opt-out available in every email and in Profile > Settings |
| Optional marketing communications (if you explicitly opt in) | Consent (Art. 6.1.a) |
6. Recipients of Your Data
We do not sell, rent or share your personal data with third parties for commercial or marketing purposes. We do not currently transfer personal data outside the European Economic Area.
Your data may be disclosed only in the following cases:
- Internal team: authorised team members of IOCOS di G.C. and the Sunakoma development team who need access to operate and maintain the platform (development, support, moderation), under confidentiality obligations.
- Hosting and infrastructure: the EU-based servers and database services that store platform data operate as data processors under written agreements compliant with GDPR Art. 28.
- Email delivery: we use a transactional email service to send service notifications and newsletters. Only your email address and the content of the message are shared with that processor.
- Payment provider (when activated): Stripe will act as an independent controller for card data and as a processor for invoice metadata. Until the payment feature is live, no data is transferred to Stripe.
- Other users: information you publish on your profile (name, alias, city, bio, genre, events, social links) is public and visible to all visitors. Availability dates are visible to registered users. Support actions are publicly counted.
- Legal authorities: we may disclose personal data if required by law, court order or a request from a competent authority (including DSA points of contact, judicial police, supervisory authorities), or to protect the rights and safety of the platform and its users.
7. Data Retention
- Account and profile data: retained while your account is active. Permanently deleted within 30 days of an account deletion request.
- Events: deleted events are soft-deleted and permanently removed from the database after 90 days.
- Uploaded images (avatar, event flier): deleted from our servers immediately when you replace or remove them. Event flier images are automatically deleted when the event date passes.
- IP and rate-limit logs: automatically purged after 30 days.
- Abuse reports and moderation records: retained for 12 months after the report is closed, to allow appeal and accountability under the DSA, then deleted.
- Internal admin audit logs: actions performed by platform administrators (such as content moderation decisions and access events) are logged for security and accountability purposes and automatically deleted after 12 months, in line with ENISA guidance and the NIS2 Directive (Directive (EU) 2022/2555).
- Payment and fiscal records (when activated): retained for the period required by Italian fiscal and accounting law (generally 10 years), in a restricted archive accessible only for tax, audit or legal-defence purposes.
- Availability dates: deleted when you remove them from your calendar, or when your account is deleted.
- Newsletter subscription record: retained while you remain subscribed; the proof of opt-in is kept for a further 12 months after unsubscription to demonstrate lawful processing.
8. Your Rights Under the GDPR
If you are located in the EU or EEA, you have the following rights regarding your personal data:
- Right to access: request a copy of the personal data we hold about you.
- Right to rectification: correct inaccurate or incomplete data. Most profile data can be updated directly from your account settings.
- Right to erasure ("right to be forgotten"): request the deletion of your personal data. You can delete your account directly from the platform settings.
- Right to restriction: request that we limit the processing of your data in certain circumstances.
- Right to data portability: receive a copy of your data in a structured, commonly used and machine-readable format. We currently do not offer an automated export tool; on written request to privacy@bandintour.com we will prepare and deliver your data within 30 days.
- Right to object: object to processing based on our legitimate interest.
- Right to withdraw consent: where processing is based on your consent (such as the recommendations newsletter or interest-based personalisation), you may withdraw it at any time and free of charge, without affecting the lawfulness of processing carried out prior to withdrawal.
- Right not to be subject to automated decision-making: we do not take decisions that produce legal or similarly significant effects based solely on automated processing. The ranking algorithm is transparent and does not exclude users from any feature.
To exercise any of these rights, contact us at privacy@bandintour.com. We will respond within 30 days. We may need to verify your identity before processing the request.
You have the right to lodge a complaint with the Italian Garante per la protezione dei dati personali (garanteprivacy.it) or with the supervisory authority of your country of residence.
9. Cookies and Local Storage
We use only first-party essential technical cookies and local-storage items required to operate the platform (session management, CSRF protection, login token, consent preference). We do not currently use advertising cookies, tracking pixels or third-party analytics cookies that share data with external parties.
For full details, including the planned future activation of Google Analytics 4 and Google AdSense — which will be enabled only after a renewed consent mechanism — see our Cookie Policy.
10. Security
We apply appropriate technical and organisational measures to protect your personal data:
- Passwords are hashed using bcrypt and never stored in plain text.
- All communication between your browser and our servers is encrypted via HTTPS (TLS).
- Session tokens (JWT) are signed and expire after 24 hours.
- Uploaded files are validated for type and size before storage.
- Admin access to the platform is segregated and protected by separate authentication and audit logging.
- Rate limiting and input validation protect against brute-force attacks, injection and abuse.
No system is completely immune to risk. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Italian Garante within 72 hours and, where the risk is high, communicate the breach to affected users without undue delay, as required by GDPR Art. 33 and 34.
11. Minors
Band in Tour is not directed at minors. In compliance with GDPR Art. 8 and the Italian implementing rules (D.lgs. 101/2018), users must be at least 16 years old to register on the platform. If we become aware that we have collected personal data from a minor without appropriate parental consent, we will delete it promptly. If you believe a minor has registered on our platform, please contact us at privacy@bandintour.com.
12. Third-Party Links
Profiles on Band in Tour may contain links to external websites (social media, artist websites, streaming platforms, ticket vendors). We are not responsible for the privacy practices of those third-party services. We encourage you to read their privacy policies before sharing any personal data with them.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in the law, our services or our data practices. If we make material changes — including before activating Stripe payments, Google Analytics 4 or Google AdSense — we will notify registered users by email and update the version date at the top of this page. Continued use of the platform after the effective date of changes constitutes acceptance of the updated policy.
14. Contact
For any questions, requests or concerns regarding this Privacy Policy or your personal data:
- Privacy: privacy@bandintour.com
- Legal and authority requests: legal@bandintour.com
- Postal address: IOCOS di G.C., Via F. Baracca traversa De Salvo 158, 89123 Reggio Calabria, Italy
- Supervisory authority: Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma — garanteprivacy.it