What we collect, what we do with it.

This policy covers everyone who uses Bandwagon — fans, bands, venues, vendors, brand sponsors, and visitors who haven't signed up. It applies to every surface we run: web app, marketing pages, email, SMS, push, and any future native apps.

You must be at least 13 years old to use Bandwagon (US COPPA minimum). Some features require you to be 18+ or 21+ — payments, alcohol-served venue events, etc.

From you, when you sign up and use the product:

• Account info — name, email, phone (optional), role (Fan/Band/Venue/Brand), city, profile photo, bio.
• Content you create — posts, comments, reels, story slides, votes, pledges, reviews, messages, contracts, signatures, merch listings, sponsorship terms.
• Payment info — handled entirely by Stripe Connect. We never see or store your full card number. We do see and store the last 4 digits, card brand, expiration, and tokenized customer ID.
• Tax info — for paid accounts (bands, venues, vendors, sponsors) collecting more than $600/yr, Stripe collects EIN or SSN and issues 1099s on our behalf.
• Identity verification — for KYC on Stripe Connect Express accounts. Stripe holds the documents; we receive a verification status only.
• Communications — emails you send us, support tickets, replies to our notifications.

Automatically, when you visit:

• IP address, browser type, device type, OS, screen size, language.
• Pages viewed, time on page, scroll depth, clicks — collected by our analytics provider (currently Umami in self-host mode; PostHog if we move to cloud).
• Approximate location (city-level) inferred from IP. We do not collect precise GPS unless you explicitly grant permission.
• Referring URL and UTM parameters when you arrive from a link.
• Cookies and similar storage — see our /cookies policy.

From third parties:

• Stripe sends us payout status, dispute notifications, payment method updates.
• OAuth providers (Google/Apple/etc.) send us the basic profile fields you consent to share, if you sign in with them.
• Our DMCA agent receives third-party copyright complaints which become part of your account record if you're the alleged infringer.

We use the information above to:

• Run the product — show your feed, route your votes, settle your invoices, process your pledges.
• Authenticate you and keep your account secure.
• Send you transactional messages (receipts, confirmations, DMCA notices, payout confirmations).
• Send you product updates and the weekly digest — both opt-out at any time.
• Detect and prevent fraud, scams, harassment, and abuse.
• Comply with US law — DMCA, ESIGN Act, IRS reporting via Stripe, FL state law.
• Improve the product — what features get used, where people drop off, what crashes.

We do notsell your personal information to third parties. We don't serve ad targeting based on your activity. Bandwagon makes money from platform fees on transactions — not from your data.

We share data only in these specific cases:

• Stripe Connect — required to process payments. Stripe is the data processor for everything payment-related. Stripe's privacy policy.
• Other users you transact with — when you pledge to a band, the band sees your name and pledge amount. When a venue books a band, the band sees the venue's business info, and vice versa.
• Service providers — email delivery (Resend), error monitoring (GlitchTip or Sentry), analytics (Umami or PostHog), background jobs (pg-boss or Inngest). Each is bound by a Data Processing Agreement that limits their use to running our service.
• Legal compliance — court orders, subpoenas, IRS requirements. We push back on overly broad requests.
• Aggregated, de-identified data for product analytics and public dashboards (e.g., "total tips collected during October" without naming any individual tipper).
• Successors if Bandwagon is acquired or merged. You'll get notice with at least 30 days' opt-out.

Regardless of where you live, you can:

• Access a copy of the data we hold on you — request via [email protected].
• Correct any inaccuracies — most fields are self-editable in /settings.
• Delete your account and associated data — see /settings → Delete account. Some records (transactions, tax forms, DMCA actions) we're required to retain for 7 years.
• Port your data — we'll export your account in JSON within 30 days of request.
• Opt out of marketing communications — every email has an unsubscribe link. Transactional emails (receipts, password resets) are not optional.

If you're in California, you have additional rights under the CCPA / CPRA — including the right to know what we collect, the right to delete, and the right to opt out of "sales" (we don't sell, but the CCPA defines that broadly). Submit a verifiable consumer request to [email protected].

If you're in the EU/UK (we don't actively market there yet but if you signed up): you have GDPR rights — access, rectification, erasure, restriction, portability, objection. Our lawful basis is contract performance for account features and legitimate interest for analytics, security, and product improvement.

• Account data — for the life of your account.
• Transactional data (payouts, invoices, refunds) — 7 years per US tax law.
• DMCA notices and counter-notices — 7 years.
• Trust & Safety reports — 2 years after resolution.
• Analytics events — 13 months rolling window.
• Server logs — 30 days.
• Stripe Connect data — governed by Stripe's retention.

When you delete your account, we purge or de-identify everything not subject to a legal retention requirement within 30 days.

We hash passwords with industry-standard algorithms (Argon2id). We use TLS 1.2+ for all traffic. Database backups are encrypted at rest. Secrets are stored in encrypted environment variables, not in code. Stripe handles all card data — it never touches our servers.

No service is 100% secure. If we ever experience a breach affecting your personal information, we'll notify you as required by applicable law: within 30 days for Florida residents under Fla. Stat. § 501.171, within 72 hoursfor EEA / UK residents under GDPR Art. 33–34, and on the timelines required by other state breach-notification statutes (e.g., California Civ. Code § 1798.82). Where we determine a breach to be material, we'll notify affected users as soon as reasonably practicable regardless of the regulatory minimum.

Bandwagon is not directed to children under 13. We don't knowingly collect data from them. If you believe we've received data from a child under 13, email [email protected]and we'll delete it within 7 days.

Bandwagon is operated from Florida, USA. Servers are in the US. If you use the product from outside the US, you consent to your data being transferred to and processed in the United States. We don't currently market in the EU/UK and we plan US-first expansion through 2027.

We may update this policy. Material changes get email notice and a 30-day window before they take effect. Minor changes (typos, clarifications) take effect when posted. The "Last updated" date at the top of the page reflects the most recent edit.

• Privacy questions: [email protected]
• Data requests (access / delete / port): [email protected]
• DMCA (designated agent · Carmelo Milian): [email protected]
• General: [email protected]
• Mail: Bandwagon, LLC · 67 Del Palma Dr · Palm Coast, FL 32137-1327