Concert Calendar ("Concert Calendar," "we," "us," "our") is a social network for live music fans operated by Headwind Holdings LLC, a Texas limited liability company with a business contact address at privacy@concertcalendar.app.
This Privacy Policy explains what personal information we collect, how we use and share it, how long we keep it, and the choices you have. It applies to the websites www.concertcalendar.app and my.concertcalendar.app, the Concert Calendar progressive web application, and related services (together, the "Service").
For residents of the European Economic Area, the United Kingdom, and Switzerland, Headwind Holdings LLC is the data controller for the personal data described here.
Contact for all privacy inquiries: privacy@concertcalendar.app.
| Category | Examples |
|---|---|
| Registration | Email address, password (stored only as a bcrypt hash with cost factor 12), username, display name, date of birth (for age verification), and optional OAuth identifiers if you sign in with Google or Apple. |
| Profile | Profile picture (avatar), bio, privacy setting, notification preferences, and time-zone or locale settings. |
| Concert and attendance data | Concerts you add or join, dates, venues, bands, opening acts, door and show times, festival associations, ticket section/row/seat (friends-only visibility), and personal notes. |
| Social graph | Your follow relationships, friend relationships, follow requests, and friend requests. |
| User-generated content | Photos you upload (processed into thumbnail, medium, large, and WebP variants), multi-dimensional concert ratings, venue ratings, chat messages, and content reports you submit. |
| Knowledge-base contributions | New band, venue, or festival records you create, which become part of the shared knowledge base. |
| Communications | Messages and information you send when you contact support, report content, or interact with the moderation team. |
| Beta access requests | Email address, name, and self-reported approximate location (e.g., city and country, entered freely by you). Used to manage beta invite waves and local launch prioritization. Not derived from IP geolocation. Retained for 90 days after account creation or 12 months if no account is created, then deleted. |
| Moderation review data | Usernames, display names, bios, and other profile fields automatically flagged by our content filters are retained pending admin review. Items dismissed as non-violations are deleted; items confirmed as violations are retained alongside the enforcement record. |
| Category | Examples |
|---|---|
| Technical and device | IP address, device and browser type, operating system, referring URL, time zone, and language. |
| Usage and activity | Pages visited, features used, session duration, and events recorded in our ActivityLog for analytics and abuse prevention. |
| Security and rate-limiting | Login timestamps, failed login attempts, and IP ranges used by API rate-limiting and abuse detection during an active session. |
| Push notifications | Web push subscription endpoints and keys issued by your browser when you opt in. |
| Calendar integration | The iCal token tied to your account and the times your feed was accessed. |
| Cookies and similar technologies | Session cookies, JWT refresh tokens, and local storage entries needed to keep you signed in, maintain CSRF protection, and remember interface preferences. See Section 9. |
We do not use advertising cookies, third-party ad trackers, or cross-site behavioral advertising SDKs.
Any location associated with your account (for example, the location you enter on a beta access request) is self-reported at signup and is not derived from your IP address or device signals.
| Purpose | Legal basis (EEA/UK/CH) |
|---|---|
| Create and maintain your account, authenticate you, and operate the Service's core features. | Contract (Art. 6(1)(b)) |
| Personalize your feed, suggest concerts based on your follows and friends, and compute your stats. | Contract (Art. 6(1)(b)) |
| Send transactional emails through Resend (verification, password reset, notifications you've opted into). | Contract and legitimate interests (Art. 6(1)(b), (f)) |
| Deliver web push notifications if you've opted in through your browser. | Consent (Art. 6(1)(a)) |
| Monitor, diagnose, and improve the Service; fix bugs; measure performance and reliability. | Legitimate interests (Art. 6(1)(f)) |
| Keep the Service secure: detect abuse, prevent fraud, enforce rate limits, investigate reports, moderate content. | Legitimate interests and legal obligation (Art. 6(1)(f), (c)) |
| Respond to your support requests and privacy rights requests. | Contract and legal obligation (Art. 6(1)(b), (c)) |
| Comply with legal obligations, including responding to lawful requests and DMCA notices. | Legal obligation (Art. 6(1)(c)) |
| Enforce our Terms of Service and protect rights, property, or safety. | Legitimate interests (Art. 6(1)(f)) |
| Send occasional product announcements (in-app only by default; email only if you opt in). | Consent or legitimate interests (Art. 6(1)(a) or (f)) |
We do not use your personal data for automated decision-making that produces legal or similarly significant effects about you, and we do not profile you for advertising.
We share the minimum personal information necessary with vendors that help us operate the Service. Each is bound by a data-processing agreement.
| Provider | Purpose | Data categories | Location |
|---|---|---|---|
| Self-Hosted | Application and database hosting | All categories listed in Section 3 | U.S. |
| Resend | Transactional email delivery | Email address, name, message content | U.S. |
| Google (OAuth) | Sign-in if you choose Google | OAuth tokens, profile scope | U.S. |
| Apple (Sign in with Apple) | Sign-in if you choose Apple | OAuth tokens, profile scope | U.S. |
| Browser push services | Web Push notification delivery | Push subscription endpoint and keys | Varies |
| MusicBrainz | Band and venue knowledge base | None about you | International |
| Google Places | Venue address resolution | Venue search queries; no personal data | U.S. |
We may disclose personal information when we believe in good faith that it is necessary to comply with law, respond to lawful requests, enforce our Terms of Service, or protect the rights, property, or safety of Concert Calendar, our users, or the public.
If Concert Calendar is involved in a merger, acquisition, or sale of assets, your information may be transferred to the successor entity. We will notify you before your information becomes subject to a different privacy policy.
We may share your information in other ways if you explicitly direct or consent to it.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA or similar state laws.
We and our service providers may process your personal information in countries outside your country of residence, including the United States. When we transfer personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards including Standard Contractual Clauses. You may request a copy by emailing privacy@concertcalendar.app.
| Data | Retention |
|---|---|
| Account profile | Until you delete your account. |
| Concerts, photos, ratings | Until you delete the item or your account. |
| Chat messages | Retained within chat threads; may be anonymized from deleted accounts. |
| iCal token | Until you revoke or regenerate it. |
| Knowledge-base contributions | Retained as part of the public dataset. |
| Usage activity log (ActivityLog) | 12 months on a rolling basis. Used for platform analytics, admin dashboards, and abuse detection. |
| Security events and rate-limit state | Not retained as a persistent audit trail. Held only in memory or short-lived caches (typically minutes to hours). |
| Encrypted backups | 30 days on a rolling basis. |
| Deleted accounts | Purged from production within 30 days. |
You have the right of access, rectification, erasure, restriction of processing, data portability, objection, withdrawal of consent, and the right to lodge a complaint with your local supervisory authority. To exercise any of these rights, email privacy@concertcalendar.app.
You have the right to know, access, correct, and delete personal information. As we do not sell or share personal information, the opt-out right is moot. We will not discriminate against you for exercising any CCPA/CPRA right. Email privacy@concertcalendar.app with the subject "California Privacy Request."
If you live in a state with comprehensive privacy laws (CO, CT, VA, UT, TX, OR, and others), you generally have similar rights. Contact privacy@concertcalendar.app.
If we deny your rights request, you may appeal by replying to our denial or emailing privacy@concertcalendar.app with the subject "Privacy Appeal."
We do not use third-party advertising cookies or cross-site trackers.
The Service is intended for users 16 years of age or older. We do not knowingly collect personal information from anyone under 16. If you believe a minor under 16 is using the Service, please contact privacy@concertcalendar.app.
We use industry-standard measures to protect your information, including TLS 1.3 encryption, bcrypt password hashing, short-lived JWT tokens, rate limiting, input validation, parameterized queries, and CORS restrictions. No security measure is perfect; if we become aware of a security incident affecting your data, we will notify you and applicable regulators as required by law.
The Service may include links to third-party websites. Those third parties operate independently, and this Privacy Policy does not apply to them.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by prominent notice in the Service before the changes take effect.
Headwind Holdings LLC
5900 Balcones Drive, Suite 100
Austin, Texas, 78731
privacy@seasonticketmanager.app