1. Introduction
Bandora ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our band management platform and services.
As a UK-based company, we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For users in the European Union, we also comply with the EU General Data Protection Regulation (GDPR).
By using Bandora, you agree to the collection and use of information in accordance with this policy.
2. Data Controller and Contact Information
Bandora Ltd is the data controller for your personal information. You can contact us regarding any data protection matters:
Data Protection Officer: dpo@bandora.app
Company: Bandora Ltd
Address: [UK Business Address]
ICO Registration: [Registration Number]
3. Legal Basis for Processing (GDPR)
Under GDPR, we process your personal data based on the following legal grounds:
- Contract Performance: To provide our band management services and fulfill our contractual obligations
- Legitimate Interest: For service improvement, security, and business operations
- Consent: For marketing communications and non-essential cookies (where required)
- Legal Obligation: To comply with applicable laws and regulations
- Vital Interest: To protect the safety and security of our users
4. Information We Collect
Personal Information
- Name and email address
- Phone number (optional)
- Profile picture and bio
- Band information and member details
- Payment information (processed securely by Stripe)
Usage Information
- How you use our platform and features
- Device information and IP address
- Browser type and operating system
- Pages visited and time spent on our platform
Content Information
- Songs, set lists, and repertoire data
- Event and gig information
- Chat messages and communications
- Media files (photos, audio, documents)
3. How We Use Your Information
- Provide Services: To operate and maintain the Bandora platform
- Communication: To send you important updates, notifications, and support messages
- Improvement: To analyze usage patterns and improve our services
- Security: To protect against fraud, abuse, and security threats
- Legal Compliance: To comply with applicable laws and regulations
- Marketing: To send promotional emails (with your consent)
4. Information Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:
- Band Members: Information is shared within your band as necessary for collaboration
- Service Providers: With trusted third-party services (Supabase, Stripe, Vercel) that help us operate our platform
- Legal Requirements: When required by law or to protect our rights and safety
- Business Transfers: In the event of a merger, acquisition, or sale of assets
5. Data Security
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
- SSL/TLS encryption for data transmission
- Secure database storage with Supabase
- Regular security audits and updates
- Access controls and authentication
- Payment security handled by Stripe (PCI DSS compliant)
6. Your Rights and Choices
You have the following rights regarding your personal information:
- Access: Request access to your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your personal data
- Portability: Export your data in a machine-readable format
- Opt-out: Unsubscribe from marketing communications
- Account Deletion: Delete your account and associated data
6a. Your GDPR Rights (Detailed)
Under UK GDPR and EU GDPR, you have the following specific rights regarding your personal data:
Right of Access (Article 15)
You can request access to your personal data and information about how we process it, including the purposes, categories of data, recipients, and retention periods.
Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data without undue delay.
Right to Erasure - "Right to be Forgotten" (Article 17)
You can request deletion of your personal data when it's no longer necessary, you withdraw consent, or there are no overriding legitimate grounds for processing.
Right to Restrict Processing (Article 18)
You can request limitation of processing when you contest accuracy, object to processing, or need data for legal claims.
Right to Data Portability (Article 20)
You can request transfer of your data in a structured, commonly used, machine-readable format to another controller.
Right to Object (Article 21)
You can object to processing based on legitimate interests, direct marketing, or research purposes.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of past processing.
How to Exercise Your Rights: Contact us at dpo@bandora.app with your request. We will respond within one month (or two months for complex requests). These rights are free of charge unless requests are manifestly unfounded or excessive. You may also need to verify your identity for security purposes.
6b. Data Transfers and International Safeguards
Your personal data may be transferred to and processed in countries outside the UK/EEA. We ensure adequate protection through:
- Adequacy Decisions: Transfers to countries deemed adequate by the UK ICO/EU Commission
- Standard Contractual Clauses (SCCs): EU-approved contractual terms with data processors
- Binding Corporate Rules: For transfers within multinational corporate groups
- Certification Schemes: Processors certified under approved data protection schemes
Our Key Processors: Supabase (USA - SCCs), Vercel (USA - SCCs), Stripe (USA - Adequacy/SCCs). All have appropriate GDPR safeguards in place for international transfers.
6c. Data Breach Notification
In accordance with GDPR requirements (Articles 33 & 34):
- We will notify the ICO within 72 hours of becoming aware of a personal data breach
- If the breach poses a high risk to your rights and freedoms, we will notify you without undue delay
- We maintain detailed records of all personal data breaches
- We have implemented technical and organizational measures to prevent and detect breaches
- We conduct regular security assessments and staff training
6d. Automated Decision Making and Profiling
Currently, Bandora does not engage in automated decision-making or profiling that produces legal or similarly significant effects. If this changes in the future, we will:
- Inform you about the automated decision-making process
- Provide meaningful information about the logic, significance, and consequences
- Give you the right to request human intervention
- Allow you to express your point of view and contest the decision
- Update this privacy policy with relevant details
6e. Supervisory Authority and Complaints
You have the right to lodge a complaint with the relevant supervisory authority if you believe we have violated your data protection rights:
UK Users:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113
Live Chat: Available on website
EU Users:
Contact your local data protection authority
Find your local authority:
ec.europa.eu/justice/data-protection
While you have the right to complain to a supervisory authority, we encourage you to contact us first at dpo@bandora.app so we can try to resolve any concerns directly.
7. Data Retention
We retain your personal information for as long as necessary to provide our services and comply with legal obligations:
- Account data: Until account deletion
- Usage logs: Up to 2 years
- Payment records: As required by law (typically 7 years)
- Support communications: Up to 3 years
8. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your personal information in accordance with this Privacy Policy and applicable data protection laws.
9. Children's Privacy
Bandora is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of Bandora after any changes constitutes acceptance of the new Privacy Policy.
11. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us:
Email: privacy@bandora.app
Address: Bandora Ltd, Privacy Department
Response Time: We aim to respond within 30 days