Banded is a social gig diary app that lets you log, rate, and share the live music events you attend. Banded is operated from the United Kingdom.
If you have any questions about this policy or your data, contact us at hello@banded.uk.
2. What Data We Collect
2.1 Account Data
When you create an account we collect:
Email address — used for magic-link sign-in and account communications
Apple ID token — if you choose Sign in with Apple (we receive the identity token Apple provides; we do not access your Apple ID password)
Username and display name — chosen by you during onboarding
Profile photo — optionally uploaded by you, stored in our cloud storage
Bio — an optional short description you write
City — set during onboarding to personalise event recommendations
Genre preferences — music genres you select to tailor your Discover feed
Privacy settings — whether your profile is public or private, and your default gig visibility preference
2.2 Gig Diary Data
When you log a gig we collect:
Artist name, venue name, city, and country
Gig date, tour name, and support acts
Ticket price
Your ratings (Artist and Venue, each on a 0.5–5 scale)
Your written review
Gig photos you upload (compressed to JPEG quality, max 1200 px before storage)
Setlist (list of songs performed)
Genre, festival name, and context tag
Visibility setting (public, friends-only, or private)
External identifiers linking the gig to third-party databases (Ticketmaster event ID, MusicBrainz artist ID, Spotify artist ID) — these contain no personal data
2.3 Social Data
Who you follow and who follows you
Likes and "also been" reactions you leave on gig posts
Comments you write on gig posts, and likes on comments
Users you block
Comment thread subscriptions (so you receive notifications for replies)
2.4 Wishlist and Events Data
Artists you add to your wishlist, including whether you have opted in to gig alerts for that artist
Upcoming events you save or mark as attending
Event metadata sourced from Ticketmaster (artist, venue, date, ticket URL)
2.5 Photos and Camera Data
Photos captured via the in-app camera (front and rear) are uploaded to our cloud storage
Photos may be temporarily stored as "pending" until you attach them to a gig log
Profile avatars you upload (max 5 MB; JPEG, PNG, WebP, or HEIC)
If you choose to save photos to your device camera roll, Banded writes to your photo library but does not read or access existing photos
2.6 Notification Data
Your Apple Push Notification service (APNs) device token — used to deliver push notifications to your device
Your notification preferences (which types of notifications you have enabled or disabled)
A record of notifications sent to you (type, read status, timestamps)
2.7 Location Data
If you grant location permission, we access your approximate location (accuracy of approximately 100 metres) only while the app is in use to show nearby events on the Discover map and to centre the map on your current position
Your location is sent to our backend server as latitude and longitude coordinates to query for events within a 30 km radius
We do not track your location in the background or store a history of your locations
2.8 Calendar Data
If you grant calendar permission, Banded can write events to your Apple Calendar (artist, venue, city, date, and time). Banded does not read or access existing calendar events
2.9 Top Four
You may select up to four gigs as your all-time favourites, displayed on your profile
2.10 Analytics Data
We use Mixpanel to understand how people use Banded so we can improve the app. Mixpanel collects:
User properties — your username, display name, and city (linked to your user ID)
Analytics data is processed on Mixpanel's EU servers. We do not use analytics data for advertising or share it with third parties.
3. What We Do Not Collect
Banded does not collect:
Health or fitness data
Financial information (no payment processing is currently implemented)
Contacts or address book data
Browsing history or search history outside the app
Precise GPS tracking or background location
Crash reporting or telemetry data beyond the analytics described in Section 2.10
4. Legal Basis for Processing (UK GDPR)
We process your personal data under the following legal bases:
Data | Legal Basis
Account data, gig diary data, social data, wishlist data | Contract performance — necessary to provide the Banded service you signed up for
Photos and camera data | Contract performance — core feature of logging gigs
Push notifications and device token | Consent — you choose to enable notifications via the iOS permission prompt; you can revoke this at any time in device settings
Location data | Consent — you choose to grant location access via the iOS permission prompt; you can revoke this at any time in device settings
Calendar access | Consent — you choose to grant calendar access; you can revoke this at any time
Analytics data | Legitimate interest — to understand how the app is used and improve the experience; processed on EU servers
5. How We Use Your Data
Account data — to authenticate you, display your profile to other users (according to your privacy settings), and personalise your experience (event recommendations based on city and genre preferences)
Gig diary data — to store and display your gig history, enable ratings and reviews, and show your activity in friends' feeds
Social data — to enable following, likes, comments, and the "also been" feature; to enforce blocks
Wishlist and events data — to show you upcoming events for artists you are interested in and to send gig alerts when a wishlisted artist announces a show
Photos — to attach images to your gig logs and display them to other users; to set your profile avatar
Notification data — to send you push notifications about activity on your posts (likes, comments, new followers), wishlist artist alerts, and show-time reminders
Location data — to find and display nearby upcoming events on the Discover map
Calendar data — to add upcoming gigs you have saved to your Apple Calendar with a 30-minute reminder
6. Third-Party Services
Banded uses the following third-party services. For each service, we describe what data (if any) is shared and why.
6.1 Supabase
Purpose: Database, user authentication, and file storage (photos and avatars).
Data shared: All user data described in this policy is stored in Supabase. Authentication tokens (JWT) are managed by Supabase.
Location: Supabase infrastructure may be hosted in the EU or US. See Section 9 (International Data Transfers) below.
Purpose: To search for upcoming events, retrieve event details, and fetch artist images.
Data shared: Search parameters only — artist name, city or approximate location coordinates, date range, and genre filters. No account data or personal information is sent to Ticketmaster.
Purpose: Product analytics — to understand how users interact with Banded so we can improve the app experience.
Data shared: Your user ID (UUID), username, display name, and city. Mixpanel also collects automatic interaction events (app opens, screen views). No gig diary content, photos, or social data is sent to Mixpanel.
Location: Data is sent to Mixpanel's EU servers (api-eu.mixpanel.com).
Sign in with Apple — used for account authentication. Apple provides us with an identity token; we do not receive your Apple ID password. See the Apple Privacy Policy.
Apple Push Notification service (APNs) — used to deliver push notifications to your device. We send your device token and notification content to Apple's servers.
Apple MapKit — used to display maps and search for venues within the app. MapKit runs locally on your device; map tile requests are handled by Apple.
Apple EventKit — used to write events to your Apple Calendar. This runs locally on your device; no calendar data is sent to our servers.
7. Data Retention
We retain your data for as long as your account is active and you continue to use Banded.
Account deletion: When you delete your account (via Profile → Settings → Account → Delete Account), all your personal data is permanently removed from our database, including your profile, gig logs, photos, comments, likes, follows, wishlist entries, and notification tokens. This action cannot be undone.
Photos: Gig photos and profile avatars stored in our cloud storage are deleted when the associated gig log or account is deleted.
Push tokens: Your device token is removed from our database when you sign out or delete your account.
Backups: Deleted data may persist in encrypted database backups for up to 30 days before being permanently purged.
8. Your Rights Under UK GDPR
As a user in the United Kingdom, you have the following rights regarding your personal data:
Right of access — You can request a copy of all personal data we hold about you.
Right to rectification — You can ask us to correct any inaccurate or incomplete data. You can also update most of your data directly in the app (profile, gig logs, reviews).
Right to erasure ("right to be forgotten") — You can request that we delete your personal data. The simplest way to do this is to delete your account in the app. You can also email us to request deletion.
Right to restrict processing — You can ask us to temporarily stop processing your data in certain circumstances.
Right to data portability — You can request your data in a structured, commonly used, machine-readable format.
Right to object — You can object to processing of your data where we rely on legitimate interest as the legal basis.
To exercise any of these rights, email us at hello@banded.uk. We will respond within one month as required by law. If your request is complex, we may extend this by a further two months and will let you know.
9. International Data Transfers
Banded uses Supabase as its backend infrastructure provider. Supabase may process and store data on servers located outside the United Kingdom, including in the United States and the European Union.
Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including:
Standard Contractual Clauses (SCCs) approved by the UK government
Transfers to countries recognised by the UK as providing an adequate level of data protection
Third-party music data services (Ticketmaster, MusicBrainz, Setlist.fm, Fanart.tv, Wikimedia) may process API requests on servers located worldwide. However, no personal user data is sent to these services — only search parameters such as artist names, locations, and dates.
10. Children's Privacy
Banded is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, please contact us at hello@banded.uk and we will promptly delete the account and associated data.
11. Apple App Store Privacy Disclosures
In accordance with Apple's App Store requirements, here is a summary of the data Banded collects and its purpose:
Category | Collected | Purpose
Contact Info (email) | Yes | Authentication, account recovery
Identifiers (user ID) | Yes | App functionality
Identifiers (device ID) | Yes | Push notifications (APNs token)
User Content (photos, reviews, ratings) | Yes | App functionality
Location (coarse) | Yes | Nearby event discovery
Health & Fitness | No | —
Financial Info | No | —
Sensitive Info | No | —
Contacts | No | —
Browsing History | No | —
Search History | No | —
Usage Data (app interactions) | Yes | Analytics (Mixpanel)
Diagnostics | No | —
Banded does not use any data for tracking purposes as defined by Apple. We do not share your data with data brokers or use it for advertising.
12. Data Security
We take reasonable measures to protect your personal data:
All data is transmitted over HTTPS (TLS encryption in transit)
Database access is protected by row-level security policies, ensuring users can only access their own data or data that has been made public
Authentication tokens are short-lived JWTs with automatic refresh
API endpoints are rate-limited to prevent abuse
Backend API keys for third-party services are stored securely on the server and are never exposed to the app
13. Changes to This Policy
We may update this privacy policy from time to time. If we make material changes, we will notify you by:
Posting the updated policy on this page with a new "Last updated" date
Sending a notification within the app for significant changes
We encourage you to review this page periodically.
14. Contact Us
If you have any questions, concerns, or requests regarding this privacy policy or your personal data, please contact us: