Privacy Policy
Version: 1.1 (draft) Effective date: 19 May 2026 Last updated: 7 July 2026
⚠️ Draft notice — not yet legally reviewed. This is a starter privacy policy generated as part of the GA4 / consent initiative. It is plain-language and structured to meet GDPR Articles 13–14 and UK GDPR equivalents, but it has not been reviewed by a qualified privacy lawyer. Before this policy is linked from a production consent banner or made public to EU/UK users, it should be reviewed by counsel. Keep §5 and §7 aligned with your live stack (processors, retention); update §14 when you add material processors; ensure privacy@dap505.com is monitored.
1. Who we are
DAP/505 is a platform that connects DJs and other live-music artists with promoters, agents, and venue hosts to make and manage bookings.
- Company name (data controller): DAP/505 LDA
- Registered address: Rua Nova de São Pedro 54, 2e ander, Freguesia da Sé, 9000-048 Funchal, Madeira, Portugal
- Privacy contact: privacy@dap505.com
- Data Protection Officer (DPO): Not applicable — DAP/505 does not meet the GDPR Article 37 criteria requiring DPO appointment.
If you have questions about this policy or about how your data is handled, email us at privacy@dap505.com
2. What this policy covers
This policy explains what personal data we collect when you use DAP/505 (the website, app, and connected services), why we collect it, who we share it with, how long we keep it, and the rights you have over your data. Your use of DAP/505 is also governed by our Terms of Service, which sets out the rules for using the platform (including bookings, contracts, fees, and payments).
It does not cover:
- Third-party services that we link to but don't operate (for example, an artist's Spotify or Instagram page linked from their DAP/505 profile — those have their own privacy policies).
- Information you share with other DAP/505 users directly through chat or in your public profile, beyond our role in transmitting and storing it.
3. What data we collect
We collect data in three ways: data you give us, data we automatically collect when you use the service, and data we receive from others (when you sign in via Google, etc.).
3.1 Data you give us
When you create an account and use the platform:
- Account data: email address, phone number (when you choose to verify), password (stored hashed — we never see it in plain text), and your profile UUID.
- Profile data: the information you choose to add to your DAP/505 profile, such as: artist name or handle, headline, biography, location (city/region), profile photo, genres, social-media handles, music-platform links, milestones, agent or representation details. For agent/promoter/host profiles, this also includes business affiliations and roles.
- Booking data: event details (title, dates, location, lineup), applications and invitations between artists and promoters, fees discussed during negotiations, technical/hospitality/travel/contract requirements, and any contracts you upload or sign on the platform.
- Payment data: when you make or receive payments through the platform, we and our payments provider (Stripe) process transaction details such as the amount, currency, installment schedule, booking reference, and payment/payout status. Payments and payouts are handled by Stripe; we receive confirmation and status information but do not receive or store your full card or bank-account numbers (see §3.4 and §5).
- Chat data: messages you send through the in-app chat, including text and any attachments.
- Verification data: evidence we ask for when you verify your email or phone, or, in some cases, identity.
- Support and feedback: anything you send us when you contact support, give feedback, or report a problem.
3.2 Data we collect automatically
When you use DAP/505:
- Technical data: IP address, browser type and version, operating system, time zone, and device identifiers our servers see in HTTP requests.
- Usage data: which pages you visit, which features you use, how long sessions last, and which links you click. This is collected through Google Analytics 4 only with your consent — see §8 (Cookies and analytics).
- Service worker / PWA data: if you install DAP/505 as a Progressive Web App, your browser stores assets locally for offline use. No personal data is added to that store beyond what is needed to keep you signed in.
- Cookies and local storage: see §8.
3.3 Data we receive from others
- Social sign-in: if you sign in with Google, Google provides us with your email address, name, and Google account ID. We use this only to authenticate you.
- Other users: when another user invites you to an event, applies to your event, or sends you a message, they share information about you (such as your handle or profile id) with our service in the course of that action.
3.4 What we do not collect
- We do not collect or store full payment-card or bank-account numbers. Payments on the platform are processed by Stripe, our payments provider; Stripe — not DAP/505 — handles and stores your card and bank details. We receive only transaction metadata such as amounts, currency, and payment/payout status (see §3.1 and §5).
- We do not collect sensitive personal data ("special categories" under GDPR Article 9 — health, religion, sexual orientation, biometric data, etc.) deliberately. If you choose to add such information to your profile or send it in chat, that's your decision and not something we ask for.
- We do not collect data from children under 16. See §13.
4. Why we collect it (legal basis)
Under the GDPR, we must have a lawful basis for every kind of processing we do. Here is ours:
| What | Why | Legal basis |
|---|---|---|
| Creating and operating your account | So you can use DAP/505 — sign in, see your data, get notifications. | Contract (GDPR Art. 6(1)(b)) — necessary to perform the service you signed up for. |
| Storing and displaying your profile to other users | So you can be discovered and booked on the platform. | Contract (Art. 6(1)(b)). |
| Sending booking-related messages, invitations, notifications | Core to how the platform works. | Contract (Art. 6(1)(b)). |
| Storing chat messages between users | Core to the negotiation feature. | Contract (Art. 6(1)(b)). |
| Processing booking payments and payouts (via Stripe) | So you can pay for, and get paid for, bookings on the platform. | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for related accounting and tax records. |
| Security, fraud prevention, and abuse detection | To keep the platform safe for everyone. | Legitimate interests (Art. 6(1)(f)). |
| Product improvement via aggregated, non-personal analytics | To understand how the product is used and improve it. | Consent (Art. 6(1)(a)) for analytics cookies that may identify you; otherwise legitimate interests for fully anonymous aggregates. |
| Marketing communications (when sent) | To tell you about new features or related opportunities. | Consent (Art. 6(1)(a)). You can opt out at any time. |
| Complying with legal obligations | E.g., responding to lawful requests, retaining accounting records. | Legal obligation (Art. 6(1)(c)). |
You can withdraw any consent you have given at any time, without affecting the lawfulness of processing already carried out. See §9 (Your rights) and §8.3 (Managing analytics preferences).
5. Who we share data with
We share personal data only with the categories of recipients below. We do not sell personal data.
- Other DAP/505 users, where the platform is designed to share it — e.g., your profile is visible to the people you connect with for bookings; your messages are visible to the other participant in a chat.
- Service providers (processors) who help us run DAP/505 under contract and only on our instructions. As of the effective date of this policy, these include:
- Cloud hosting: Amazon Web Services (AWS) — hosts our servers and databases.
- Transactional email to users: Amazon Web Services (AWS) (for example Amazon Simple Email Service (Amazon SES)) — sends automated emails on our instructions, such as verification messages and booking-related notifications.
- Payments and payouts: Stripe (Stripe Payments Europe, Ltd. and Stripe, Inc.) — processes booking payments and pays out to artists and agents, including via Stripe Connect, and carries out the identity, tax, and anti-fraud checks required to do so. For some of this activity Stripe acts as an independent controller under its own privacy policy.
- Business email and productivity: Google LLC (Google Workspace) — internal email and related collaboration services we use to operate DAP/505.
- Analytics: Google LLC — Google Analytics 4 (GA4) via Google Tag Manager; only if you consent. See §8.
- Authentication / social sign-in: Google LLC — when you choose to sign in with Google.
- Error monitoring: None that we treat as a separate analytics or crash-reporting processor in this list as of the effective date of this policy. If we introduce a third-party tool that processes personal data for observability, we will add it here and in our processor register (ask privacy@dap505.com for the latest list).
- Legal recipients — courts, regulators, or law-enforcement bodies — only where we are legally required to disclose data.
- Acquirers — if DAP/505 is involved in a merger, acquisition, or asset sale, your data may be transferred to the relevant counter-party, subject to confidentiality obligations and continued application of this policy (or a successor policy you'll be notified about).
A current list of our processors can be made available on request.
6. International data transfers
Some of our service providers (notably Google, Amazon Web Services (AWS), and Stripe) may process data in, or transfer it to, the United States. When personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) or, where applicable, the EU-US Data Privacy Framework, to provide an adequate level of protection.
You can request a copy of the safeguards in place by emailing privacy@dap505.com
7. How long we keep your data
We keep personal data for as long as we need it for the purposes set out in §4, and then we delete or anonymize it.
| Data category | Retention |
|---|---|
| Active account & profile data | While your account is active. |
| Account data after deletion | Up to 30 days for backups and recovery; then permanent deletion. |
| Chat messages | While the related booking is active and for up to 24 months after the event date, then deletion. |
| Booking, contract, and payment records | Up to 7 years after the booking for accounting and tax purposes (a legal obligation under most EU jurisdictions). |
| Consent records | While your account exists, plus 5 years after deletion, as evidence under GDPR Art. 7(1). |
| Analytics data (GA4) | 14 months (configured in our GA4 properties). |
| Error logs / technical logs | Up to 90 days. |
| Records of legal disputes | For the duration of the dispute plus applicable limitation periods. |
If you want your data deleted sooner than these timelines, see §9 (Your rights).
8. Cookies, local storage, and analytics
8.1 What we store on your device
- Strictly necessary items in
localStorageand cookies: things needed to keep you signed in, remember your consent decision, and operate the app offline. These are always set, regardless of consent. - Analytics cookies (Google Analytics 4 via Google Tag Manager): set only after you grant analytics consent in our cookie banner. These help us understand how the product is used at an aggregate level. We do not send personal identifiers like email or phone numbers to Google. The opaque DAP/505 user ID we do send is a random UUID that has no meaning outside our system.
- Marketing / advertising cookies: we do not currently use any, but if we do in the future, they will require separate consent.
8.2 Consent banner
When you first visit DAP/505 we show you a banner that lets you Accept all, Reject all, or Manage individual categories. You can change your decision at any time from your account preferences. Until you make a choice, we keep analytics and advertising categories denied.
8.3 Managing analytics preferences
You can change your analytics preferences at any time:
- In-app: Preferences → Privacy → Cookies & analytics.
- In your browser: most browsers let you block all cookies or only third-party cookies from settings; doing this may affect the app's ability to keep you signed in.
You can also opt out of Google Analytics specifically by installing the Google Analytics Opt-out Browser Add-on.
9. Your rights
Under the GDPR (and UK GDPR), you have the following rights regarding your personal data. You can exercise any of them by emailing privacy@dap505.com. We will respond within one month, as required by Article 12(3) of the GDPR.
- Right of access (Art. 15): ask for a copy of the personal data we hold about you.
- Right to rectification (Art. 16): ask us to correct data that is wrong.
- Right to erasure (Art. 17): ask us to delete your data ("right to be forgotten"), subject to exceptions such as retention obligations in §7.
- Right to restriction (Art. 18): ask us to limit how we use your data while a question about it is resolved.
- Right to portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests, including any direct marketing.
- Right to withdraw consent: at any time, with no impact on processing carried out before withdrawal.
- Right to lodge a complaint: with the supervisory authority in your country. In Italy, this is the Garante per la protezione dei dati personali. You can also complain to the authority in any other EU member state where you live or work.
We do not currently make any decisions about you using purely automated processing (GDPR Art. 22).
10. Security
We take security seriously. We encrypt data in transit (HTTPS), encrypt passwords using industry-standard one-way hashing, restrict access to production data to a small number of engineers with audited access, and run regular dependency and vulnerability checks.
No service is 100% secure, but if we ever discover a breach of personal data likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and notify you directly when required by Article 34.
11. Links to other services
DAP/505 contains links to third-party services like Spotify, SoundCloud, Instagram, and others that artists, agents, promoters, and venues link from their profiles. We have no control over those services' privacy practices. When you follow such a link, you are leaving DAP/505 and we encourage you to read that service's own privacy policy.
12. Marketing communications
If you opt in to product updates or marketing, we may send you emails about new features, the company, or industry topics. You can unsubscribe from any of these emails by clicking the link at the bottom of the email or by emailing privacy@dap505.com. Even if you unsubscribe from marketing, we will continue to send you transactional messages necessary to operate your account (e.g., booking notifications, security alerts).
13. Children
DAP/505 is not directed at people under the age of 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact privacy@dap505.com and we will delete it.
14. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top. If the change is material — for example, we add a new category of processing, change the legal basis, or add a new processor with significant access to personal data — we will notify you in the app or by email before the change takes effect.
Previous versions of this policy are kept on request.
15. Contact
For any question, request, or complaint about your personal data or this policy:
- Email: privacy@dap505.com
- Postal address: Rua Nova de São Pedro 54, 2e ander, Freguesia da Sé, 9000-048 Funchal, Madeira, Portugal