Privacy Policy

Last updated: 24 February 2026

1. Who We Are

My Band (“we”, “us”, “our”) operates the band management platform at myband.uk, including all sub-sites, mobile applications, and related services (the “Service”).

For the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018), we are the data controller for personal data collected through the Service.

If you have any questions about how we handle your data, you can reach us at hello@myband.uk.

2. What Data We Collect

We collect the following categories of personal data:

  • Account information: name, email address, and password (hashed) when you create an account
  • Band data: band name, subdomain, ensemble type, and member roles
  • Usage data: events created, availability responses, setlists, song data, and other content you enter into the Service
  • Communications: messages sent through the Service, including Ask Admin threads and announcements
  • Technical data: IP address, browser type, device information, and access timestamps for security and troubleshooting
  • Billing data: payment information is processed directly by Stripe; we store only your Stripe customer ID, subscription status, and billing history

3. How We Use Your Data

We use your personal data to:

  • Provide, maintain, and improve the Service
  • Create and manage your account and band workspace
  • Process payments and manage your subscription
  • Send transactional emails (account verification, password resets, event notifications)
  • Send product updates and marketing communications (only with your consent)
  • Monitor and prevent abuse, fraud, and security threats
  • Comply with legal obligations

Our legal bases for processing are: performance of a contract (providing the Service), legitimate interests (security, improvement), consent (marketing), and legal obligation (tax and regulatory requirements).

4. Third-Party Services

We use the following third-party services to operate the platform:

  • Stripe — payment processing. Stripe’s privacy policy: stripe.com/privacy
  • SendGrid — transactional email delivery. SendGrid’s privacy policy: twilio.com/legal/privacy
  • Expo Push Service — push notifications for the mobile app (no personal data is shared beyond device push tokens)

We do not sell your personal data to third parties. We do not use third-party advertising or analytics tracking services.

5. Contact Visibility Within Bands

When you join a band on the Service, certain information is visible to other members of that band, including your name and role. Band Admins may also see your email address for administrative purposes.

Your availability responses, lineup assignments, and contributions to band communications are visible to other members of the same band, according to the permissions set by the Band Admin.

Your data from one band is not visible to members of other bands you belong to, unless you choose to share it.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service.

If you close your account or request deletion, we retain your data for a 30-day cooling-off period, during which you may request reinstatement. After 30 days, your personal data is permanently deleted.

Inactive bands (no logins for 12 months) may be archived. We will notify the Band Admin by email before archiving and provide 30 days to reactivate.

Certain data may be retained longer where required by law (for example, financial records for tax purposes).

7. Your Rights Under GDPR

Under UK GDPR, you have the following rights:

  • Access: request a copy of the personal data we hold about you
  • Rectification: request correction of inaccurate data
  • Erasure: request deletion of your data (“right to be forgotten”)
  • Restriction: request that we limit processing of your data
  • Portability: request your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: withdraw consent for marketing communications at any time

You can exercise these rights through the My Account section of the Service, or by emailing hello@myband.uk. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

8. Cookies

We use only essential cookies required for the Service to function:

  • Authentication cookies: keep you signed in to your account
  • Security cookies: protect against cross-site request forgery (CSRF) and other attacks
  • Preference cookies: remember your cookie consent choice

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

Because we only use strictly necessary cookies, consent is not required under UK cookie regulations. However, we display a notice to inform you of our cookie use.

9. Security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

  • HTTPS encryption for all data in transit
  • Passwords hashed using industry-standard algorithms
  • Rate limiting on authentication and API endpoints
  • Regular security reviews and updates
  • Capability-based access controls ensuring users can only access data they are authorised to see

No system is 100% secure. If you discover a security vulnerability, please report it to hello@myband.uk and we will investigate promptly.

10. Children's Privacy

The Service is not directed at children under 16. Band Admins must not invite members under 16 without parental or guardian consent.

If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Service at least 14 days before the changes take effect.

The “Last updated” date at the top of this page indicates when the policy was last revised.

12. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact us: