Privacy Policy

Last updated: April 2026

BandSlate ("we," "us," or "our") is a band management platform. This Privacy Policy explains how we collect, use, share, and protect your information when you use our website at bandslate.com and our services.

We built BandSlate for musicians, and we respect your privacy the way we'd want ours respected. We collect only what we need, we protect what we have, and we never sell your data.

1. Information We Collect

Account Information

When you sign up, we collect your email address and password (hashed, never stored in plain text) via Supabase Auth. You may also provide your name, phone number, and instrument.

Band & Organization Data

Information you enter about your band, including:

  • Band member names, emails, phone numbers, and instruments
  • Gig details (dates, venues, set times, payments, hospitality info)
  • Venue information (addresses, contacts, production specs, photos)
  • Songs, setlists, chord charts, and recordings
  • Contracts, invoices, and payment records
  • Announcements, rehearsal schedules, and equipment inventory

Sensitive Information

Some band members may optionally provide medical information, allergies, dietary restrictions, and emergency contacts. This data is encrypted at rest using a per-field encryption key (DEK pattern) and is only accessible to organization managers.

Calendar Data

When you connect Google Calendar or Apple Calendar, we store encrypted OAuth tokens to sync your calendar events and check availability. We access only the calendar data necessary to display free/busy information and sync gig events. We never store your Google or Apple passwords.

Spotify Data

When you connect Spotify, we access song metadata only (track names, artists, album art, BPM, key). We store encrypted OAuth tokens. We do not access your listening history or personal playlists beyond what you explicitly import.

Usage & Analytics Data

We collect anonymized usage data through Vercel Analytics and Vercel Speed Insights, including page views, load times, and device types. We use Sentry for error tracking, which may capture technical details about errors you encounter. This data does not include personal information.

Payment Information

Subscription and credit pack payments are processed by Stripe. We never see or store your credit card number. Stripe handles all payment data under their own privacy policy.

2. How We Use Your Information

We use your information to:

  • Provide and improve the BandSlate platform
  • Process your gig schedules, payments, and member coordination
  • Generate AI-powered content (social media posts, contract drafts, setlists, band bios, gig briefings) via Vercel AI Gateway using your band data as context
  • Send transactional emails via Resend (gig notifications, contract signing requests, payment reminders, weekly digests, and 5 other user-configurable notification types)
  • Sync with your connected calendar and Spotify accounts
  • Analyze anonymized performance data to improve the service
  • Monitor and fix technical issues
  • Enforce our Terms of Service

3. AI Features & Your Data

BandSlate uses AI services to generate content for you, including social media posts, posters, contracts, setlists, band bios, and gig briefings. When you use an AI feature:

  • Your relevant band data (gig details, venue info, member names) is sent to the AI provider as context for that single request.
  • AI requests are routed through Vercel AI Gateway. Providers include Anthropic (Claude), OpenAI, and Black Forest Labs (Flux for image generation). These providers process your data to generate responses and do not use your data to train their models.
  • BandSlate itself may use anonymized data from your account to improve our own AI features. This includes aggregate patterns from gigs, setlists, chord charts, and venue profiles. We do not train on sensitive data (compensation amounts, medical info, emergency contacts, OAuth tokens, or personally-identifying details).
  • You can opt out of BandSlate's use of your data for AI training at any time from Settings → Privacy. Opt-out applies prospectively; past AI outputs remain in your account.
  • Generated content is stored in your BandSlate account.
  • AI features consume credits, which are tracked and deducted server-side.

4. Data Sharing

We do not sell your personal information. We share data only in these cases:

  • Within your organization — band members in your organization can see shared band data based on their role permissions
  • Service providers — we use Supabase (database/auth), Vercel (hosting/analytics/AI gateway), Stripe (payments), Resend (email), and AI providers as described above
  • Contract recipients — when you send a contract for signing, the recipient receives the contract content via a secure link
  • Gig share links — if you create a public share link for a gig, anyone with the link can view that gig's basic details
  • Legal requirements — if required by law, regulation, or legal process

5. Data Security

We take security seriously:

  • All data is stored in Supabase (PostgreSQL hosted on AWS us-east-1), encrypted in transit (TLS/HTTPS) and at rest
  • Sensitive fields (medical info, emergency contacts, OAuth tokens) use additional per-field encryption (DEK pattern)
  • Row-Level Security (RLS) on every database table ensures organizations can only access their own data
  • Passwords are hashed using bcrypt via Supabase Auth
  • We use HTTP-only cookies for authentication sessions
  • All communication between your browser and our servers uses HTTPS

6. Your Rights

You have the right to:

  • Access your data — all your data is visible in your BandSlate dashboard
  • Export your data — use the CSV export features for payments and reports
  • Delete your account — contact us and we will delete your account and personal data
  • Disconnect third-party integrations at any time from Settings
  • Opt out of non-essential emails via notification preferences in Settings

7. Cookies

We use essential cookies for authentication (Supabase Auth session cookies). These are required for the platform to function. We do not use advertising cookies or tracking cookies. Vercel Analytics collects anonymous performance data without cookies.

8. Third-Party Services

BandSlate integrates with the following services, each with their own privacy policies:

  • Supabase — database, authentication, and file storage
  • Vercel — hosting, analytics, speed insights, and AI gateway
  • Stripe — payment processing for subscriptions and credit packs
  • Resend — transactional email delivery
  • Spotify — song import and playlist export
  • Google Calendar — calendar sync and free/busy availability
  • Apple Calendar — calendar sync via iCal feed
  • Anthropic, OpenAI, Black Forest Labs — AI content generation via Vercel AI Gateway
  • Sentry — error tracking and monitoring

9. Children's Privacy

BandSlate is not intended for children under 13. We do not knowingly collect information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

10. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or compliance purposes. Anonymized analytics data may be retained indefinitely.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on our website. Your continued use of BandSlate after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or your data, contact us at: privacy@bandslate.com