Legal
Privacy Policy
How GigBook collects, uses, shares, and protects personal information for DJ businesses and the couples they serve.
DRAFT — pending legal review. This document is a thorough working draft generated from GigBook's actual data practices. It has not been reviewed by a lawyer and must not be published as-is. Every [[FILL: …]] marker below is a fact or decision that must be resolved before this goes live. Scope prepared for United States (CCPA/CPRA) and Canada (PIPEDA/CASL). If GigBook begins serving users in the EU/UK, this policy needs GDPR additions (legal bases, Standard Contractual Clauses for international transfers, DPO/representative).
Effective date: [[FILL: EFFECTIVE_DATE]]
Last updated: 2026-07-01
1. Who we are and what this policy covers
GigBook ("GigBook," "we," "us") is a software platform operated by [[FILL: ENTITY_LEGAL_NAME]], a [[FILL: ENTITY_TYPE — e.g. Delaware LLC]] located at [[FILL: BUSINESS_MAILING_ADDRESS]]. GigBook provides a business portal that DJ and event-services businesses ("DJ Businesses") use to manage bookings, planning, contracts, and payments with their clients — typically engaged couples planning a wedding or event ("Clients" or "Couples").
This Privacy Policy explains how we handle personal information across:
- djgigbook.com and the DJ Business portal;
- the Client portal each DJ Business shares with its Couples;
- our public booking forms, help site (support.djgigbook.com), and APIs.
Our two roles (please read — this is important)
GigBook operates a business-to-business-to-consumer service, so our role depends on whose information is involved:
- For a DJ Business's own account information (the business's login, settings, and billing), GigBook is the business/controller and handles that data under this policy.
- For a Couple's information that a DJ Business collects and manages through GigBook (names, event details, planning notes, contracts), the DJ Business decides how that information is used — GigBook acts as its service provider and processes the data on the DJ Business's behalf and instructions.
If you are a Couple and want to access, correct, or delete information held by a specific DJ Business, contact that DJ Business directly; we will support them in responding. See Section 9.
2. Information we collect
We collect only what the service needs. We do not run advertising trackers or sell your information.
2a. Information DJ Businesses provide
- Account & identity: name, email address, password (stored hashed by our authentication provider).
- Business profile: business name, portal slug, logo, brand colors, fonts.
- Payout handles: the Venmo, PayPal, or Zelle handles a DJ Business chooses to display to Couples (these may be an email address, phone number, or username).
- Billing information for a GigBook subscription: [[FILL: describe billing — e.g. handled by a payment processor; see Section 5. Confirm processor.]]
- API keys and webhook settings the DJ Business creates (we store only a one-way hash of each API key, never the key itself).
2b. Information about Couples (collected by DJ Businesses through GigBook)
Collected via a DJ Business's booking form and planning tools:
- Contact details: primary and partner names, email address, phone number.
- Event details: event date and time, venue name and address, guest count, package/service selected, event type, lead source, and any custom questions the DJ Business adds to its booking form.
- Planning details: ceremony/reception timeline, must-play and do-not-play song lists, MC and dance notes, vendor notes, and other free-text planning fields.
- Contract records: the exact contract text presented, the typed signer name, a drawn signature image, the date and time of signing, and the IP address of the signer. We capture the IP address to verify and evidence electronic signatures, as is standard for e-signature records.
- Payment records: the amount, label (e.g. "Deposit"), status (pending/paid), method noted (Venmo/PayPal/Zelle/other), and dates. We do not collect or store payment card numbers or bank account details — Couples pay DJ Businesses through external services, and GigBook records only that a payment was made.
2c. Information we collect automatically
- Authentication cookies: to keep you signed in (see Section 4).
- Log and technical data: IP address, browser/device type, pages requested, and timestamps, processed by our hosting and (planned) error/performance monitoring providers to operate, secure, and troubleshoot the service.
- We do not use analytics or advertising cookies, cross-site trackers, or behavioral profiling.
3. How we use information
We use personal information to:
- provide, operate, and maintain the GigBook platform and the DJ Business and Client portals;
- create and manage accounts and authenticate sign-ins;
- enable booking, planning, contracts, and payment tracking between DJ Businesses and their Couples;
- send transactional messages (sign-in links, booking and event notifications, payment reminders, contract status);
- send marketing or promotional messages where permitted and with the consent required by law (see Section 8);
- provide customer support and troubleshoot issues, including via our support team and support tooling;
- secure the service, prevent fraud and abuse, and maintain audit and e-signature records;
- comply with legal obligations and enforce our Terms of Service.
Under CCPA/CPRA we collect and use the categories of personal information listed in Section 9 for these business purposes. Under PIPEDA we rely on your consent (express or implied) and other lawful bases, and use information only for the purposes identified here or as otherwise permitted by law.
4. Cookies
GigBook uses a small number of strictly necessary cookies, set by our authentication provider, to keep you signed in and to secure your session. These are essential to the service and cannot be turned off while using it. We do not set advertising, analytics, or cross-site tracking cookies, so GigBook does not display a tracking-consent banner. If this ever changes, we will update this policy and add the required consent controls.
5. How we share information
We share personal information only as described here.
5a. Service providers (sub-processors)
We use vetted providers to run GigBook. They may process personal information only to provide services to us, under contract. Our current and planned providers:
| Provider | Purpose | Data involved |
|---|---|---|
| Supabase | Database, authentication, file storage, sign-in emails | All stored personal information; account emails |
| Cloudflare | Application hosting, content delivery, security, logs | Technical/log data; all traffic in transit |
| [[FILL: EMAIL_PROVIDER — e.g. Resend]] | Transactional & marketing email delivery | Recipient name and email, message content |
| Axiom (planned) | Log management & troubleshooting | Technical/log data (personal fields redacted) |
| Sentry (planned) | Error monitoring | Error/diagnostic data (personal fields redacted) |
| Chatwoot (planned) | Customer support / help desk | Contact details and support conversation content |
| [[FILL: BILLING_PROCESSOR — if any]] | Subscription billing | DJ Business billing details |
A current list of sub-processors is maintained by GigBook and available on request. We update this table when providers change.
5b. International support and processing
GigBook is operated from and hosts data primarily in the United States. We (and our providers) may process and support personal information from other countries, including support staff located in the Philippines. Where information crosses borders, we require contractual protections comparable to those in this policy, as required by PIPEDA and applicable law.
5c. Sharing directed by a DJ Business (webhooks and integrations)
A DJ Business may connect GigBook to its own automation tools (for example Make, Zapier, or n8n) using webhooks. When enabled, GigBook sends event data — which can include Couple names, email addresses, and event details — to the URL the DJ Business configures. That transfer is directed and controlled by the DJ Business, which is responsible for the destination and its handling of the data.
5d. Within a DJ Business
A Couple's information is accessible to the staff of the DJ Business they are working with, so that business can serve them.
5e. Legal, safety, and business transfers
We may disclose information to comply with law, respond to lawful requests, protect rights and safety, or in connection with a merger, acquisition, financing, or sale of assets (with notice as required by law).
5f. We do not sell or "share" personal information
GigBook does not sell personal information, and does not "share" it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We have not done so in the preceding 12 months.
6. Data retention
We keep personal information for as long as an account is active and as needed to provide the service, then as required to meet legal, tax, accounting, audit, and dispute-resolution obligations. Signed contract records (including signature and IP) are retained as durable legal records even after an event is archived. Data may be archived rather than immediately deleted. When information is no longer needed, we delete or de-identify it. To request deletion, see the next section.
[[FILL: RETENTION_SPECIFICS]] — confirm concrete retention periods (e.g. "contracts retained 7 years," "inactive accounts deleted after 24 months"). Note for the implementation team: self-service deletion/export is not yet built; requests are currently handled manually — see the legal-check process.
7. Security
We protect information with encryption in transit (HTTPS/TLS), tenant isolation between DJ Businesses (row-level security), hashed storage of credentials and API keys, and access controls that limit staff and support access to what their role requires, with support access logged. No system is perfectly secure, but we work to protect your information and to notify affected users and regulators of a breach as required by law (including PIPEDA's breach-notification rules).
8. Communications and consent
- Transactional messages (sign-in links, booking/event/payment/contract notifications) are part of the service and are sent to operate your account.
- Marketing messages are sent only where permitted. In the United States we comply with CAN-SPAM — every marketing email identifies us, includes a valid postal address, and offers a working unsubscribe link we honor promptly. In Canada we comply with CASL, which generally requires your express consent before we send commercial electronic messages, clear sender identification, and an unsubscribe mechanism. You can opt out of marketing at any time using the unsubscribe link or by contacting us; you will still receive transactional messages.
9. Your privacy rights
9a. California (CCPA/CPRA)
If you are a California resident, you have the right to: know/access the personal information we collect and how we use and disclose it; delete your personal information; correct inaccurate information; and be free from discrimination for exercising your rights. Because we do not sell or share personal information for cross-context behavioral advertising, no opt-out of sale/sharing is needed.
Categories of personal information we collect (CCPA categories): identifiers (name, email, phone, IP address); customer records (contact and payment-status details); commercial information (bookings, packages, payment history); internet/network activity (log data); geolocation (venue address, IP-derived location); and other information you provide (planning notes, signatures). We disclose these categories to the service providers and recipients in Section 5 for business purposes.
9b. Canada (PIPEDA)
If you are in Canada, you may access the personal information we hold about you, request correction, and withdraw consent (subject to legal or contractual limits). You may also challenge our compliance with PIPEDA by contacting our privacy contact below, and escalate to the Office of the Privacy Commissioner of Canada.
9c. How to exercise your rights
Email [[FILL: PRIVACY_CONTACT_EMAIL]] with your request. We will verify your identity before acting and respond within the timeframes required by law. An authorized agent may submit a request with proof of authorization.
Couples: for information a DJ Business manages about you through GigBook, please send your request to that DJ Business (they decide how that data is used). If you are unsure who to contact, reach us and we will help route your request.
10. Children's privacy
GigBook is not directed to children and is intended for users 18 and older. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
11. Third-party sites
GigBook may link to third-party websites and services (for example a DJ Business's external payment app). We are not responsible for their privacy practices; review their policies.
12. Changes to this policy
We may update this policy as GigBook evolves or the law changes. We will revise the "Last updated" date and, for material changes, provide additional notice. Continued use of GigBook after changes take effect means you accept the updated policy.
13. Contact us
Questions or privacy requests:
- Email: [[FILL: PRIVACY_CONTACT_EMAIL]]
- Mail: [[FILL: ENTITY_LEGAL_NAME]], [[FILL: BUSINESS_MAILING_ADDRESS]]
- Canada — privacy contact / accountable individual: [[FILL: PRIVACY_OFFICER_NAME_OR_ROLE]]
See also our Terms of Service.