---
title: Privacy Policy
id: privacy-policy
description: How GigBook collects, uses, shares, and protects personal information for DJ businesses and the couples they serve.
category: Legal
order: 100
tags: [privacy, legal, ccpa, pipeda, data-protection]
related: [terms-of-service]
updated: 2026-07-01
status: draft
---

> **DRAFT — pending legal review.** This document is a thorough working draft
> generated from GigBook's actual data practices. It has **not** been reviewed by
> a lawyer and must not be published as-is. Every `[[FILL: …]]` marker below is a
> fact or decision that must be resolved before this goes live. Scope prepared for
> **United States (CCPA/CPRA)** and **Canada (PIPEDA/CASL)**. If GigBook begins
> serving users in the EU/UK, this policy needs GDPR additions (legal bases,
> Standard Contractual Clauses for international transfers, DPO/representative).

**Effective date:** [[FILL: EFFECTIVE_DATE]]

**Last updated:** 2026-07-01

## 1. Who we are and what this policy covers

GigBook ("**GigBook**," "**we**," "**us**") is a software platform operated by
[[FILL: ENTITY_LEGAL_NAME]], a [[FILL: ENTITY_TYPE — e.g. Delaware LLC]] located at
[[FILL: BUSINESS_MAILING_ADDRESS]]. GigBook provides a business portal that DJ and
event-services businesses ("**DJ Businesses**") use to manage bookings, planning,
contracts, and payments with their clients — typically engaged couples planning a
wedding or event ("**Clients**" or "**Couples**").

This Privacy Policy explains how we handle **personal information** across:

- **djgigbook.com** and the DJ Business portal;
- the **Client portal** each DJ Business shares with its Couples;
- our public booking forms, help site (**support.djgigbook.com**), and APIs.

### Our two roles (please read — this is important)

GigBook operates a business-to-business-to-consumer service, so our role depends on
whose information is involved:

- **For a DJ Business's own account information** (the business's login, settings,
  and billing), GigBook is the **business/controller** and handles that data under
  this policy.
- **For a Couple's information that a DJ Business collects and manages through
  GigBook** (names, event details, planning notes, contracts), the **DJ Business
  decides how that information is used** — GigBook acts as its **service provider**
  and processes the data on the DJ Business's behalf and instructions.

If you are a Couple and want to access, correct, or delete information held by a
specific DJ Business, contact that DJ Business directly; we will support them in
responding. See [Section 9](#9-your-privacy-rights).

## 2. Information we collect

We collect only what the service needs. We do **not** run advertising trackers or
sell your information.

### 2a. Information DJ Businesses provide
- **Account & identity:** name, email address, password (stored hashed by our
  authentication provider).
- **Business profile:** business name, portal slug, logo, brand colors, fonts.
- **Payout handles:** the Venmo, PayPal, or Zelle handles a DJ Business chooses to
  display to Couples (these may be an email address, phone number, or username).
- **Billing information** for a GigBook subscription: [[FILL: describe billing —
  e.g. handled by a payment processor; see Section 5. Confirm processor.]]
- **API keys and webhook settings** the DJ Business creates (we store only a
  one-way hash of each API key, never the key itself).

### 2b. Information about Couples (collected by DJ Businesses through GigBook)
Collected via a DJ Business's booking form and planning tools:
- **Contact details:** primary and partner names, email address, phone number.
- **Event details:** event date and time, venue name and address, guest count,
  package/service selected, event type, lead source, and any custom questions the
  DJ Business adds to its booking form.
- **Planning details:** ceremony/reception timeline, must-play and do-not-play song
  lists, MC and dance notes, vendor notes, and other free-text planning fields.
- **Contract records:** the exact contract text presented, the typed signer name,
  a drawn signature image, the date and time of signing, and the **IP address** of
  the signer. We capture the IP address to verify and evidence electronic
  signatures, as is standard for e-signature records.
- **Payment records:** the amount, label (e.g. "Deposit"), status (pending/paid),
  method noted (Venmo/PayPal/Zelle/other), and dates. **We do not collect or store
  payment card numbers or bank account details** — Couples pay DJ Businesses through
  external services, and GigBook records only that a payment was made.

### 2c. Information we collect automatically
- **Authentication cookies:** to keep you signed in (see [Section 4](#4-cookies)).
- **Log and technical data:** IP address, browser/device type, pages requested, and
  timestamps, processed by our hosting and (planned) error/performance monitoring
  providers to operate, secure, and troubleshoot the service.
- We do **not** use analytics or advertising cookies, cross-site trackers, or
  behavioral profiling.

## 3. How we use information

We use personal information to:
- provide, operate, and maintain the GigBook platform and the DJ Business and Client
  portals;
- create and manage accounts and authenticate sign-ins;
- enable booking, planning, contracts, and payment tracking between DJ Businesses
  and their Couples;
- send **transactional messages** (sign-in links, booking and event notifications,
  payment reminders, contract status);
- send **marketing or promotional messages** where permitted and with the consent
  required by law (see [Section 8](#8-communications-and-consent));
- provide customer support and troubleshoot issues, including via our support
  team and support tooling;
- secure the service, prevent fraud and abuse, and maintain audit and e-signature
  records;
- comply with legal obligations and enforce our [Terms of Service](/terms-of-service).

Under CCPA/CPRA we collect and use the categories of personal information listed in
[Section 9](#9-your-privacy-rights) for these business purposes. Under PIPEDA we
rely on your consent (express or implied) and other lawful bases, and use
information only for the purposes identified here or as otherwise permitted by law.

## 4. Cookies

GigBook uses a small number of **strictly necessary cookies**, set by our
authentication provider, to keep you signed in and to secure your session. These are
essential to the service and cannot be turned off while using it. We do **not** set
advertising, analytics, or cross-site tracking cookies, so GigBook does not display a
tracking-consent banner. If this ever changes, we will update this policy and add the
required consent controls.

## 5. How we share information

We share personal information only as described here.

### 5a. Service providers (sub-processors)
We use vetted providers to run GigBook. They may process personal information only to
provide services to us, under contract. Our current and planned providers:

| Provider | Purpose | Data involved |
|---|---|---|
| **Supabase** | Database, authentication, file storage, sign-in emails | All stored personal information; account emails |
| **Cloudflare** | Application hosting, content delivery, security, logs | Technical/log data; all traffic in transit |
| [[FILL: EMAIL_PROVIDER — e.g. Resend]] | Transactional & marketing email delivery | Recipient name and email, message content |
| **Axiom** *(planned)* | Log management & troubleshooting | Technical/log data (personal fields redacted) |
| **Sentry** *(planned)* | Error monitoring | Error/diagnostic data (personal fields redacted) |
| **Chatwoot** *(planned)* | Customer support / help desk | Contact details and support conversation content |
| [[FILL: BILLING_PROCESSOR — if any]] | Subscription billing | DJ Business billing details |

A current list of sub-processors is maintained by GigBook and available on request.
We update this table when providers change.

### 5b. International support and processing
GigBook is operated from and hosts data primarily in the **United States**. We (and
our providers) may process personal information and provide customer support from
other countries, **including through support staff located in the Philippines**.
Where information crosses
borders, we require contractual protections comparable to those in this policy, as
required by PIPEDA and applicable law.

### 5c. Sharing directed by a DJ Business (webhooks and integrations)
A DJ Business may connect GigBook to its own automation tools (for example Make,
Zapier, or n8n) using **webhooks**. When enabled, GigBook sends event data — which
can include Couple names, email addresses, and event details — to the URL the DJ
Business configures. That transfer is directed and controlled by the DJ Business,
which is responsible for the destination and its handling of the data.

### 5d. Within a DJ Business
A Couple's information is accessible to the staff of the DJ Business they are working
with, so that business can serve them.

### 5e. Legal, safety, and business transfers
We may disclose information to comply with law, respond to lawful requests, protect
rights and safety, or in connection with a merger, acquisition, financing, or sale of
assets (with notice as required by law).

### 5f. We do not sell or "share" personal information
GigBook does **not** sell personal information, and does **not** "share" it for
cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA.
We have not done so in the preceding 12 months.

## 6. Data retention

We keep personal information for as long as an account is active and as needed to
provide the service, then as required to meet legal, tax, accounting, audit, and
dispute-resolution obligations. **Signed contract records (including signature and
IP) are retained as durable legal records** even after an event is archived. Data may
be archived rather than immediately deleted. When information is no longer needed, we
delete or de-identify it. To request deletion, see the next section.

> **[[FILL: RETENTION_SPECIFICS]]** — confirm concrete retention periods (e.g.
> "contracts retained 7 years," "inactive accounts deleted after 24 months"). Note
> for the implementation team: self-service deletion/export is **not yet built**;
> requests are currently handled manually — see the [legal-check process](/terms-of-service).

## 7. Security

We protect information with encryption in transit (HTTPS/TLS), tenant isolation
between DJ Businesses (row-level security), hashed storage of credentials and API
keys, and access controls that limit staff and support access to what their role
requires, with support access logged. No system is perfectly secure, but we work to
protect your information and to notify affected users and regulators of a breach as
required by law (including PIPEDA's breach-notification rules).

## 8. Communications and consent

- **Transactional messages** (sign-in links, booking/event/payment/contract
  notifications) are part of the service and are sent to operate your account.
- **Marketing messages** are sent only where permitted. In the United States we
  comply with **CAN-SPAM** — every marketing email identifies us, includes a valid
  postal address, and offers a working unsubscribe link we honor promptly. In Canada
  we comply with **CASL**, which generally requires your **express consent** before
  we send commercial electronic messages, clear sender identification, and an
  unsubscribe mechanism. You can opt out of marketing at any time using the
  unsubscribe link or by contacting us; you will still receive transactional
  messages.

## 9. Your privacy rights

### 9a. California (CCPA/CPRA)
If you are a California resident, you have the right to: **know/access** the personal
information we collect and how we use and disclose it; **delete** your personal
information; **correct** inaccurate information; and be free from **discrimination**
for exercising your rights. Because we do not sell or share personal information for
cross-context behavioral advertising, no opt-out of sale/sharing is needed.

Categories of personal information we collect (CCPA categories): **identifiers**
(name, email, phone, IP address); **customer records** (contact and payment-status
details); **commercial information** (bookings, packages, payment history);
**internet/network activity** (log data); **geolocation** (venue address, IP-derived
location); and **other information you provide** (planning notes, signatures). We
disclose these categories to the service providers and recipients in
[Section 5](#5-how-we-share-information) for business purposes.

### 9b. Canada (PIPEDA)
If you are in Canada, you may **access** the personal information we hold about you,
request **correction**, and **withdraw consent** (subject to legal or contractual
limits). You may also **challenge our compliance** with PIPEDA by contacting our
privacy contact below, and escalate to the Office of the Privacy Commissioner of
Canada.

### 9c. How to exercise your rights
Email **[[FILL: PRIVACY_CONTACT_EMAIL]]** with your request. We will verify your
identity before acting and respond within the timeframes required by law. An
authorized agent may submit a request with proof of authorization.

**Couples:** for information a DJ Business manages about you through GigBook, please
send your request to that DJ Business (they decide how that data is used). If you are
unsure who to contact, reach us and we will help route your request.

## 10. Children's privacy

GigBook is not directed to children and is intended for users **18 and older**. We do
not knowingly collect personal information from children. If you believe a child has
provided us information, contact us and we will delete it.

## 11. Third-party sites

GigBook may link to third-party websites and services (for example a DJ Business's
external payment app). We are not responsible for their privacy practices; review
their policies.

## 12. Changes to this policy

We may update this policy as GigBook evolves or the law changes. We will revise the
"Last updated" date and, for material changes, provide additional notice. Continued
use of GigBook after changes take effect means you accept the updated policy.

## 13. Contact us

Questions or privacy requests:

- **Email:** [[FILL: PRIVACY_CONTACT_EMAIL]]
- **Mail:** [[FILL: ENTITY_LEGAL_NAME]], [[FILL: BUSINESS_MAILING_ADDRESS]]
- **Canada — privacy contact / accountable individual:** [[FILL: PRIVACY_OFFICER_NAME_OR_ROLE]]

See also our [Terms of Service](/terms-of-service).
