Privacy Policy
Last updated: March 12, 2026
At BandPilot, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our setlist management platform.
1. Information We Collect
1.1 Information You Provide
We collect information that you voluntarily provide when using our Service:
- Account Information: Email address and password when you create an account.
- User Content: Songs (title, artist, key, BPM, duration, lyrics, notes, tags, URLs), setlists, and band/member information you create within BandPilot.
- Communications: Messages sent through our support system and any feedback you provide.
1.2 Automatically Collected Information
We use Umami, a privacy-first analytics tool, to collect limited usage data:
- Usage Data: Pages visited, referral source, browser type, and operating system.
- Device Information: Screen resolution and device type.
Umami does not use cookies, does not store IP addresses, and does not collect any personally identifiable information. All analytics data is aggregated and anonymous.
2. How We Use Your Information
We use the collected information for the following purposes:
- To provide, maintain, and improve the Service
- To authenticate your account and keep it secure
- To process payments and send related notifications
- To communicate with you about your account and respond to inquiries
- To analyze aggregated usage patterns and improve our features
- To detect, prevent, and address security issues
- To comply with legal obligations and enforce our terms
3. Information Sharing
We do not sell your personal information. We may share your information in the following circumstances:
- Service Providers: We share information with trusted third-party service providers who assist in operating our Service, subject to confidentiality obligations.
- Payment Processing: Payment information is shared with Stripe for processing transactions securely. BandPilot never sees or stores your credit card numbers.
- Legal Requirements: We may disclose information when required by law, court order, or to protect our rights and safety.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new owner.
We never sell your personal information to third parties for advertising purposes.
4. Data Security
We implement industry-standard security measures to protect your information:
- Encryption of data in transit (TLS/SSL) and at rest
- Row-level security in our database (Supabase/PostgreSQL) — only you can access your data
- Authentication handled by Supabase (SOC 2 compliant)
- Payment processing by Stripe (PCI DSS compliant)
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with services. After account termination, we retain certain information for up to 30 days to allow data export. Backups may retain data for up to 90 days. You may request deletion of your data by contacting us, subject to legal retention requirements.
6. Your Rights
You have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you, or export your data via CSV at any time.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to legal requirements.
- Data Portability: Export your data in a machine-readable format.
- Withdraw Consent: Withdraw consent for optional data processing at any time.
To exercise these rights, please contact us at support@bandpilotapp.com. We will respond to your request within 30 days.
7. Cookies and Tracking
BandPilot uses only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party cookies. Our analytics tool (Umami) is completely cookie-free.
8. Third-Party Services
We integrate with third-party services that have their own privacy policies:
9. International Data Transfers
BandPilot is based in Canada. Your data is stored on Supabase infrastructure (AWS). If you access the Service from outside Canada, your information may be transferred to and processed in Canada or the United States. By using the Service, you consent to this transfer. We ensure appropriate safeguards are in place for international data transfers.
10. Canadian Privacy Law (PIPEDA)
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. This includes:
- Obtaining meaningful consent for collection and use of personal information
- Limiting collection to purposes identified at the time of collection
- Providing access to your personal information upon request
- Keeping personal information accurate and up-to-date
- Implementing appropriate security safeguards
11. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the Service at least 30 days before they take effect. The "Last updated" date at the top of this policy indicates when it was last revised.
13. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us: