Last updated: 2026-01-24
1. Introduction
StageSub is a cloud-based platform for symphony orchestras to manage musician substitutes, availability tracking, and project staffing. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and Swedish data protection laws.
We are committed to transparency and your right to privacy. This policy applies to all users of our platform, including orchestra administrators, staff members, and musicians.
2. Data Controller & Contact Information
Company Name: StageSub AB
Organization Number: 559541-2569
Address: Ymsenvägen 8, 120 38 Årsta, Sweden
Email: admin@stagesub.com
Data Protection Contact: admin@stagesub.com
For data protection inquiries or to exercise your rights under GDPR, please contact us at the email address above.
3. Data Processing Roles & Responsibilities
3.1 StageSub as Data Processor
StageSub acts primarily as a data processor when orchestras use our platform to manage musician data. In this role:
- Orchestras are the data controllers and determine what personal data is collected and how it is used
- StageSub processes data on behalf of orchestras according to their instructions
- We maintain appropriate technical and organizational measures to protect musician data
- We do not use musician data for our own purposes beyond providing the service
3.2 StageSub as Data Controller
StageSub acts as a data controller for:
- Orchestra administrator and staff user accounts
- Billing and subscription information
- Platform usage analytics and system logs
- Customer support communications
- Marketing communications (with consent)
4. Personal Data We Collect
4.1 Orchestra Administrator & Staff Data
- Account Information: Name, email address, phone number, job title, role (Admin, Manager, Viewer)
- Authentication Data: Password (encrypted), login timestamps, session tokens
- Organization Information: Orchestra name, address, billing details
- Usage Data: Activity logs, feature usage, access patterns
4.2 Musician Data (Processed on Behalf of Orchestras)
- Contact Information: Name, email address, phone number (mobile and landline)
- Professional Information: Instrument(s), qualifications, positions, ranking, availability status
- Project Data: Requests sent, responses received, acceptance/decline history, project assignments
- Communication Records: Email and SMS messages sent via the platform, read receipts, response timestamps
- Custom Fields: Any additional data fields created by the orchestra
- Notes & Comments: Internal notes added by orchestra staff
4.3 Automatically Collected Technical Data
- Log Data: IP addresses, browser type, operating system, timestamps
- Cookies: Session cookies for authentication, preference cookies for language settings
- Performance Data: Page load times, error logs, system diagnostics
4.4 Payment & Billing Data
- Billing Information: Organization name, billing address, VAT number
- Payment Data: We do not store credit card information. Payment processing is handled by third-party payment processors
- Transaction Records: Invoices, payment history, subscription tier changes
5. Legal Basis for Processing (GDPR Article 6)
We process personal data based on the following legal grounds:
5.1 Contract Performance (Article 6(1)(b))
- Processing necessary to provide the StageSub service to orchestras
- User account creation and authentication
- Sending musician requests via email and SMS as instructed by orchestra administrators
- Project management and staffing coordination
5.2 Legitimate Interests (Article 6(1)(f))
- Platform security, fraud prevention, and abuse detection
- Technical performance monitoring and error logging
- Customer support and service improvement
- Internal analytics to understand feature usage
5.3 Legal Obligation (Article 6(1)(c))
- Compliance with Swedish accounting and tax laws
- Retention of financial records as required by law
- Responding to lawful requests from authorities
5.4 Consent (Article 6(1)(a))
- Marketing communications and product updates (you can withdraw consent at any time)
- Optional features and data processing beyond core service functionality
6. How We Use Your Data
6.1 Service Provision
- Create and manage orchestra accounts and user profiles
- Maintain musician databases with ranking and qualification information
- Send automated substitute requests via email and SMS
- Track musician responses, availability, and project assignments
- Generate reports, exports, and analytics for orchestras
- Provide real-time notifications and status updates
6.2 Platform Operation & Security
- Authenticate users and maintain secure access controls
- Monitor system performance and diagnose technical issues
- Detect and prevent fraud, abuse, and unauthorized access
- Maintain comprehensive audit logs for security purposes
- Ensure data isolation between orchestras using Row-Level Security (RLS)
6.3 Communication & Support
- Respond to customer support inquiries
- Send service notifications and important updates
- Notify users of system changes or policy updates
- Provide technical assistance and troubleshooting
6.4 Service Improvement
- Analyze usage patterns to improve features and user experience
- Identify bugs and areas for optimization
- Develop new features based on customer needs
- Conduct aggregated, anonymized analysis (we do not use individual data for marketing or selling to third parties)
7. Data Sharing & Third-Party Services
We only share personal data with trusted third-party service providers who help us deliver our service. All providers are GDPR-compliant and operate under data processing agreements (DPAs).
7.1 Infrastructure & Hosting
- Supabase (EU Region): Database hosting and authentication services. Data stored in EU data centers with GDPR compliance
- Vercel: Application hosting and content delivery network (CDN)
7.2 Communication Services
- SendGrid (Primary): Email delivery service for musician requests and system notifications
- Resend (Failover): Backup email delivery service
- 46elks: SMS delivery service for Swedish phone numbers
- Twilio: SMS delivery service for international phone numbers
Note: These services only receive the minimum data necessary to deliver messages (email address or phone number, message content). They do not have access to your full database.
7.3 Data Sharing with Orchestras
For musicians: Your contact information, professional details, and project response history are visible to the orchestras you are associated with. Orchestras control and manage this data as data controllers.
7.4 Legal Requirements
- We may disclose data if required by Swedish law or lawful requests from authorities
- We will notify you of such disclosures unless legally prohibited from doing so
7.5 No Data Selling
We do not sell, rent, or trade your personal data to third parties for marketing or commercial purposes.
8. Data Retention & Deletion
We retain personal data only as long as necessary for the purposes outlined in this policy.
8.1 Active Accounts
- Data is retained while your orchestra account is active and in use
- Musician data is retained as long as orchestras maintain their records
8.2 Soft Deletion (30-Day Recovery Period)
When musicians are deleted from the system:
- Records are soft-deleted and marked as inactive
- Data can be restored within 30 days if needed
- After 30 days, the data is permanently deleted from our systems
8.3 Legal Retention Requirements
- Financial records: Retained for 7 years as required by Swedish accounting law
- Audit logs: Retained for security and compliance purposes (typically 1-2 years)
- Communication logs: Retained for dispute resolution and service quality (typically 1 year)
8.4 Account Closure
When an orchestra cancels their subscription:
- Access to the platform is disabled at the end of the billing period
- Data is retained for 90 days to allow for reactivation and to fulfill legal obligations
- After 90 days, all data is permanently deleted, except for financial records required by law
9. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
9.1 Right of Access (Article 15)
Request a copy of all personal data we hold about you. We will provide this information free of charge in a commonly used electronic format within 30 days.
9.2 Right to Rectification (Article 16)
Correct any inaccurate or incomplete personal data. For musicians, contact your orchestra administrator, who can update your profile. For administrator accounts, update your profile directly or contact us.
9.3 Right to Erasure - "Right to be Forgotten" (Article 17)
Request deletion of your personal data when:
- The data is no longer necessary for the original purpose
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
Note: This right does not apply when we must retain data to comply with legal obligations (e.g., accounting records).
9.4 Right to Restriction of Processing (Article 18)
Request that we limit how we use your data while a dispute is being resolved or while verifying the accuracy of your data.
9.5 Right to Data Portability (Article 20)
Receive your personal data in a structured, commonly used, machine-readable format (typically CSV or JSON). Orchestras can export their full database at any time via the platform.
9.6 Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds that override your interests.
9.7 Right to Withdraw Consent (Article 7(3))
Withdraw consent at any time for processing based on consent (e.g., marketing communications). This does not affect the lawfulness of processing before withdrawal.
9.8 How to Exercise Your Rights
To exercise any of these rights, contact us at admin@stagesub.com. We will respond within 30 days (extendable to 60 days for complex requests).
For musicians: Some requests may need to go through your orchestra, as they are the data controller for musician records.
10. Data Security Measures
We implement industry-standard technical and organizational security measures to protect your personal data:
10.1 Technical Measures
- Encryption in Transit: All data transmission uses HTTPS/TLS encryption (TLS 1.2 or higher)
- Encryption at Rest: Database encryption provided by Supabase with AES-256 encryption
- Row-Level Security (RLS): Database policies ensure orchestras can only access their own data
- Authentication: Secure password hashing (bcrypt) and session management
- Access Controls: Role-based permissions (Superadmin, Admin, Manager, Viewer)
- Activity Logging: Comprehensive audit trails for all data access and modifications
10.2 Organizational Measures
- Data Minimization: We only collect data necessary for service provision
- Access Restrictions: Staff access to production data is limited and logged
- Security Monitoring: Continuous monitoring for suspicious activity and security threats
- Regular Updates: Timely security patches and system updates
- Incident Response: Documented procedures for data breach response
10.3 Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the Swedish Data Protection Authority (IMY) within 72 hours
- Notify affected users without undue delay
- Provide clear information about the breach and recommended protective actions
11. International Data Transfers
While we primarily store data in the EU, some third-party services may process data outside the European Economic Area (EEA).
11.1 EU Data Storage
- Primary Database: Hosted by Supabase in EU data centers (Frankfurt, Germany region)
- All musician and orchestra data is stored exclusively in the EU
11.2 Third-Party Services with International Transfer
- SendGrid (USA): Email delivery service - protected by Standard Contractual Clauses (SCCs)
- Twilio (USA): International SMS delivery - protected by Standard Contractual Clauses
- Vercel (USA/Global CDN): Application hosting - GDPR-compliant with EU-US Data Privacy Framework participation
11.3 Safeguards
All international transfers are protected by:
- Standard Contractual Clauses (SCCs): EU-approved contract terms ensuring GDPR-level protection
- Data Processing Agreements: Signed with all third-party processors
- Encryption: All data transfers use encrypted connections
- Minimal Data Transfer: Only the minimum necessary data is transferred (e.g., only email addresses to SendGrid)
12. Cookies & Tracking Technologies
12.1 Essential Cookies
We use only essential cookies required for the platform to function:
- Authentication cookies: To keep you logged in securely
- Session cookies: To maintain your session state
- Preference cookies: To remember your language and settings
12.2 No Third-Party Tracking
We do not use:
- Google Analytics or similar third-party analytics
- Advertising cookies or remarketing pixels
- Social media tracking pixels
- Cross-site tracking technologies
12.3 Cookie Management
You can disable cookies in your browser settings, but this may affect platform functionality. Essential cookies are necessary for the service to work properly.
13. Children's Privacy
StageSub is designed for professional use by orchestras and adult musicians. Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 18.
If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that information as quickly as possible. If you believe we might have data from or about a child under 18, please contact us at admin@stagesub.com.
14. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Notification of Changes:
- Minor changes: Updated on this page with a new "Last updated" date
- Significant changes: Notified via email to registered users and by a prominent notice on the platform
- For material changes, users will have 30 days to review the changes before they take effect
Continued use of the service after changes indicates acceptance of the updated policy.
15. Contact & Complaints
15.1 Contact Us
For privacy-related questions, data requests, or to exercise your GDPR rights:
StageSub AB
Ymsenvägen 8, 120 38 Årsta, Sweden
Email: admin@stagesub.com
Organization Number: 559541-2569
15.2 Supervisory Authority
You have the right to lodge a complaint with the Swedish Data Protection Authority:
Swedish Data Protection Authority (IMY)
Box 8114, 104 20 Stockholm, Sweden
Phone: +46 (0)8-657 61 00
Website: www.imy.se
If you are located in another EU country, you may also contact your local data protection authority.
This privacy policy is compliant with the General Data Protection Regulation (GDPR) (EU Regulation 2016/679), Swedish Data Protection Law, and the Swedish Electronic Communications Act.
Last Reviewed: 2026-01-24