Privacy Policy

Effective Date: March 31, 2026

out4 ("we", "us", "our") operates the out4.events platform. This Privacy Policy describes how we collect, use, and protect your personal information when you use our Service.

1. Information We Collect
Information you provide:
  • Account information: name, email address, and password when you create an account.
  • Profile information: display name, bio, and profile photos you choose to add.
  • Event information: event details, descriptions, and images if you create events.
  • Payment information: payment card details are collected and processed directly by Stripe. We do not store your full card number, expiration date, or CVV.
  • Uploaded media: images, logos, and other media uploaded by users are stored on Cloudflare R2 (uploads.out4.events) and may be displayed publicly on published events.

Information collected automatically:
  • Usage data: pages visited, features used, and interactions with the platform.
  • Device information: browser type, operating system, and device identifiers.
  • Location data: approximate location based on IP address, used for event discovery and search. We do not track precise GPS location without your explicit consent.
  • Push notification tokens: Expo push tokens are collected when you opt in to notifications on the mobile app. These tokens are used to deliver event reminders and account notifications.
  • Device identifiers for scanning: when promoters scan QR codes for event check-in, the scanning device's identifier (Android ID or iOS app ID) is recorded for audit purposes.
  • CAPTCHA verification data: Google reCAPTCHA collects IP address, device fingerprints, and interaction data on signup and checkout forms to prevent bot abuse.
  • Analytics data: see Section 8 (Analytics) below.

2. How We Use Your Information

We use the information we collect to:

  • Create and manage your account.
  • Process ticket purchases and deliver confirmation emails and QR code tickets.
  • Display events relevant to your location and interests.
  • Provide event organizers with attendee and sales analytics.
  • Send transactional emails, including: welcome emails, order confirmations with QR codes, email verification, password reset links, day-of event reminders, and complimentary ticket notifications.
  • Deliver push notifications for event reminders and account updates (when opted in).
  • Improve and maintain the Service.
  • Detect and prevent fraud, abuse, and security issues.

3. Third-Party Services

We share information with the following third parties as necessary to operate the Service:

  • Stripe: processes all payments on the platform. Stripe collects and stores payment card information under its own privacy policy. See stripe.com/privacy.
  • Mapbox: provides map and location services for event discovery. See mapbox.com/legal/privacy.
  • Resend: sends transactional emails on our behalf, including welcome emails, order confirmations, email verification, password reset links, event reminders, and complimentary ticket notifications. See resend.com/privacy.
  • Supabase: hosts our PostgreSQL database. See supabase.com/privacy.
  • Upstash: provides Redis caching infrastructure. See upstash.com/privacy.
  • Cloudflare: provides CDN, Pages hosting, R2 object storage for uploaded images (uploads.out4.events), and DNS services. See cloudflare.com/privacypolicy.
  • Google Analytics: collects usage analytics via gtag.js. See policies.google.com/privacy and Section 8 below.
  • Ticketmaster: event data is synced from Ticketmaster for discovery purposes. See ticketmaster.com/privacy.
  • Spotify: artist catalog metadata (names, images, genres) is sourced from the Spotify Web API using application-level credentials to enrich artist profile pages and event discovery. We do not link your Spotify account or read any user-level Spotify data. See the Spotify subsection below. Spotify's privacy practices are governed by spotify.com/privacy.
  • Expo: delivers push notifications to mobile app users. See expo.dev/privacy.
  • Google reCAPTCHA: provides bot prevention on signup and checkout forms. See google.com/recaptcha/about.

We do not sell your personal information to third parties.

Spotify

out4 uses Spotify's public catalog (via the Spotify Web API with application-level credentials, no user consent required) to enrich artist profile pages with canonical artist names, images, and genres. All Spotify-sourced data is displayed with a "Powered by Spotify" attribution and a link back to the artist on Spotify. We do not request access to your Spotify account, read your listening history, modify your Spotify library, or post on your behalf.

Spotify's own handling of your data is governed by the Spotify Privacy Policy.

4. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention periods include:

  • Email verification tokens expire after 24 hours.
  • Password reset tokens expire after 1 hour.
  • Push notification tokens are deleted upon logout or when you unregister from notifications.
  • Upon account deletion, your profile is anonymized immediately (see Section 5), but transaction records may be retained for up to 7 years for tax and legal compliance.

5. Account Deletion

You may delete your account at any time from your account settings or by contacting us at privacy@out4.events. Your account will be anonymized (email, name, and personal information removed), but transaction records may be retained as required by law for tax and accounting purposes (up to 7 years).

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request that we correct inaccurate or incomplete data.
  • Deletion: request that we anonymize your account and delete your personal data (transaction records may be retained as required by law).
  • Portability: you may request a copy of your personal data by contacting privacy@out4.events. We will respond within 30 days.
  • Opt-out: opt out of non-essential communications at any time.

To exercise any of these rights, contact us at privacy@out4.events. We will respond within 30 days.

7. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • The right to know what personal information we collect and how it is used.
  • The right to request deletion of your personal information.
  • The right to opt out of the sale of personal information. We do not sell personal information.
  • The right to non-discrimination for exercising your privacy rights.

You can manage push notification preferences directly in the mobile app settings. For all other data requests, contact privacy@out4.events.

8. Analytics

We use Google Analytics (gtag.js) to collect usage analytics, including:

  • IP address and approximate geographic location.
  • Browser type and operating system.
  • Pages visited and interactions with the Service.

Google Analytics sets tracking cookies to distinguish users and sessions. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

9. European Residents (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases: performance of a contract (providing the Service), legitimate interest (improving the Service, preventing fraud), and consent (where required). You have the right to lodge a complaint with your local data protection authority if you believe we have violated your rights under the GDPR.

10. Cookies and Local Storage

We use the following browser storage mechanisms:

  • localStorage: authentication tokens (JWT) are stored in browser localStorage and cleared on logout. These are essential for the Service to function.
  • Google Analytics cookies: tracking cookies set by Google Analytics to distinguish users and sessions (see Section 8).
  • Essential cookies: cookies required for core site functionality that cannot be disabled.

11. Data Security

We implement industry-standard security measures to protect your personal information, including:

  • Encrypted connections (TLS/SSL) for all data in transit.
  • Secure password hashing and access controls.
  • Rate limiting on authentication and checkout endpoints.
  • Account lockout for 30 minutes after 5 failed login attempts.
  • IP-based request throttling to prevent abuse.

However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

12. Children's Privacy

You must be at least 18 years old to create an account. If we learn that a user under 13 has created an account, we will delete that account and associated data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use of the Service after changes take effect constitutes your acceptance of the revised policy.

For privacy-related inquiries, contact us at privacy@out4.events