This Privacy Policy explains in detail how Bandger processes personal data in connection with the operation of bandger.com, the application available notably through app.bandger.com, the related features, support interactions, subscription management and, more generally, any interaction with the service. Its purpose is to provide data subjects with clear and complete information about the categories of data that may be processed, the purposes of processing, the legal bases relied upon, the recipients involved, the retention periods applied and the rights available under the General Data Protection Regulation and applicable Belgian rules.
1. Data controller and scope
The controller of the personal data covered by this policy is Romain Vause, a natural person trading under the name Airdev, established at Rue du Horloz 63A, 4420 Liège, Belgium. As controller, Airdev determines the main purposes and essential means of the processing activities described in this policy.
This policy applies to people who browse the website, create an account, use the application, contact support, subscribe to communications, purchase a paid plan, or whose personal data is entered into the service by an authorized user. Where collaborative workspaces and role-based permissions are used, some personal data may also be visible to other authorized members within the same workspace depending on the configuration chosen by the users.
For any privacy-related question or request concerning your rights, you may contact us at support@bandger.com. In the absence of a formally appointed data protection officer, this email address is the main privacy contact point.
2. Categories of data that may be processed
Depending on how you interact with Bandger, we may process several categories of personal data. Not all categories are collected for every person. Some data is only processed where a specific feature is used, where a specific sign-in method is selected, where a subscription exists, or where a particular interaction with the service takes place.
The data processed may include identification data, contact data, account data, technical data, content data, browsing data, billing-related data and logs required for security, abuse prevention and technical maintenance. We seek, within reasonable limits, to avoid collecting data that is not necessary in light of the purposes described in this policy.
Account data: first name, last name, email address, hashed password, preferences, account status and workspace role.
Third-party authentication data: when Google Sign-In is used, the information strictly needed to authenticate and create or match an account, such as name, email address and, where applicable, profile picture.
Content data: information relating to bands, members, events, setlists, songs, notes, contacts, documents, files and other content entered, created, imported or shared through the application.
Contact and support data: identity details, email address, subject line and message contents submitted through the contact form, support requests or other communication channels.
Subscription and billing data: selected plan, subscription status, billing identifiers, renewal history, amounts due or paid and administrative information required for contract and accounting follow-up.
Technical and security data: IP address, browser type, device type, operating system, access logs, error logs, timestamps, technical identifiers and other traces reasonably necessary for abuse prevention or incident resolution.
Browsing and preference data: required cookies, display preferences such as theme, language, local settings and, where the appropriate consent has been obtained, audience measurement data.
3. Data provided directly or indirectly by users
A significant part of the data processed by Bandger is provided directly by users themselves, either when they create an account or during the normal use of the service. This includes profile information, data entered in collaborative workspaces, uploaded files and information shared with other authorized members.
Some data may also be provided indirectly, for example when you use a third-party sign-in option, when another user invites you into a shared workspace, when an administrator assigns you a role or when a user stores data relating to other people. In the latter case, the person entering such data remains responsible for ensuring that an appropriate legal basis exists for doing so.
4. Purposes of processing
The main purpose of the processing carried out through Bandger is to ensure the normal operation of the service, account management, collaboration between users, and the storage and organization of information useful to the internal communication and day-to-day coordination of music bands.
In addition to that core purpose, certain data is processed to protect the service, prevent fraud, spam and abuse, handle support requests, manage subscriptions, comply with accounting and tax obligations, measure website use and improve the usability, performance and overall quality of the product.
Where permitted by law, certain contact data may also be used to send communications about the service, its development, its features, its updates or similar offers, subject to compliance with the applicable rules on electronic marketing and the relevant rights to object or withdraw consent.
Creating, managing and securing user accounts.
Providing, operating, maintaining and improving the service.
Organizing, synchronizing, sharing and backing up content used in Bandger.
Managing roles, access rights, invitations and collaborative workspaces.
Handling subscriptions, renewals, payments and customer relations.
Responding to contact requests, support requests and complaints.
Measuring audience, understanding usage and improving the website and application.
Preventing abuse, protecting the infrastructure and keeping technical traces useful for security.
Complying with legal, accounting, tax and regulatory obligations.
5. Legal bases relied upon
Under the GDPR, each processing activity must rely on a valid legal basis. Depending on the circumstances, processing carried out through Bandger may rely on the performance of a contract, the legitimate interests of the controller, the consent of the data subject or a legal obligation imposed on the controller.
Where data is required to create an account, grant access to the application, provide requested features, manage a subscription or supply support directly linked to the service, processing is generally based on the performance of a contract or on steps taken at the request of the data subject before entering into a contract.
Where data is used for security, abuse prevention, maintenance, backups, product improvement, defense of rights or communications about similar services to existing customers, the processing is generally based on our legitimate interests, provided that such interests are not overridden by the rights and freedoms of the persons concerned.
Performance of a contract or pre-contractual steps: registration, access to the service, feature operation, billing and account-related support.
Legitimate interests: security, logging, fraud prevention, maintenance, improvement, backups and defense of legal rights.
Consent: analytics cookies, certain audience measurement activities, certain marketing communications and any processing for which prior consent is legally required.
Legal obligation: retention of accounting, tax, administrative or security-related records and responses to lawful requests from competent authorities.
6. Recipients and internal access within the service
Personal data may be accessed only by persons who need to know it for legitimate operational purposes. This includes, first, persons acting on behalf of Airdev to the extent strictly necessary for operating, maintaining, securing and supporting Bandger.
As part of the normal operation of the application, some information may also be visible to other users belonging to the same workspace, group or organization, depending on the roles, permissions, invitations and sharing settings configured by the users themselves. Administrators and authorized users are expected to manage such access carefully and only in line with actual collaboration needs.
Some data may also be made available to processors or technical providers acting on behalf of Airdev, strictly to the extent needed for the services they perform and subject, where required, to an appropriate contractual framework.
7. Main technical processors and providers
To ensure hosting, storage, security, audience measurement, messaging, abuse prevention and payment processing, Bandger may rely on several specialized providers. The identity or combination of those providers may change over time as a result of technical, economic, security or compliance needs.
Using a provider does not entitle that provider to use the data for its own purposes beyond what results from its own applicable terms and the role it plays as a separate controller for certain specific operations. Airdev seeks, where reasonably possible, to select providers offering sufficient safeguards in terms of security and compliance.
OVHcloud: primary hosting of the website and application.
Amazon Web Services (AWS): file storage, notably in eu-west-3 (Paris).
Stripe: technical payment processing and certain billing-related operations.
Google: depending on activated features, notably Google Analytics, Google Sign-In and Google reCAPTCHA.
Mailcoach: certain mailing, list management or unsubscribe handling operations.
8. Transfers outside the EEA
Where reasonably possible, Bandger prioritizes technical solutions located in the European Union or, more broadly, within the European Economic Area. However, some providers used by the service, especially certain global providers for payments, authentication, abuse prevention or audience measurement, may involve access from, transfers to or processing in countries outside the EEA, including the United States.
Where such transfers exist, they are framed through legally recognized transfer tools, such as the European Commission's Standard Contractual Clauses, an adequacy decision where one exists, or another valid safeguard available at the relevant time. Even where those mechanisms are in place, international transfers may involve a residual level of risk that differs from the level of protection applicable within the EEA.
By using the service, users acknowledge that some international providers may be technically necessary for certain features. That acknowledgment does not amount to a waiver of rights and does not affect the protections granted by applicable law.
9. Cookies, similar technologies and reCAPTCHA
Bandger uses cookies and similar technologies to ensure the technical functioning of the website and application, remember certain user preferences, maintain a session, support security-related mechanisms and, where enabled in a compliant manner, measure audience and service usage.
Strictly necessary cookies are those required for the normal functioning of the site or a feature expressly requested by the user. Without them, certain parts of the service may not work properly. Other cookies, including analytics cookies, are not strictly necessary and, where subject to consent, should only be activated after valid, informed and freely given consent has been obtained.
Some forms or entry points may also use automated abuse prevention tools such as Google reCAPTCHA. The use of such tools may involve the processing of technical data, browsing information or indicators used to assess whether an interaction appears legitimate or automated. Where legally required, their use should be framed by the appropriate consent or notice mechanisms.
10. Marketing communications
Bandger may send emails concerning the service, its new features, updates, offers or similar services, either on the basis of the user's consent or, where permitted by law, on the basis of an existing customer relationship for similar services.
Subscribing to such communications is not a prerequisite for using the service, except where a message is strictly linked to security, contract performance, account status or the normal provision of the service. Whenever a message has a promotional purpose, a simple and workable unsubscribe mechanism should remain available.
Withdrawal of consent or the exercise of the right to object does not affect the lawfulness of processing carried out before that withdrawal and does not prevent the sending of strictly transactional, administrative or account-related emails.
11. Retention periods
Personal data is not retained indefinitely. It is retained for the time necessary in light of the purposes for which it was collected, plus, where applicable, the period needed to comply with legal obligations, establish or defend a right, respond to a dispute or manage a technical or security incident.
The periods listed below are general reference periods. They may be extended where justified by a legal obligation, a dispute, a request from an authority, a security incident or a proof requirement, or reduced where earlier deletion is technically possible and legally appropriate.
Contact requests and support messages kept for reference: generally 12 months.
Audience measurement data: generally 14 months, subject to the actual tool settings used.
Inactive accounts without an active subscription: generally 24 months before deletion or anonymization, unless a longer retention is justified.
Technical backups: generally 30 days, unless restoration, incident handling or exceptional security needs require more.
Technical and security logs: generally 12 months, unless longer retention is needed in connection with incident analysis or a legal obligation.
Billing data and accounting records: 10 years, in accordance with applicable legal obligations.
Marketing data: until consent is withdrawn or an objection is made, then retained only in limited technical suppression lists where necessary to avoid further mailings.
12. Security measures
Airdev implements appropriate technical and organizational measures designed to protect personal data against loss, unauthorized access, disclosure, alteration, destruction or misuse. Those measures take into account the state of the art, implementation costs, the nature of the processed data, the context of processing and the risks for the rights and freedoms of data subjects.
The measures that may be used include encryption or equivalent protection mechanisms, regular backups, logical access controls, role separation, technical logging, monitoring tools and stronger authentication for certain administrative accounts. Since no system is completely immune from risk, absolute security cannot be guaranteed.
If a security incident affects personal data, Airdev assesses the nature, seriousness and likely impact of the incident in order to determine the corrective measures to implement and any notification obligations that may arise under the GDPR.
13. Third-party data entered into the service
Bandger allows users to enter information about other people, such as contact details of members, external collaborators, venue contacts, service providers, technicians, partners or any other person relevant to the band's organization. Uploaded documents may also contain personal data relating to third parties.
Where a user chooses to enter such data into the service, that user is responsible for ensuring that an appropriate legal basis exists, that any relevant information obligations are met and that the data entered is relevant, accurate and limited to what is necessary for the intended purpose. Airdev does not provide legal advice to users on that point.
14. Your rights
Subject to the conditions, limitations and exceptions provided by applicable law, you have rights regarding your personal data. Those rights may include the right of access, rectification, erasure, restriction, objection, portability and, where processing is based on consent, the right to withdraw that consent at any time.
The exercise of those rights is not absolute. Certain requests may be refused, limited or adapted where a legal obligation requires retention, where the rights of others must be protected, where deletion would compromise the integrity of a shared workspace or where there is another compelling legitimate reason to continue the processing.
To exercise your rights, you may contact support@bandger.com, ideally specifying the subject of your request and the email address associated with the relevant account. To avoid unauthorized disclosure, reasonable information may be requested to verify your identity before action is taken.
Right of access to your personal data.
Right to rectify inaccurate or incomplete data.
Right to erasure in the cases provided by law.
Right to restriction of certain processing activities.
Right to object, especially to certain marketing communications.
Right to portability where the legal conditions are met.
Right to lodge a complaint with the Belgian Data Protection Authority (APD/GBA).
15. Minors, policy updates and contact
Bandger is not specifically designed for minors, even though access may not be technically blocked below a certain age. Its use is recommended from the age of 16. Where a younger person uses the service, parents or legal guardians remain responsible, where applicable, for ensuring that such use is appropriate and lawful.
This policy may be amended at any time to reflect legal, technical, contractual or functional developments affecting the service. The most recent version published on the website is the one that applies from the date it is made available online, subject to any specific notice obligations that may apply to material changes.
For any question relating to this policy or to the personal data processing carried out through Bandger, you may contact us at support@bandger.com.