GigXchange is currently in beta. This privacy policy is subject to change as the platform evolves. We will notify registered users of any material changes via email. By using the platform during the beta period, you acknowledge that data practices and policies may be updated without prior notice.
1. Who We Are
GigXchange is operated by Eclipse Labs AI Ltd, registered in England and Wales (company number 17177477, incorporated 23 April 2026), with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. We are the data controller for the personal data described in this policy.
Eclipse Labs AI Ltd is registered as a data controller with the UK Information Commissioner's Office (ICO) and listed on the public ICO register. Our registration reference is available on request to privacy@gigxchange.app.
Data Protection Contact: privacy@gigxchange.app
2. What Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Account | Name, email, password (hashed), account type | Account creation and authentication |
| Profile | Bio, photos, location, genre, links, availability | Public profile display, search and discovery |
| Booking | Event dates, fees, messages, booking status | Facilitating and managing bookings |
| Payment | Transaction amounts, payment status | Processing payments, escrow, refunds |
| Usage | Pages visited, features used, device/browser info | Improving the platform, analytics |
3. Legal Basis for Processing
We process your personal data under the following legal bases (UK GDPR Article 6):
- Contract — Processing necessary to provide the service you signed up for (account management, bookings, payments)
- Legitimate interest — Platform improvement, fraud prevention, analytics
- Consent — Marketing communications (you can opt out at any time)
- Legal obligation — Tax records, regulatory compliance
4. How We Use Your Data
- To create and maintain your account
- To display your public profile to other users
- To facilitate bookings and payments between users
- To send transactional notifications (booking confirmations, messages)
- To improve the platform through analytics
- To prevent fraud and enforce our Terms of Service
5. Data Sharing & Sub-Processors
We do not sell your personal data. We share the minimum data required with the following categories of recipients:
- Other GigXchange users — Your public profile information is visible to other users as part of the service.
- AI assistants and search tools — A limited subset of your public profile (name, city, genre, aggregate rating, profile URL) is available via a read-only public API so AI assistants and search crawlers can surface your profile in response to user queries. No contact details, fees, or private data are included. This mirrors what is already visible on your public profile page.
- Sub-processors — The third-party services listed in the table below, which process data on our behalf under contract (UK GDPR Art 28).
- Law enforcement or regulators — Where required by law, court order, or to protect the safety of users.
Sub-processors we use
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase (Supabase Inc.) | Database, authentication, file storage | All account, profile, booking, message and uploaded file data | EU (Frankfurt, Germany) |
| Stripe (Stripe Payments UK Ltd / Stripe Inc.) | Payment processing, payouts, KYC for Connect accounts | Name, email, card details (tokenised), payout bank details, transaction data | UK & United States |
| Resend (Resend, Inc.) | Transactional & outreach email delivery | Name, email address, email content | United States |
| Google Analytics 4 (Google Ireland Ltd / Google LLC) | Website analytics (only with your consent — see section 8) | IP address (truncated), device / browser info, pages visited | United States (EU data is routed via EU servers where possible) |
| Cloudflare (Cloudflare, Inc.) | Hosting (Cloudflare Pages), CDN, DDoS protection, worker-based edge logic | IP address, request metadata, served page content | Global edge network; company headquartered in the United States |
| Anthropic (Anthropic PBC) | AI-assisted features (e.g. AI matching, SEO content generation) — only processed on explicit action | Prompt content you submit, which may include profile or booking data you choose to include | United States |
| Google Workspace (Google Ireland Ltd) | Company email (e.g. support@, privacy@, legal@) | Any personal data included in emails you send to us | EU & United States |
International transfers
Several of the sub-processors above are located in, or transfer data to, the United States. Where we transfer your personal data outside the UK, we rely on one of the following lawful safeguards under UK GDPR Article 46:
- UK adequacy regulations — where the UK Government has made an adequacy decision for the destination country.
- UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum, incorporated into our contract with the sub-processor.
- UK-US Data Bridge extension to the EU-US Data Privacy Framework, where the US recipient is certified under that scheme.
A transfer risk assessment has been completed where required. You can request a copy of the specific safeguard used for a transfer by emailing privacy@gigxchange.app.
6. Data Retention
We retain your data for as long as your account is active. After account deletion:
- Profile data is deleted within 30 days
- Transaction records are retained for 6 years (HMRC requirements)
- Anonymised analytics data may be retained indefinitely
For business contact records held for B2B outreach (venue names and business email addresses sourced from public directories), we apply the following retention schedule:
- Contacts who have not engaged with any outreach are retained for a maximum of 24 months from the date of collection, after which they are moved to a forensic quarantine table and deleted from active processing systems.
- Contacts who have actively engaged (replied, met with us, entered into a commercial relationship) are retained for the duration of the relationship plus 24 months.
- Unsubscribe / opt-out records are retained indefinitely in a persistent suppression register. This outlives any lead record, so if you opt out your email is permanently blocked from future outreach, even if we re-encounter it in a public directory later.
- Audit trail records (who / when / what was processed) are retained for 6 years for accountability purposes under Art 5(2) UK GDPR.
7. Your Rights
Under UK GDPR, you have the right to:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate data
- Erasure — Request deletion of your data ("right to be forgotten")
- Restriction — Limit how we process your data
- Portability — Receive your data in a machine-readable format
- Objection — Object to processing based on legitimate interest
To exercise any of these rights, contact privacy@gigxchange.app. We will respond within 30 days.
8. Cookies
We use two categories of cookies. Essential cookies are always on (they're needed for the site to work); analytics cookies only run if you accept them in the banner.
Essential (always on)
These items are strictly necessary for the site to work or to remember preferences you have actively set. They do not track you across other websites. All first-party.
- Supabase auth cookies (sb-access-token, sb-refresh-token) — keep you signed in. Session + 30 days.
- Consent record (gx-cookie-consent-v2, localStorage) — remembers your banner choice so we don't ask again on every visit.
- Theme preference (sb-theme, localStorage) — remembers whether you chose light or dark mode.
- Territory (gx_territory, localStorage) — remembers the UK region you selected for localised content (e.g. city gig pages).
- User type (gx_user_type, localStorage) — remembers whether you identified as an artist, venue, agent or promoter so the homepage shows relevant content.
- Email-capture dismissal (sb-email-capture-dismissed, localStorage) — remembers that you dismissed the "Get notified when we launch" ribbon so it doesn't come back.
Analytics (consent required — off by default)
We use Google Analytics 4 with Consent Mode v2. Until you click Accept all, GA4 does not set cookies and only receives anonymous, cookieless pings. If you accept:
- _ga — distinguishes unique visitors. 2 years. Google.
- _ga_G-4PXZQCWRHJ — session state for our GA4 property. 2 years. Google.
Google processes this data under its privacy policy. You can change your mind at any time via Cookie settings in the footer.
9. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS)
- Hashed passwords (never stored in plain text)
- Row-level security on database access
- Regular security reviews
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a notice on the Platform. The "Last updated" date at the top of this page reflects the most recent revision.
11. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
See also: Terms of Service