Privacy Policy
Last updated: 13 June 2026. How we collect, use, and protect your personal data under UK GDPR.
GigXchange is currently in beta. This privacy policy is subject to change as the platform evolves. We will notify registered users of any material changes via email. By using the platform during the beta period, you acknowledge that data practices and policies may be updated without prior notice.
1. Who We Are
This policy applies to the GigXchange website, the GigXchange mobile apps for iOS and Android, and all related services (together, the “Platform”).
GigXchange is operated by Eclipse Labs AI Ltd, registered in England and Wales (company number 17177477, incorporated 23 April 2026), with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. We are the data controller for the personal data described in this policy.
Eclipse Labs AI Ltd is registered as a data controller with the UK Information Commissioner's Office (ICO) and listed on the public ICO register. Our registration reference is available on request to privacy@gigxchange.app.
Data Protection Contact: privacy@gigxchange.app
2. What Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Account | Name, email, password (hashed), account type | Account creation and authentication |
| Profile | Bio, photos, location, genre, links, availability | Public profile display, search and discovery |
| Booking | Event dates, fees, messages, booking status | Facilitating and managing bookings |
| Payment | Transaction amounts, payment status | Processing payments, escrow, refunds |
| Usage | Pages visited, features used, device/browser info | Improving the platform, analytics |
| Device permissions (mobile app) | Camera access | Scanning event-ticket QR codes at the door. Images are processed live on your device and are not stored or uploaded. |
| Device permissions (mobile app) | Photos & media access | Uploading a profile photo, cover image, or media you choose from your device. Only the files you select are uploaded. |
3. Legal Basis for Processing
We process your personal data under the following legal bases (UK GDPR Article 6):
- Contract — Processing necessary to provide the service you signed up for (account management, bookings, payments)
- Legitimate interest — Platform improvement, fraud prevention, analytics
- Consent — Marketing communications (you can opt out at any time)
- Legal obligation — Tax records, regulatory compliance
4. How We Use Your Data
- To create and maintain your account
- To display your public profile to other users
- To facilitate bookings and payments between users
- To send transactional notifications (booking confirmations, messages)
- To improve the platform through analytics
- To prevent fraud and enforce our Terms of Service
- To let event organisers scan ticket QR codes using the device camera (mobile app only)
5. Data Sharing & Sub-Processors
We do not sell your personal data. We share the minimum data required with the following categories of recipients:
- Other GigXchange users — Your public profile information is visible to other users as part of the service.
- AI assistants and search tools — A limited subset of your public profile (name, city, genre, aggregate rating, profile URL) is available via a read-only public API so AI assistants and search crawlers can surface your profile in response to user queries. No contact details, fees, or private data are included. This mirrors what is already visible on your public profile page.
- A note on AI-assisted features. Where you actively use an AI feature on the Platform, the prompt content you submit is sent to the AI sub-processor listed in the table below (currently Anthropic). You control what you put into that prompt. Please do not include personal data unless necessary for the feature to work, and do not include special-category data (e.g. health, biometric, racial or ethnic origin, religious belief, sex life or sexual orientation). Our current AI API provider states that API prompts and outputs are not used to train its models unless we expressly opt in, and we have not opted in. Standard provider retention may apply, currently up to 30 days for Anthropic API data unless zero-data-retention terms are enabled or an exception applies. Core Platform features remain available without using optional AI assistance.
- Sub-processors — The third-party services listed in the table below, which process data on our behalf under contract (UK GDPR Art 28).
- Law enforcement or regulators — Where required by law, court order, or to protect the safety of users.
Sub-processors we use
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase (Supabase Inc.) | Database, authentication, file storage | All account, profile, booking, message and uploaded file data | EU (Frankfurt, Germany) |
| Stripe (Stripe Payments UK Ltd / Stripe Inc.) | Payment processing, payouts, KYC for Connect accounts | Name, email, card details (tokenised), payout bank details, transaction data | UK & United States |
| Resend (Resend, Inc.) | Transactional & outreach email delivery | Name, email address, email content | United States |
| Google Analytics 4 (Google Ireland Ltd / Google LLC) | Website analytics (only with your consent — see section 8) | IP address (truncated), device / browser info, pages visited | United States (EU data is routed via EU servers where possible) |
| Cloudflare (Cloudflare, Inc.) | Hosting (Cloudflare Pages), CDN, DDoS protection, worker-based edge logic | IP address, request metadata, served page content | Global edge network; company headquartered in the United States |
| Anthropic (Anthropic PBC) | AI-assisted features (e.g. AI matching, SEO content generation) — only processed on explicit action | Prompt content you submit, which may include profile or booking data you choose to include | United States |
| Google Workspace (Google Ireland Ltd) | Company email (e.g. support@, privacy@, legal@) | Any personal data included in emails you send to us | EU & United States |
Each provider’s name above links to its own privacy policy, where you can read how it handles the data it processes on our behalf.
International transfers
Several of the sub-processors above are located in, or transfer data to, the United States. Where we transfer your personal data outside the UK, we rely on one of the following lawful safeguards under UK GDPR Article 46:
- UK adequacy regulations — where the UK Government has made an adequacy decision for the destination country.
- UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum, incorporated into our contract with the sub-processor.
- UK-US Data Bridge extension to the EU-US Data Privacy Framework, where the US recipient is certified under that scheme.
A transfer risk assessment has been completed where required. You can request a copy of the specific safeguard used for a transfer by emailing privacy@gigxchange.app.
6. Account Deletion & Data Retention
You can delete your account two ways: in the app via Settings → Delete Account, or — if you can no longer sign in — by requesting it at gigxchange.app/delete-account, where we email a confirmation link to verify the request is yours. Either way, your account then enters a 28-day grace period. During this time:
- Your profile is immediately hidden from search results and other users
- You can still sign in during the grace period — simply signing back in immediately cancels the scheduled deletion and restores your account
- You can also cancel by contacting us at privacy@gigxchange.app within 28 days
We will not permanently delete your account while you have unresolved activity that affects another user — specifically an open or in-progress booking, an active dispute, or an outstanding balance or pending payout. While any of these exist, your account stays in the pending-deletion state (hidden from other users), we restrict our use of your data to what is needed to conclude that activity, and the deletion completes automatically once it is resolved. This protects the people you have live bookings with.
Once any such activity is resolved (and the 28-day grace period has passed), we permanently delete:
- Your profile information (name, bio, location, contact details, photos)
- Your messages, notifications, and social connections
- Your uploaded media (photos, audio tracks, videos)
Messages you sent to other users are deleted along with your account, including the recipient’s copy of those messages. Photos, audio, and files you shared in messages are also deleted from our storage, and may no longer display in the recipient’s copy of the conversation.
We retain the following records in anonymised form (your name and personal identifiers removed) for 6 years as required by HMRC for tax and legal compliance:
- Booking records
- Payment records
- Contract records
Our payment processor (Stripe) independently retains transaction data as required by payment regulations and its own legal obligations. See Stripe’s privacy policy for details.
We keep a minimal deletion record (an internal account identifier and the date your account was deleted) as evidence that your erasure request was honoured, under our accountability obligation (UK GDPR Art 5(2)). Any contact identifier held in that record is removed within 12 months.
Where a booking involved another user, we remove your personal details from that record and show your side of it as “deleted user” to the other party, rather than erasing the booking entirely. This keeps the other party’s own records, payments, and obligations intact.
Reviews written about you by other users are anonymised (attributed to “deleted user”) but not removed, as they form part of another user’s content.
Anonymised, aggregated analytics data that cannot identify you may be retained indefinitely.
For business contact records held for B2B outreach (venue names and business email addresses sourced from public directories), we apply the following retention schedule:
- Contacts who have not engaged with any outreach are retained for a maximum of 24 months from the date of collection, after which they are moved to a forensic quarantine table and deleted from active processing systems.
- Contacts who have actively engaged (replied, met with us, entered into a commercial relationship) are retained for the duration of the relationship plus 24 months.
- Unsubscribe / opt-out records are retained indefinitely in a persistent suppression register. This outlives any lead record, so if you opt out your email is permanently blocked from future outreach, even if we re-encounter it in a public directory later.
- Audit trail records (who / when / what was processed) are retained for 6 years for accountability purposes under Art 5(2) UK GDPR.
7. Your Rights
Under UK GDPR, you have the right to:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate data
- Erasure — Request deletion of your data (“right to be forgotten”). Account deletion follows the 28-day grace period described in section 6.
- Restriction — Limit how we process your data
- Portability — Receive your data in a machine-readable format
- Objection — Object to processing based on legitimate interest
To exercise any of these rights, contact privacy@gigxchange.app. We will respond within one month.
8. Cookies
We use two categories of cookies. Essential cookies are always on (they're needed for the site to work); analytics cookies only run if you accept them in the banner.
Essential (always on)
These items are strictly necessary for the site to work or to remember preferences you have actively set. They do not track you across other websites. All first-party.
- Supabase auth cookies (sb-access-token, sb-refresh-token) — keep you signed in. Session + 30 days.
- Consent record (gx-cookie-consent-v2, localStorage) — remembers your banner choice so we don't ask again on every visit.
- Theme preference (sb-theme, localStorage) — remembers whether you chose light or dark mode.
- Territory (gx_territory, localStorage) — remembers the UK region you selected for localised content (e.g. city gig pages).
- User type (gx_user_type, localStorage) — remembers whether you identified as an artist, venue, agent or promoter so the homepage shows relevant content.
- Email-capture dismissal (sb-email-capture-dismissed, localStorage) — remembers that you dismissed the "Get notified when we launch" ribbon so it doesn't come back.
Analytics (consent required — off by default)
We use Google Analytics 4 with Consent Mode v2. Until you click Accept all, GA4 does not set cookies and only receives anonymous, cookieless pings. If you accept:
- _ga — distinguishes unique visitors. 2 years. Google.
- _ga_G-4PXZQCWRHJ — session state for our GA4 property. 2 years. Google.
Google processes this data under its privacy policy. You can change your mind at any time via Cookie settings in the footer.
9. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS)
- Hashed passwords (never stored in plain text)
- Row-level security on database access
- Regular security reviews
10. Children’s Privacy
GigXchange is intended for users aged 18 and over. The Platform involves entering into bookings and handling payments, which require the legal capacity to contract. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact privacy@gigxchange.app and we will delete it.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a notice on the Platform. The "Last updated" date at the top of this page reflects the most recent revision.
12. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
See also: Terms of Service
