Privacy Policy

1. Introduction

StageLink is a platform for artists, DJs, musicians, and creators to publish profiles, Press Kits (EPKs), links, media, merch, and audience analytics. This policy explains what personal data we process and why.

It applies to account holders, artists and team members, public visitors, fans who submit forms, and business contacts. [TODO legal review: insert the final legal entity, registered address, and privacy contact.]

2. StageLink's role

StageLink is the data controller for platform accounts, billing, security, analytics, support, and platform operations.

For an artist’s own fan or subscriber lists, the artist may be the controller and StageLink may process that data on the artist’s behalf. StageLink remains controller for security, fraud prevention, and service operation.

3. Data we collect

Data you provide: account information, artist profile, EPK, public content, contact emails, and uploaded assets.

Data from fans and public visitors: email capture, contact forms, page and link events, device and country, and a hashed IP address.

Data from integrations you connect (Spotify, YouTube, SoundCloud, Shopify, merch providers), from payments (Stripe customer/subscription IDs and billing state), and automatically (cookies, analytics, logs, security events).

4. How we use your data

To provide, secure, and maintain accounts; publish artist pages and EPKs; process subscriptions and payments; provide analytics dashboards; operate integrations; send service messages and communications you request; prevent abuse, fraud, and security incidents; provide support and improve StageLink; and comply with legal obligations.

5. Legal bases (GDPR)

Where GDPR applies, we rely on: contract (accounts, profiles, EPKs, billing, integrations); legitimate interests (security, abuse prevention, limited operational analytics, reliability); consent (non-essential cookies/analytics, marketing, email capture where applicable, OAuth authorization); and legal obligation (accounting, tax, compliance, incident response).

6. Public content

Artist pages, EPKs, links, images, biographies, media, and selected contact information may be public when you publish them. You are responsible for having the rights and permissions for content you upload or publish.

Removing content from StageLink may not immediately remove third-party copies, search-engine caches, or previously shared links.

7. Fan and subscriber data

Fans may submit email addresses to artists through StageLink blocks. Artists may use those lists subject to their own legal responsibilities, and should provide an unsubscribe or deletion path. StageLink stores consent text and metadata to support consent records.

[TODO implementation: define whether subscriber data requests go to StageLink, the artist, or both.]

8. Cookies and analytics

We use strictly necessary cookies for authentication, session, localization, and security, and analytics cookies/events subject to consent. See the Cookie Policy for details and how to change your choices.

[TODO legal review: for EU users, non-essential analytics should be opt-in at launch rather than default-on.]

9. Sharing and providers

We share data with provider categories needed to run the service: authentication, payment processing, hosting/database/storage, analytics, email, user-selected integrations, and legal/compliance/safety providers where needed. StageLink does not sell personal information as a product feature.

[TODO legal review: validate CCPA/CPRA sale/share status for analytics.]

10. International transfers

Your data may be processed in countries outside your own. Where required, we use contractual and technical safeguards such as Data Processing Agreements or Standard Contractual Clauses, or comparable mechanisms.

11. Retention

We keep personal data only as long as needed for the purposes above or as required by law, by category: account/profile, public content/assets, subscriber lists, analytics events, billing records, security/audit logs, and integration tokens.

[TODO legal review: insert the final retention periods per category.]

12. Your rights

Subject to applicable law you may request access/export, correction, deletion, restriction or objection, and portability; withdraw consent; and opt out of marketing. CCPA/CPRA rights apply to California residents and Argentine data-protection rights (access, rectification, update, deletion) apply where relevant.

[TODO implementation: define the data-request intake email, identity verification, response SLA, and logging.]

13. Security

We use HTTPS, WorkOS-managed authentication and sessions, role and ownership checks, audit logging, rate limiting and anti-abuse controls, upload controls, and managed provider secrets. No online service can be guaranteed fully secure.

14. Children

StageLink accounts are for users 18 or older, and the service is not directed to children under 13. Contact us if you believe a child’s data was submitted.

15. Changes to this policy

We may update this policy. Material changes will be communicated through appropriate channels, with an effective date and version history.

16. Contact

[TODO legal review: insert the privacy contact email, legal entity and address, any data-protection contact, and the data-request path.]