Privacy Policy

What we collect, what we do with it.

Effective · Oct 8, 2026
Last updated · Oct 1, 2026
DRAFT · pending counsel review
Heads up · This is a working draft pending review by counsel. The mechanics described below match how the product actually works. If anything reads weird, email privacy@bandwagon.run and we'll fix it.

Bandwagon, Inc. ("we", "us", or "Bandwagon") operates the website at bandwagon.run and the live-music marketplace described there. This Privacy Policy explains what we collect, how we use it, who we share it with, and the rights you have over it.

We tried to write it in plain English. Where a term has a specific legal meaning we've linked or italicized it.

01

Who this applies to

This policy covers everyone who uses Bandwagon — fans, bands, venues, vendors, brand sponsors, and visitors who haven't signed up. It applies to every surface we run: web app, marketing pages, email, SMS, push, and any future native apps.

You must be at least 13 years old to use Bandwagon (US COPPA minimum). Some features require you to be 18+ or 21+ — payments, alcohol-served venue events, etc.

02

Information we collect

From you, when you sign up and use the product:

  • Account info — name, email, phone (optional), role (Fan/Band/Venue/Brand), city, profile photo, bio.
  • Content you create — posts, comments, reels, story slides, votes, pledges, reviews, messages, contracts, signatures, merch listings, sponsorship terms.
  • Payment info — handled entirely by Stripe Connect. We never see or store your full card number. We do see and store the last 4 digits, card brand, expiration, and tokenized customer ID.
  • Tax info — for paid accounts (bands, venues, vendors, sponsors) collecting more than $600/yr, Stripe collects EIN or SSN and issues 1099s on our behalf.
  • Identity verification — for KYC on Stripe Connect Express accounts. Stripe holds the documents; we receive a verification status only.
  • Communications — emails you send us, support tickets, replies to our notifications.

Automatically, when you visit:

  • IP address, browser type, device type, OS, screen size, language.
  • Pages viewed, time on page, scroll depth, clicks — collected by our analytics provider (currently Umami in self-host mode; PostHog if we move to cloud).
  • Approximate location (city-level) inferred from IP. We do not collect precise GPS unless you explicitly grant permission.
  • Referring URL and UTM parameters when you arrive from a link.
  • Cookies and similar storage — see our /cookies policy.

From third parties:

  • Stripe sends us payout status, dispute notifications, payment method updates.
  • OAuth providers (Google/Apple/etc.) send us the basic profile fields you consent to share, if you sign in with them.
  • Our DMCA agent receives third-party copyright complaints which become part of your account record if you're the alleged infringer.

03

How we use it

We use the information above to:

  • Run the product — show your feed, route your votes, settle your invoices, process your pledges.
  • Authenticate you and keep your account secure.
  • Send you transactional messages (receipts, confirmations, DMCA notices, payout confirmations).
  • Send you product updates and the weekly digest — both opt-out at any time.
  • Detect and prevent fraud, scams, harassment, and abuse.
  • Comply with US law — DMCA, ESIGN Act, IRS reporting via Stripe, FL state law.
  • Improve the product — what features get used, where people drop off, what crashes.

We do not sell your personal information to third parties. We don't serve ad targeting based on your activity. Bandwagon makes money from platform fees on transactions — not from your data.

04

Who we share it with

We share data only in these specific cases:

  • Stripe Connect — required to process payments. Stripe is the data processor for everything payment-related. See Stripe's privacy policy.
  • Other users you transact with — when you pledge to a band, the band sees your name and pledge amount. When a venue books a band, the band sees the venue's business info, and vice versa.
  • Service providers — email delivery (Resend), error monitoring (GlitchTip or Sentry), analytics (Umami or PostHog), background jobs (pg-boss or Inngest). Each is bound by a Data Processing Agreement that limits their use to running our service.
  • Legal compliance — court orders, subpoenas, IRS requirements. We push back on overly broad requests.
  • Aggregated, de-identified data for product analytics and public dashboards (e.g., "total tips collected during October" without naming any individual tipper).
  • Successors if Bandwagon is acquired or merged. You'll get notice with at least 30 days' opt-out.

05

Your rights

Regardless of where you live, you can:

  • Access a copy of the data we hold on you — request via privacy@bandwagon.run.
  • Correct any inaccuracies — most fields are self-editable in /settings.
  • Delete your account and associated data — see /settings → Delete account. Some records (transactions, tax forms, DMCA actions) we're required to retain for 7 years.
  • Port your data — we'll export your account in JSON within 30 days of request.
  • Opt out of marketing communications — every email has an unsubscribe link. Transactional emails (receipts, password resets) are not optional.

If you're in California, you have additional rights under the CCPA / CPRA — including the right to know what we collect, the right to delete, and the right to opt out of "sales" (we don't sell, but the CCPA defines that broadly). Submit a verifiable consumer request to privacy@bandwagon.run.

If you're in the EU/UK (we don't actively market there yet, but you may have signed up anyway), you have GDPR rights — access, rectification, erasure, restriction, portability, objection. Our lawful basis is contract performance for account features and legitimate interest for analytics, security, and product improvement.

06

How long we keep it

  • Account data — for the life of your account.
  • Transactional data (payouts, invoices, refunds) — 7 years per US tax law.
  • DMCA notices and counter-notices — 7 years.
  • Trust & Safety reports — 2 years after resolution.
  • Analytics events — 13 months rolling window.
  • Server logs — 30 days.
  • Stripe Connect data — governed by Stripe's retention.

When you delete your account, we purge or de-identify everything not subject to a legal retention requirement within 30 days.

07

Security

We hash passwords with industry-standard algorithms (Argon2id). We use TLS 1.2+ for all traffic. Database backups are encrypted at rest. Secrets are stored in encrypted environment variables, not in code. Stripe handles all card data — it never touches our servers.

No service is 100% secure. If we ever experience a breach affecting your personal information, we'll notify you within 72 hours per state breach-notification laws.

08

Children under 13

Bandwagon is not directed to children under 13. We don't knowingly collect data from them. If you believe we've received data from a child under 13, email privacy@bandwagon.run and we'll delete it within 7 days.

09

International users

Bandwagon is operated from Florida, USA. Servers are in the US. If you use the product from outside the US, you consent to your data being transferred to and processed in the United States. We don't currently market in the EU/UK and we plan US-first expansion through 2027.

10

Changes to this policy

We may update this policy. Material changes get email notice and a 30-day window before they take effect. Minor changes (typos, clarifications) take effect when posted. The "Last updated" date at the top of the page reflects the most recent edit.

11

Contact us

  • Privacy questions: privacy@bandwagon.run
  • Data requests (access / delete / port): privacy@bandwagon.run
  • DMCA: dmca@bandwagon.run
  • General: hello@bandwagon.run
  • Mail: Bandwagon, Inc. · PO Box [TBD] · Daytona Beach, FL 32114
© 2026 Bandwagon · Daytona Beach, FL · Florida law governs