Privacy Policy

MyStages is a platform for live-music artists and the fans who come to see them. It is operated by MyStages LLC, a Tennessee limited liability company with registered address 1616 West End Ave, Nashville, TN 37203, USA ("MyStages", "we", "us"). We are the business responsible for your personal information under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA") and the comparable laws of other US states.

Privacy questions and rights requests: privacy@mystages.app. General support: support@mystages.app.

This policy applies to:

• the MyStages mobile application on iOS and Android,
• the MyStages website at mystages.app,
• email we or our artist users send through MyStages to ticket holders.

It does not cover third-party services we integrate with (Apple, Google, Stripe, and the others listed in section 8), each of which handles your information under its own privacy policy.

We collect the following categories of personal information, in the language of CCPA § 1798.140. Plain-language examples follow each category.

• Identifiers (A): name, email address, mailing address (for artists), phone number (optional), account identifier, Apple or Google sign-in identifier, Apple private-relay email, device identifiers, IP address.
• Customer records (B): the information you give us when you create an account or an artist profile.
• Commercial information (D): tickets you buy or sell, tips you send or receive, subscription status, transaction history.
• Financial information (I): payment-card token and Stripe payment identifiers. We do not receive your card number. For artists, Stripe also collects identity-verification data (date of birth, address, tax identifier, identification document) during Connect onboarding; that information goes to Stripe, not to our database.
• Internet and other network activity (F): pages viewed, features used, email delivery and (with your consent) open and click events, diagnostic logs.
• Geolocation (G): precise foreground location, only when you enable the "events near me" feature and grant the OS permission.
• Sensory data (G): camera stream during a ticket QR scan, processed on your device only; photos you choose to upload from your photo library.
• Professional or employment information (I): for artists only — bio, social links, merch links, photos.
• Inferences (K): limited; we do not build marketing profiles about you.

We also collect free-text content you choose to provide, including optional messages attached to tips. Please do not include sensitive information in those messages.

Sources: most of the information above comes directly from you when you create an account, buy a ticket, send a tip, or edit your profile. A small amount (device type, operating system, crash reports) comes from your device. A small amount (payment result, subscription state) comes from Stripe, RevenueCat, Apple, or Google after you transact with them through MyStages.

We use your personal information to:

• create and secure your account, including sign-in with Apple or Google;
• publish your artist profile, if you are a pro user;
• show you events near you when you use the discovery feature;
• sell, issue, and validate tickets;
• process payments, tips, and subscriptions;
• onboard artists for payouts through Stripe Connect;
• send transactional messages (ticket confirmations, reminders, check-in);
• send marketing messages when you have opted in;
• detect fraud, abuse, and bugs;
• comply with tax, accounting, and anti-money-laundering law;
• respond to rights requests and legal process.

We do not use your personal information for cross-context behavioral advertising, and we do not sell it. See section 9.

Some of what we collect is sensitive personal information under CCPA § 1798.140(ae):

• account log-in credentials and session tokens held by our authentication provider (Clerk);
• payment-account identifiers (Stripe tokens);
• precise geolocation, if you use nearby-events discovery;
• identification-document data for artist payout KYC, held by Stripe.

We use this sensitive information only to provide the features you requested, process payments, keep your account secure, prevent fraud, and comply with law. We do not infer characteristics about you from sensitive information, and we do not sell or share it. Because we do not use sensitive information beyond these purposes, the CCPA right to limit its use does not give you anything additional to request from us — but if you disagree with this assessment, write to us and we will review.

We keep personal information for as long as we need it for the purpose we collected it:

• Account and profile data: for the life of your account. If you delete your account, we clear identifying fields immediately and keep only a de-identified internal reference (see section 16).
• Ticket, tip, and payment records: up to 7 years, to satisfy US federal tax record-keeping guidance (IRS retention periods) and state sales-tax rules. After that, records are hard-deleted.
• Artist KYC data: held by Stripe under its own regulatory obligations (31 CFR § 1022.410, typically 5 years after the end of the relationship).
• Email deliverability data: 12 months. Unsubscribe and suppression data is retained indefinitely so we can honor your opt-out (CAN-SPAM § 7704(a)(4)).
• Crash and error logs (Sentry): 90 days.
• Location: processed in memory; we do not store precise location server-side.
• Push tokens: until your device deregisters, you uninstall the app, or you delete your account.

We share personal information in four ways:

7.1 Service providers

Vendors who process personal information on our behalf under a contract that limits their use to providing services to MyStages (CCPA § 1798.140(ag)). See the sub-processor list in section 8.

7.2 Organizers and artists (third parties, at your direction)

When you buy a ticket, we share your name, email, and ticket details with the organizer of that event so they can admit you and run the event. The organizer is a third party under CCPA § 1798.140(ai), not a service provider, and will handle your information under its own privacy practices. When you tip an artist, the artist sees your display name, the amount, and any optional message you include. When an artist sends an email broadcast through our platform, the artist chooses the content and recipients; we transmit it via Resend and honor your unsubscribe across the platform. These disclosures happen at your direction and are not "sales" under CCPA § 1798.140(ad)(2)(A)(ii).

7.3 Stores and payment networks (independent businesses)

Apple and Google receive information about your use of the App Store and Play Store, including purchases made through in-app purchase, under their own privacy policies. Stripe processes payments and, for artist payouts, holds KYC data as the responsible business for that data under financial-services regulation.

7.4 Legal and safety

We may disclose personal information to respond to valid legal process, investigate fraud or abuse, protect the rights or safety of a person, or enforce our Terms of Use.

The service providers and other business recipients below receive personal information in the course of MyStages operating:

Clerk, Inc.

Authentication. Receives account identifiers, email, avatar, session metadata. Privacy policy.

Convex, Inc.

Primary database and backend functions. Holds the user-generated content and metadata described in section 3. Privacy policy.

Stripe, Inc. and Stripe Payments Company

Payment processing for tickets, tips, and subscriptions. For artist payouts, Stripe Connect additionally handles identity verification and reports as the responsible business under federal and state money-transmission law. Receives payment identifiers, billing information, fraud signals, and — for artists — KYC data. Privacy policy.

RevenueCat, Inc.

Subscription entitlement management. Receives app user identifier, subscription status, Apple receipt data. Privacy policy.

Apple Inc.

App Store distribution, Sign in with Apple, Apple Pay, in-app purchases, APNs push delivery. Privacy policy.

Google LLC

Play Store distribution, Google OAuth, Google Pay, Firebase Cloud Messaging. Privacy policy.

Expo / 650 Industries, Inc.

Mobile builds, over-the-air updates, and push relay to APNs and FCM. Privacy policy.

Functional Software, Inc. (Sentry)

Crash and error reporting. We configure Sentry with sendDefaultPii: false and strip the user email, IP address, and username from error events before they leave the device or server. Privacy policy.

Resend, Inc.

Transactional and broadcast email delivery. Privacy policy.

Mapbox, Inc.

Map tiles and geocoding in the mobile app. Mapbox's SDK collects telemetry under its own policy; you can disable Mapbox telemetry in the app's map settings. Privacy policy.

MyStages does not sell personal information for monetary or other valuable consideration, and we do not share personal information for cross-context behavioral advertising within the meaning of CCPA § 1798.140(ad) and (ah), or the comparable definitions in other state laws.

Because we do not sell or share, we do not operate a "Do Not Sell or Share My Personal Information" link. We recognize the Global Privacy Control (GPC) signal on our website: if your browser sends GPC, we treat it as a valid opt-out even though we have nothing to opt you out of today. If that changes, we will update this policy before the change takes effect.

Depending on the state you live in, you have some or all of the following rights:

• Know / access: confirm whether we process your information, and receive a copy of what we hold.
• Correct: ask us to fix information that is inaccurate.
• Delete: ask us to erase your information, subject to the retention described in section 6.
• Portability: receive a machine-readable copy of your information.
• Opt out of sale / sharing / targeted advertising: we do not do any of these, but you can submit a request anyway and we will confirm.
• Limit the use of sensitive personal information: described in section 5.
• Appeal: if we deny a rights request, you can appeal — see section 11.
• Non-discrimination: we will not deny service, charge you more, or give you a lower-quality experience because you exercised a right.

The table below summarizes what your state gives you and who enforces it. Laws not listed were not yet in force as of the date of this policy; if your state passes one, this policy applies to the extent the law grants you rights.

California (CCPA/CPRA)

All of the rights above, plus a right against automated decision-making that produces legal or similarly significant effects (we do not engage in such decision-making; see section 15). Enforced by the California Privacy Protection Agency (cppa.ca.gov) and the California Attorney General (oag.ca.gov/privacy). California residents can also request the list of categories of personal information we disclosed for a business purpose in the past 12 months — we do not sell or share, so the sale/share disclosure is "none."

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA)

Access, correct, delete, portability, opt-out of targeted advertising / sale / profiling, and appeal. Enforced by each state's Attorney General.

Utah (UCPA)

Access, delete, portability, and opt-out of sale and targeted advertising. No correction right, no appeal right, no sensitive-data opt-in. Enforced by the Utah Attorney General.

Texas (TDPSA)

Access, correct, delete, portability, opt-out of targeted advertising, sale, and profiling, and appeal. Texas requires opt-in consent for any sale of sensitive data — we do not sell. Enforced by the Texas Attorney General.

Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island

Broadly similar rights (access, correct, delete, portability, opt-out, appeal). Maryland additionally imposes strict data-minimization and bans the sale of sensitive data. Minnesota grants a right to question the result of a profiling decision. Tennessee provides an affirmative defense for businesses that maintain a NIST-aligned privacy program. All are enforced by the respective state Attorney General.

Florida (FDBR)

FDBR applies only to very large technology businesses. It most likely does not apply to MyStages, but Florida residents still receive the rights above to the extent we provide them to residents of other states.

Washington (MHMDA)

We do not knowingly collect consumer health data as defined by RCW 19.373. If you believe we have, contact privacy@mystages.app.

Other states

Residents of any US state with a comprehensive privacy law in force can exercise the rights described above at privacy@mystages.app. If your state grants you a specific right we have not listed, tell us and we will honor it.

Write to privacy@mystages.app from the email address associated with your account, or submit a request from within the app at Profile → Privacy. We verify requests by matching the request to the authenticated account; for non-account requests we may ask for additional information to confirm identity.

Authorized agents. You can designate an agent to submit a request for you. We will ask for written permission signed by you and for independent verification of your identity.

Timing. We respond within 45 days. If we need more time we may extend once for another 45 days and tell you why.

Appeals. If we deny a rights request, you can appeal by replying to our decision. We review appeals within 60 days. If we deny the appeal, you can complain to your state Attorney General (links in section 10) or the Federal Trade Commission at reportfraud.ftc.gov.

No retaliation. We will not penalize you for exercising a right.

MyStages is not directed to children under 13. We do not knowingly collect personal information from children under 13 as defined by the Children's Online Privacy Protection Act (COPPA) and the 2025 amended COPPA Rule. If you are a parent or guardian and believe we have collected information from your child, write to privacy@mystages.app and we will delete it.

Some states (including Maryland, Minnesota, Nebraska, and others) impose additional protections for users under 18. Where those laws apply, we do not sell or share personal information of users we know to be minors, and we do not process minors' information for targeted advertising.

Transactional messages (ticket confirmations, reminders to people who have a ticket, account alerts) are part of the service and are sent under our agreement with you.

Marketing messages — including email broadcasts from artists you have bought a ticket from — are sent on an opt-in basis and include a functional unsubscribe link. Under the CAN-SPAM Act, we honor unsubscribe requests within 10 business days and we maintain the suppression list indefinitely so you do not receive further messages after opting out.

Who is the sender. When an artist sends a broadcast through MyStages, the artist is the message's sender under 16 CFR § 316.2(m); MyStages transmits the message and is responsible for platform-level suppression and for making sure every broadcast includes a valid postal address and a functional unsubscribe.

Push notifications follow the same pattern: transactional push is part of the service; marketing push is sent only when you have opted in and you can disable it in your OS settings or in-app preferences.

Our website at mystages.app uses only the cookies and browser storage that the site needs to function — Clerk authentication cookies, CSRF tokens, and connection state. We do not use advertising cookies and we do not embed third-party advertising pixels.

On mobile, our apps use iOS and Android platform identifiers as described in the App Store Privacy Label and Play Data Safety disclosures. Our third-party SDKs (see section 8) may collect diagnostic information under their own policies; we disable or scrub personally identifying fields where we can (for example, Sentry runs with sendDefaultPii: false and we scrub user email, IP, and username).

MyStages does not make fully automated decisions that produce legal or similarly significant effects on you within the meaning of CCPA § 1798.185(a)(16) or comparable state rules. Our payment processor Stripe uses automated fraud screening on the transactions it processes — see Stripe's privacy notice.

You can delete your account from the app (Profile → Delete account). On deletion we immediately clear identifying information from your record: email, display name, avatar, Clerk identifiers, push tokens, profile content, and artist photos.

We keep an internal reference to your past records that contains no direct identifiers, so that:

• ticket and tip records you are part of remain internally consistent,
• we can meet tax and accounting record-keeping obligations (IRS, state),
• we can detect and investigate fraud,
• we can respond to legal holds and pending claims,
• we can honor your unsubscribe indefinitely and avoid accidentally emailing you again.

Once the applicable retention window expires (typically 7 years from the last related transaction), the internal reference and any remaining associated records are hard-deleted.

Stripe separately retains payout and KYC records for its own regulatory obligations, under its privacy policy.

We protect your information with transport encryption (TLS) on every network link, encryption at rest in our database, least-privilege access controls, two-factor authentication for administrative accounts, scoped API keys, and regular security reviews of our sub-processors. We configure our crash-reporting provider to strip personally identifying fields before upload.

No system is perfectly secure. If a security incident affects your personal information we notify affected users and the appropriate authorities as required by applicable state breach-notification laws.

We may update this policy. If we make a change that affects how we handle your personal information — for example, adding a new sub-processor, a new processing purpose, or beginning to sell or share information — we will notify you before the change takes effect. The current version, with its effective date, is always at mystages.app/privacy.

• Privacy questions and rights requests: privacy@mystages.app
• General support: support@mystages.app
• Postal address: MyStages LLC, 1616 West End Ave, Nashville, TN 37203, USA
• Federal Trade Commission: reportfraud.ftc.gov

MyStages is a US-based service operated from the United States. We do not actively target users in the European Economic Area or the United Kingdom, and the Article 3(2) GDPR reach test is typically not met by mere availability of an app on Apple's or Google's global stores. This section applies to any EU/UK individual whose personal information we nonetheless process.

Legal bases (Art. 6 GDPR / UK GDPR). We rely on: performance of a contract (Art. 6(1)(b)) for account, ticket, and subscription processing; consent (Art. 6(1)(a)) for location, marketing push and email, and optional email engagement tracking; legitimate interests (Art. 6(1)(f)) for fraud prevention, service improvement, and crash diagnostics; and legal obligations (Art. 6(1)(c)) for tax, accounting, and anti-money-laundering retention.

Your rights. Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), withdrawal of consent without retroactive effect (Art. 7(3)), and the right to complain to a supervisory authority (Art. 77) in your country of residence — the list is at edpb.europa.eu. In the UK, the Information Commissioner's Office (ico.org.uk). To exercise any of these, write to privacy@mystages.app.

International transfers. If you are in the EU or the UK, your information is transferred to the United States. Where required, we rely on the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, together with supplementary contractual and technical safeguards. You can request a copy at privacy@mystages.app.

No DPO and no EU representative. Based on the nature, scope, context, and purposes of our processing, we are not required to appoint a Data Protection Officer under Art. 37 GDPR or an EU representative under Art. 27 GDPR. We will reassess if we begin targeting EU/UK users.