Privacy Policy
Last updated: 2026-05-19
What we collect
- Account data — email, display name, avatar URL when you sign in via Supabase auth.
- Activity data — artists you follow, shows you mark as "going" / "went" / "wishlist", reviews and setlist edits you submit.
- Notification data — push subscription endpoint and keys when you opt in to browser notifications, and the email address we send digest emails to.
- Location (optional) — when you allow it, your latest latitude/longitude so we can rank "Near you" concerts. Stored in a cookie you can clear at any time.
- Spotify connection (optional) — when you link your Spotify account we read your top artists for personalised recommendations. We never write to your Spotify account.
What we do with it
- Show you concerts that match your taste and location.
- Send you ticket reminders, setlist updates, and weekly digests.
- Display your follow / attendance state on the artist and event pages.
What we never do
- Sell your personal data.
- Run third-party ad trackers, fingerprinting, or behavioural ad targeting.
- Read or write to your Spotify account beyond reading top artists.
Third parties we share data with
- Supabase hosts the database and auth — required to run the service.
- Vercel hosts the application code — required to serve the site.
- Concert data we display comes from Ticketmaster, Songkick, Bubilet, Biletinial and setlist.fm. We do not send personal data back to them.
Your rights
- Access — request a copy of all data we hold on you.
- Deletion — request full account deletion, including all activity rows.
- Withdraw consent — you can disable push and email notifications from Settings at any time. Disabling notifications immediately deletes the subscription.
To exercise any of these, write to hello@gigora.live.
How long we keep it
- Account + activity data — kept as long as your account is active. When you delete your account, all attendance / follow / review / setlist-edit rows are deleted with it, immediately and permanently.
- Notification subscriptions — deleted when you disable push or unsubscribe from email; otherwise kept for the lifetime of your account.
- Logs — application logs (Vercel) and database logs (Supabase) hold IP addresses + request paths for up to 30 days for abuse-prevention and debugging, after which they roll off.
- Backups — encrypted database backups retain a copy for up to 90 days. Account-deletion requests purge live data instantly; backup purge happens on the rolling 90-day window.
Data protection laws
Visitors from the European Economic Area (EEA) and the United Kingdom are protected under the GDPR; Turkish visitors under the KVKK (Kişisel Verilerin Korunması Kanunu); California residents under the CCPA / CPRA. For other US states (Virginia, Colorado, Connecticut, Utah, Texas, etc.) and other jurisdictions, the rights listed above apply as a best-effort baseline.
The lawful basis for processing your account and activity data is your consent (granted when you sign up) and our legitimate interest in operating the service. You may withdraw consent at any time by deleting your account from Settings.
CCPA note: California residents have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. For CCPA / CPRA requests, email hello@gigora.live.
Cookies
We use a small number of strictly-necessary cookies for sign-in sessions and your location preference. We do not set advertising or analytics cookies that profile you across other sites.
Children
Gigora is intended for users 16 and over. We do not knowingly collect data from anyone younger.
Changes
When we change this policy we update the date at the top. Material changes (new third parties, new data classes) trigger an in-app notice before they take effect.