Privacy Policy

Last updated: 2026-05-08

What we collect

• Account data — email, display name, avatar URL when you sign in via Supabase auth.
• Activity data— artists you follow, shows you mark as "going" / "went" / "wishlist", reviews and setlist edits you submit.
• Notification data — push subscription endpoint and keys when you opt in to browser notifications, and the email address we send digest emails to.
• Location (optional)— when you allow it, your latest latitude/longitude so we can rank "Near you" concerts. Stored in a cookie you can clear at any time.
• Spotify connection (optional) — when you link your Spotify account we read your top artists for personalised recommendations. We never write to your Spotify account.

What we do with it

• Show you concerts that match your taste and location.
• Send you ticket reminders, setlist updates, and weekly digests.
• Display your follow / attendance state on the artist and event pages.

What we never do

• Sell your personal data.
• Run third-party ad trackers, fingerprinting, or behavioural ad targeting.
• Read or write to your Spotify account beyond reading top artists.

Third parties we share data with

• Supabase hosts the database and auth — required to run the service.
• Vercel hosts the application code — required to serve the site.
• Concert data we display comes from Ticketmaster, Songkick, Bubilet, Biletinial and setlist.fm. We do not send personal data back to them.

Your rights

• Access — request a copy of all data we hold on you.
• Deletion — request full account deletion, including all activity rows.
• Withdraw consent — you can disable push and email notifications from Settings at any time. Disabling notifications immediately deletes the subscription.

To exercise any of these, write to hello@gigora.live.

How long we keep it

• Account + activity data — kept as long as your account is active. When you delete your account, all attendance / follow / review / setlist-edit rows are deleted with it, immediately and permanently.
• Notification subscriptions — deleted when you disable push or unsubscribe from email; otherwise kept for the lifetime of your account.
• Logs — application logs (Vercel) and database logs (Supabase) hold IP addresses + request paths for up to 30 days for abuse-prevention and debugging, after which they roll off.
• Backups — encrypted database backups retain a copy for up to 90 days. Account-deletion requests purge live data instantly; backup purge happens on the rolling 90-day window.

Data protection laws

Visitors from the European Economic Area are protected under the GDPR; Turkish visitors are protected under the KVKK (Kişisel Verilerin Korunması Kanunu). The rights listed above apply equally under both — the lawful basis for processing your account + activity data is your consent (granted when you sign up) and our legitimate interest in operating the service.

Cookies

We use a small number of strictly-necessary cookies for sign-in sessions and your location preference. We do not set advertising or analytics cookies that profile you across other sites.

Children

Gigora is intended for users 16 and over. We do not knowingly collect data from anyone younger.

Changes

When we change this policy we update the date at the top. Material changes (new third parties, new data classes) trigger an in-app notice before they take effect.