Privacy Policy - Bandy

Effective Date: August 11, 2025
Last Updated: August 11, 2025

1. Introduction

Welcome to Bandy. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our musician collaboration platform.

Data Controller: Dimitrios Daskaleas d/b/a FineApps
Contact: bandy@fineapps.gr
Location: Athens, Greece

2. Information We Collect

2.1 Information You Provide

Account Information

• Email address (required)
• Password (encrypted)
• Stage name
• Gender (optional)
• Profile photo (optional)

Profile Information

• Instruments you play
• Skill levels (beginner/hobbyist/session)
• Favorite songs
• Weekly availability schedule
• Unavailable dates

Band Information

• Bands you create or join
• Band roles and permissions
• Member color selections
• Custom band schedules

Content You Create

• Song suggestions and dream songs
• Playlists
• Messages (band chat and private)
• Rehearsal proposals
• Song ratings and feedback

2.2 Information Collected Automatically

Device Information

• Device type and model
• Operating system version
• App version
• Unique device identifiers
• IP address
• Time zone

Log Information

• Access times and dates
• Features used
• Error logs
• Performance data

2.3 Information from Third Parties

Spotify Integration

• Song verification data
• Track metadata
• No access to your Spotify account or playlists

Firebase Authentication

• Authentication tokens
• Account verification status
• No access to Google account data beyond email

3. How We Use Your Information

3.1 To Provide Core Services

• Create and manage your account
• Connect you with other musicians
• Facilitate band formation and management
• Enable messaging between users
• Schedule rehearsals and manage availability
• Process song suggestions and playlists

3.2 To Improve Our Service

• Analyze usage patterns
• Fix bugs and improve performance
• Develop new features
• Personalize your experience
• Provide customer support

3.3 To Ensure Safety

• Enforce our Terms of Service
• Investigate reported violations
• Prevent fraud and abuse
• Maintain platform integrity

4. Information Sharing and Disclosure

4.1 With Other Users

Public Information (visible to all users)

• Stage name
• Instruments and skill levels
• Bands you're in

Band Members See

• Your submitted availability schedule
• Song suggestions and ratings
• Band chat messages
• Rehearsal responses
• Member color

Private Information (never shared publicly)

• Email address
• Private messages
• Account settings
• Payment information

4.2 With Service Providers

We share data with trusted third parties who help us operate:

• Firebase (Google): Authentication and database
• Render: Server hosting
• Spotify API: Song verification only
• Payment Processors: Premium subscriptions (encrypted)

4.3 Legal Requirements

We may disclose information if required by:

• Court orders
• Legal proceedings
• Government requests
• To protect rights and safety

5. Data Retention

5.1 Active Accounts

We retain your data as long as your account is active or as needed to provide services.

5.2 Deleted Accounts

When you delete your account:

• Profile data removed within 30 days
• Messages retained for band history
• Anonymized contributions may remain
• Some data retained for legal compliance (90 days)

5.3 Inactive Accounts

Accounts inactive for 2 years may be deleted after notification.

6. Data Security

6.1 Security Measures

• Encryption: All passwords encrypted using bcrypt
• HTTPS: All data transmitted over secure connections
• Firebase Security: Industry-standard Google infrastructure
• Access Control: Limited employee access to user data
• Regular Updates: Security patches applied promptly

6.2 Your Responsibilities

• Keep your password secure
• Don't share account credentials
• Log out on shared devices
• Report suspicious activity

6.3 Breach Notification

If a data breach occurs, we will:

• Notify affected users within 72 hours
• Provide details of compromised data
• Offer guidance on protective measures
• Cooperate with authorities

7. Your Rights and Choices

7.1 Access and Portability

You can:

• Access your personal data through the app
• Download your data in JSON format
• Request a copy via email

7.2 Correction

You can:

• Update profile information anytime
• Correct inaccurate data
• Change privacy settings

7.3 Deletion

You can:

• Delete specific content
• Remove yourself from bands
• Delete your entire account

7.4 Restriction

You can:

• Limit data processing
• Opt out of non-essential features
• Control visibility settings

8. Children's Privacy

Bandy is not intended for children under 13. We do not knowingly collect data from children under 13. If we discover such data, we will delete it immediately.

Parents who believe their child has provided information should contact: bandy@fineapps.gr

9. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards through:

• Standard contractual clauses
• Privacy Shield frameworks (where applicable)
• Adequate protection assessments

10. Cookies and Tracking

10.1 Mobile App

The Bandy mobile app does not use cookies but may use:

• Local storage for preferences
• Session tokens for authentication
• Analytics identifiers (anonymized)

11. Third-Party Links

Bandy may contain links to third-party services (Spotify, etc.). We are not responsible for their privacy practices. Please review their policies separately.

12. Marketing Communications

We do not send marketing emails. We will only contact you for essential service-related communications such as security updates, account issues, or important changes to our Terms of Service or Privacy Policy.

13. California Privacy Rights (CCPA)

California residents have additional rights:

• Right to know what personal information is collected
• Right to know if information is sold or disclosed
• Right to say no to sale of personal information
• Right to equal service and price

We do not sell personal information.

14. European Privacy Rights (GDPR)

EU residents have additional rights:

• Lawful basis for processing
• Data protection officer contact
• Supervisory authority complaints
• Automated decision-making disclosure

Lawful Basis: Contract performance and legitimate interests

15. Changes to This Policy

We may update this Privacy Policy. Changes will be notified via:

• In-app notifications
• Email to registered users
• Policy update date

Review the policy periodically for changes.

16. Specific Feature Policies

16.1 Messaging

• Messages encrypted in transit
• Not read by us except when reported
• Retained for band history
• Deleted with account (except band messages)

16.2 Schedule Data

• Used only for band coordination
• Not shared outside your bands
• Can be made band-specific
• Deleted when you leave bands

16.3 Song Suggestions

• Linked to Spotify for verification
• Ratings anonymous to other users
• Can be deleted anytime
• Not used for marketing

16.4 Red Flag System

• Tracks songs members cannot play
• Helps bands avoid problematic song choices
• Can be updated anytime by users

17. Contact Us

For privacy questions, concerns, or requests:

Email: bandy@fineapps.gr
Website: fineapps.gr/bandy
Address: Athens, Greece

Response Times:

• General inquiries: 7 days
• Rights requests: 30 days
• Urgent security: 48 hours

18. Additional Information

18.1 No Sale of Data

We never sell, rent, or trade your personal information.

18.2 Privacy by Design

Privacy considerations are built into new features from the start.

18.3 Transparency Reports

We may publish transparency reports about data requests and platform safety.