Privacy Policy

Last updated: April 2026

1. Data Controller

The controller of your personal data is Evans Consulting, registered with the Dutch Chamber of Commerce (KVK) under number 69763143, with its registered address at Vredenrijkstraat 47, 2021CD Haarlem, the Netherlands ("we", "us", "our").

We operate the Riffboard platform at riffboard.com. For any questions regarding this policy or your personal data, you can reach us at privacy@riffboard.com.

2. What Personal Data We Collect

Account Information

When you sign in with Google or via a magic link, we receive and store your name, email address, and profile picture. If you sign in with Google, this data is provided by your Google account.

User Content

You may provide content including artist profiles, release metadata, contact information, fan data, venue details, calendar events, task descriptions, and financial data (budgets, transactions). This data is stored to provide the Service.

Uploaded Files

You may upload images such as cover art, venue photos, EPK hero images, and artist photos. These are stored in Supabase Storage (EU region).

Waitlist Information

If you join our waitlist, we collect your email address to notify you when access becomes available.

Google Calendar Integration

If you choose to connect your Google Calendar, we request read-only access (calendar.readonly) to display your Google Calendar events alongside your Riffboard calendar. We store your Google account email address, an authentication token to maintain the connection, and your selected calendar IDs. We do not store your Google Calendar event data — events are fetched on demand from Google's servers each time you view the calendar page. You can disconnect your Google Calendar at any time from your profile settings, which revokes our access and deletes the stored connection data.

Cookies and Session Data

We use strictly necessary cookies to maintain your authentication session (session cookie, CSRF token). We also store your cookie consent preference in your browser's local storage. We do not use advertising or third-party tracking cookies. See Section 10 for details.

Billing Information

If you subscribe to a paid plan, your payment is processed by Stripe, our payment processor. We store your Stripe customer ID and subscription status (plan, billing interval, period dates) but do not store your credit card number or full payment details. Stripe handles payment data securely in accordance with PCI DSS standards.

Analytics on Public Pages (First-Party)

When visitors interact with public pages (such as EPK pages, smart link pages, and Linkboard pages), we collect anonymised usage data to help artists understand how their content performs. This first-party analytics data includes: page views (impressions), button clicks (which streaming platform was chosen), referrer information, country (derived from IP by our hosting provider), and view duration. IP addresses are immediately hashed using HMAC-SHA256 with a daily-rotating key and never stored in plaintext — after the key rotates at midnight UTC, previous days' hashes become unlinkable. We do not store browser user agent strings. This data is collected under our legitimate interest (GDPR Article 6(1)(f)) and does not require consent, as no cookies or device storage are accessed for this purpose. We have conducted a Legitimate Interest Assessment confirming that this minimal, anonymised processing does not override visitors' rights and freedoms.
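The hashing scheme described above, as an added illustration in Python (not Riffboard's own code; the policy does not say how the daily key is generated, so this assumes a random per-day key that lives only in memory and is overwritten at midnight UTC, which is exactly the property that makes earlier days' hashes unlinkable):

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, timedelta, timezone


class DailyIpHasher:
    """HMAC-SHA256 pseudonymisation of visitor IPs under a key rotated at midnight UTC.

    Assumption (not stated in the policy): the key is random, held only in memory and
    discarded on rotation, so yesterday's hashes can neither be recomputed nor linked.
    """

    def __init__(self):
        self._day = None   # UTC date the current key belongs to
        self._key = None   # 32-byte key; never persisted, never logged

    def _key_for(self, day):
        if day != self._day:
            # Midnight UTC has passed: replace the old key with a fresh random one.
            self._day, self._key = day, secrets.token_bytes(32)
        return self._key

    def hash_ip(self, ip, now):
        """Hex HMAC of the packed address, keyed for the UTC day of `now` (live time only)."""
        day = now.astimezone(timezone.utc).date()
        addr = ipaddress.ip_address(ip)  # canonical: "2001:0db8::1" and "2001:db8::1" match
        return hmac.new(self._key_for(day), addr.packed, hashlib.sha256).hexdigest()

    def record_view(self, ip, country, referrer, now):
        """Analytics row as stored: the hash, country and referrer, never IP or user agent."""
        return {
            "day": now.astimezone(timezone.utc).date().isoformat(),
            "visitor": self.hash_ip(ip, now),
            "country": country,
            "referrer": referrer,
        }


def utc_time(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp (helper for the demo and tests)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def demo():
    """Constructed sample: one visitor seen just before and just after midnight UTC."""
    h = DailyIpHasher()
    before = utc_time(2026, 4, 1, 23, 59)
    after = before + timedelta(minutes=2)  # now 2026-04-02, key rotates on first use
    return {
        "same_day_linkable": h.hash_ip("203.0.113.7", before) == h.hash_ip("203.0.113.7", before),
        "next_day_unlinkable": h.hash_ip("203.0.113.7", before) != h.hash_ip("203.0.113.7", after),
        "row": h.record_view("203.0.113.7", "NL", "https://example.org/", after),
    }
```

Because the key is overwritten rather than derived from a long-lived secret, an operator holding today's key still cannot reconstruct which of yesterday's rows belonged to a given address.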

Optional Third-Party Tracking Pixels

Artists who use Riffboard may optionally configure a Meta (Facebook) Pixel ID in their workspace settings. When enabled, the Meta Pixel script is loaded on that artist's smart link pages only after the visitor gives consent via the cookie banner. The pixel sends page-view and click-through events to Meta on behalf of the artist for ad retargeting purposes. We do not control how Meta processes this data — please refer to Meta's Privacy Policy for details. If no Meta Pixel ID is configured, no Meta scripts are loaded.

Server-Side Conversions API (CAPI)

Artists may additionally configure a Meta Conversions API access token alongside their Pixel ID. When both are configured, Riffboard forwards smart link events (page views, button clicks) from our servers directly to Meta's Graph API, in addition to the client-side pixel. This server-side forwarding improves event accuracy for ad measurement. The data sent to Meta includes: IP address, user agent, country code, and cookie identifiers (_fbp, _fbc) set by the Meta Pixel. IP addresses and user agents are temporarily held in our event queue solely for forwarding and are deleted immediately after successful delivery to Meta (typically within one minute). This forwarding only occurs when the visitor has given consent via the cookie banner, and only when the artist has configured both a Pixel ID and a Conversions API token. The artist's access token is encrypted at rest using AES-256-GCM.

MailerLite Integration

If you connect your MailerLite account, we sync your contactable fan data (name, email address, city, country, funnel stage, and tags) from your Superfans CRM to your MailerLite subscriber list on your instruction. We store your MailerLite API key encrypted at rest (AES-256-GCM) and a subscriber ID for each synced fan to maintain the link between systems. We receive webhook notifications from MailerLite when subscribers unsubscribe, which we use to update the do-not-contact status in your CRM. Only fans you have marked as contactable and who have an email address are synced. This integration is only active when configured by the workspace owner.

2A. Data We Process on Your Behalf (Processor Data)

In addition to the personal data described above (where we act as the data controller), Riffboard also processes certain categories of third-party data on your behalf, where you are the data controller and we act as your data processor under GDPR Article 28.

This applies when you use features that store information about your fans, audience members, or other individuals. The categories of data you may ask us to process include:

  • Identity data — names, handles, stage names
  • Contact data — email addresses, phone numbers
  • Location data — city, region, or country
  • Engagement history — interactions, attendance records, purchase history, and notes you record about these individuals
  • Consent records — how and when these individuals gave you permission to contact them

As the controller, you are responsible for ensuring you have a lawful basis to collect and process this data (such as consent or legitimate interest), for responding to data subject requests, and for complying with applicable data protection laws.

We process this data solely on your instructions to provide the Service. Our obligations as processor are set out in our Data Processing Agreement, which governs all processor data.

3. Legal Basis for Processing

Under Article 6 of the GDPR, we process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)) — Account data, user content, and uploaded files are processed as necessary to provide the Service you signed up for.
  • Consent (Art. 6(1)(a)) — Third-party tracking (Meta Pixel and Conversions API) on public pages is only activated when the visitor has given consent via our cookie banner. You can withdraw consent at any time by clearing your cookie preferences.
  • Legitimate interest (Art. 6(1)(f)) — We process limited data for fraud prevention, security monitoring, service improvement, and first-party analytics on public pages (anonymised click and view tracking with daily-rotating IP hashes, no cookies, no user agent storage). Our legitimate interest does not override your rights or freedoms. A Legitimate Interest Assessment is available on request.
  • Legal obligation (Art. 6(1)(c)) — We may retain certain data where required by Dutch or EU law (e.g., tax or accounting obligations).
  • Soft opt-in for marketing re-contact (ePrivacy Directive Art. 13(2)) — When a fan provides their email address in connection with claiming a free offer, the workspace owner (as data controller) may send marketing communications about similar products and services (releases, shows, merchandise), provided the fan was given a clear opportunity to opt out at the time of collection and each subsequent message includes an easy unsubscribe option. This is consistent with Recital 32 GDPR and the ePrivacy Directive's exception for existing customer relationships.

4. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Send transactional emails (magic links, team invitations, waitlist confirmations, task notifications)
  • Display your public pages (EPK, smart links, Linkboard)
  • Provide anonymised analytics to artists about their public pages
  • Respond to your requests and communications
  • Protect against fraud, abuse, and unauthorised access

We do not sell your personal information. We do not use your data for advertising, profiling, or automated decision-making.

5. Sub-Processors and Third-Party Services

We share personal data with the following sub-processors, solely to operate the Service:

Service | Purpose | Location
Supabase | Database and file storage | EU (AWS eu-west-1)
Vercel | Application hosting and edge network | US (iad1, Washington D.C.)
Google | OAuth authentication (sign-in) and Calendar API | US / Global
Resend | Transactional email delivery | US
Odesli (song.link) | Streaming link resolution | US
YouTube / Google | Video embeds on public artist pages (loaded only with consent) | US / Global
Vimeo | Video embeds on public artist pages (loaded only with consent) | US
Spotify | Music embeds on public artist pages (loaded only with consent) | SE / Global
SoundCloud | Music embeds on public artist pages (loaded only with consent) | DE / Global
Bandcamp | Music embeds on public artist pages (loaded only with consent) | US
Bandsintown | Show listings widget on public artist pages (loaded only with consent) | US
MailerLite | Email marketing integration — fan contact data synced from Superfans CRM to MailerLite subscriber lists (only when configured by the workspace owner) | EU (Lithuania) / US
Stripe | Payment processing and subscription billing | US
Meta (Facebook) | Optional tracking pixel and server-side Conversions API (CAPI) on smart link pages — page-view and click events sent both client-side and server-side to Meta for ad measurement (only when configured by the artist and consented to by the visitor) | US / Global

We have executed Data Processing Agreements (DPAs) with each sub-processor that processes personal data on our behalf, in accordance with Article 28 of the GDPR. For Meta Pixel and Conversions API integrations, the artist who configures the tracking is the data controller and maintains their own relationship with Meta via Meta's Business Tools Terms. Riffboard acts as a processor on the artist's behalf, forwarding events using the artist's own credentials.

6. International Data Transfers

Your primary data (database and files) is stored within the European Union via Supabase (AWS eu-west-1, Ireland). However, some sub-processors operate in the United States:

  • Vercel — may process requests via edge servers outside the EU
  • Google — OAuth authentication and Google Calendar event fetching involve communication with Google servers
  • Resend — email delivery from US-based infrastructure
  • Stripe — payment processing from US-based infrastructure
  • MailerLite — optional email marketing integration; fan data synced to MailerLite servers (only when configured by the workspace owner)
  • Meta (Facebook) — optional tracking pixel and server-side event forwarding (Conversions API) on smart link pages — visitor data (IP address, user agent, country, cookie identifiers) may be sent from our servers to Meta's US infrastructure (only when configured by the artist and consented to by the visitor)

Where data is transferred outside the EU/EEA, we rely on the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or other appropriate safeguards in accordance with Chapter V of the GDPR.

7. Data Retention

We retain your data for no longer than necessary:

  • Account data and user content — retained for the duration of your account, plus 30 days after deletion to allow for recovery
  • Waitlist email addresses — retained until you are granted access or unsubscribe, and no longer than 12 months
  • Public page analytics — anonymised data retained for up to 90 days
  • Authentication session data — sessions expire after 30 days of inactivity
  • Conversions API event queue — IP addresses and user agents are deleted immediately after forwarding to Meta or when delivery permanently fails (typically within one minute). Event metadata (event name, timestamp, delivery status) is retained for up to 7 days for debugging, then automatically deleted.

If you request deletion of your account, we will remove your personal data within 30 days, unless we are legally required to retain it (e.g., for tax or accounting purposes under Dutch law).

8. Data Storage and Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encrypted connections (HTTPS / TLS) for all data in transit
  • Encrypted database storage at rest (Supabase/AWS)
  • Row-level security on all database tables
  • Role-based access control within the application
  • Authenticated API access with session tokens
  • Security headers (X-Frame-Options, CSP, HSTS)

While we strive to protect your data, no method of electronic storage or transmission is completely secure. We encourage you to use a strong password for your Google account and to keep your sign-in credentials confidential.

9. Your Rights Under the GDPR

As a data subject under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15) — obtain a copy of the personal data we hold about you
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17) — request deletion of your personal data
  • Right to restriction (Art. 18) — request restriction of processing in certain circumstances
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (Riffboard includes a Data Export feature for this purpose)
  • Right to object (Art. 21) — object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — withdraw consent at any time where processing is based on consent (e.g., analytics). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at privacy@riffboard.com. We will respond within 30 days as required by the GDPR.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

10. Cookies

We use the following categories of cookies:

  • Strictly necessary — Authentication session cookie and CSRF protection token. These are essential for the Service to function and cannot be disabled. Legal basis: contract performance (Art. 6(1)(b)) and exemption under Article 5(3) of the ePrivacy Directive / Telecommunicatiewet Art. 11.7a(3).
  • First-party analytics — Basic anonymised click and view tracking on public pages (smart links, EPK, Linkboard) to provide artists with visitor insights. No cookies are set or read for this purpose — data is collected via server-side processing only. Legal basis: legitimate interest (Art. 6(1)(f)).
  • Third-party embeds — Public artist pages may display embedded content from YouTube, Vimeo, Spotify, SoundCloud, Bandcamp, and Bandsintown. These embeds are only loaded after you give consent via our cookie banner or explicitly click "Load content" on an individual embed. Once loaded, these services may set their own cookies according to their respective privacy policies. We use YouTube's privacy-enhanced mode (youtube-nocookie.com) to minimise tracking. Legal basis: consent (Art. 6(1)(a) GDPR / Telecommunicatiewet Art. 11.7a).
  • Optional tracking pixels — Artists may optionally configure a Meta (Facebook) Pixel on their smart link pages for ad retargeting. This pixel is only loaded after you give consent via our cookie banner. When loaded, Meta may set its own cookies (including _fbp and _fbc) to track page views and button clicks. When the artist has also configured the server-side Conversions API, these cookie values are read by our server and forwarded to Meta for event deduplication. If the artist has not configured a Meta Pixel, no tracking pixel scripts are loaded and no cookie values are read. Legal basis: consent (Art. 6(1)(a)).

We do not set our own advertising or analytics cookies. Our first-party analytics use server-side processing only and do not access any data stored on your device. When a Meta Pixel is active and consented to, Meta's pixel may set cookies which we read server-side for event deduplication via the Conversions API. We do not use third-party analytics services (such as Google Analytics). Your cookie preference is stored locally in your browser and can be changed at any time by clearing your browser data.

11. Children's Privacy

The Service is not intended for users under the age of 16 (the age of digital consent under the Dutch implementation of the GDPR). We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

12. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling as defined in Article 22 of the GDPR. No decisions with legal or similarly significant effects are made about you based solely on automated processing.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. For material changes, we will notify you via email or through a notice in the Service at least 14 days before the changes take effect. The "Last updated" date at the top indicates the most recent revision.

14. Contact

For questions about this Privacy Policy, to exercise your data rights, or to raise a concern about how we handle your data: