Privacy Policy

Last updated: February 2026

1. Data Controller

The controller of your personal data is Evans Consulting, registered with the Dutch Chamber of Commerce (KVK) under number 69763143, with its registered address at Vredenrijkstraat 47, 2021CD Haarlem, the Netherlands ("we", "us", "our").

We operate the Riffboard platform at riffboard.com. For any questions regarding this policy or your personal data, you can reach us at privacy@riffboard.com.

2. What Personal Data We Collect

Account Information

When you sign in with Google or via a magic link, we receive and store your name, email address, and profile picture. If you sign in with Google, this data is provided by your Google account.

User Content

You may provide content including artist profiles, release metadata, contact information, fan data, venue details, calendar events, task descriptions, and financial data (budgets, transactions). This data is stored to provide the Service.

Uploaded Files

You may upload images such as cover art, venue photos, EPK hero images, and artist photos. These are stored in Supabase Storage (EU region).

Waitlist Information

If you join our waitlist, we collect your email address to notify you when access becomes available.

Google Calendar Integration

If you choose to connect your Google Calendar, we request read-only access (calendar.readonly) to display your Google Calendar events alongside your Riffboard calendar. We store your Google account email address, an authentication token to maintain the connection, and your selected calendar IDs. We do not store your Google Calendar event data — events are fetched on demand from Google's servers each time you view the calendar page. You can disconnect your Google Calendar at any time from your profile settings, which revokes our access and deletes the stored connection data.

Cookies and Session Data

We use strictly necessary cookies to maintain your authentication session (session cookie, CSRF token). We also store your cookie consent preference in your browser's local storage. We do not use advertising or third-party tracking cookies. See Section 10 for details.

Analytics on Public Pages

When visitors view public pages (such as EPK pages, smart link pages, and Linkboard pages), we collect anonymised usage data — including page views, section engagement, referrer information, and view duration — to help artists understand how their content performs. IP addresses are hashed and never stored in plaintext. This data is collected only with consent via our cookie banner.

3. Legal Basis for Processing

Under Article 6 of the GDPR, we process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)) — Account data, user content, and uploaded files are processed as necessary to provide the Service you signed up for.
  • Consent (Art. 6(1)(a)) — Analytics on public pages are only collected when the visitor has given consent via our cookie banner. You can withdraw consent at any time by clearing your cookie preferences.
  • Legitimate interest (Art. 6(1)(f)) — We process limited data for fraud prevention, security monitoring, and service improvement. Our legitimate interest does not override your rights or freedoms.
  • Legal obligation (Art. 6(1)(c)) — We may retain certain data where required by Dutch or EU law (e.g., tax or accounting obligations).

4. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Send transactional emails (magic links, team invitations, waitlist confirmations, task notifications)
  • Display your public pages (EPK, smart links, Linkboard)
  • Provide anonymised analytics to artists about their public pages
  • Respond to your requests and communications
  • Protect against fraud, abuse, and unauthorised access

We do not sell your personal information. We do not use your data for advertising, profiling, or automated decision-making.

5. Sub-Processors and Third-Party Services

We share personal data with the following sub-processors, solely to operate the Service:

Service              Purpose                                                                  Location
Supabase             Database and file storage                                                EU (AWS eu-west-1)
Vercel               Application hosting and edge network                                     US (iad1, Washington D.C.)
Google               OAuth authentication (sign-in) and Calendar API                          US / Global
Resend               Transactional email delivery                                             US
Odesli (song.link)   Streaming link resolution                                                US
YouTube / Google     Video embeds on public artist pages (loaded only with consent)           US / Global
Vimeo                Video embeds on public artist pages (loaded only with consent)           US
Spotify              Music embeds on public artist pages (loaded only with consent)           SE / Global
SoundCloud           Music embeds on public artist pages (loaded only with consent)           DE / Global
Bandcamp             Music embeds on public artist pages (loaded only with consent)           US
Bandsintown          Show listings widget on public artist pages (loaded only with consent)   US

We have executed Data Processing Agreements (DPAs) with each sub-processor that processes personal data on our behalf, in accordance with Article 28 of the GDPR.

6. International Data Transfers

Your primary data (database and files) is stored within the European Union via Supabase (AWS eu-west-1, Ireland). However, some sub-processors operate in the United States:

  • Vercel — may process requests via edge servers outside the EU
  • Google — OAuth authentication and Google Calendar event fetching involve communication with Google servers
  • Resend — email delivery from US-based infrastructure

Where data is transferred outside the EU/EEA, we rely on the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or other appropriate safeguards in accordance with Chapter V of the GDPR.

7. Data Retention

We retain your data for no longer than necessary:

  • Account data and user content — retained for the duration of your account, plus 30 days after deletion to allow for recovery
  • Waitlist email addresses — retained until you are granted access or unsubscribe, and no longer than 12 months
  • Public page analytics — anonymised data retained for up to 90 days
  • Authentication session data — sessions expire after 30 days of inactivity

If you request deletion of your account, we will remove your personal data within 30 days, unless we are legally required to retain it (e.g., for tax or accounting purposes under Dutch law).

8. Data Storage and Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encrypted connections (HTTPS / TLS) for all data in transit
  • Encrypted database storage at rest (Supabase/AWS)
  • Row-level security on all database tables
  • Role-based access control within the application
  • Authenticated API access with session tokens
  • Security headers (X-Frame-Options, CSP, HSTS)

While we strive to protect your data, no method of electronic storage or transmission is completely secure. We encourage you to use a strong password for your Google account and to keep your sign-in credentials confidential.

9. Your Rights Under the GDPR

As a data subject under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15) — obtain a copy of the personal data we hold about you
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17) — request deletion of your personal data
  • Right to restriction (Art. 18) — request restriction of processing in certain circumstances
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (Riffboard includes a Data Export feature for this purpose)
  • Right to object (Art. 21) — object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — withdraw consent at any time where processing is based on consent (e.g., analytics). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at privacy@riffboard.com. We will respond within 30 days as required by the GDPR.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

10. Cookies

We use the following categories of cookies:

  • Strictly necessary — Authentication session cookie and CSRF protection token. These are essential for the Service to function and cannot be disabled. Legal basis: contract performance (Art. 6(1)(b)) and exemption under Article 5(3) of the ePrivacy Directive / Telecommunicatiewet Art. 11.7a(3).
  • Analytics — Used only on public pages (EPK, smart links, Linkboard) to provide artists with anonymised visitor insights. Only set after you give consent via our cookie banner. Legal basis: consent (Art. 6(1)(a)).
  • Third-party embeds — Public artist pages may display embedded content from YouTube, Vimeo, Spotify, SoundCloud, Bandcamp, and Bandsintown. These embeds are only loaded after you give consent via our cookie banner or explicitly click "Load content" on an individual embed. Once loaded, these services may set their own cookies according to their respective privacy policies. We use YouTube's privacy-enhanced mode (youtube-nocookie.com) to minimise tracking. Legal basis: consent (Art. 6(1)(a) GDPR / Telecommunicatiewet Art. 11.7a).

We do not use advertising cookies, social media tracking pixels, or third-party analytics services (such as Google Analytics). Your cookie preference is stored locally in your browser and can be changed at any time by clearing your browser data.

11. Children's Privacy

The Service is not intended for users under the age of 16 (the age of digital consent under the Dutch implementation of the GDPR). We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

12. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling as defined in Article 22 of the GDPR. No decisions with legal or similarly significant effects are made about you based solely on automated processing.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. For material changes, we will notify you via email or through a notice in the Service at least 14 days before the changes take effect. The "Last updated" date at the top indicates the most recent revision.

14. Contact

For questions about this Privacy Policy, to exercise your data rights, or to raise a concern about how we handle your data: