privacy · vol. 01 / 2026 · last updated 2026-05-09
your data,
kept private.
this policy explains what stubbbr collects, how we use it, who we share it with, and the rights you have over your information. plain words first; the legal version reads the same way.
scaffold notice — this is boilerplate text generated as a starting point. before publishing, replace all [bracketed] placeholders, confirm every third-party processor listed actually applies to your stack, and have a privacy lawyer review the full document.
who we are
stubbbr ("we," "our," "us") is operated by [Legal Entity Name], a [jurisdiction] entity. our principal address is [mailing address]. you can reach our privacy team at privacy@stubbbr.com.
what we collect
account information: email address, display name, and authentication identifiers managed by our auth provider (clerk).
content you create: concerts you log, ratings, notes, photos you attach to stubs, and any preferences you set.
usage data: pages visited, features used, error reports, device and browser information, and approximate location derived from IP address.
payment information: handled by stripe. we receive subscription status and the last four digits of your card for receipts; full card numbers never reach our servers.
how we use it
we use your information to operate the service (display your catalog, generate ticket stubs, fetch setlists), to communicate with you about your account and changes to the service, to detect and prevent abuse, to improve product quality, and to comply with legal obligations.
we do not sell your personal information. we do not use your concert data to train third-party AI models.
who we share it with
we share data only with processors that help us run stubbbr. currently these include:
- clerk — authentication and identity
- supabase — database and storage
- vercel — hosting and deployment
- stripe — payment processing
- resend — transactional email
- openai — AI-assisted features
- ticketmaster, setlist.fm, spotify, mapbox — read-only metadata enrichment
each is bound by its own privacy and DPA terms. we do not share your data with advertisers or data brokers.
your rights
depending on where you live, you may have the right to access, correct, export, or delete your personal data; to withdraw consent where we rely on it; to object to or restrict processing; and to lodge a complaint with a supervisory authority. to exercise these rights, email privacy@stubbbr.com.
you can delete your stubbbr account at any time from settings. when you delete your account, we erase your concerts, notes, and photos within 30 days, except where we are required to retain records for legal or accounting purposes.
cookies and tracking
we use a small number of essential cookies for authentication and session management. we do not use third-party advertising trackers. we may use privacy-respecting analytics [confirm provider — vercel analytics, plausible, etc.] to understand which pages are working and which aren't.
data retention
we keep account data for as long as your account is active. concerts and notes you log are kept until you delete them or your account. backups are retained for [N] days. payment records are retained as required by tax and accounting law (typically 7 years).
security
we use industry-standard practices: encryption in transit (TLS), encryption at rest for our database, scoped access controls, and regular dependency audits. no system is perfectly secure; we recommend using a strong unique password and enabling whatever 2fa options your auth method offers.
children
stubbbr is not directed to children under [13 / 16 — confirm per region]. we do not knowingly collect personal information from children. if you believe a child has provided us information, contact us and we will delete it.
international users
stubbbr is hosted in the [primary hosting region]. if you access the service from outside that region, your data will be transferred to and processed there. we rely on [SCCs / adequacy decisions / your transfer mechanism] for cross-border transfers where required.
changes and contact
if we make material changes to this policy, we'll notify you by email and post a notice in-product before the changes take effect. non-material edits (typo fixes, processor list updates) will be reflected here without separate notice; check the "last updated" date at the top.
questions, concerns, or requests: privacy@stubbbr.com
