Privacy Policy
Effective Date: 14 July 2026
Introduction
TourNote ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your personal information when you use our band management platform.
By using TourNote, you agree to the collection and use of information in accordance with this policy.
Data Controller
Christopher Thomas Collis
Email: [email protected]
For formal data protection requests, we will provide our full contact details upon request.
Information We Collect
Account Information
- First and last name
- Email address
- Password hash (created using bcrypt; we do not store your plaintext password)
- Time zone preference
Band, Tour, and Show Data
- Band name and member information
- Tour dates, venues, and show details
- Promoter contact information (name, email, phone, Instagram)
- Venue contacts and technical specifications
- Show logistics (load-in times, stage times, curfews, etc.)
- Custom notes and documents
Technical Information
- IP address and session data
- Your TourNote push-notification preference
- Apple Push Notification service (APNs) device tokens and Firebase Cloud Messaging registration or Firebase Installations identifiers used to deliver mobile notifications
- Device name on iOS, or manufacturer and model on Android, together with the mobile platform and app version when registering a device
- Browser type and operating system
- Login timestamps and activity logs
Contact Form Submissions
- Name, email, phone number, and message content when you contact us for support
Legal Basis for Processing Your Data
Under the General Data Protection Regulation (GDPR) and UK data protection law, we process your personal data on the following legal bases:
• Performance of Contract: To provide band management services, process purchases, and enable collaboration features
• Legal Obligation: To comply with tax, accounting, and financial regulations
• Legitimate Interest: To improve our services, prevent fraud, ensure security, and provide customer support
• Consent: To send you marketing communications (where applicable - you can withdraw consent at any time)
How We Use Your Information
We use your personal information to:
- Provide and maintain our band management services
- Process purchases, verify store transactions, manage entitlements and refunds, and prevent purchase fraud
- Send advance sheets to promoters and venues on your behalf
- Enable collaboration between band members
- Send essential service updates, push notifications, and reminders you enable
- Respond to your enquiries and provide technical support
- Improve our services, diagnose errors and performance issues, and develop new features
- Ensure the security and integrity of our platform
- Comply with legal obligations
Cookies and Similar Technologies
TourNote uses essential cookies to provide our service:
• Session cookies to keep you logged in and manage your authentication
• Security cookies to prevent fraud and protect your account
These cookies are necessary for TourNote to function and cannot be disabled. You can control cookies through your browser settings, though disabling them will prevent you from using TourNote.
Mobile App Data Stored on Your Device
The iOS and Android apps keep limited local copies of data needed for native features:
• Local reminders: Up to 60 upcoming reminders may be scheduled on your device. A scheduled copy can include a reminder ID and type, title, message, scheduled time, time zone, in-app path, and band ID. On Android, these reminder preferences are excluded from cloud backup and device transfer.
• Pending Apple purchases: iOS may temporarily retain the product ID and key, purchase-intent ID, band ID, optional user ID, band-linked app-account token, and creation time for up to 30 days while a StoreKit purchase is pending or being recovered.
• Pending Google Play purchases: Android may temporarily retain the product ID, band ID, optional purchase-intent ID, source, trigger, and creation time for up to 7 days. These Android billing preferences are excluded from cloud backup and device transfer.
• Permission display state: Android may cache notification permission status locally so settings show the current state. This cache is excluded from cloud backup and device transfer.
These local copies are removed when no longer needed, when they expire, when you disable the related feature, or when app/session cleanup applies. The operating system may also remove them when you uninstall the app.
Third-Party Services
We use the following third-party services to operate TourNote. Each processes data in accordance with their own privacy policies:
Stripe
Web credit and pass payment processing. Stripe handles payment card information for web purchases. We never store payment card details on our servers.
Privacy Policy: https://stripe.com/privacy
Apple App Store and StoreKit
Native iOS purchase processing and verification. We receive signed transaction information, product and transaction identifiers, purchase status, and a deterministic band-linked app-account token so we can grant entitlements and process refunds. Apple handles payment credentials; we do not receive payment card details.
Privacy Policy: https://www.apple.com/legal/privacy/
Google Play Billing
Native Android purchase processing and verification. Purchase data can include product and order identifiers, a purchase token, purchase time and region, and stable pseudonymous SHA-256 identifiers derived separately from the relevant TourNote user and band IDs. New purchase flows do not send the raw database IDs in these identifiers. We send the purchase token to Google for verification and retain a SHA-256 fingerprint rather than the raw token in our purchase records. Google handles payment credentials; we do not receive payment card details.
Privacy Policy: https://policies.google.com/privacy
Resend
Email delivery for advance sheets, notifications, and password resets.
Privacy Policy: https://resend.com/legal/privacy-policy
Hosting and Storage Providers, Including Hetzner Where Configured
Infrastructure, database, backup, and file storage. Hetzner is the default object-storage option in our current production configuration, but the provider and processing region depend on the live deployment configuration.
Privacy Policy: https://www.hetzner.com/legal/privacy-policy
Apple Push Notification Service
Push notifications for the iOS app. Device tokens are used to deliver notifications.
Privacy Policy: https://www.apple.com/legal/privacy/
Firebase Cloud Messaging and Firebase Installations
Push notifications for the Android app. Firebase registration or installation identifiers and notification delivery data are used to register the device and deliver notifications.
Privacy Policy: https://firebase.google.com/support/privacy
Google Places API
Venue location autocomplete and mapping services.
Privacy Policy: https://policies.google.com/privacy
Sentry (When Configured)
Error and performance monitoring in production or staging only when a Sentry connection is configured. Diagnostic events may include request, environment, release, performance, and error context. Sending default personally identifiable information is disabled in the default configuration.
Privacy Policy: https://sentry.io/privacy/
Data Security
We implement appropriate technical and organisational security measures to protect your personal information:
• Passwords are one-way hashed using bcrypt; plaintext passwords are not stored
• All data transmission uses SSL/TLS encryption
• Secure authentication and session management
• Payment card information is handled by Stripe, Apple, or Google depending on purchase type. We retain the transaction and purchase metadata needed to verify purchases and provide entitlements, but not payment card details
• Regular security updates and monitoring
• Backups are access-controlled and protected according to the configured hosting and storage services
However, no method of transmission over the internet or electronic storage is 100% secure. Whilst we strive to protect your data using industry best practices, we cannot guarantee absolute security.
Data Retention
We retain your personal information as follows:
- Active accounts: Data is retained for as long as your account remains active
- Deleted accounts: Account data is scheduled for deletion when you delete your account, subject to backup cycles and the legal, security, and financial-record exceptions described below
- Financial records: Payment records are retained for 7 years to comply with UK tax and accounting requirements
- Support enquiries: Contact form submissions are retained for 2 years
Some metadata may be retained longer for legal, security, or administrative purposes (e.g., fraud prevention logs).
International Data Transfers
The locations used for hosting, databases, backups, and file storage depend on the providers and regions configured for the live service. Third-party services including Stripe, Resend, Apple, Google/Firebase, and Sentry when enabled may process data in other jurisdictions, including the United States.
When data is transferred outside the EU/UK, we ensure appropriate safeguards are in place, including:
• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the UK and EU authorities
• Third-party certifications and compliance frameworks
Your Rights
Under UK GDPR and data protection law, you have the following rights:
• Right to Access: Request a copy of your personal information
• Right to Rectification: Correct inaccurate or incomplete information
• Right to Erasure: Request deletion of your account and personal data
• Right to Restrict Processing: Limit how we use your information
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for marketing communications at any time
How to Exercise Your Rights
To exercise any of these rights:
• Email us at [email protected] or [email protected]
• Manage your settings within your TourNote account
• Use the unsubscribe link in marketing emails
We will respond to your request within 30 days.
Right to Lodge a Complaint
If you believe your data protection rights have been breached, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: https://ico.org.uk
Telephone: 0303 123 1113
Marketing Communications
We may send you marketing communications about new features, updates, or special offers if you have consented to receive them. You can unsubscribe at any time by:
• Clicking the unsubscribe link in any marketing email
• Contacting us at [email protected]
• Updating your preferences in your account settings
We will never sell your data to third parties for their marketing purposes.
Automated Decision-Making
TourNote does not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
Business Transfers
If TourNote is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or use of your personal information, and any choices you may have regarding your personal information.
Children's Privacy
TourNote is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe we have collected information from a child under 13, please contact us immediately at [email protected] and we will take steps to delete such information.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:
• Updating the effective date at the top of this policy
• Sending you an email notification (where appropriate)
• Displaying a prominent notice on our website or app
Your continued use of TourNote after any changes indicates your acceptance of the updated Privacy Policy.
Contact Us
If you have any questions about this Privacy Policy, our privacy practices, or wish to exercise your data protection rights, please contact us at:
Email: [email protected]
We aim to respond to all enquiries within 7 business days.
Last updated: 14 July 2026