gigl

Privacy Policy

Last updated: April 2026

1. Who We Are

Nomadsec Ltd (company no. 16591492), trading as Gigl, is the data controller for personal data collected through this platform. We are based in England and Wales.

Contact: privacy@getgigl.co.uk

2. What Data We Collect

  • Account data: email address, hashed password, account role (entertainer or venue), date of consent.
  • Profile data: stage name or venue name, location, biography, profile photos, video links, social media links, performance type, fee range, equipment requirements.
  • Transaction data: gig details (dates, times, budget), application messages, signed contract text, payment references and amounts. We do not store card numbers — these are handled entirely by Stripe.
  • Check-in data: timestamps of check-in events, used for payment release and dispute evidence.
  • Reviews: ratings and written feedback submitted after a gig.
  • Communications: notification content and read status.
  • Technical data: IP addresses (retained in security logs), login timestamps, failed login counts.

3. Legal Basis for Processing

  • Contractual necessity: processing your account, profile, bookings, contracts, payments, and check-ins is necessary to provide the service you signed up for.
  • Legal obligation: retaining payment records for 6 years (HMRC requirement); retaining security audit logs.
  • Legitimate interests: fraud prevention, platform security, and improving the service.
  • Consent: you provided explicit consent at signup for us to process your data in line with this policy.

4. How We Use Your Data

  • To create and manage your account and profile.
  • To facilitate bookings, generate contracts, and process payments.
  • To send transactional emails: account verification, booking confirmations, check-in reminders, payment notifications, dispute updates.
  • To display your profile to other users (entertainers visible to venues, venues visible to entertainers).
  • To investigate and resolve disputes.
  • To comply with legal obligations, including HMRC record-keeping.
  • To detect and prevent fraud and abuse.

5. Data Retention

  • Account and profile data: retained while your account is active. Anonymised within 30 days of an account deletion request (name, email, and profile details replaced with placeholder values).
  • Payment records: retained for 6 years from the transaction date, as required by HMRC.
  • Contracts: retained for 6 years to support potential legal disputes.
  • Security audit logs: retained for 2 years.
  • Inactive accounts: accounts with no activity for 3 years may be anonymised automatically.

6. Third-Party Processors

We share data with the following sub-processors, all of whom are subject to data processing agreements:

  • Stripe (USA, EU–US Data Privacy Framework) — payment processing and entertainer payouts. Stripe processes card data directly; we only receive payment references.
  • Resend (USA) — transactional email delivery. We share email addresses and personalised message content.
  • Vercel (USA, EU–US Data Privacy Framework) — platform hosting, serverless functions, and file storage for profile images.
  • Supabase (EU) — database hosting and real-time data delivery.

We do not sell your data to third parties or use it for advertising purposes.

7. Cookies

We use only essential cookies required for the platform to function:

  • Session cookie: keeps you signed in between page visits. Expires after 30 days or on sign-out.
  • CSRF token: protects against cross-site request forgery.

We do not use analytics, tracking, or advertising cookies. See our Cookies page for full details.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate data via your profile settings.
  • Erasure: delete your account from Settings. Payment records are exempt from erasure for 6 years under HMRC rules.
  • Portability: request your data in a machine-readable format.
  • Object: object to processing based on legitimate interests.
  • Withdraw consent: you may withdraw consent at any time, which will not affect the lawfulness of prior processing.

To exercise any of these rights, contact privacy@getgigl.co.uk. We will respond within 30 days.

9. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

10. Changes to This Policy

We may update this policy from time to time. We will notify you by email of any material changes. The "last updated" date at the top of this page will always reflect the most recent version.