Privacy Policy
Last updated: 28 June 2026
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use Lust for Live (the “Service”), an application for music festival enthusiasts. It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and, where applicable, national implementing laws of EU/EEA Member States.
1. Data Controller
The “controller” of your personal data within the meaning of Art. 4(7) GDPR is:
- Name / legal entity: Thomva
- Email: curler-pox-plating@duck.com
- Data Protection Officer (if appointed): Not appointed — no statutory obligation under Art. 37 GDPR
If you have any questions about this policy or wish to exercise your rights (see Section 9), please contact us using the details above.
2. Personal Data We Collect
We try to collect the minimum amount of personal data needed to run the Service (principle of data minimisation, Art. 5(1)(c) GDPR).
2.1 Data you provide when creating an account
- Email address — used as your login identifier (when signing in with email) or received from Google when you use “Sign in with Google”.
- Password (hashed) — only if you register with email/password. We never see or store your password in clear text; it is hashed by our authentication provider (see Section 4).
- Google account identifier and basic profile (only if you use “Sign in with Google”) — typically your email, Google user ID, name, and profile picture URL as provided by Google’s OAuth response.
2.2 Profile data
- Username (3–24 characters, letters/digits/underscore) chosen by you and shown publicly to other users of the Service.
- Avatar preferences — two colour keys and a pattern key (opaque values such as c1,p2) used to render your generated avatar. No image is uploaded.
2.3 Activity data inside the Service
- Favorite acts — the acts you mark as favorites and the festivals they belong to.
- Follow relationships — users you follow, users who follow you, and pending follow requests.
- Blocks — users you have blocked.
- Filter preferences — non-personal UI state stored locally in your browser.
2.4 Technical data collected automatically
- Server / hosting logs — IP address, user agent, request path, response status, and timestamp. Used for security, abuse prevention, and debugging.
- Authentication tokens / session cookies — strictly necessary cookies used to keep you signed in (see Section 8).
We do not knowingly collect special categories of personal data (Art. 9 GDPR) such as health, religion, or political opinions, and we ask you not to submit such data through the Service. The Service is not directed at children under 16; if we become aware that we have collected personal data from a child under 16 without parental consent, we will delete it.
3. Purposes and Legal Bases
We process your personal data only where we have a legal basis under Art. 6(1) GDPR. The table below summarises why we process each category of data and the legal basis we rely on.
| Purpose | Data used | Legal basis (Art. 6(1) GDPR) |
|---|---|---|
| Creating and authenticating your account | Email, hashed password or Google ID | (b) Performance of a contract with you |
| Showing your profile, avatar, favorites and follow/block lists inside the Service | Username, avatar keys, favorites, follows, blocks | (b) Performance of a contract with you |
| Keeping the Service secure, preventing abuse, debugging | Server logs, IP address, user agent | (f) Legitimate interests in operating a secure and reliable service; (c) compliance with legal obligations |
| Responding to your requests, exercising your data subject rights | Email, account data, content of your request | (c) Compliance with legal obligations under the GDPR; (b) performance of the contract |
| Enforcing our Terms and defending legal claims | Account and activity data, logs | (f) Legitimate interests |
Where we rely on legitimate interests under Art. 6(1)(f) GDPR, you have the right to object at any time (see Section 9). We will then stop the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
4. Recipients and Processors
We do not sell your personal data. We share it only with the service providers that are strictly necessary to run the Service, and only under written data processing agreements as required by Art. 28 GDPR.
4.1 Authentication and database — Supabase
We use Supabase to host our database, manage authentication, and store account and profile data. Supabase acts as our processor (Art. 28 GDPR). Information about Supabase’s privacy practices is available in their Privacy Policy and Data Processing Addendum.
4.2 Single sign-on — Google
If you choose “Sign in with Google”, Google acts as an independent controller for the authentication step and shares basic profile data with us, which we then process as described in this policy. Google’s handling of your data is governed by the Google Privacy Policy.
4.3 Hosting and infrastructure
The Service is hosted on cloud infrastructure providers, currently Vercel and Cloudflare, that may process technical data (such as IP addresses) on our behalf as processors.
4.4 Other recipients
We may disclose personal data to competent public authorities where required by EU or Member State law (Art. 6(1)(c) GDPR), or to legal advisors where necessary to establish, exercise, or defend legal claims (Art. 6(1)(f) GDPR).
5. International Data Transfers
Some of our processors (in particular Supabase and Google) may process personal data outside the European Economic Area (EEA), including in the United States. Where such transfers occur, we rely on appropriate safeguards under Chapter V GDPR, in particular:
- an adequacy decision of the European Commission under Art. 45 GDPR (for example the EU–U.S. Data Privacy Framework, where the recipient is certified); or
- the European Commission’s Standard Contractual Clauses (Art. 46(2)(c) GDPR), supplemented where appropriate by additional technical and organisational measures.
You can request a copy of the relevant safeguards by contacting us at the address in Section 1.
6. Data Retention
We keep your personal data only for as long as needed for the purposes set out in this policy:
- Account, profile, favorites, follows, blocks: for as long as your account exists. When you delete your account, the associated data is deleted from our active systems without undue delay.
- Server/security logs: typically kept for a short period (for example up to 30–90 days) and then deleted or anonymised, unless a longer period is required to investigate a security incident or comply with a legal obligation.
- Backups: deleted data may persist in encrypted backups for a limited rotation period before being overwritten.
- Data required for legal claims or obligations: retained for the period required by applicable law (e.g. statutory limitation periods).
7. Security
We implement appropriate technical and organisational measures (Art. 32 GDPR) to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (HTTPS/TLS), encryption at rest at our database provider, hashed passwords, role-based access controls, row-level security policies in the database, and restricted administrative access. No system is 100% secure; in the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and, where required, inform you without undue delay (Art. 34 GDPR).
8. Cookies and Local Storage
We use only strictly necessary cookies and similar technologies, which do not require prior consent under Art. 5(3) of the ePrivacy Directive and corresponding national rules:
- Authentication / session cookies set by Supabase to keep you signed in.
- Browser local storage used to remember UI preferences such as your selected filter view.
We do not use advertising cookies, third-party analytics, tracking pixels, or fingerprinting. If this changes in the future, we will update this policy and, where required, ask for your prior consent.
9. Your Rights
Under the GDPR, you have the following rights regarding your personal data. You can exercise them free of charge by contacting us at the address in Section 1.
- Right of access (Art. 15): obtain confirmation of whether we process your data, and a copy of it.
- Right to rectification (Art. 16): have inaccurate or incomplete data corrected.
- Right to erasure / “to be forgotten” (Art. 17): have your data deleted where the legal conditions are met. You can delete your account directly from your profile page, which removes your personal data from our active systems.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20): receive the personal data you provided in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
- Right to object (Art. 21): object at any time to processing based on our legitimate interests.
- Right to withdraw consent (Art. 7(3)): where processing is based on your consent, withdraw it at any time without affecting the lawfulness of processing carried out beforehand.
- Right not to be subject to solely automated decision-making (Art. 22): we do not carry out automated decision-making, including profiling, that produces legal effects on you.
We will respond to your request without undue delay and, in any event, within one month of receipt (Art. 12(3) GDPR), with a possible extension of two further months where necessary.
10. Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. A list of national supervisory authorities is available on the website of the European Data Protection Board: edpb.europa.eu/about-edpb/about-edpb/members_en.
11. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in the Service or in applicable law. The “Last updated” date at the top of this page indicates when it was last revised. For material changes we will notify you through the Service or by email where appropriate.
12. Contact
For any privacy-related question or to exercise your rights, please contact us at the address listed in Section 1.