Privacy Policy
How we collect, use, and protect your data
Last Updated: December 17, 2025 β’ Effective: December 17, 2025
Privacy in Plain English
- βWe collect minimal data - only what's needed for the service to work
- βWe never sell your data to third parties
- βAnalytics help us validate the product (PostHog, EU-hosted). You can disable them in Cookie settings.
- βYou can request your data or delete your account anytime
- βDesigned for GDPR and EU data protection standards
Who Controls Your Data
Data We Collect
Account Information (If You Subscribe)
- β’ Email address (for account access and communication)
- β’ Sign-in via one-time email links (no password stored by FestivalAtlas)
- β’ Subscription status and payment history (via Paddle)
- β’ Account preferences (saved festivals, calendar exports)
Legal Basis: Contract performance (you need an account to access paid features)
Usage Analytics
Analytics help us validate and improve FestivalAtlas. They are enabled by default during validation, and you can turn them off in Cookie settings.
- β’ Pages visited and features used
- β’ Search queries (festival searches, countries browsed)
- β’ Device type and browser (for compatibility)
- β’ Approximate location (country-level, not precise GPS)
- β’ How you found us (referral source)
Legal Basis: Legitimate interest (product improvement; optβout available)
Tool: PostHog (EU-hosted, privacy-focused analytics)
Payment Information
We do not store your credit card details. All payments are processed securely by Paddle.
- β’ Paddle receives: Payment method details, billing address, payment amount
- β’ We receive: Payment confirmation, subscription/transaction identifiers, and status
Legal Basis: Contract performance (processing your subscription)
Payment Processor: Paddle (PCI DSS compliant)
Communications
- β’ Email correspondence (when you contact us)
- β’ Transactional emails (sign-in links, subscription confirmations, important account updates)
- β’ Optional newsletter (you can opt out anytime)
Legal Basis: Contract performance + Consent (for newsletter)
How We Use Your Data
Provide Service
Track your access to full festival details (Explorer allowance and focus country), enable unlimited access for subscribers, save your preferences
Process Payments
Handle subscriptions, renewals, and refunds via Paddle
Improve Platform
Understand which features are useful, fix bugs, optimize performance
Communicate
Respond to inquiries, send account updates, share major product news (opt-in)
Prevent Abuse
Detect and prevent fraud, spam, or misuse of our systems
Who We Share Data With
We never sell your data. We only share it with trusted service providers necessary to operate FestivalAtlas:
Paddle (Payment Processing)
Handles all subscription payments. See Paddle Privacy Policy
PostHog (Privacy-Focused Analytics)
EU-hosted analytics to understand usage patterns. See PostHog Privacy Policy
Hosting Infrastructure
Our hosting providers (Vercel, Supabase) have access to database backups and application logs. All GDPR-compliant.
Affiliate Partners (Booking.com, Airalo, Skyscanner)
If you click our affiliate links, those services may receive anonymous referral data (no personal info from us). Their privacy policies apply on their sites.
Legal Disclosure Exception
We may disclose data if required by law (court orders, legal investigations) or to protect our rights and safety.
Your Rights (GDPR)
Under GDPR and EU data protection law, you have the following rights:
Right to Access
Request a copy of all data we hold about you
Right to Rectification
Correct inaccurate or incomplete data
Right to Erasure ("Right to be Forgotten")
Request deletion of your account and all associated data
Right to Restrict Processing
Limit how we use your data while disputing accuracy or legality
Right to Data Portability
Receive your data in a machine-readable format to transfer elsewhere
Right to Object
Object to processing based on legitimate interests (e.g., analytics)
Right to Withdraw Consent
Opt out of newsletter, analytics, or other consent-based processing
How to Exercise Your Rights
You can export your data or request account deletion anytime from your account settings. You can also email contact@festivalatlas.io and weβll respond within 30 days as required by GDPR.
If unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (Germany: BfDI).
How Long We Keep Your Data
Active Accounts
As long as your account is active or your subscription is valid
Deleted Accounts
When you delete your account, we remove your personal data from our databases. Some transaction records may be retained by our payment processor (Paddle) to meet tax and legal obligations.
Analytics Data
You can disable analytics at any time in Cookie settings. Analytics event data is stored in PostHog and retained according to its configured retention settings.
How We Protect Your Data
- β’ Encryption: All data transmitted over HTTPS (TLS 1.3)
- β’ Authentication: One-time sign-in links (no password stored by FestivalAtlas)
- β’ Database Security: Encrypted at rest, access-controlled
- β’ Payment Security: Paddle PCI DSS compliance (we never see card numbers)
- β’ Access Controls: Minimal team access, two-factor authentication enforced
- β’ Regular Audits: Security reviews and dependency updates
No system is 100% secure. If we experience a data breach, we'll notify affected users within 72 hours as required by GDPR.
Children's Privacy
FestivalAtlas is not intended for users under 16. We do not knowingly collect data from children. If you're a parent and believe your child provided us with data, contact us and we'll delete it immediately.
Changes to This Policy
We may update this policy as FestivalAtlas evolves. We'll notify you of significant changes via:
- β’ Email (if you have an account)
- β’ Banner on our website
- β’ Update date at the top of this page
Continued use of FestivalAtlas after changes means you accept the updated policy.
Questions About Privacy?
We're committed to transparency. If you have questions about how we handle your data: