Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

• •Email address
• •Password (stored securely hashed by our authentication provider)
• •Username and display name

2.2 Profile Information

You may voluntarily provide:

• •Profile biography
• •Profile photo/avatar
• •Favourite drink, music taste, and social preferences
• •Language and timezone preferences

2.3 Venue & Event Data

When you check in to a venue using an access code or QR scan:

• •Event and venue you checked in to
• •Check-in and check-out timestamps
• •Co-attendee information (other users at the same event)

2.4 Social & Communication Data

• •Chat messages (group and direct messages)
• •Friend connections and friend requests
• •Blocked user lists
• •Group memberships and roles

2.5 Activity Data

• •Poll votes and responses
• •Song requests submitted to DJs
• •DJ ratings and comments
• •Help/safety requests submitted to venue staff
• •Menu browsing activity (menu opens and item views, used in aggregated form for venue analytics)

2.6 Payment Data

If you subscribe to a paid plan (venue owners), payment processing is handled entirely by our payment provider, Lemon Squeezy. We store:

• •Subscription status and plan tier
• •Customer and subscription identifiers from Lemon Squeezy

We do not store credit card numbers or full payment details. These are held securely by Lemon Squeezy.

2.7 Technical Data

• •IP address (used for rate limiting and security)
• •Device type and operating system
• •App version

3. Legal Basis for Processing (GDPR Art. 6)

4. How We Use Your Data

• •To provide and maintain the Service (account management, messaging, venue check-in)
• •To enable social features (friends, groups, direct messages, discover)
• •To process subscriptions and payments
• •To send push notifications (with your consent)
• •To moderate content and ensure platform safety, including automated moderation of profile text, group names, and uploaded images, as well as a user reporting system and manual review for chat messages
• •To provide venue analytics and insights to venue operators
• •To prevent fraud, abuse, and security incidents
• •To respond to help requests and safety incidents at venues

5. Third-Party Data Processors

We share your personal data with the following third-party service providers who process data on our behalf:

All third-party processors are contractually required to handle your data in accordance with GDPR requirements and their respective terms of service include data processing provisions. Note that Lemon Squeezy, as Merchant of Record, acts as an independent data controller for payment and billing data — their processing of such data is governed by their own privacy policy.

6. International Data Transfers

Our primary infrastructure is hosted within the European Economic Area (EEA): Supabase in EU West (Ireland), Google Cloud Run in Belgium (europe-west1), and Upstash in Belgium (europe-west1). However, the following third-party processors transfer data outside the EEA:

All transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives an equivalent level of protection as within the EEA.

7. Data Retention

8. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

To exercise any of these rights, contact us at hello@supclub.vip. We will respond within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt, together with the reasons for the delay.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• •Encryption in transit (HTTPS/TLS) for all data transfers
• •Secure password hashing (never stored in plain text)
• •JWT-based authentication with token expiration
• •Rate limiting to prevent abuse
• •Content moderation for user-generated content
• •Webhook signature verification for payment processing

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority (ANSPDCP) within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (GDPR Article 34).

11. Automated Decision-Making

We use a combination of automated and manual tools for content moderation. Profile text, group names, and uploaded images are subject to automated moderation (image moderation is provided by our messaging infrastructure provider, GetStream). Chat messages are not automatically scanned; instead, users may report inappropriate messages through an in-app reporting system, and our team reviews reports manually.

Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. Where automated moderation results in content removal, you may request human review by contacting us at hello@supclub.vip.

12. Children's Privacy

Our Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have collected data from a minor, please contact us at hello@supclub.vip and we will promptly delete it.

13. Digital Services Act (DSA) Point of Contact

In accordance with Articles 11 and 12 of the EU Digital Services Act (Regulation 2022/2065), we designate the following single point of contact for communications with authorities and users regarding content moderation and legal matters:

14. Do Not Track Signals

Our Service does not use tracking or advertising cookies and does not track users across third-party websites. We respect browser Do Not Track (DNT) signals; however, because we do not engage in cross-site tracking, no change in behaviour occurs when a DNT signal is detected.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Service. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

16. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. Our supervisory authority is:

You may also lodge a complaint with the supervisory authority in the EU member state of your habitual residence or place of work.

17. Contact Us

For any questions or requests regarding this Privacy Policy or your personal data: