Skip to content
Legal

Privacy Policy

How we collect, use, and protect your data.

Last updated: April 21, 2026

1. Introduction

PadVox ("we," "our," or "us") is operated by Carlos Garcia. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the PadVox mobile application (iOS) and web platform at app.padvox.com (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account information: name, email address, and profile photo when you sign up via email or Apple Sign In.
  • Project data: project profiles, event details, setlists, stage plots, riders, checklists, contracts, tour information, and financial records you create within the Service.
  • Media: photos, audio files, and documents you upload to the Service.
  • Payment information: when you subscribe to a paid plan, payment is processed by Stripe. We do not store your credit card details. Stripe handles all payment data securely under their own privacy policy.

2.2 Information Collected Automatically

  • Firebase Analytics: we use Google Firebase Analytics to collect anonymized usage data such as app opens, feature usage, and crash reports. This helps us improve the Service.
  • Device information: device type, operating system version, and app version for compatibility and debugging purposes.
  • Push notification tokens: if you enable notifications, we store your device token to deliver event reminders and updates.

2.3 Information operators may provide about their musicians

When an operator (project owner, manager, or similar) uses PadVox to manage a roster of musicians, they may upload the following data about each member:

  • Legal identity documents: passport, DNI, or national ID card data (including document numbers, expiry dates, nationality, and uploaded file scans), used for hotel police registration (carta policial) and border / travel compliance.
  • Home address and date of birth: used for legally required registrations (hotel check-in, tax forms, contracts).
  • Private operator notes: journal-style observations the operator writes about each musician (e.g., reliability comments). These notes are visible only to the operator and are not shown to the musician.
  • Availability periods with optional reasons: musicians and operators can mark unavailable dates. When an operator records a medical leave, the reason field may contain health-related information.
  • Fee / rate information: base per-event fees and rate data associated with each member. Private to the operator.
  • Check-in timestamps: when a musician confirms arrival at a venue, a timestamp is recorded for optional presence tracking.
  • Profiling metrics (reliability statistics): aggregated counts computed from lineup history: total assignments, confirmation rate, last-minute declines, and attendance rate.

Musicians added as project members may review all data held about them via our data export endpoint (see Section 8). Where availability reasons or operator notes contain health indications or other special categories of personal data, such data is processed under Article 9(2)(b) GDPR (processing necessary for carrying out obligations in the field of employment, social security, and social protection law), or under equivalent contractual basis, and is retained only for as long as operationally needed.

3. Our Role: Data Controller vs Processor

PadVox plays two different legal roles depending on how you use the Service:

  • PadVox as Data Controller: when you sign up for PadVox with your own email and create your own projects, PadVox is the Data Controller for your personal account data (name, email, login credentials, billing data).
  • PadVox as Data Processor: when an operator adds you as a member to their project and uploads data about you, that operator is the Data Controller and PadVox acts as the Data Processor on their behalf. Requests to access, correct, or delete operator-uploaded data should be directed to the operator first. PadVox can facilitate these requests but the operator decides and remains accountable.

Operators who use PadVox in a professional capacity are required to sign a Data Processing Agreement (DPA). Our standard DPA is available at /dpa.

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Manage your account and process subscriptions.
  • Send event reminders, checklist notifications, and tour day sheets.
  • Enable collaboration between project members.
  • Generate tickets, passes, and documents (riders, contracts, stage plots).
  • Analyze usage patterns to improve features and fix bugs.
  • Respond to support requests.
  • Automated profiling for reliability indicators: confirm rate, attendance rate, and last-minute declines are computed by scheduled Cloud Functions from lineup history. You have the right under GDPR Article 22 to object to profiling. Contact privacy@padvox.com.
  • Email notifications: we send transactional emails to musicians when lineups are published and weekly digests of upcoming assignments, delivered through our email subprocessor (see Third-Party Services).

5. Data Sharing and Disclosure

We do not sell your personal information. We may share data with:

  • Service providers: Firebase (hosting, database, authentication, analytics), Stripe (payment processing), and cloud infrastructure providers that help us operate the Service.
  • Your project members: when you join or create a project, other members can see shared project data such as events, setlists, and stage plots.
  • Event attendees: if you publish public events with ticketing, limited event details (name, date, venue) are publicly visible.
  • Legal requirements: we may disclose information if required by law, legal process, or to protect the rights and safety of PadVox and its users.

6. Data Storage and Security

Your data is stored securely using Google Firebase (Cloud Firestore and Cloud Storage), hosted in the United States. We implement industry-standard security measures including encryption in transit (TLS) and at rest, role-based access control, and Firestore security rules to protect your data.

International transfers: PadVox data is stored in Google Cloud infrastructure in the United States. Transfers of personal data from the European Economic Area (EEA) to the United States are made under Google's Standard Contractual Clauses (SCCs) as approved by the European Commission. A copy of the SCCs is available from Google Cloud's legal documentation.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., financial records for tax compliance).

Project data shared with other members (events, setlists, etc.) may persist in those projects even after your account is deleted, as it is shared collaborative content.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access, correct, or delete your personal data.
  • Export your data in a portable format.
  • Withdraw consent for data processing.
  • Object to or restrict certain processing activities.
  • Lodge a complaint with a data protection authority.
  • Object to automated decision-making, including profiling (GDPR Article 22).

To exercise these rights, contact us at privacy@padvox.com.

9. Children's Privacy

The Service is not intended for children below the applicable minimum age in their jurisdiction. In the United States, we do not knowingly collect personal information from children under 13 years of age (COPPA). In the European Union, the default minimum age is 16 years, unless a member state has lowered it by law. For example, Spain sets the minimum age at 14. If we become aware that we have collected data from a child below the applicable age without verifiable parental consent, we will take steps to delete it promptly.

10. Third-Party Services

The Service integrates with the following third-party services:

  • Google Firebase / Google Cloud: authentication, database, storage, analytics, push notifications, scheduled Cloud Functions (weekly digests, reliability computation), and Firebase Mail Extension. Firebase Privacy Policy
  • Stripe: payment processing for subscriptions and ticket sales. Stripe Privacy Policy
  • Apple Sign In: optional authentication method. Apple Privacy Policy
  • SendGrid (Twilio): transactional email delivery via the Firebase Mail Extension (assignment emails, weekly digests). SendGrid / Twilio Privacy Policy

See the full list of subprocessors at /subprocessors.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us at:

Carlos Garcia
Operating as PadVox
Email: privacy@padvox.com
Website: www.padvox.com

This document is provided for informational purposes. For legally binding advice consult a qualified attorney in your jurisdiction.