Privacy Policy

Dionysia ("we", "us", or "our") operates the Dionysia platform, a marketplace connecting artists and musicians with event organizers and venues. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our website and services. By using Dionysia, you agree to the collection and use of information in accordance with this policy.

We collect the following categories of information when you create an account, use our platform, or interact with our services:

Account Information

• Full name, display name, and email address
• Password (stored securely using bcrypt hashing)
• Phone number (optional)
• Preferred language and timezone
• Account role (artist, organizer, or both)

Profile Information

• Biography and description
• Profile avatar image
• Social media links (Instagram, Facebook, YouTube, Soundcloud)
• Musical genres and performance details
• Equipment details (sound and lighting)
• Location and allowed countries for performances
• Venue information (for organizers), including address and coordinates

Activity Data

• Bookings, bids, applications, and counter-offers
• Availability slots and calendar data
• Chat messages and conversations
• Ratings and reviews
• Notification preferences and email preferences
• Event details and participation history

Technical Data

• Session data (encrypted session cookies)
• Error logs and performance data (via Sentry)
• IP address (for rate limiting and security purposes)

• To create and manage your account on the platform
• To facilitate connections between artists and event organizers
• To process bookings, bids, and applications
• To enable real-time messaging between users
• To process payments and manage subscriptions via Stripe
• To send transactional emails (booking confirmations, notifications, magic links)
• To verify artist identities through social media platforms
• To provide analytics and insights to organizers about their events
• To monitor and improve the security and performance of our platform
• To enforce our terms of service and prevent abuse

We take your privacy seriously and are committed to transparency about how your data is handled:

• We do not sell, rent, or trade your personal data to any third parties.
• We do not share your Google user data with third parties for their own marketing, advertising, or any unrelated purposes.
• Google user data (name, email, profile picture) obtained through Google Sign-in is used solely for account authentication and creation on our platform.
• YouTube channel data obtained through Google OAuth is used to verify your identity as an artist. If you choose to display YouTube videos on your profile, we fetch your publicly available videos to showcase your work to event organizers. This data is not shared with any third parties beyond what is visible on your public Dionysia profile.
• We share your data only with the third-party service providers listed below, and only to the extent necessary to operate our platform.
• We may disclose your personal data if required to do so by law, regulation, or legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

We use the following third-party services to operate our platform. Each service has its own privacy policy governing how they handle your data:

Some of our third-party service providers (such as Stripe, Sentry, and UploadThing) are based in the United States. When your data is processed by these services, it may be transferred to and stored in countries outside the European Economic Area (EEA). We ensure that any such transfers are carried out in compliance with applicable data protection laws, including the use of Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

Dionysia uses a single essential session cookie to keep you logged in and maintain your session. This cookie is encrypted, HTTP-only, and uses the SameSite "Lax" attribute for security. We do not use advertising cookies, tracking cookies, or any third-party cookies for marketing purposes. The session cookie is strictly necessary for the functioning of our platform and does not require separate consent.

We take the security of your data seriously and implement the following measures to protect your information:

• Passwords are hashed using bcrypt with a high work factor
• Session data is encrypted using iron-session
• Secure, HTTP-only cookies with SameSite protection
• Rate limiting on authentication endpoints to prevent brute-force attacks
• Content Security Policy (CSP) headers to prevent cross-site scripting
• Stripe webhook signature verification for payment security
• OAuth state validation with time-limited tokens

Under the General Data Protection Regulation (GDPR) and applicable data protection laws, you have the following rights regarding your personal data:

• Right of access - request a copy of the personal data we hold about you
• Right to rectification - request correction of inaccurate personal data
• Right to erasure - request deletion of your personal data
• Right to restrict processing - request that we limit how we use your data
• Right to data portability - request your data in a machine-readable format
• Right to object - object to our processing of your personal data
• Right to withdraw consent - withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us using the details provided below. We will respond to your request within 30 days.

We retain your personal data for as long as your account is active or as needed to provide you with our services. If you delete your account, we will remove your personal data within 30 days, except where we are required to retain it for legal, tax, or regulatory purposes. Chat messages, booking records, and transaction data may be retained in anonymized form for analytics and dispute resolution purposes.

You have the right to delete your account at any time through your profile page. When you request account deletion:

• Your personal information (name, email, phone number, bio, profile photo) is permanently anonymized
• Your artist or company profile details (location, business registration) are removed
• Pending bids and applications are automatically rejected
• Future unperformed event bookings are released
• Your OAuth connections and social verifications are permanently deleted
• Historical records (past bookings, performances, ratings, and reviews) are retained in anonymized form as "Deleted User" to maintain platform data integrity
• Non-personal data such as music genres, equipment preferences, and performance statistics are retained for historical context

To delete your account, navigate to your Profile page and scroll to the Danger Zone section at the bottom. You will be asked to confirm by entering your email address. If you have an active subscription, you must cancel it before deletion. If you have upcoming confirmed performances, they must be completed or cancelled first.

Account deletion is immediate and permanent. Once deleted, your account cannot be recovered. If you need assistance, please contact us at privacy@dionysia.live.

Dionysia is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us and we will take steps to remove that information.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify registered users of significant changes via email or through a notice on our platform. We encourage you to review this policy periodically. Your continued use of Dionysia after any changes constitutes acceptance of the updated policy.

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at privacy@dionysia.live.