Privacy Policy

Last updated: March 18, 2026

Introduction

Dionysia ("we", "us", or "our") operates the Dionysia platform, a marketplace connecting artists and musicians with event organizers and venues. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our website and services. By using Dionysia, you agree to the collection and use of information in accordance with this policy.

Data We Collect

We collect the following categories of information when you create an account, use our platform, or interact with our services:

Account Information

  • Full name, display name, and email address
  • Password (stored securely using bcrypt hashing)
  • Phone number (optional)
  • Preferred language and timezone
  • Account role (artist, organizer, or both)

Profile Information

  • Biography and description
  • Profile avatar image
  • Social media links (Instagram, Facebook, YouTube, Soundcloud)
  • Musical genres and performance details
  • Equipment details (sound and lighting)
  • Location and allowed countries for performances
  • Venue information (for organizers), including address and coordinates

Activity Data

  • Bookings, bids, applications, and counter-offers
  • Availability slots and calendar data
  • Chat messages and conversations
  • Ratings and reviews
  • Notification preferences and email preferences
  • Event details and participation history

Technical Data

  • Session data (encrypted session cookies)
  • Error logs and performance data (via Sentry)
  • IP address (for rate limiting and security purposes)

How We Use Your Data

  • To create and manage your account on the platform
  • To facilitate connections between artists and event organizers
  • To process bookings, bids, and applications
  • To enable real-time messaging between users
  • To process payments and manage subscriptions via Stripe
  • To send transactional emails (booking confirmations, notifications, magic links)
  • To verify artist identities through social media platforms
  • To provide analytics and insights to organizers about their events
  • To monitor and improve the security and performance of our platform
  • To enforce our terms of service and prevent abuse

Third-Party Services

We use the following third-party services to operate our platform. Each service has its own privacy policy governing how it handles your data:

Stripe

Payment processing for organizer subscriptions. Stripe handles all payment card data directly — we do not store your card details. We store only your Stripe customer ID and subscription status.

Google OAuth

Optional sign-in method. When you sign in with Google, we receive your name and email address from your Google account.

Spotify

Optional sign-in and artist verification. We may access your Spotify profile information and top tracks to verify your artist identity and display your music.

YouTube

Artist verification. We access public channel information to verify your identity as an artist.

Sentry

Error tracking and performance monitoring. Sentry collects technical error data to help us identify and fix issues on the platform.

UploadThing

File storage service for profile images. Your uploaded avatar images are stored securely on UploadThing's servers.

OpenStreetMap & CartoDB

Map display services for venue locations. These services may collect anonymized usage data when maps are displayed.

Cookies

Dionysia uses a single essential session cookie to keep you logged in and maintain your session. This cookie is encrypted, HTTP-only, and uses the SameSite "Lax" attribute for security. We do not use advertising cookies, tracking cookies, or any third-party cookies for marketing purposes. The session cookie is strictly necessary for the functioning of our platform and does not require separate consent.

Data Security

We take the security of your data seriously and implement the following measures to protect your information:

  • Passwords are hashed using bcrypt with a high work factor
  • Session data is encrypted using iron-session
  • Secure, HTTP-only cookies with SameSite protection
  • Rate limiting on authentication endpoints to prevent brute-force attacks
  • Content Security Policy (CSP) headers to prevent cross-site scripting
  • Stripe webhook signature verification for payment security
  • OAuth state validation with time-limited tokens

Your Rights

Under the General Data Protection Regulation (GDPR) and applicable data protection laws, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate personal data
  • Right to erasure — request deletion of your personal data
  • Right to restrict processing — request that we limit how we use your data
  • Right to data portability — request your data in a machine-readable format
  • Right to object — object to our processing of your personal data
  • Right to withdraw consent — withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us using the details provided below. We will respond to your request within 30 days.

Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with our services. If you delete your account, we will remove your personal data within 30 days, except where we are required to retain it for legal, tax, or regulatory purposes. Chat messages, booking records, and transaction data may be retained in anonymized form for analytics and dispute resolution purposes.

Account Deletion & Data Erasure

You have the right to delete your account at any time through your profile page. When you request account deletion:

  • Your personal information (name, email, phone number, bio, profile photo) is permanently anonymized
  • Your artist or company profile details (location, business registration) are removed
  • Pending bids and applications are automatically rejected
  • Future unperformed event bookings are released
  • Your OAuth connections and social verifications are permanently deleted
  • Historical records (past bookings, performances, ratings, and reviews) are retained in anonymized form as "Deleted User" to maintain platform data integrity
  • Non-personal data such as music genres, equipment preferences, and performance statistics are retained for historical context

To delete your account, navigate to your Profile page and scroll to the Danger Zone section at the bottom. You will be asked to confirm by entering your email address. If you have an active subscription, you must cancel it before deletion. If you have upcoming confirmed performances, they must be completed or cancelled first.

Account deletion is immediate and permanent. Once deleted, your account cannot be recovered. If you need assistance, please contact us at privacy@dionysia.live.

Children's Privacy

Dionysia is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us and we will take steps to remove that information.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify registered users of significant changes via email or through a notice on our platform. We encourage you to review this policy periodically. Your continued use of Dionysia after any changes constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at privacy@dionysia.live.