Privacy Policy
1. Introduction
This Privacy Policy explains how Spring Street Entertainment LLC, doing business as THECLUBISDEAD ("we," "us," "our," or the "Platform"), collects, uses, shares, and protects personal information when you use our services.
We operate two platforms:
- Mobile Application ("App"): For customers to discover events and purchase tickets
- Web Platform ("Website"): For event organizers to create and manage events
This Policy applies to all users of our services, regardless of how you access them. By using our services, you acknowledge that you have read and understood this Privacy Policy.
2. Who We Are
Spring Street Entertainment LLC doing business as THECLUBISDEAD
Registered Address: 30 N Gould Street, Suite #51994 Sheridan, Wyoming 82801 United States
Privacy Inquiries: privacy@theclubisdead.com
Our Role Under Data Protection Laws
We operate as a disclosed agent in the ticketing marketplace:
-
For Platform Operations: We are the data controller responsible for account management, platform functionality, payment processing infrastructure, and customer support.
-
For Event Organizer Customer Data: We act as a data processor on behalf of event organizers, who are the data controllers for their customers' ticket purchase data. When you purchase tickets, the event organizer is the merchant of record and determines how your data is used for their event-related purposes.
For Users in the European Union and United Kingdom
We are a US-based company. For privacy inquiries from EU/UK residents, please contact us at privacy@theclubisdead.com. We will respond to all requests within the timeframes required by applicable law.
3. Information We Collect
3.1 Information from Mobile App Users (Customers)
| Data Category | Examples | Purpose |
|---|---|---|
| Account Information | Email address | Account creation, authentication (OTP), transactional communications |
| Profile Information | Name (optional) | Ticket personalization, customer service |
| Payment Information | Card details, billing address | Processing ticket purchases (handled by Stripe) |
| Transaction Data | Purchase history, ticket details, refund records | Order management, customer support, legal/tax compliance |
| Preferences | Liked events, city selection | Personalization, event discovery |
| Device Information | Device identifiers, operating system, app version | App functionality, security, fraud prevention |
| Technical Data | IP address, access timestamps | Security, fraud prevention, platform analytics |
3.2 Information from Web Platform Users (Event Organizers)
| Data Category | Examples | Purpose |
|---|---|---|
| Account Information | Email address, password (hashed) | Account creation, authentication |
| Business Information | Business name, business type (company/individual), legal name | Platform display, invoice generation, legal compliance |
| Contact Information | Contact email, business address | Customer communications, legal compliance |
| Financial Information | Bank account details (via Stripe Connect), VAT/Tax ID number | Payment processing, payouts, invoice generation, tax compliance |
| Content | Logo, event flyers, videos, audio files, event descriptions | Event promotion, platform display |
| Social Media | Instagram handle, TikTok handle | Public profile display, marketing |
| Transaction Data | Ticket sales, payout history, invoice records | Financial management, reporting, legal compliance |
3.3 Information We Do NOT Collect
- Precise Device Location: We do not access your device's GPS or location services. The App uses a city selector where you manually choose your location.
- Biometric Data: We do not collect fingerprints, facial recognition data, or other biometric identifiers.
- Special Category Data: We do not intentionally collect data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, health data, or sexual orientation.
3.4 How We Collect Information
- Directly from you: When you create an account, make a purchase, submit an event, or contact us
- Automatically: Through cookies, server logs, and similar technologies when you use our services
- From third parties: Payment processors (Stripe) may provide transaction confirmations and fraud signals
4. How We Use Your Information
4.1 Purposes and Legal Bases
We process personal data based on the following legal grounds:
| Purpose | Legal Basis (GDPR) | Details |
|---|---|---|
| Account Management | Contract Performance | Creating and maintaining your account, authenticating your identity |
| Processing Transactions | Contract Performance | Processing ticket purchases, issuing refunds, generating invoices |
| Event Discovery | Contract Performance / Legitimate Interest | Displaying events based on your selected city, showing liked events |
| Customer Support | Contract Performance | Responding to inquiries, resolving disputes |
| Platform Communications | Contract Performance | Sending purchase confirmations, ticket delivery, refund notifications, account alerts |
| Marketing Communications | Consent | Sending promotional emails about events and platform features (only with your opt-in consent) |
| Security & Fraud Prevention | Legitimate Interest | Detecting and preventing fraudulent transactions, protecting accounts |
| Legal Compliance | Legal Obligation | Maintaining financial records, responding to legal requests, tax reporting |
| Platform Improvement | Legitimate Interest | Analyzing usage patterns (via cookieless analytics), fixing bugs, improving features |
| Organizer Payouts | Contract Performance | Calculating commissions, processing payments to event organizers |
4.2 Automated Decision-Making
We use automated systems in limited circumstances:
- Fraud Prevention: Stripe's automated systems may block suspicious transactions to protect you and organizers from fraud. If a transaction is blocked, you can contact us to resolve the issue.
- Account Moderation: Organizer accounts may be flagged or suspended automatically based on excessive event cancellations or customer complaints. Affected organizers can appeal these decisions by contacting us.
You have the right to request human review of any automated decision that significantly affects you.
5. Who We Share Your Information With
5.1 Service Providers
We share personal data with third-party service providers who help us operate the Platform:
| Provider | Data Shared | Purpose | Location |
|---|---|---|---|
| Supabase | All user data | Database hosting, authentication | United States (US East) |
| Stripe | Payment data, identity verification (organizers) | Payment processing, fraud prevention | United States |
| Resend | Email addresses, names | Transactional email delivery | United States |
| Cloudflare | IP addresses, technical data | Website hosting, security, analytics | Global |
| MapBox | Location queries (web only) | Map display for events | United States |
| Apple Maps / Google Maps | Event coordinates (app only) | Map display for events | United States |
| Apple App Store / Google Play | App usage data, crash reports | App distribution | United States |
All service providers are contractually bound to protect your data and may only use it for the specific purposes we instruct.
5.2 Event Organizers
When you purchase tickets, the following information is shared with the event organizer:
- Your name and email address (for attendee lists and event communications)
- Your billing address (on invoices only, not displayed in the dashboard)
- Purchase details (ticket type, quantity, purchase date)
Event organizers are independent data controllers for this information and may use it to:
- Communicate with you about the event
- Verify your identity at entry
- Send event-related updates
Organizers must comply with applicable data protection laws. We are not responsible for how organizers use your data beyond our Platform.
5.3 Legal Requirements
We may disclose your information when required by law or when we believe disclosure is necessary to:
- Comply with legal obligations, court orders, or government requests
- Protect the rights, property, or safety of our company, users, or the public
- Detect, prevent, or address fraud, security, or technical issues
- Enforce our Terms of Service
5.4 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and your choices regarding your data.
5.5 No Sale of Personal Information
We do not sell your personal information. We do not share your personal information with third parties for their direct marketing purposes. We do not engage in cross-context behavioral advertising.
6. International Data Transfers
Our servers and service providers are primarily located in the United States. If you are located outside the United States (including in the European Union or United Kingdom), your personal data will be transferred to and processed in the United States.
Safeguards for International Transfers
We ensure appropriate safeguards are in place for international data transfers:
- Standard Contractual Clauses (SCCs): Our key service providers (Supabase, Stripe, Resend) have implemented EU Standard Contractual Clauses in their data processing agreements
- Adequacy Decisions: We monitor relevant adequacy decisions between jurisdictions
- Contractual Protections: All service providers are contractually bound to protect your data
By using our services, you acknowledge that your data will be transferred to and processed in the United States, which may have different data protection standards than your country of residence.
7. Data Retention
We retain your personal data only as long as necessary for the purposes described in this Policy, unless a longer retention period is required by law.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | Duration of account + 30 days | Account functionality, recovery period |
| Transaction Records | 7 years after transaction | Financial regulations, tax compliance, legal requirements |
| Invoice Records | 7 years after issuance | Tax compliance, legal requirements |
| Marketing Preferences | Until consent withdrawn | Respect your communication choices |
| Server Logs | 90 days | Security monitoring, troubleshooting |
| Deleted Account Data | 30 days (soft delete), then permanent deletion | Recovery period, then removal |
Exception for Financial Records: When you delete your account, we retain transaction and invoice records as required by financial regulations and tax law. This data is retained in anonymized or pseudonymized form where possible.
Automated Data Deletion
We operate automated processes to delete data that has exceeded its retention period. This ensures compliance with data minimization principles.
8. Your Rights
8.1 Rights for All Users
Regardless of where you are located, you may:
- Access your personal data
- Correct inaccurate information
- Delete your account (subject to legal retention requirements)
- Withdraw consent for marketing communications at any time
- Contact us with privacy questions or concerns
8.2 Additional Rights for UK and EU Residents (GDPR)
If you are located in the United Kingdom or European Union, you have the following rights under the UK GDPR and EU GDPR:
| Right | Description |
|---|---|
| Right of Access | Obtain confirmation of whether we process your data and receive a copy |
| Right to Rectification | Correct inaccurate or incomplete personal data |
| Right to Erasure | Request deletion of your personal data ("right to be forgotten") |
| Right to Restriction | Request that we limit how we use your data |
| Right to Data Portability | Receive your data in a structured, machine-readable format |
| Right to Object | Object to processing based on legitimate interests, including direct marketing |
| Rights Related to Automated Decisions | Not be subject to decisions based solely on automated processing that significantly affect you |
| Right to Withdraw Consent | Withdraw consent at any time (where processing is based on consent) |
| Right to Lodge a Complaint | File a complaint with your local supervisory authority |
UK Residents: You may contact the Information Commissioner's Office (ICO) at ico.org.uk
EU Residents: You may contact your local Data Protection Authority
8.3 Additional Rights for US Residents
California Residents (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
| Right | Description |
|---|---|
| Right to Know | Request disclosure of the categories and specific pieces of personal information we collect |
| Right to Delete | Request deletion of your personal information |
| Right to Correct | Request correction of inaccurate personal information |
| Right to Opt-Out of Sale/Sharing | Opt out of the sale or sharing of personal information (we do not sell your data) |
| Right to Non-Discrimination | Not receive discriminatory treatment for exercising your rights |
| Right to Limit Use of Sensitive Information | Limit how we use sensitive personal information (we do not use sensitive data for secondary purposes) |
Categories of Personal Information Collected (past 12 months):
- Identifiers (name, email, IP address)
- Commercial information (purchase history)
- Financial information (payment details via Stripe)
- Internet activity (app usage, preferences)
- Geolocation data (city selection only, not precise location)
We do NOT sell personal information. We do NOT share personal information for cross-context behavioral advertising.
Other US State Privacy Laws
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights to access, correct, delete, and opt-out. We honor these rights for all US residents.
8.4 Exercising Your Rights
To exercise any of these rights, contact us at:
Email: privacy@theclubisdead.com
What to Include:
- Your full name and email address associated with your account
- Which right(s) you wish to exercise
- Any details that help us locate your data
Response Times:
- UK/EU (GDPR): Within 30 days
- California (CCPA): Within 45 days
- Other requests: Within 30 days
We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests.
9. Cookies and Tracking Technologies
9.1 Web Platform
We use minimal cookies on our website:
| Cookie Type | Purpose | Consent Required? |
|---|---|---|
| Authentication Cookies | Keep you logged in, maintain session state | No (strictly necessary) |
| Security Cookies | Protect against cross-site request forgery | No (strictly necessary) |
Analytics: We use Cloudflare Web Analytics, which is privacy-focused and does not use cookies. It does not track individual users across sites or collect personal data.
9.2 Mobile App
The mobile app does not use browser cookies. We use standard mobile technologies:
- Local Storage: To maintain your session and preferences
- Device Identifiers: For app functionality and security (not for advertising)
9.3 No Third-Party Tracking
We do not use:
- Advertising cookies or pixels
- Third-party tracking scripts
- Email tracking pixels in marketing emails
- Cross-site tracking technologies
10. Children's Privacy
Our services are intended for users who are 16 years of age or older. We do not knowingly collect personal information from children under 16.
Age Verification: When creating an account, users must confirm they are at least 16 years old.
If we discover that we have collected personal information from a child under 16, we will delete that information promptly. If you believe we have collected data from a child under 16, please contact us at privacy@theclubisdead.com.
11. Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
Security Measures
- Encryption in Transit: All data transmitted to and from our services uses TLS (Transport Layer Security) encryption
- Encryption at Rest: Database contents are encrypted using industry-standard encryption
- Access Controls: Role-based access controls and Row Level Security (RLS) policies limit data access
- Authentication Security: Passwords are hashed using secure algorithms; organizers authenticate via email/password; customers authenticate via secure one-time passwords (OTP)
- Payment Security: All payment data is handled by Stripe, a PCI DSS Level 1 certified payment processor
- Regular Monitoring: We monitor our systems for security threats and vulnerabilities
Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authorities within 72 hours (where required by law)
- Notify affected individuals without undue delay if the breach poses a high risk
- Document all breaches and remediation steps taken
12. Marketing Communications
Your Choices
We only send marketing communications with your consent. You can:
- Opt-in during account creation or in your account settings
- Opt-out at any time by:
- Clicking the "Unsubscribe" link in any marketing email
- Updating your preferences in your account settings
- Contacting us at privacy@theclubisdead.com
Types of Communications
| Type | Consent Required? | How to Opt-Out |
|---|---|---|
| Transactional Emails (purchase confirmations, refund notifications, account alerts) | No | Cannot opt-out (necessary for service) |
| Marketing Emails (event recommendations, platform updates, promotional offers) | Yes | Unsubscribe link or account settings |
We honor opt-out requests within 10 business days.
Event Organizer Communications
Event organizers may contact you directly about events you've purchased tickets for. These communications are the responsibility of the organizer, not the Platform. Contact the organizer directly to manage those preferences.
13. Do Not Sell or Share My Personal Information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
Although we do not engage in these practices, we provide this disclosure for transparency and to comply with California law (CCPA/CPRA).
If you wish to exercise your right to opt-out of any future sale or sharing (should our practices change), you may:
- Email us at privacy@theclubisdead.com with the subject line "Do Not Sell or Share"
- Use a browser-based Global Privacy Control (GPC) signal, which we will honor
14. Third-Party Links
Our services may contain links to third-party websites, services, or applications (such as event organizer websites, social media pages, or payment processors). This Privacy Policy does not apply to those third-party services.
We encourage you to review the privacy policies of any third-party services before providing your personal information.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.
How We Notify You:
- Material Changes: We will notify you by email and/or prominent notice on our Platform before changes take effect
- Minor Changes: Updated policy will be posted with a new "Last Updated" date
We encourage you to review this Policy periodically. Your continued use of our services after changes take effect constitutes acceptance of the updated Policy.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: privacy@theclubisdead.com
Mail: Spring Street Entertainment LLC Attn: Privacy 30 N Gould Street, Suite #51994 Sheridan, Wyoming 82801 United States
We aim to respond to all inquiries within 30 days.
17. Additional Disclosures
For Event Organizers
As an event organizer using our Platform:
- You are a data controller for your customers' personal data related to ticket purchases for your events
- You must comply with applicable data protection laws when using customer data
- You must not use customer data for purposes unrelated to your events without obtaining separate consent
- You are responsible for responding to data subject requests related to your events
We act as your data processor for customer data and process it according to your instructions and our Data Processing Agreement (included in the Organizer Terms of Service).
Disclosure of Stripe Services
Payment processing services for ticket purchases are provided by Stripe and are subject to the Stripe Privacy Policy. By making a purchase, you agree to Stripe's collection and use of your payment information.
For event organizers, payout services are provided by Stripe Connect and are subject to the Stripe Connected Account Agreement.
Spring Street Entertainment LLC Doing business as THECLUBISDEAD