Privacy Policy

Last updated: March 24, 2026

1. What We Collect

We keep it minimal. Here's what we collect and why:

Account Information

When you create an account, we collect your email address and a hashed version of your password (we never store plain-text passwords). If you sign in with Google, we receive your name and email from Google's OAuth flow.

Poster Data

When you generate a poster, we store the creative inputs you provide (band name, venue, event details, style preferences) and the generated image. Posters appear in the public feed by default.

Payment Information

Band Pro subscriptions are processed through Stripe. We never see or store your credit card number. Stripe handles all payment data under their own privacy policy. We store your Stripe customer ID to manage your subscription and credits.

Usage Data

We log IP addresses for rate limiting and content policy enforcement. We also collect browser fingerprint data to prevent abuse. This data is used solely for security and is not shared with third parties.

Venue Addresses

If you provide a venue address when creating a poster, it is stored and displayed in the event details on the public feed. Venue addresses are optional and are never used for any purpose other than helping fans find the show.

2. How We Use Your Data

  • To generate and display your posters
  • To manage your account and subscription
  • To enforce our content policy and prevent abuse
  • To send show alerts if you subscribe to notifications (email only, and only for the areas you choose)
  • To improve the Service

We do not sell your data. We do not serve ads. We do not use your data for AI model training.

3. What We Share

We share data only with the services required to run BandAid Poster:

  • Stripe — payment processing
  • Google (Imagen) — AI image generation (your prompt text is sent to generate the poster; no personal data is included)
  • Neon — database hosting (your data is stored in Neon's PostgreSQL infrastructure)

We do not share your data with advertisers, data brokers, or anyone else.

4. Cookies

We use a single session cookie to keep you logged in. That's it. No tracking cookies, no analytics cookies, no third-party cookies. We use Vercel Analytics for basic, privacy-friendly page view metrics — it does not use cookies or track individual users. For full details, see our Cookie Policy.

5. Data Retention

Your account data and posters are retained as long as your account is active. If you delete your account, we will delete your personal data within 30 days. Generated posters that have been published to the public feed may remain visible but will be disassociated from your account.

Rate limiting and violation records are retained for 30 days, then automatically purged.

6. Your Rights

You can:

  • Request a copy of your data
  • Request deletion of your account and associated data
  • Update your email or password at any time
  • Cancel your subscription at any time through the Stripe billing portal

To exercise any of these rights, email us at jarviscarlsen@gmail.com.

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know — You can request the categories and specific pieces of personal information we have collected about you.
  • Right to Delete — You can request that we delete your personal information, subject to certain exceptions.
  • Right to Correct — You can request that we correct inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing — We do not sell or share your personal information with third parties for cross-context behavioral advertising. There is nothing to opt out of.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of these rights.

Categories of personal information we collect: identifiers (email address, IP address), commercial information (subscription and payment history via Stripe), internet activity (browser fingerprint for abuse prevention, aggregated page views), and account credentials (hashed password).

We do not sell personal information. We do not use sensitive personal information for purposes other than providing the Service. To submit a verifiable consumer request, email jarviscarlsen@gmail.com with the subject line "CCPA Request." We will respond within 45 days.

7. Security

Passwords are hashed with bcrypt. Sessions use signed, HTTP-only cookies. All traffic is served over HTTPS. Payment data is handled entirely by Stripe and never touches our servers.

8. Children

BandAid Poster is not intended for users under 13. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

9. Changes to This Policy

We may update this policy from time to time. We'll update the "Last updated" date at the top when we do. Continued use of the Service constitutes acceptance of the updated policy.

10. Contact

Questions about your privacy? Reach out at jarviscarlsen@gmail.com.