gigMarket

Privacy Policy

Last updated: May 5, 2026

This Privacy Notice describes how gigMarket LLC ("we," "us," or "our") collects, uses, shares, and protects your personal information when you:

We are responsible for decisions about how your personal information is processed. If you do not agree with any part of this notice, please do not use the Services. Questions: admin@gigmarket.io.

Summary of key points

This summary highlights the main points; full detail is in the sections below.

What we collect: information you provide when you create an account or use the Services (name, contact details, password, profile and music preferences, availability, event records, invoices), and a limited amount of information collected automatically (device, IP, usage logs, location with your permission). If you connect Google Calendar, we read calendar metadata to power availability and event invitations.

Sensitive information we collect for specific purposes: if you're an Artist receiving payment through Hiring Parties or agencies, US tax law requires us to collect your Social Security Number (or EIN if you're incorporated), date of birth, and tax-form address as part of completing IRS Form W-9. Optionally, you may also fill out a demographic survey (race, ethnicity, pronouns) to help inform diversity-aware booking and reporting. See **Sensitive information** below for the full list and how we protect it.

What we do NOT collect: we don't profile users for advertising, we don't sell or share personal data to advertisers, and we don't use your data to train third-party AI models. We don't collect biometric identifiers (fingerprints, faceprints, voiceprints) or government IDs other than the SSN/EIN required for tax reporting.

How we use it: to operate the Services, match artists with hiring parties, deliver event invitations and push notifications, process invoicing and payout records, communicate with you, prevent fraud, and comply with law.

Who we share with: a small set of named sub-processors (listed below) that help us deliver the Services — email providers, push-notification infrastructure, our self-hosted invoicing system, and our cloud infrastructure. We do not sell your personal information.

How long we keep it: as long as your account is active, plus a limited tail for legal and audit reasons. You may request deletion at any time.

Your rights: depending on where you live, you may have rights to access, correct, delete, port, or limit the use of your personal information. Contact admin@gigmarket.io to exercise them.

What information do we collect?

Information you provide directly

When you create or maintain an account, or use the Services, you may provide us with:

  • name (legal name and stage / professional name)
  • email address and password
  • phone number (optional)
  • mailing or billing address
  • profile photo
  • short profile bio
  • primary market and any additional markets where you perform
  • music preferences and self-rated genre strengths used to compute the Music DNA radar
  • equipment preferences (e.g., DJ controller / format)
  • availability (calendar nights and time ranges, per market)
  • event details you create or accept (date, time, venue, payout, notes)
  • invoice and payout records you submit, accept, reject, or pay through the Services
  • date of birth (for age verification and tax reporting)
  • pronouns (optional, for accurate display in profile and communications)
  • demographic survey responses (optional — race and ethnicity self-identification used for diversity-aware booking analytics; you may leave this blank)
  • US tax identification information when paid gigs are involved: Social Security Number (SSN) for individuals or Employer Identification Number (EIN) for incorporated entities, plus your tax-form name and address. Collected on IRS Form W-9, which is signed and stored as a completed PDF.
  • payment routing details (payment method, payment email, payment phone) used to direct payouts from Hiring Parties to you
  • communications you send to support, including their contents

Information collected automatically

  • IP address, device type, operating system, browser type, language, and approximate location (derived from IP)
  • log and usage data: pages viewed, features used, timestamps, errors and crash diagnostics
  • cookies and similar local-storage tokens used to keep you signed in and preserve preferences

We do not use online advertising trackers and we do not retarget visitors with ads.

Information from integrations

If you connect Google Calendar, we read event titles, descriptions, invitee email addresses, locations, and other calendar metadata for the calendars you authorize. We use this only to power your availability and event-invitation features. See the **Google API services disclosure** below for the full set of commitments.

If you sign up for our marketing waitlist on https://gigmarket.io, your email address is forwarded to Formspree, which delivers it to us; we do not currently use any third-party CRM for waitlist email storage.

Mobile device permissions (iOS app)

We only request the device permissions we actually use:

  • **Notifications** — to deliver event invitations, accept/decline reminders, and other account-relevant alerts. You can turn these off in iOS Settings.
  • **Calendar** (optional) — only if you connect Google Calendar to sync availability.
  • **Photo library / camera** (optional) — only when you choose to set or change a profile photo.

We do not request Bluetooth, contacts, microphone, sensors, or SMS access.

Sensitive information

We collect a small set of sensitive personal information for specific, narrow purposes:

| Field | Purpose | When collected | Voluntary? | |---|---|---|---| | Social Security Number (SSN) | US tax reporting (IRS Form W-9; required for Hiring Parties / agencies to issue 1099-NEC for non-employee compensation) | When you complete a W-9 in your Artist profile, or when an agency / venue requests one | Required for paid gigs through agency-mediated bookings; optional otherwise | | Employer Identification Number (EIN) | Same as SSN — for Artists who operate through an LLC or other incorporated entity | Same | Same — alternative to SSN for incorporated Artists | | Date of birth | Age verification (Services are 18+) and tax reporting | At account creation and on the W-9 | Required | | Race / ethnicity (self-identified) | Diversity-aware booking analytics and reporting | Optional demographic survey during onboarding or in profile settings | Voluntary — you can leave it blank or remove it later | | Pronouns | Accurate display in your profile and communications | Profile settings | Voluntary | | Precise geolocation | Location-aware availability matching and Maps integration in the iOS app | Only when you grant location permission | Voluntary — disable via iOS Settings at any time | | Account credentials | Authentication | At sign-up and on every login | Required |

**How we protect this data:**

  • All sensitive fields stored on user records — Social Security Number (SSN), EIN, date of birth, demographic survey responses, and pronouns — are encrypted at rest using application-level encryption (Laravel's encrypted cast). The database stores ciphertext; values are decrypted only when read into the application by authorized code paths.
  • Completed W-9 form contents (SSN/EIN, name, address) are stored in the `signed_documents` table with the same application-level encryption, and the corresponding signed PDF is encrypted in DigitalOcean Spaces. Access is gated by an explicit grant model — agencies and venues must be granted access to your W-9 to view it, and you can revoke that access at any time. All W-9 views are recorded in an access log.
  • TLS 1.2+ in transit for all data.
  • Account passwords are stored as a one-way hash (bcrypt), never as plaintext.

**What we don't collect:** racial or ethnic origin without your voluntary consent, religious beliefs, sexual orientation (other than your own choice to share via pronouns or profile bio), trade union membership, genetic data, biometric identifiers (fingerprints, faceprints, voiceprints), driver's license numbers, passport numbers, or precise health data. If any such information ends up in your profile bio or communications by your own choice, please contact admin@gigmarket.io to remove it.

Google API services disclosure

gigMarket LLC's use and transfer of information received from Google APIs adheres to the **Google API Services User Data Policy**, including its **Limited Use** requirements. Specifically, we:

  • do not allow humans to read user data unless we obtain your affirmative agreement, or as necessary for security purposes, to comply with law, or for limited internal operations such as resolving support issues
  • do not use or transfer Google user data for serving advertisements (including retargeting, personalized, or interest-based advertising)
  • limit our use of Google user data to providing or improving user-facing features
  • only transfer Google user data to others if necessary to provide or improve user-facing features, comply with applicable law, or in connection with a merger, acquisition, or sale of assets where we provide notice to users

Google Calendar Data is encrypted in transit and at rest, and is not made available to sub-processors.

How do we use your information?

We process your personal information to:

  • create and maintain your account, authenticate you, and keep your account in working order
  • deliver the core Services: matching artists with hiring parties, event invitations, availability management, and invoicing
  • send service-related communications (account, security, and event-related messages)
  • send marketing communications you've opted into (waitlist updates, product news), which you can unsubscribe from at any time
  • respond to support requests
  • analyze how the Services are used so we can improve them
  • detect, prevent, and respond to fraud, abuse, or security incidents
  • generate and maintain US tax-reporting records (W-9 collection, 1099-NEC issuance support for agencies and venues paying Artists)
  • power diversity-aware booking analytics if you have voluntarily provided demographic information
  • comply with legal obligations and exercise or defend legal claims
  • protect the vital interests of any person where necessary

Legal bases (GDPR / UK GDPR)

If you are in the EU, EEA, or UK, we rely on the following legal bases:

  • **Performance of a contract** — to provide the Services you signed up for
  • **Consent** — for optional features (e.g., Google Calendar integration, marketing email), which you can withdraw at any time
  • **Legitimate interests** — to keep the Services secure, prevent fraud, analyze usage to improve features, and run our business — provided these don't override your fundamental rights
  • **Legal obligation** — to comply with applicable law
  • **Vital interests** — to protect someone's life or safety in extreme circumstances

If you are in Canada, we rely on your express or implied consent, with the limited exceptions permitted by PIPEDA (e.g., fraud investigation, legal compliance, business transactions, or where consent cannot be obtained in time).

Who we share information with

We share personal information only as needed to operate the Services. Categories of recipients and the specific sub-processors we use today are:

| Purpose | Provider | |---|---| | Cloud hosting, storage, and DNS | DigitalOcean, Cloudns | | Transactional and marketing email | Brevo (formerly Sendinblue), Mailchimp, Amazon SES | | Push notifications (iOS) | Apple Push Notification service, Firebase Cloud Messaging | | Invoicing engine | Self-hosted Invoice Ninja instance (operated by gigMarket) | | Calendar integration (optional, with consent) | Google (Calendar, Maps Platform APIs) | | Marketing waitlist email capture (homepage + /ios) | Self-hosted Mautic instance (mail.cfloinc.com, operated by gigMarket / cflo inc.) | | iOS app support form (/ios-support) | Formspree | | Web analytics (when enabled) | Google Analytics 4 with IP anonymization | | Payment processing | None today — see "Platform model" in our Terms |

Each sub-processor is contractually bound to handle your data only for the purpose for which we engaged them, and to apply appropriate security safeguards.

We may also share personal information:

  • **In a business transfer** — in connection with a merger, financing, acquisition, or sale of all or part of our business. Notwithstanding any other provision, we will not transfer Google user data in such a transaction except as permitted by Google's policies.
  • **With your consent** — when you direct us to share with a specific third party (e.g., when a hiring party shares an event with you, or when you accept an invitation from a venue, the relevant counterparties see relevant details).
  • **With affiliates** — entities under our common control, who are required to honor this notice.
  • **For legal reasons** — if required by subpoena, court order, or to exercise or defend legal rights.

We do not sell your personal information for monetary or other valuable consideration, and we have not done so in the preceding twelve (12) months.

Cookies and similar technologies

We use a small number of cookies and similar local-storage tokens for:

  • keeping you signed in and remembering basic preferences
  • detecting fraud and abuse
  • (when enabled) measuring aggregate web analytics via Google Analytics 4

We do not use third-party advertising trackers, retargeting pixels, or social-network analytics widgets on our marketing site.

How long do we keep your information?

We keep personal information only as long as necessary to provide the Services to you and to comply with our legal obligations. Specifically:

  • account profile data — for the lifetime of your account, plus up to 12 months after account closure for fraud prevention and audit purposes
  • event records, invoices, and payout records — for at least 7 years from the date of the event, to support tax and accounting recordkeeping for both you and the hiring party
  • W-9 forms and tax identification (SSN/EIN, address, completed PDF) — for at least 4 years from the date of the last reportable transaction, per IRS Publication 583 recordkeeping guidelines; we typically retain for 7 years to align with the broader invoice retention window. W-9 access grants survive your departure from an agency so the agency can complete tax filings for prior years' work.
  • demographic survey responses — for the lifetime of your account; deleted on account closure unless you've explicitly asked us to retain anonymized data for aggregate reporting
  • support communications — for up to 24 months after the ticket is closed
  • log and analytics data — generally for 12 months in identifiable form, after which it is aggregated or deleted

If we have no ongoing legitimate need to keep your information, we delete or anonymize it. Backups may retain copies until rotated out, after which they are unreadable.

How do we keep your information safe?

We use industry-standard organizational and technical measures, including:

  • TLS 1.2+ encryption in transit for all web and mobile traffic
  • encryption at rest for databases, file storage, and backups
  • principle-of-least-privilege access for our team, with audit logging
  • multi-factor authentication on administrative accounts
  • regular dependency and vulnerability monitoring

No system is 100% secure. Despite our safeguards, we cannot guarantee that an unauthorized party will never defeat our security. If we discover that personal information has been compromised, we will notify affected users in accordance with applicable law.

Children

The Services are intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with information, contact admin@gigmarket.io and we will deactivate the account and delete the data.

Your privacy rights

Your rights depend on where you live. We honor the rights described below to the extent applicable, regardless of where you reside.

Universal rights we extend to all users

  • **Access** — request a copy of the personal information we hold about you
  • **Correction** — ask us to correct inaccurate information
  • **Deletion** — ask us to delete your account and data (some records, like tax-relevant invoices, may be retained as required by law)
  • **Portability** — receive a machine-readable export of your account data
  • **Withdrawal of consent** — for any feature that depends on your consent (e.g., Google Calendar)

To exercise any of these, email admin@gigmarket.io from the address on file, or use account settings where available. We respond within 30 days; we may need to verify your identity before processing the request.

EU / EEA / UK / Switzerland

In addition to the above, you have the right to object to processing based on legitimate interests, restrict processing, and lodge a complaint with your local data protection authority (or, in Switzerland, the Federal Data Protection and Information Commissioner).

United States — state privacy laws

Residents of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia (and other states as their laws come into effect) have rights under their applicable privacy laws. These rights generally include:

  • the right to know whether we are processing your personal data and to access it
  • the right to correct inaccuracies
  • the right to delete your personal data
  • the right to obtain a portable copy of your data
  • the right not to be discriminated against for exercising these rights
  • the right to opt out of "sale" or "sharing" of personal data (we don't do either) and of profiling for decisions that produce legal or similarly significant effects

Some states (including California and Delaware) provide a right to obtain a list of the categories of third parties with whom we have shared personal data; Oregon provides a right to obtain the specific identities of those third parties. We list our sub-processors above; contact us for the specific subset relevant to your account.

Categories of personal information collected (CCPA / equivalent state laws)

Within the past 12 months, we have collected the following categories of personal information:

| Category | Examples | Collected? | |---|---|---| | Identifiers | name, email, phone, mailing address, IP address, account ID | Yes | | California Customer Records | name, contact info, payout-related financial info, tax identification (SSN/EIN) on W-9 | Yes | | Protected classification characteristics | race / ethnicity (voluntary, via demographic survey), age (via DOB), pronouns | Yes (where voluntarily provided) | | Commercial information | invoices and payout records you submit through the Services | Yes | | Biometric information | fingerprints, faceprints, voiceprints | No | | Internet activity | usage logs of your activity within the Services | Yes | | Geolocation | approximate location from IP; precise location only with explicit permission | Yes (with consent for precise) | | Audio / electronic / sensory | profile photos you upload | Yes (photos only) | | Professional / employment information | stage name, primary market, equipment preferences, performance history within the Services, business name and tax classification on W-9 | Yes | | Education information | student records, transcripts | No | | Inferences (profiling) | the Music DNA radar (a self-rated and behavior-derived genre strength profile) | Yes | | Sensitive personal information | SSN or EIN (tax reporting), date of birth, race / ethnicity (voluntary), account credentials, precise location with permission | Yes (no driver's license, no passport, no biometrics) |

We retain each category for the durations described in **How long do we keep your information?** above.

How to exercise your rights

Email admin@gigmarket.io. You may also designate an authorized agent. We may need to collect additional information to verify your identity, and we may decline a request from an agent who can't show valid authorization.

If we decline a rights request, you may appeal by replying to the response. If your appeal is denied and your state allows, you may submit a complaint to your state attorney general.

Do-Not-Track signals

There is no industry standard for honoring browser-based Do-Not-Track signals. We currently do not respond to DNT, but we also don't run advertising trackers, so the practical effect on your privacy is limited. If a uniform DNT standard is adopted, we'll update this notice.

Updates to this notice

We may update this notice from time to time. The "Last updated" date at the top will reflect the change. If we make a material change, we'll notify you in the Services or by email at least 30 days before it takes effect, where practical.

How to contact us

Email: admin@gigmarket.io

By post:

gigMarket LLC 221 W 9th St #549 Wilmington, DE 19801 United States