Legal

Privacy Policy

Last updated: March 2026 — plain language, no legalese.

Short version: we collect the minimum needed to run the service. Your songs are yours. We don't sell your data. You can export or delete everything at any time.

What data we collect

We collect only what's needed to make GigFrame work:

Your email address and name — to create your account
Your songs — chord charts, lyrics, tab grids, metadata (title, artist, BPM)
Your setlists — ordered collections of songs with optional BPM overrides
Your band information — band name, tier, member roles
Your preferences — instrument role, display settings
Session tokens — to keep you logged in between visits
Hashed IP addresses — for rate limiting feedback submissions only (SHA-256 hash, not raw IP)

We do not collect payment information (no payments yet). We do not read the content of your songs except to serve them back to you.

How we store it

All data is stored on Cloudflare infrastructure:

Cloudflare D1 — structured data (accounts, songs metadata, bands, setlists)
Cloudflare R2 — song files (.gfr format, PDFs, ChordPro files)
Cloudflare KV — live performance state (temporary, in-memory during a session)

Cloudflare's infrastructure is distributed globally. Data is encrypted at rest and in transit. See Cloudflare's privacy policy for their data handling details.

Who can access it

You — always, via the app or via our export API
Your band members — can see songs and setlists shared within your band
Band admins — can manage band settings and membership
GigFrame team — can access data for support and debugging, but we don't read your songs unless you ask us to help with a problem

We do not sell, rent, or share your data with third parties for advertising or any other commercial purpose.

No tracking cookies

We use Cloudflare Web Analytics for basic traffic statistics. It is cookieless by design — no tracking pixels, no fingerprinting, no cross-site tracking. We do not use Google Analytics or any other tracking service.

Session cookies are used only to keep you logged in. They are not tracking cookies and are not shared with third parties.

Third-party services

Cloudflare — infrastructure, hosting, analytics, DDoS protection
Google OAuth — optional sign-in method (only if you choose "Sign in with Google")
Resend — transactional email (email verification, password reset). We send your email address to Resend for this purpose only.

Your GDPR rights

You have the following rights under GDPR:

Access — export all your data as JSON via GET /api/users/me/export (requires login)
Deletion — delete your account and all data via account settings. This is irreversible.
Correction — edit your profile name and email via profile settings
Portability — the export endpoint returns standard JSON you can take anywhere
Objection — contact us at [email protected] to object to any processing

We respond to GDPR requests within 30 days.

Data retention

We keep your data until you delete your account. When you delete your account, we delete all associated data: your profile, songs, setlists, band memberships (and any bands you are the sole member of), and session tokens.

Backups may retain data for up to 30 days after deletion due to backup rotation schedules.

Children

GigFrame is not directed at children under 16. If you are under 16, please do not create an account. If we become aware that a user is under 16, we will delete their account.

Changes to this policy

We may update this privacy policy as GigFrame evolves. When we make significant changes, we will update the "Last updated" date at the top of this page. Continued use of GigFrame after changes constitutes acceptance of the new policy.

Contact

Questions about your data or this policy? Email us at [email protected].

GigFrame is operated by an independent developer based in Belgium.