2.1 Personal Information

We may collect personal information that you provide directly to us, including:

• •Name and contact information (email address)
• •Profile information (username, display name, profile picture)
• •Account credentials
• •Festival preferences and schedules
• •Reviews and ratings you submit
• •Discussion posts and replies on festival, set, and show pages, including upvotes and downvotes
• •Comments and replies on reviews, including likes
• •@username mentions you make and mentions of you by other users
• •Social connections and interactions
• •Content reports and safety information
• •User blocking and preferences settings
• •Subscription and billing information for Humble VIP (such as plan, billing cycle, billing status, and a Stripe customer identifier; we do not store your full payment card details)
• •Photos and short videos you upload to reviews, discussions, or comments, along with derived metadata (file dimensions, video duration, processing status, and a Mux playback identifier for video). EXIF and GPS metadata are stripped from photos before upload, and video is normalized by our processing pipeline.

2.2 Automatically Collected Information

We automatically collect certain information when you use our Service:

• •Device information (IP address, browser type, operating system)
• •Usage data (pages visited, time spent, features used)
• •Location data (if you enable location services)
• •Cookies and similar tracking technologies

2.3 Third-Party Information

We may receive information about you from third parties, including:

• •Authentication providers (Google and Apple) when you choose to sign in with that account
• •Festival organizers and venues

4.1 Content Reporting

• •Users can report inappropriate content, harassment, or policy violations
• •Reports include the reported content, reason for reporting, and reporter information
• •We review reports to determine appropriate action and ensure community safety
• •Report data is retained for moderation purposes and may be shared with law enforcement if required

4.2 User Blocking

• •Users can block other users to prevent seeing their content
• •Blocking preferences are stored with your account to maintain effectiveness across sessions
• •Blocked user lists are private and not shared with other users

4.3 Moderation Actions

We may take moderation actions on Content, including:

• •Hiding a discussion post, reply, or comment so it is not visible to other users
• •Soft-deleting Content (the original text is removed but a placeholder may remain when replies exist, so thread structure is preserved)
• •Pinning selected discussion posts to the top of a thread
• •Banning a user from posting, replying, voting, or mentioning others — temporarily or permanently — when they violate our community guidelines

4.4 Community Guidelines

Our Service is designed for users 13 and older. We maintain community guidelines to ensure respectful discussions about festivals and live music experiences.

4.5 Photos and Videos

Media you attach to a review, discussion, or comment is treated as Content under our Terms of Service and is subject to the same reporting and moderation processes described above. In addition:

• •EXIF and GPS metadata are stripped from photos before upload so location and device data are not published alongside the image.
• •Reported photos and videos may be hidden pending admin review. We may delete the underlying storage object and any associated Mux video asset to enforce takedowns, copyright notices, or other legal requests.
• •Copyright owners can submit a notice through the DMCA process described in our Terms of Service; repeated infringers will have their accounts terminated.

5.1 Public Information

Certain information you provide may be publicly visible, including your profile information, festival schedules (if set to public), reviews, and social interactions.

5.2 Service Providers

We share information with third-party service providers who perform services on our behalf. Our key sub-processors include:

• •Supabase — database hosting, authentication, realtime infrastructure, and storage of user-uploaded photos
• •Mux — ingest, transcoding, hosting, and streaming of user-uploaded video clips
• •Vercel — web application hosting
• •Stripe — payment processing and billing portal for Humble VIP subscriptions
• •RevenueCat — subscription state synchronization across web and mobile platforms
• •Apple App Store — in-app purchases and subscription billing for iOS users (governed by Apple's privacy policy)
• •Google Play Billing — in-app purchases and subscription billing for Android users (governed by Google's privacy policy)
• •PostHog — product analytics and session-level usage data. EU, UK, EEA, Swiss, Brazilian, and Canadian residents are routed to PostHog Cloud EU (Frankfurt) when an EU-region project is configured; otherwise data is processed by PostHog's US instance under the EU–U.S. Data Privacy Framework.
• •Sentry — error monitoring and diagnostics
• •Resend — transactional email delivery
• •Google (Tag Manager & Analytics) — tag management container that loads measurement and advertising pixels for users who have accepted analytics cookies
• •Meta Platforms (Facebook Pixel) — advertising attribution for users who have accepted analytics cookies

5.3 International Data Transfers

Several of our sub-processors are based in the United States and process personal data outside the European Economic Area, the United Kingdom, and Switzerland. We rely on the following transfer mechanisms under Articles 45–46 of the GDPR / UK GDPR:

• •EU–U.S. Data Privacy Framework (DPF) certifications maintained by participating sub-processors (including PostHog, Sentry, Vercel, Stripe, Google, and Meta).
• •Standard Contractual Clauses (Module 3 — processor to sub-processor) executed with sub-processors that are not DPF-certified, combined with a transfer impact assessment where required.
• •UK International Data Transfer Addendum for transfers from the United Kingdom.

5.4 Legal Requirements

We may disclose your information if required by law or in response to valid legal requests, such as subpoenas or court orders.

5.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the business transaction.

9.1 Types of Cookies We Use

• •Strictly Necessary: Authentication session cookies (Supabase) and security cookies. Always on; required to deliver the Service.
• •Functional: Theme, language, calendar view, and consent-state cookies / local storage entries that remember your preferences.
• •Analytics & Performance: PostHog (product analytics), Sentry (error monitoring; session-replay sampling only when you accept the "Session Recording" toggle), and Vercel Speed Insights (page-load metrics). All are off by default in opt-in regions until you accept via the consent banner. Sentry's basic error monitoring continues for everyone under our legitimate interest in service integrity, with no personal identifiers attached.
• •Marketing & Measurement: Google Tag Manager and Meta (Facebook) Pixel are loaded only after you accept analytics cookies. They power conversion attribution for paid acquisition.
• •Third-Party Cookies: Stripe sets a session cookie when you open the billing portal (set on Stripe's domain, governed by Stripe's privacy policy).

9.2 Managing Cookies

In opt-in regions (EU, UK, EEA, Switzerland, Brazil, and Canada) we display a consent banner on first visit and do not load analytics or marketing cookies until you accept. You can change your preferences at any time at Settings → Privacy. We honor browser Do Not Track and Global Privacy Control (GPC) signals — when either is detected we treat it as an opt-out from analytics and marketing cookies. You can also manage cookies through your browser settings; disabling strictly necessary cookies will prevent the Service from functioning correctly.

13.1 Your CCPA Rights

• •Right to Know: Request information about the personal information we collect, use, and share
• •Right to Delete: Request deletion of your personal information
• •Right to Opt-Out: Opt-out of the sale of personal information (we do not sell personal information)
• •Right to Non-Discrimination: We will not discriminate against you for exercising your rights

13.2 Exercising Your Rights

To exercise these rights, contact us at privacy@tryhumble.com with "CCPA Request" in the subject line. We may need to verify your identity before processing your request.