Privacy Policy
Last updated: May 1, 2026
Effective: May 1, 2026
Overview
BANDcore is a music-business platform operated by BANDcore LLC, a California limited liability company. The platform includes the band-side service (MERCHcore POS, ROADy, fulfillment, financial reporting) and FANcore, a free companion app for fans. This policy applies to bands and their staff using BANDcore, fans using FANcore, and visitors to bandcore.band.
Who We Are
BANDcore LLC, 3305 Glendale Blvd, Los Angeles CA 90039. For privacy questions, email privacy@bandcore.band.
What We Collect — Bands
Phone numbers (authentication and SMS), business information (band name, leader name, contact details), Stripe Connect account metadata for payouts, merch photos and descriptions, sales transaction records, fulfillment addresses entered by fans for shipping orders, and fan data captured at the booth (name, phone, email). We do not store full credit card numbers, CVCs, or bank account numbers — that data flows directly through Stripe.
What We Collect — Fans
Phone number for authentication, optional email and display name, purchase history at bands you've engaged with, scrapbook entries (your own merch and show history), location at shows only when you actively use FLASH features, and ROCKy chat history when you use the AI music historian.
How We Use Your Data
To authenticate accounts via SMS verification codes, send sale alerts and show summaries to band leaders, process and record merchandise sales, generate profit-and-loss reports, calculate band payouts, generate shipping labels for fulfillment, render the FANcore scrapbook, and provide context to ROADy and ROCKy when you use them. We do not sell your data. We do not use your data for advertising. We do not share mobile numbers with third parties or affiliates for marketing purposes.
Data Ownership
Bands own the fan data they capture at the booth. For that fan database, bands are the data controllers and BANDcore LLC is a data processor acting on their behalf. Anthropic, Stripe, Twilio, Supabase, Vercel, and our shipping providers are subprocessors — they handle data on our behalf under contractual agreements and have no independent right to use it.
AI Agents (ROADy & ROCKy)
ROADy (band advisor) and ROCKy (music historian) are powered by Anthropic's Claude API. When you interact with these agents, your messages and contextual data may be processed by Anthropic per their data policies. Anthropic does not use commercial-API content to train its models. AI responses are informational and do not constitute legal, financial, medical, accounting, or professional advice — see our Terms of Service for liability details.
Payment Data
Card payments are processed by Stripe via Stripe Connect. BANDcore does not store full card numbers, CVCs, or bank account numbers. We receive payment metadata (transaction amounts, last 4 digits of the card, status) for reporting and reconciliation. Fans pay Stripe directly; bands receive payouts to their connected bank accounts.
SMS Messaging
By creating a BANDcore or FANcore account, you consent to receive SMS messages including verification codes, sale notifications, low stock alerts, show summaries, and FLASH messages. Message frequency varies based on your activity — typically up to 50 messages per show date for active band leaders, and only verification codes for one-time signups. Message and data rates may apply. Reply HELP for help. Reply STOP at any time to opt out of non-essential messages. Opting out of verification codes will prevent you from logging in. SMS is delivered through Twilio. We do not share mobile numbers with third parties or affiliates for marketing purposes.
Cookies & Tracking
We use essential cookies for authentication and session management. We do not use third-party advertising cookies. We may use privacy-respecting analytics (e.g., Vercel Analytics) to count page views; these do not include personal identifiers and are not used for cross-site tracking.
Data Storage
Your data is stored on Supabase (database) and Vercel (application hosting), both of which use encryption at rest and in transit. Merch photos are stored in Supabase Storage with public read access for display in the POS. Sale records are immutable — they cannot be edited or deleted, to preserve accurate financial reporting.
Third-Party Services
BANDcore uses the following subprocessors: Supabase (database and authentication), Twilio (SMS messaging), Stripe (payment processing and Connect payouts), Vercel (application hosting), Anthropic (Claude API for ROADy and ROCKy), and our shipping label provider for booth-to-doorstep fulfillment (currently TBD; expected to be Shippo or EasyPost when the feature ships). Each service has its own privacy policy governing how it handles data on our behalf.
Data Retention
While a band's account is active, we retain band and fan data for as long as it is needed to operate the Service. After a band cancels, most account data is retained for 90 days and then deleted or anonymized, except sale and tax records, which we retain for 7 years to comply with financial reporting obligations. Fans may request deletion of their scrapbook and profile data at any time; we will honor verified requests within 30 days, subject to legal retention requirements.
Your Rights
You may request access to, correction of, or deletion of your personal data at any time by emailing privacy@bandcore.band. Bands can export their sales and fan data from the dashboard. Fans can export or delete their scrapbook from their FANcore profile. We will respond to verified requests within 30 days. Account deletion will remove your profile and disassociate your data, but immutable sale records will be retained for financial compliance.
California residents have rights under the CCPA/CPRA including the right to know, delete, correct, opt out, and not be discriminated against for exercising these rights. We do not sell or share personal information as those terms are defined under California law.
EU and UK residents have rights under the GDPR/UK GDPR including access, rectification, erasure, restriction, portability, and objection. To exercise these rights, email privacy@bandcore.band.
Children
BANDcore and FANcore are not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact privacy@bandcore.band and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to active users via email or SMS. Continued use of the Service after changes take effect constitutes acceptance.
Contact
Privacy questions: privacy@bandcore.band.
Legal notices: BANDcore LLC, 3305 Glendale Blvd, Los Angeles CA 90039.