Privacy Policy

Last updated: May 11, 2026

1. Introduction

Beyond Concierge Events Co. LLC ("the Company," "we," "us") operates the ROSTR+ platform at rosterplus.io. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the UAE Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL) and applicable GCC data protection regulations.

2. Data We Collect

Data Type	Examples	Purpose
Account Data	Name, email, password, role, phone number (optional)	Authentication, account management, contact for confirmed bookings
Profile Data	Stage name, bio, photos, audio/video samples, social links, self-reported city	Public profile display, artist discovery. We do not collect precise device location or GPS data.
Booking Data	Event details, dates, venues, fees	Booking management, contracts
Payment Data	Transaction amounts, bank transfer references. Card data is handled by Stripe and never stored by us.	Payment tracking, invoicing
Communication Data	Messages between users	In-platform messaging
Usage Data	Pages visited, features used, device info (browser, OS)	Platform improvement, analytics
Diagnostic Data	Crash reports, error logs, stack traces	Bug detection and fixing
Identifiers	User ID (Supabase Auth UUID), device push token (iOS only, with consent)	Authentication, push notification delivery

3. How We Use Your Data

To provide and maintain the Platform's services.
To match promoters with artists based on genre, location, and availability.
To facilitate booking requests, contracts, and payment tracking.
To send transactional emails (booking confirmations, contract notifications).
To deliver push notifications to your device when you grant permission in the iOS app (booking events, contract updates, messages).
To prevent fraud and ensure platform security.
To improve the Platform based on usage patterns and to fix bugs detected through anonymous crash reports.

4. Legal Basis for Processing

We process personal data based on:

Consent: When you create an account and agree to these terms.
Contractual necessity: To fulfill booking agreements between promoters and artists.
Legitimate interest: To improve platform security and user experience.
Legal obligation: To comply with UAE tax and business regulations.

5. Data Sharing

We share your data only with:

Other users: Your public profile (name, bio, genre, rates) is visible to all platform users. Private data (email, phone) is shared only with confirmed booking partners.
Service providers:
- Supabase: database hosting, authentication, file storage. Data resides in the EU (eu-west-1).
- Resend: transactional email delivery (booking confirmations, password resets).
- Stripe: payment processing. Card data is handled directly by Stripe; ROSTR+ receives only payment status and reference numbers.
- Apple Push Notification service (APNs): delivers push notifications to your iPhone when you grant permission in the iOS app. Push payloads contain only event-type identifiers (e.g. "new_booking"), never sensitive booking details.
- Sentry: anonymous crash and error reporting from the website and iOS app. Reports contain stack traces and device type; no personal data is intentionally included.
- Plausible Analytics: privacy-respecting page-view analytics. Plausible does not use cookies, does not track users across sites, and does not store personally identifiable information.
- Hostinger: static website hosting for rosterplus.io.
Legal authorities: When required by UAE law or court order.

We do not sell your personal data to third parties.

6. Data Storage and Security

Data is stored on Supabase infrastructure in the EU-West-1 region.
All data in transit is encrypted via TLS/HTTPS.
Passwords are hashed using bcrypt (never stored in plaintext).
Row-Level Security (RLS) policies restrict data access at the database level.
We implement Content Security Policy (CSP), HSTS, and X-Frame-Options headers.

7. Data Retention

Account data: retained while your account is active, deleted within 30 days of account deletion.
Booking and payment records: retained for 7 years for tax compliance (UAE Commercial Transactions Law).
Messages: retained for 1 year after the last message in a conversation.
Usage analytics: aggregated and anonymized after 12 months.

8. Your Rights

Under the UAE PDPL and applicable regulations, you have the right to:

Access: Request a copy of your personal data.
Correction: Update inaccurate or incomplete data.
Deletion: Request deletion of your account and associated data.
Portability: Receive your data in a machine-readable format.
Objection: Object to processing based on legitimate interest.
Withdrawal: Withdraw consent at any time (this does not affect prior processing).

To exercise these rights, contact hi@rosterplus.io.

9. Cookies and Tracking

The Platform uses localStorage for session management. We do not use third-party advertising cookies, and we do not track users across other websites or apps. The service worker caches static assets for offline performance only.

The only analytics we run is Plausible (see §5), which is cookieless and does not collect any personally identifiable information. Crash reports from Sentry are sent automatically when an error occurs in the app or website; these reports contain stack traces and device type but never the contents of your messages, bookings, or other personal data.

10. International Data Transfers

Your data may be processed outside the UAE (Supabase EU infrastructure). We ensure adequate protection through standard contractual clauses and the service provider's compliance with GDPR.

11. Children's Privacy

The Platform is not intended for users under 18 years of age. We do not knowingly collect data from minors.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email to registered users. The "Last updated" date at the top reflects the most recent revision.

13. Contact

Data Protection inquiries:
Beyond Concierge Events Co. LLC
Email: hi@rosterplus.io
Website: rosterplus.io