Privacy Policy
This Privacy Policy explains how FestiClip ("FestiClip", "we", "us", "our") collects, uses, shares and protects personal data when you use our mobile application (the "App"), our website festiclip.app (the "Website"), and any related services (together, the "Service").
FestiClip is the controller of your personal data within the meaning of the EU General Data Protection Regulation 2016/679 ("GDPR") and the Dutch implementing act (Uitvoeringswet AVG, "UAVG"). We also comply with the Dutch Telecommunicatiewet for cookies and similar technologies, and with the privacy and permission requirements of the Apple App Store and Google Play.
1. Who we are & how to reach us
FestiClip
Vrijheidslaan 85h, 1079 KH Amsterdam, the Netherlands
Privacy contact: [email protected]
General contact: [email protected]
We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR. Our privacy contact above handles all data-protection requests.
2. Summary: the short version
- We collect what we need to run the App: your account, the clips you upload, where and when each clip was filmed, and your route while tracking is on.
- Location and camera/microphone access only run when you turn them on. You can switch them off at any time in your device settings.
- Clips you publish are visible to other festivalgoers who were near the same place and time. You can delete a clip or hide it at any time.
- Festival organisers only see aggregated, anonymised figures, never your identity, your route, or your clips.
- Your data is stored on servers in the European Union. Some service providers may process data outside the EU only under appropriate safeguards.
- You have full GDPR rights (access, correction, deletion, portability, objection, withdrawal of consent) and you can complain to the Dutch DPA (Autoriteit Persoonsgegevens).
3. Personal data we collect
3.1 Data you provide
- Account data: name or display name, email address, password (stored only as a salted hash), and optionally a profile photo and date of birth.
- Profile preferences: favourite artists, festivals you attend, language, notification preferences.
- User-generated content: videos and photos you upload ("clips"), captions, comments, ratings and reactions.
- Communications: messages you send to us via email, in-app support, or contact forms.
- Reports: reports you submit about other users' content (used solely for moderation).
3.2 Data collected automatically
- Precise location data: GPS coordinates while live tracking is enabled, used to draw your route and to attach a location to clips. Background-location is only used when you explicitly enable "Live tracking".
- Clip metadata: for every clip, the time of filming, location, device orientation, the festival/event identifier and (where present in the file) the EXIF data the clip already contained when you imported it from your camera roll.
- Device data: device model, operating system and version, app version, language, time zone, mobile network and connection type, advertising identifier (only with your consent on iOS via App Tracking Transparency, or via your Android Ads ID setting).
- Diagnostic data: crash reports, performance metrics, error logs.
- Usage data: features you use, screens you view, clips you watch, save or share, time spent, search queries inside the App.
- Cookies and similar technologies on the Website. See Section 12 and our Cookie Policy.
3.3 Special categories of personal data (Article 9 GDPR)
We do not intentionally collect special categories of personal data, including data revealing your race, ethnicity, political opinions, religion, trade-union membership, health, sex life or sexual orientation, and we do not use facial recognition or biometric identification of any kind. Where such data may incidentally appear in a clip you upload, you remain in control of whether to publish, hide or delete it.
3.4 Children
FestiClip is not intended for users under 16 years of age, in line with Article 8 GDPR as implemented in the Netherlands. If we learn that we have collected personal data from a child under 16 without verified parental consent, we will delete it. If you believe a child has given us data, contact [email protected].
4. Why we use your data and on what legal basis
Under Article 6 GDPR we only process personal data when we have a lawful basis. The table below maps each purpose to its basis.
| Purpose | Categories used | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Create and manage your account; authenticate you; provide the core App and Website | Account data, device data | Performance of a contract, Art. 6(1)(b) |
| Show your route, your clips and nearby clips on the festival map; build your aftermovie | Precise location, clip metadata, user-generated content | Performance of a contract, Art. 6(1)(b); for live tracking, also your consent under Art. 6(1)(a) |
| Send push notifications you have enabled (artist nudges, replies, content alerts) | Account data, profile preferences, device push token | Consent under Art. 6(1)(a); withdrawable at any time |
| Marketing emails about FestiClip | Email address, basic usage | Consent under Art. 6(1)(a); for existing customers, soft opt-in under Art. 11.7 Telecommunicatiewet |
| Moderation, fraud prevention, abuse detection, content takedowns | User-generated content, account data, reports | Legitimate interest, Art. 6(1)(f); legal obligation, Art. 6(1)(c) (e.g. DSA) |
| Service improvement, analytics, crash diagnostics | Usage data, diagnostic data, device data | Legitimate interest, Art. 6(1)(f); for non-essential analytics on the Website, consent under Art. 6(1)(a) and Art. 11.7a Telecommunicatiewet |
| Aggregated, anonymised insights provided to festival organisers | Anonymised/aggregated derivatives only (no longer personal data once anonymised) | Legitimate interest, Art. 6(1)(f) for the anonymisation step |
| Comply with legal obligations (tax, accounting, law-enforcement requests, DSA) | Account data, transaction data, content metadata | Legal obligation, Art. 6(1)(c) |
| Establish, exercise or defend legal claims | As needed | Legitimate interest, Art. 6(1)(f) |
Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms. You may object to such processing at any time (see Section 9).
5. Mobile permissions we ask for
We only ask for the device permissions we actually need, with a clear explanation when we ask. You can change every permission later from your device settings.
| Permission | What it's for | Required? |
|---|---|---|
| Camera | Filming clips inside the App | Optional |
| Microphone | Recording audio with your clips | Optional |
| Photo library / Photos | Importing existing clips from your camera roll | Optional |
| Precise location (foreground) | Showing where you are on the festival map | Recommended for full experience |
| Precise location (background) / "Always" | Live route tracking when the App is closed or the screen is off | Optional, off by default |
| Push notifications | Artist nudges and reply alerts | Optional |
| Bluetooth / Nearby devices | Improving location accuracy on dense festival sites | Optional |
| App Tracking Transparency (iOS) / Ads ID (Android) | Only requested if we ever run cross-app/site advertising, which we currently do not | Optional |
6. How clips work: content you share with other festivalgoers
FestiClip is built around shared clips. You decide what to publish. You can:
- Set any clip to private (visible only to you), festival-only (visible to people who were at the same event), or public.
- Delete any clip you uploaded; it is removed from the App and from our backups within 30 days.
- Choose whether your name and profile photo appear next to a clip, or whether you publish anonymously.
- Ask us to take down a clip that features you and was uploaded by someone else, by sending a request through the App or to [email protected]. We treat this as a GDPR Article 17 erasure request and act on it without undue delay.
If you appear in a clip uploaded by someone else, you have the same rights even if you do not have a FestiClip account. Write to us and we will help.
7. Who we share data with
7.1 Other users
Anything you publish (clips, captions, ratings, profile name and photo) is visible to other users in line with your visibility settings.
7.2 Service providers (processors)
We use carefully selected providers to run the Service. They process data only on our instructions, under a written data-processing agreement (Article 28 GDPR). The parties we use today:
- Supabase, backend hosting, database (Postgres), authentication and serverless edge functions; also the table in which we store our own, non-commercial product and performance events.
- Backblaze B2, object storage for your clips and the festival images.
- Cloudflare, delivery of those same clips and images via our media domain (videos.festiclip.app), as well as anti-abuse checks via Cloudflare Turnstile during registration, sign-in and password reset.
- Mapbox, map tiles, map styles and map interaction for the festival map.
- Google (Firebase Cloud Messaging), delivering push notifications; on iOS, FCM forwards through the Apple Push Notification service.
- Apple and Google (identity), handling Sign in with Apple and Google Sign-In respectively when you choose to use them.
- Google Fonts, providing the typefaces we use in the app and on the website.
A current list of sub-processors is available on request from [email protected].
7.3 Festival organisers
Organisers receive only aggregated and anonymised insights (heat-maps, dwell times, peak-time curves, retention figures) that cannot be traced back to an individual. They do not receive your route, your clips or your identity.
7.4 Apple and Google
When you install or pay for the App, Apple (App Store) or Google (Play Store) processes data as an independent controller under their own privacy policies. We receive only aggregated install, crash and rating reports from them.
7.5 Authorities and legal claims
We may share data with competent authorities when we are legally required to (for example, a valid court order or a request under Dutch law), or to protect the rights, property or safety of FestiClip, our users or the public.
7.6 Corporate transactions
If FestiClip is involved in a merger, acquisition or asset sale, your data may be transferred. We will notify you and ensure your rights remain protected.
We do not sell your personal data, and we do not share it with advertising networks for cross-context behavioural advertising.
8. International data transfers
Personal data is hosted on servers within the European Economic Area (EEA). Some service providers (for example crash-reporting or push-notification gateways operated by US-based companies) may process limited data outside the EEA. In those cases we rely on:
- An adequacy decision by the European Commission (e.g. the EU/US Data Privacy Framework) where available; or
- Standard Contractual Clauses (2021 EU SCCs) supplemented by technical and organisational measures (encryption in transit and at rest, access controls, pseudonymisation).
You can ask us for a copy of the safeguards by emailing [email protected].
9. Your rights
Under the GDPR you have the right to:
- Access: ask whether we hold data about you and receive a copy.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): ask us to delete your data, including any clip that features you.
- Restriction: ask us to pause processing in certain situations.
- Portability: receive your data in a structured, machine-readable format and have it transferred where technically feasible.
- Objection: object to processing based on legitimate interests, or to direct marketing at any time.
- Withdraw consent: at any time, without affecting the lawfulness of processing already carried out.
- Not be subject to solely automated decisions with legal or similarly significant effects. We do not currently make any such decisions about you.
- Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or your local supervisory authority.
Most of these you can exercise directly inside the App (Settings → Privacy). You can also email [email protected]. We respond within one month and may extend this by up to two further months for complex requests, in line with Article 12(3) GDPR. Requests are free unless they are manifestly unfounded or excessive.
10. How long we keep data
| Category | Retention |
|---|---|
| Account data | While your account is active, plus up to 12 months after closure for fraud prevention and legal claims; tax and accounting records 7 years (Dutch tax law). |
| Clips and captions | Until you delete them or close your account. Deleted clips are removed from backups within 30 days. |
| Location traces (live tracking) | Linked to clips you publish for as long as those clips exist; raw, unattached traces are deleted 30 days after the festival ends, unless you save them as a "memory". |
| Diagnostic and crash logs | 30 days, then deleted or fully aggregated. |
| Moderation records | Up to 24 months after the action, to help us spot repeat abuse. |
| Support correspondence | 24 months after closing the ticket. |
11. Security
We apply technical and organisational measures appropriate to the risk, including TLS encryption in transit, encryption at rest, hashed passwords (Argon2/bcrypt), least-privilege access controls, network segmentation, regular backups, security logging and code review. No service is 100% secure; if a personal-data breach occurs that poses a risk to your rights, we will notify the Autoriteit Persoonsgegevens within 72 hours (Article 33 GDPR) and inform affected users where required (Article 34 GDPR).
12. Cookies and similar technologies
The Website uses strictly necessary cookies to function and, with your consent, optional analytics cookies. The App uses local storage and SDK identifiers needed to operate, plus optional analytics where you have given consent. Full details, including how to change your choices, are in our Cookie Policy. The legal basis for non-essential cookies is your consent under Article 11.7a of the Dutch Telecommunicatiewet and Article 6(1)(a) GDPR.
13. App store privacy disclosures
The App's privacy disclosure on the Apple App Store ("App Privacy" labels) and on Google Play ("Data safety" section) is consistent with this Policy. If you spot a discrepancy, this Policy is leading and we will correct the store disclosure.
We do not use your data to track you across other companies' apps and websites within the meaning of Apple's App Tracking Transparency framework. If that ever changes, we will request your permission first via the standard ATT prompt.
14. Automated decisions and profiling
We use automated systems to rank clips, surface "top moments", detect spam and abuse and personalise your map. These do not produce legal effects on you or similarly significantly affect you within the meaning of Article 22 GDPR. You can always contact us to review or contest a content decision.
15. Changes to this Policy
We may update this Policy to reflect new features, legal changes or operational improvements. Material changes will be announced in-app and by email at least 30 days before they take effect. The "Last updated" date at the top always shows the current version.
16. Contact and complaints
Questions, requests or complaints about this Policy or how we handle your data:
FestiClip
Vrijheidslaan 85h, 1079 KH Amsterdam, the Netherlands
[email protected]
You always have the right to complain to the Dutch Data Protection Authority: Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag, autoriteitpersoonsgegevens.nl.
← Back to FestiClip