Vivo

Musician Management

 Back to login

Privacy Policy

Last updated: 19 February 2026

This Privacy Policy explains how Vivo Musician Management ("Vivo", "we", "us") collects, uses, stores and protects your personal data when you use our web application. It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

The data controller is:

  • Name: James Fiddeman, trading as Vivo Musician Management
  • Contact email: james@support.vivomusicianmanagement.co.uk
  • Application: https://vivomusicianmanagement.co.uk
  • ICO registration: not currently required; we will register with the Information Commissioner's Office if our activities change to require it.

2. What data we collect

We collect the minimum data needed to operate a band-management service for you and your band:

  • Account data: name, email address, hashed password, role (admin or player).
  • Member profile data: phone number (optional), section(s) you play in, player type (member / dep / inactive / info only), player notes, emergency contact (optional, visible to admins only), uniform sizes (optional, admins only), medical or dietary requirements (optional, admins only), committee flag.
  • Event activity: your RSVP to each event (yes/no/maybe), optional note you attach to an RSVP, dep invitations you send or receive.
  • Finance & inventory (admins only): transactions, budgets, dep fees paid to you (if you're a dep), items issued to you (uniforms, instruments) and their return status.
  • Technical data: a JSON Web Token stored in your browser's localStorage for login, your Web Push subscription endpoint (only if you enable push notifications), and a calendar subscription token (only if you subscribe to your schedule via iCal).

3. How we use your data (lawful basis)

  • Contract (UK GDPR Art. 6(1)(b)) – to provide the band-management service you or your band administrator signed up for: managing events, attendance, members and music.
  • Legitimate interests (Art. 6(1)(f)) – to keep the service secure, prevent abuse, and improve the product.
  • Consent (Art. 6(1)(a)) – for optional items you tick at signup, e.g. event reminder emails & push notifications. You can withdraw consent at any time from your Profile page.
  • Legal obligation (Art. 6(1)(c)) – where required, e.g. tax records if you subscribe to a paid plan.

4. Who we share your data with

We do not sell your data. We share it only with the following processors, each of which is contractually bound to protect it:

  • Your band administrators — admins of your band(s) can see your profile data to run the band.
  • MongoDB Atlas (MongoDB, Inc.) — database hosting (EU/UK region).
  • Brevo (Sendinblue) — transactional email delivery (welcome, password reset, event reminders). Processor in the EU.
  • Mailgun (Sinch) — inbound email routing for band-wide and committee aliases. Receives the message, our app then forwards it on to the relevant band members via Brevo. Sender + recipient email addresses are processed.
  • Stripe — payment processing for paid subscriptions (if your band upgrades). We never see your card details.
  • Google Drive API — read-only listing of files in public folders that your admin has linked. Google sees only the folder ID and our server API key, not your identity.

We do not currently use Google Analytics, Facebook Pixel, or any other advertising or analytics tracker.

5. International transfers

Where a processor is located outside the UK/EEA, we rely on UK International Data Transfer Agreements or Standard Contractual Clauses to ensure an equivalent level of protection.

6. How long we keep your data

  • While you are an active member of a band, indefinitely for service continuity.
  • When you delete your account (Profile → Danger Zone, or by emailing us), your user, profile, attendance records, push subscriptions and dep invitations are permanently removed within 30 days.
  • When a band is deleted by its admin, all its data is removed within 30 days.
  • Financial and tax records relating to paid subscriptions are retained for 6 years as required by UK HMRC rules.

7. Your rights under UK GDPR

You have the right to:

  • Access — receive a machine-readable copy of your personal data. Download it any time from your Profile → My Data page, or GET /api/me/data.
  • Rectification — correct inaccurate data by editing your Profile, asking your admin, or emailing us.
  • Erasure (“right to be forgotten”) — delete your account any time from Profile → Danger Zone.
  • Restrict or Object to processing — email us and we will stop the relevant processing.
  • Withdraw consent — toggle consents any time on your Profile page.
  • Data portability — your /api/me/data export is structured JSON you can re-import elsewhere.
  • Complain to the UK Information Commissioner's Office — ico.org.uk/make-a-complaint.

8. Security

  • Passwords are hashed with bcrypt, never stored in plain text.
  • All traffic is TLS-encrypted (HTTPS).
  • JWT tokens expire; push subscription endpoints can be revoked from your Profile.
  • Strict multi-tenant data isolation: every database query is scoped by band_id so one band cannot see another band's data.
  • Access logs are kept for a short period for security monitoring only.
  • We will notify affected users and the ICO within 72 hours if we become aware of a personal data breach that is likely to result in risk to your rights.

9. Children

Vivo is intended for use by adults. If a band admin wishes to enrol members under 18, we rely on the band admin to obtain parental consent in line with the UK GDPR age of digital consent (13).

10. Cookies

See our Cookie Policy.

11. Changes to this policy

We will post any updates on this page and update the “last updated” date. Material changes will also be notified to you by email.

12. Contact

For any privacy question, subject access request or complaint, email james@support.vivomusicianmanagement.co.uk.