Privacy Policy - MavelPoint

1. Legal basis

Our primary legal basis for processing your personal data is the performance of a contract — Article 6(1)(b) GDPR. The processing is necessary so that we can deliver the Service you signed up for: creating and maintaining your account, hosting your profile and uploads, enabling discovery by promoters and other industry users, and operating MavelTree and MavelCam.

We rely on consent — Article 6(1)(a) GDPR — only for optional processing: opt-in marketing emails, and non-essential cookies and analytics that are managed through the Iubenda cookie banner. You can withdraw consent for these optional categories at any time without affecting your ability to use the Service.

A limited set of processing rests on legitimate interest under Article 6(1)(f) GDPR (for example, security monitoring and acquisition attribution) or on legal obligation under Article 6(1)(c) GDPR (for example, retaining consent records as evidence under Article 7 GDPR).

2. What we collect

The table below lists each category of personal data we process, why we process it, the legal basis, how long we keep it, and which sub-processor handles it.

Data class	Type	Purpose	Legal basis	Retention	Sub-processor
Email address	Identifier	Account creation, login, transactional email	Art. 6(1)(b)	For account lifetime + 12 months after closure	Clerk, Microsoft Azure
First name, last name	Identifier	Profile display, contact	Art. 6(1)(b)	For account lifetime	Clerk, Microsoft Azure
Profile image	Image	Profile display, MavelTree	Art. 6(1)(b)	For account lifetime	Microsoft Azure (Blob storage)
Cover image	Image	Profile display	Art. 6(1)(b)	For account lifetime	Microsoft Azure (Blob storage)
Country, nationality, province	Location	Profile display, discovery filters	Art. 6(1)(b)	For account lifetime	Microsoft Azure
Birthdate	Identifier	Age verification (16+ floor)	Art. 6(1)(b)	For account lifetime	Clerk, Microsoft Azure
Biography	Text	Profile display	Art. 6(1)(b)	For account lifetime	Microsoft Azure
Profile slug	Identifier	Public URL	Art. 6(1)(b)	For account lifetime	Microsoft Azure
Social network handles	Identifier	Profile links	Art. 6(1)(b)	For account lifetime	Microsoft Azure
Tracks (audio files & metadata)	Media	Music showcase	Art. 6(1)(b)	For account lifetime	Microsoft Azure (Blob storage)
Fees	Commercial	Booking workflow	Art. 6(1)(b)	For account lifetime	Microsoft Azure
Tech rider	Document	Booking workflow	Art. 6(1)(b)	For account lifetime	Microsoft Azure
Contact information	Identifier	Booking workflow	Art. 6(1)(b)	For account lifetime	Microsoft Azure
viberateId	Identifier (3P)	Artist enrichment	Art. 6(1)(b)	For account lifetime	Viberate
Language preference	Preference	Locale selection	Art. 6(1)(b)	For account lifetime	Microsoft Azure
UTM source / referrer	Marketing	Acquisition attribution	Art. 6(1)(f) — legitimate interest	24 months	Amplitude, Microsoft Azure
IP address at consent	Network	Consent record evidence	Art. 6(1)(c) — legal obligation (GDPR Art. 7(1))	For account lifetime + 6 years after closure	Microsoft Azure
User-agent at consent	Network	Consent record evidence	Art. 6(1)(c)	For account lifetime + 6 years after closure	Microsoft Azure
MavelCam audio / video / photo uploads	Media	Event capture and showcase	Art. 6(1)(b)	For account lifetime; deletable on demand	Microsoft Azure (Blob storage), ShazamKit (in-app recognition only)
Sentry error reports	Diagnostic	Service reliability	Art. 6(1)(f)	90 days	Sentry
Analytics events	Behavioural	Product analytics	Art. 6(1)(a) — consent (Iubenda)	24 months	Amplitude

Email address
First name, last name
Profile image
Cover image
Country, nationality, province
Birthdate
Biography
Profile slug
Social network handles
Tracks (audio files & metadata)
Fees
Tech rider
Contact information
viberateId
Language preference
UTM source / referrer
IP address at consent
User-agent at consent
MavelCam audio / video / photo uploads
Sentry error reports
Analytics events

Retention windows are baseline values; specific items may be deleted sooner on a verified erasure request (see §6).

3. Sub-processors

We share personal data with the following sub-processors strictly for the purposes listed. Each operates under a data processing agreement (DPA).

Sub-processor	Purpose	Region	DPA / safeguards
Clerk	Authentication and account management	United States	DPA in place; SCCs (EU 2021/914) cover transfers
Microsoft Azure	Application hosting and Blob storage	European Union (West Europe)	DPA in place; processing within EU
Sentry	Error and exception monitoring	European Union	DPA in place; processing within EU
Amplitude	Product analytics (opt-in via Iubenda)	United States	DPA in place; SCCs (EU 2021/914) + transfer impact assessment
Viberate	Artist metadata enrichment	European Union (Slovenia)	DPA in place; processing within EU
ShazamKit (Apple)	Audio recognition (MavelCam, in-app only)	United States	Apple framework; on-device matching where supported
Iubenda	Consent management and cookie banner	European Union (Italy)	DPA in place; processing within EU
i18nexus	Translation key management	United States	No personal data of end users is processed

Clerk
Microsoft Azure
Sentry
Amplitude
Viberate
ShazamKit (Apple)
Iubenda
i18nexus

4. International transfers

Application data is stored on Microsoft Azure in the European Union (West Europe region) by default. Where a sub-processor is based outside the European Economic Area — notably Clerk, Amplitude, ShazamKit (Apple), and i18nexus, all in the United States — transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) approved under Decision (EU) 2021/914.

We have conducted a transfer impact assessment for transfers to the United States, taking into account the case law of the Court of Justice of the European Union (notably Schrems II) and the safeguards announced under the EU-US Data Privacy Framework. We rely on the SCCs as the primary transfer mechanism, supplemented where appropriate by additional technical measures (encryption in transit and at rest, minimisation of data shared with the recipient). If a future ruling invalidates the SCCs as a basis for transfers to a given sub-processor, we will migrate the relevant processing to an EU-based alternative or terminate the relationship.

5. Retention

We keep personal data only for as long as we need it for the purposes set out in §2 and §3, after which we delete or anonymise it. Account-bound data is generally kept for the lifetime of your account plus a short post-closure window so we can respond to legal claims and provide proof of consent.

Specific retention windows are set out in the data inventory table above. If you ask us to erase your account, we will delete or anonymise the data within thirty (30) days, except for items we are required by law to retain (such as consent records under GDPR Art. 7(1)).

6. Your rights

Under the GDPR, you have the following rights regarding your personal data. We will respond to a verified request within one (1) month, extendable by two further months for complex requests in accordance with Article 12(3) GDPR.

Access — request a copy of your personal data (Art. 15).
Rectification — correct inaccurate or incomplete data (Art. 16).
Erasure — "right to be forgotten" (Art. 17).
Restriction — limit how we process your data (Art. 18).
Portability — receive your data in a structured, machine-readable format (Art. 20).
Objection — object to processing based on legitimate interest (Art. 21).
Withdraw consent — for any optional processing, at any time, without affecting the lawfulness of prior processing (Art. 7(3)).
Lodge a complaint with your local data protection authority (in Spain, the AEPD: www.aepd.es).

https://app.mavelpoint.com/account/privacy

7. Breach notification

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and in any event within 72 hours of becoming aware of it, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk, we will also notify the affected users without undue delay, in accordance with Article 34 GDPR.

8. Minors

The Service is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If we become aware that a user is under 16, we will terminate the account and delete the associated personal data. If you believe that a child has provided us with personal data, please contact support@mavelpoint.com.

9. Automated and AI processing

We use automated tools to operate the Service, including machine translation of user-facing copy and automated classification of certain content to detect suspected violations of our Acceptable Use Policy. These tools support human decision-making. We do not take decisions producing legal effects concerning you or significantly affecting you in a similar way based solely on automated processing within the meaning of Article 22 GDPR. Material enforcement actions — account suspension, content removal, and appeals — are reviewed by a person.

10. Contact

MavelPoint is operated by IPS Projects, S.L., a company incorporated in Spain. For any privacy-related question — including to exercise the rights in §6 — write to support@mavelpoint.com. We will route your request to the person responsible for handling it.

We have not appointed a formal Data Protection Officer (Article 37 GDPR) or an EU representative (Article 27 GDPR) because the conditions that would require us to do so do not currently apply: we do not perform large-scale systematic monitoring of data subjects, we do not process special categories of data at scale, and we are established in the European Union. We will revisit this determination as the Service grows and update this section accordingly.