Privacy Policy
Last updated: 2026-05-05
Korbee is built for touring artists and the people who back them. This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and the rights you have over it. We follow the EU General Data Protection Regulation (GDPR) and equivalent UK and Swiss laws.
"Korbee", "we", "us" — the company that operates the service, acting as data controller for your account data. Contact: privacy@korbee.app.
1. What we collect
- Account data — name, email, hashed password, the OAuth provider you used (Google or Apple), profile photo.
- Workspace content — projects, tasks, contacts, contracts, invoices, transactions, files, messages, calendar entries, splitsheets, social posts. Anything you create in Korbee.
- Team data — collaborators you invite (their names, emails, roles).
- Booking inquiries — what promoters submit through your public booking link (their name, email, venue, date, message).
- Billing data — handled by Stripe. Korbee stores only your customer ID, plan, and invoice history. We never see your card number or CVC.
- Connected services — when you link Google Calendar, Meta, TikTok, or a streaming DSP, we store the OAuth access token (encrypted with AES-256-GCM) and the minimum data we need to power the integration you asked for.
- Push tokens — APNs, FCM, or Web Push tokens, so we can deliver the notifications you opt into.
- Technical logs — IP address, user agent, request paths, timestamps, error traces, anonymous usage events. Used for security, debugging, and rate limiting.
- Cookies — we set a single first-party session cookie (HTTP-only, Secure, SameSite=Lax) for authentication and a small theme preference. We do not use third-party advertising cookies on Korbee.
We do not collect special categories of data (health, religion, political views, sexual orientation, biometrics) and ask that you do not upload such data into your workspace.
2. Lawful bases (GDPR Art. 6)
- Contract — to provide the service to you (most processing falls here).
- Legitimate interests — security, anti-abuse, product improvement, debugging.
- Consent — push notifications, marketing emails, optional integrations. Withdraw at any time.
- Legal obligation — invoices, tax records, responding to lawful requests from authorities.
3. Where your data lives
- Database: Neon Postgres, region Frankfurt (EU).
- File uploads: Vercel Blob (EU primary).
- Application hosting: Vercel (EU regions primarily; some edge functions are global).
- Transactional email: Resend.
- Payments: Stripe.
- AI features: Anthropic (zero-retention API; no model training on your inputs).
- Push delivery: Apple APNs, Google FCM.
- Voice rooms: LiveKit Cloud (only when you join a room; sessions are not recorded).
Where data leaves the EEA, transfers rely on the European Commission's Standard Contractual Clauses or an applicable adequacy decision.
4. How long we keep it
- Active accounts — for as long as your account is open.
- Closed accounts — workspace content deleted within 30 days of account closure. Encrypted backups rotate out within 60 days after that.
- Invoices & tax records — kept up to 10 years to comply with Romanian / EU accounting law.
- Security logs — up to 90 days, longer when an ongoing incident requires it.
- E-signed contracts — kept for the lifetime of the workspace plus the retention period above so you can prove authenticity later.
5. Who we share data with
We share data only with the processors above and only to the minimum extent needed to run the service. We do not sell personal data, ever. We may disclose data when legally compelled (court order, regulatory request) — we will inform you unless prohibited by law.
Within your workspace, the team members you invite see the projects, contracts, and content you grant them access to. Role permissions (manager, accountant, photographer, etc.) limit what each role can see — review them on the team page.
6. AI processing
AI-powered features (template suggestions, draft replies, stats narratives) send the relevant text to Anthropic via API. Anthropic contractually does not retain the data and does not train models on it. You can disable AI features in Settings.
7. Your rights (GDPR / UK GDPR)
You have the right to:
- Access a copy of your personal data.
- Correct inaccurate data.
- Erase data ("right to be forgotten") subject to legal retention obligations.
- Restrict or object to processing.
- Portability — receive your workspace content as CSV / JSON / PDF. Use the in-app export tools or email us.
- Withdraw consent at any time.
- Lodge a complaint with the supervisory authority where you live or work. In Romania this is ANSPDCP (www.dataprotection.ro).
Send requests to privacy@korbee.app. We respond within 30 days; complex requests may extend by up to 60 days with notice.
8. Security
- TLS 1.2+ for everything in transit.
- Passwords hashed with Argon2id; OAuth tokens encrypted at rest with AES-256-GCM (per-account key derivation).
- Two-factor authentication available on every account.
- Principle of least privilege for staff access; admin actions audit-logged.
- Daily encrypted backups; quarterly disaster-recovery drills.
Report a vulnerability: security@korbee.app.
9. Cookies & similar tech
Korbee uses a small set of strictly necessary cookies for authentication, theme preference, and CSRF protection. We do not use ad tracking or third-party analytics that follow you across sites. We may add a privacy-respecting product analytics tool (such as Plausible or PostHog with EU hosting) — if so, this page will be updated and the tool will only run after you give consent where required by law.
10. Children
Korbee is not intended for people under 16. If you become aware of a minor using Korbee, email privacy@korbee.app and we will close the account and delete the data.
11. Marketing communications
Transactional emails (billing, security alerts, invitation confirmations) are part of the service and you can't opt out while you have an active account. Product update emails are opt-in via Settings — unsubscribe any time.
12. Public profiles & booking pages
Public artist profiles (/a/<slug>) and booking pages (/b/<slug>) are indexable by search engines unless you mark them private. Anything you publish there is, by design, public.
13. Changes to this policy
We may update this Privacy Policy as we add features or change processors. For material changes, we will email active accounts at least 30 days before they take effect.
14. Contact
Privacy questions or requests: privacy@korbee.app
Security disclosures: security@korbee.app
Anything else: hello@korbee.app