Privacy Policy
Last updated: 2026-05-12 (DRAFT — pending counsel review)
Effective date: [COUNSEL TO CONFIRM: insert publication date]
Applies to: iaminit.live and all Frontrow applications, products, and services
Draft notice. This page is the Week-2 counsel-drafted rewrite. Highlighted yellow spans mark spots where outside counsel has not yet confirmed the operative text. Do not treat this page as production policy until counsel signs off and the highlighted spans are replaced or struck.
Who we are
Frontrow is a live concert platform operating at iaminit.live. We stream concerts across three ticket tiers — Standard (2D, $8), VR 180° ($25), and Front Row (10-seat group room, $75) — and facilitate direct payments to artists through Stripe Connect. We are organized under the laws of the State of California. [COUNSEL TO CONFIRM: legal entity name and registered address]
Our data controller contact is: privacy@iaminit.live
Postal address: [COUNSEL TO CONFIRM: insert principal place of business; required under Cal. Civ. Code § 1798.130(a)(1)(A) as one of two or more designated methods for verifiable consumer requests]
[COUNSEL TO CONFIRM: GDPR Art. 27 EU representative — if required at current user volume, insert representative name, address, and email here before publication. Recommended vendors: VeraSafe (https://verasafe.com) or GDPR-Rep.eu. If the Art. 27(2) exemption applies, state that here with the basis for the exemption.]
§ 1. What we collect
§ 1.1 Account and signup data
When you create a Frontrow account, we collect:
- Your email address (used for magic-link authentication, transactional communications, and account recovery);
- A display name you choose (which may be your real name or a pseudonym);
- Your country or region (for tax and rights-territory purposes); and
- The timestamp and IP address of your account creation (for fraud detection and security logging).
We do not collect a password. Authentication is handled by a magic link sent to your email address.
Legal basis (GDPR Art. 6): Performance of a contract — you cannot create an account without these data points (GDPR Art. 6(1)(b)). IP-address collection at signup is also justified by our legitimate interests in fraud prevention (GDPR Art. 6(1)(f)).
CCPA category: Identifiers (Cal. Civ. Code § 1798.140(v)(1)(A)); geolocation data (§ 1798.140(v)(1)(G)) [COUNSEL TO CONFIRM: whether country-level data qualifies as geolocation under CPRA's definition]
§ 1.2 Payment data collected via Stripe
Frontrow uses Stripe, Inc. and Stripe Connect as its payment processor. We do not collect, store, or have access to your full payment-card number, card verification code, or bank-account number. Stripe collects and processes those data directly under Stripe's own privacy policy (https://stripe.com/privacy).
Data we receive from Stripe about your transactions:
- A Stripe customer ID (a pseudonymous identifier Stripe assigns you);
- A record of each ticket purchase: concert ID, ticket tier, gross amount, Stripe fee amount, and net amount disbursed;
- A record of each tip transaction: amount, receiving artist, and timestamp;
- Refund records: refund trigger (automated no-show cron or manual), refund amount, refund timestamp, and Stripe refund ID;
- Payout records to artists (for artist accounts only): Stripe Connected Account ID, W-9/W-8BEN tax-form status, and payout schedule.
For tax-compliance purposes under 26 U.S.C. § 6050W and California Revenue and Taxation Code § 18631, we retain records sufficient to satisfy IRS Form 1099-K reporting obligations for artists who receive payments through the platform.
Legal basis (GDPR Art. 6): Performance of a contract (Art. 6(1)(b)); compliance with a legal obligation (Art. 6(1)(c)) for tax records.
CCPA category: Financial information (Cal. Civ. Code § 1798.140(v)(1)(D)).
§ 1.3 Spotify OAuth-derived data
When you choose to connect your Spotify account, Frontrow receives data through Spotify's OAuth 2.0 authorization flow. The specific data we collect, the scopes we request, how we use and retain that data, and how you can disconnect are described in full in § 1.6 (Spotify Integration) below, which incorporates the data practices set out in the standalone PRIVACY_POLICY_SPOTIFY_OAUTH_UPDATE.md (Frontrow Week 1 legal deliverable, on file with counsel).
Summary: we request only user-top-read and user-library-read. We do not share your Spotify identity with artists in identifiable form. We retain Spotify-derived data for 24 months from your most recent sync, or 30 days after you disconnect, whichever comes first.
§ 1.4 LiveKit room-state and biometric position data
Frontrow uses LiveKit, Inc. as its real-time communications infrastructure for Front Row group rooms and for VR-tier audio/video streams.
Data we receive or generate through LiveKit:
- Room participation records: which Frontrow account joined which room, at what timestamp, and for how long;
- Ephemeral signaling data: ICE candidates, DTLS handshake metadata, and WebRTC connection quality metrics used to route your media stream — these are transient and are not stored beyond the session except as aggregated quality telemetry; and
- Spatial position data in Front Row group rooms: your virtual "seat" position within the ten-seat room, represented as a relative coordinate used to arrange participant audio levels and on-screen positioning. This is a room-state construct, not a physical geolocation.
We do not collect, generate, or process:
- Biometric identifiers or biometric information within the meaning of 740 ILCS 14/10 (Illinois BIPA), including face geometry templates, faceprints, or facial-recognition templates;
- Physical GPS or precise geolocation data from the LiveKit session; or
- Any audio or video of Front Row participants beyond what is transmitted in real time for the performance and what is captured for Spatial Photo functionality under § 7.3 of the Artist Agreement (artist-facing consent) and, when P2 features launch, under the UGC Consent framework (user-facing consent, separate document).
[COUNSEL TO CONFIRM: If any future LiveKit or overlay feature generates a face geometry template or applies face-recognition to participant video, a separate BIPA written-release regime is required under 740 ILCS 14/15(b) before any such collection begins. The UGC Consent Stub (UGC_CONSENT_STUB_FOR_P2.md) documents the framework for that eventuality.]
Legal basis (GDPR Art. 6): Performance of a contract (Art. 6(1)(b)) — the room-state data is necessary to deliver the Front Row experience you purchased.
CCPA category: Internet or other electronic network activity information (Cal. Civ. Code § 1798.140(v)(1)(F)).
Retention: Ephemeral LiveKit signaling data is not retained beyond 90 days even in backup systems. Participation records (which account, which room, timestamp, duration) are retained for the period described in § 5.
§ 1.5 Product telemetry
We collect product-usage telemetry to understand how the platform is used and to improve it. This includes:
- Page views and navigation paths within iaminit.live;
- Ticket-purchase funnel events (page load, tier selection, checkout initiation, purchase completion, abandonment);
- Video stream quality metrics (buffering rate, bitrate switches, watch duration, dropout events);
- Feature-interaction events (Spotify connect clicks, tip-slider interactions, wallet-add clicks); and
- Error and crash reports, including browser/device metadata (browser version, OS version, viewport size) but not full device identifiers unless required for debugging a specific issue.
We do not use third-party behavioral advertising trackers (e.g., Meta Pixel, Google Ads conversion tags) on the platform. [COUNSEL TO CONFIRM: this matches the actual tag plan at publication date]
Legal basis (GDPR Art. 6): Legitimate interests (Art. 6(1)(f)) — improving the reliability and performance of a paid service in which users have a direct stake. [COUNSEL TO CONFIRM: whether a Legitimate Interests Assessment (LIA) has been documented for this basis]
CCPA category: Internet or other electronic network activity information (Cal. Civ. Code § 1798.140(v)(1)(F)).
§ 1.6 Spotify Integration (full operative terms)
What we collect when you connect Spotify. When you choose to connect your Spotify account to Frontrow, you authorize Spotify to share the following data with us through Spotify's OAuth 2.0 authorization flow:
- Your top artists (the artists you have listened to most over Spotify's short-, medium-, and long-term reporting windows);
- Your top tracks (the tracks you have listened to most over the same reporting windows); and
- Your saved library (the artists, albums, and tracks you have explicitly saved to your Spotify library).
We request only the OAuth scopes user-top-read and user-library-read. We do not request, collect, or receive: your playlists; your full listening history beyond Spotify's aggregated top-artists and top-tracks endpoints; your currently-playing track or real-time playback state; your Spotify followers, friends, or social graph; your Spotify email address, payment information, or subscription tier; the ability to modify your Spotify account, queue, or library; or any data about other Spotify users.
Lawful basis (GDPR Arts. 6 and 13). We process Spotify-derived data on the basis of your consent under GDPR Art. 6(1)(a). Consent is given by clicking "Connect Spotify" on the Spotify-hosted authorization screen. You may withdraw consent at any time; withdrawal does not affect the lawfulness of prior processing.
CCPA / CPRA Notice at Collection. Categories collected: internet or other electronic network activity information (Cal. Civ. Code § 1798.140(v)(1)(F)) and inferences drawn therefrom (§ 1798.140(v)(1)(K)). We do not sell or share (as defined in § 1798.140(ad), (ah)) Spotify-derived personal information.
How we use Spotify-derived data. We use it only to: (1) compute aggregate matches between your Spotify listening profile and the Frontrow artist catalog to surface concert recommendations; (2) measure, in aggregate and de-identified form, which artists in our catalog are likely to attract Spotify-connected users; and (3) provide a per-artist "you've listened to this artist on Spotify" indicator on artist detail pages. We do not share your Spotify identity with any artist in identifiable form. When we report aggregate insights to artists (e.g., fan count by Spotify match), we apply a k-anonymity threshold of ten or more users.
Retention. We retain Spotify-derived data for 24 months from your most recent sync. If you disconnect Spotify, we delete Spotify-derived data within 30 days. Backups are overwritten on our 35-day rotation schedule (§ 6).
How to disconnect. Navigate to Account Settings → Connected Apps → Spotify → Disconnect within Frontrow. You may also revoke Frontrow's authorization at https://www.spotify.com/account/apps, which causes Spotify to immediately invalidate our tokens.
§ 2. How we use your information
| Processing activity | Data used | Legal basis (GDPR Art. 6) | CCPA purpose |
|---|---|---|---|
| Delivering concerts and managing your tickets | Account data, payment data, room-state data | Art. 6(1)(b) — contract performance | Service delivery |
| Processing refunds under the no-show SLA | Payment data, Stripe webhook data, concert schedule data | Art. 6(1)(b) — contract performance | Refund processing |
| Exporting fan lists to artists (with notice) | Account display name, purchase record for that artist's shows | Art. 6(1)(b) — contract performance; Art. 6(1)(f) — artist-side legitimate interest in knowing their audience | Artist reporting (see § 2.1) |
| Fraud detection and account security | IP address at signup/login, device telemetry, payment anomaly signals | Art. 6(1)(f) — legitimate interests | Fraud prevention |
| Product analytics and improvement | Telemetry, funnel events, stream-quality metrics | Art. 6(1)(f) — legitimate interests [COUNSEL TO CONFIRM: LIA] | Product improvement |
| Tax reporting and financial compliance | Payment records, artist payout records, W-9/W-8BEN status | Art. 6(1)(c) — legal obligation (26 U.S.C. § 6050W; Cal. R&T Code § 18631) | Legal compliance |
| Sending transactional emails | Email address | Art. 6(1)(b) — contract performance | Account and order communications |
| Responding to DMCA takedown notices | Account data, content identifiers | Art. 6(1)(c) — legal obligation (17 U.S.C. § 512) | DMCA compliance |
| Spotify concert recommendations (if connected) | Spotify-derived data | Art. 6(1)(a) — consent | Personalization |
§ 2.1 Fan-list export to artists
When you purchase a ticket to an artist's show, your Frontrow display name and email address become part of that artist's fan record on our platform. Artists may export a list of their fans' display names and email addresses for direct marketing under the following conditions:
- Frontrow displays a clear notice on the ticket-purchase confirmation page that your display name and email will be accessible to the performing artist for direct-marketing communications;
- The artist must agree to Frontrow's Artist Agreement, which prohibits sharing exported fan data with third parties and requires compliance with CAN-SPAM (15 U.S.C. § 7701), CASL (where applicable), and GDPR (where applicable);
- You may opt out of artist direct-marketing communications at any time using the unsubscribe mechanism in any marketing email you receive from an artist, or by contacting privacy@iaminit.live.
[COUNSEL TO CONFIRM: whether this fan-list export practice requires a separate GDPR Art. 13 notice at the point of collection (i.e., at checkout), distinct from this policy. The notice-at-collection requirement under Cal. Civ. Code § 1798.100(a) independently requires disclosure at checkout.]
§ 2.2 What we do not do
We do not sell your personal information. We do not share your personal information with third parties for their own direct-marketing purposes. We do not use your personal information to train any machine-learning model offered to third parties. We do not engage in cross-context behavioral advertising as defined in Cal. Civ. Code § 1798.140(k).
§ 3. How we share your information
§ 3.1 When sharing is necessary for the service
We share your personal information with third parties only in the following circumstances:
- Payment processing. We share transaction data with Stripe, Inc. to process payments and disburse artist payouts. Stripe acts as a separate controller for its own payment-infrastructure purposes and as our processor for disbursement processing.
- Concert delivery. We share your room-state and session data with LiveKit, Inc. to deliver real-time audio/video in Front Row group rooms. LiveKit acts as our processor for this purpose.
- Video streaming infrastructure. We use Amazon Web Services, Inc. ("AWS"), specifically AWS Interactive Video Service ("AWS IVS"), to ingest and deliver the Standard and VR-tier HLS video streams. AWS IVS processes stream metadata that may include viewer session identifiers.
- Hosting and database. We use Supabase, Inc. for our production database and authentication infrastructure. Supabase processes all personal data stored in our Postgres database as our processor.
- Fan-list export to artists. As described in § 2.1, your display name and email may be accessible to the artist whose shows you have attended, under the conditions stated there.
- Legal compliance. We will disclose personal information when required by law, subpoena, or court order, or when we have a good-faith belief that disclosure is necessary to prevent fraud, protect our rights, or protect the safety of our users.
- Business transfers. If Frontrow is acquired or merges with another entity, personal information may be transferred as part of that transaction, subject to the acquiring entity's commitment to honor this policy or to provide notice and a choice to you before any material change in use.
§ 3.2 Our subprocessors
The following subprocessors process personal data on our behalf under written data processing agreements (DPAs). [COUNSEL TO CONFIRM: that an executed DPA exists for each before publication; LiveKit's DPA is non-standard and must be specifically requested]
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing; artist payouts; tax-form collection | Payment data, payout data, tax IDs | United States |
| LiveKit, Inc. | Real-time audio/video for Front Row group rooms | Room-state data, session identifiers, media streams (in transit only) | United States |
| Amazon Web Services, Inc. (AWS IVS) | HLS video stream delivery for Standard and VR tiers | Stream session identifiers, viewer telemetry | United States [COUNSEL TO CONFIRM: AWS IVS regions used] |
| Supabase, Inc. | Production database, authentication | All personal data stored in our database | United States |
| Vercel, Inc. | Frontend hosting and edge-function execution | Request metadata, edge logs | United States / global edge [COUNSEL TO CONFIRM: SCCs or adequacy basis for non-US edge nodes if EU users are served] |
We do not currently use any subprocessor for advertising, marketing analytics, or behavioral profiling. [COUNSEL TO CONFIRM: this remains accurate at publication]
§ 4. Your rights
§ 4.1 Rights under GDPR (EU / UK residents)
If you are located in the European Economic Area or the United Kingdom, the following rights apply to your personal data under GDPR Arts. 15–22 (and UK GDPR equivalents):
- Art. 15 — Right of access. You may request confirmation of whether we process your personal data and a copy of that data, together with the information specified in Art. 15(1).
- Art. 16 — Right to rectification. You may request correction of inaccurate personal data we hold about you.
- Art. 17 — Right to erasure ("right to be forgotten"). You may request deletion of your personal data where: (a) it is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and no other legal basis applies; (c) you object under Art. 21 and no overriding legitimate grounds exist; (d) the processing is unlawful; or (e) deletion is required by EU or Member State law. The right to erasure does not apply where retention is required for compliance with a legal obligation (e.g., 7-year tax record retention) or for the establishment, exercise, or defense of legal claims.
- Art. 18 — Right to restriction. You may request that we restrict processing of your personal data in the circumstances described in Art. 18(1).
- Art. 19 — Notification obligation. We will notify relevant recipients of any rectification, erasure, or restriction under Arts. 16–18.
- Art. 20 — Right to data portability. For data you provided to us, processed on the basis of consent or contract performance, you may request a machine-readable copy (JSON or CSV format).
- Art. 21 — Right to object. You may object to processing based on our legitimate interests (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Art. 22 — Automated decision-making. We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects. [COUNSEL TO CONFIRM: whether the Spotify-match recommendation algorithm constitutes profiling under Art. 4(4) that requires Art. 22 disclosure]
To exercise any of these rights, contact us at privacy@iaminit.live. We will respond within 30 days (extendable by a further two months for complex requests under Art. 12(3)) and will not charge a fee for a first request in any twelve-month period.
You have the right to lodge a complaint with a supervisory authority. If you are in the EU, the lead supervisory authority is determined by our establishment; if we have no EU establishment, you may lodge a complaint with the supervisory authority in your Member State of habitual residence. If you are in the UK, you may complain to the Information Commissioner's Office (ico.org.uk).
§ 4.2 Rights under CCPA / CPRA (California residents)
If you are a California resident, the following rights apply under Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act (CPRA, Prop. 24, 2020):
- § 1798.100 — Right to know. You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, our business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
- § 1798.105 — Right to delete. You may request deletion of personal information we have collected about you, subject to exceptions (including legal-compliance retention obligations).
- § 1798.106 — Right to correct. You may request correction of inaccurate personal information.
- § 1798.110 — Right to opt out of sale or sharing. We do not sell or share (as defined in § 1798.140(ad), (ah)) your personal information. No opt-out is required, but you may contact us to confirm.
- § 1798.121 — Right to limit use of sensitive personal information. To the extent we process any "sensitive personal information" as defined in § 1798.140(ae) [COUNSEL TO CONFIRM: whether any data category meets this definition], you may request that we limit such use to the purposes specified in § 1798.121(a).
- § 1798.125 — Right to non-discrimination. We will not discriminate against you for exercising any CCPA / CPRA right.
We will verify your identity before processing a CCPA / CPRA request. We may ask you to confirm your email address and, for deletion requests, may require a second confirmation. We will respond within 45 days, extendable by a further 45 days when reasonably necessary.
Authorized agents may submit requests on your behalf; we require a signed written authorization or power of attorney and will verify the agent's authority before processing.
§ 4.3 Right to disconnect Spotify
You may disconnect your Spotify integration at any time as described in § 1.6 above. Disconnecting Spotify withdraws your consent for processing of Spotify-derived data under GDPR Art. 6(1)(a) and triggers deletion of Spotify-derived data within 30 days, consistent with our CCPA right-to-delete obligation for this data category.
§ 4.4 Other applicable rights
Residents of other jurisdictions with data-protection laws (e.g., Virginia CDPA, Colorado CPA, Texas TDPSA) have rights substantially similar to those described in §§ 4.1–4.2. We apply a uniform standard based on the GDPR / CCPA framework for all users regardless of jurisdiction. Contact privacy@iaminit.live to exercise any privacy right.
§ 5. How long we keep your information
| Data category | Retention period | Basis |
|---|---|---|
| Account data (email, display name, country) | Duration of account, plus 90 days after deletion request is fulfilled | Contract; CCPA right-to-delete operational window |
| Spotify-derived data | 24 months from most recent sync; 30 days after disconnect | Consent withdrawal; PRIVACY_POLICY_SPOTIFY_OAUTH_UPDATE.md |
| Stripe payment transaction records | 7 years from transaction date | 26 U.S.C. § 6050W; IRS record-keeping requirements; Cal. R&T Code § 18631 |
| Refund records | 7 years from refund date | Same as payment transaction records |
| Artist payout and W-9/W-8BEN tax records | 7 years from payout year end | 26 U.S.C. § 6050W; IRS Form 1099-K obligations |
| LiveKit ephemeral signaling data | Maximum 90 days, including in backup systems | No ongoing operational need beyond session |
| Room participation records (account ID, room ID, timestamp, duration) | 24 months | Fraud detection; chargeback dispute window |
| Product telemetry (page views, funnel events, stream quality) | 24 months | Legitimate interests in product analytics |
| IP address at account creation | 90 days | Fraud detection; thereafter aggregated or deleted |
| Backup copies (all categories) | 35-day rotation — all backups are overwritten within 35 days of the production record's retention-expiry date | Operational security |
| DMCA takedown notice records | 5 years from receipt | 17 U.S.C. § 512(c)(3); BMG Rights Mgmt. (US) LLC v. Cox Commc'ns, Inc., 881 F.3d 293 (4th Cir. 2018) (records required to demonstrate repeat-infringer policy) |
[COUNSEL TO CONFIRM: whether the 24-month analytics retention period requires a separate legitimate interests balancing under GDPR, and whether any EU data protection authority guidance on analytics retention is more restrictive]
§ 6. Security
We implement the following technical and organizational measures to protect your personal information:
- Encryption at rest. OAuth tokens (Spotify access and refresh tokens) are encrypted at rest using AES-256-GCM via Supabase Vault before storage in our production database. Other personal data stored in our Supabase Postgres database is encrypted at rest using AES-256 at the infrastructure level.
- Encryption in transit. All data transmitted between your browser or application and our servers is protected by TLS (Transport Layer Security) version 1.2 or higher. LiveKit media streams are protected by DTLS-SRTP.
- Access controls. Database access is governed by row-level security (RLS) policies enforced at the Postgres layer. Application-level access is scoped to the minimum data necessary for each function; service-role access is limited to specific edge functions and is not exposed to client-side code.
- Backup rotation. Database backups are retained on a 35-day rolling rotation. Backups are encrypted using the same AES-256 standard applied to production data. After 35 days, backup data is permanently overwritten.
- Incident response. We maintain an incident response procedure. If we discover a breach that triggers notification obligations under Cal. Civ. Code § 1798.82 or GDPR Art. 33, we will notify the relevant supervisory authority within 72 hours of discovery (GDPR Art. 33) and will notify affected California residents in the most expedient time possible consistent with § 1798.82.
No security system is impenetrable. We encourage you to use a strong, unique email address and to review which apps have access to your connected accounts periodically.
§ 7. Contact
To exercise privacy rights, report a privacy concern, or ask questions about this policy:
Email: privacy@iaminit.live
Postal address: [COUNSEL TO CONFIRM: insert legal entity name and principal place of business. Cal. Civ. Code § 1798.130(a)(1)(A) requires at least two designated methods; email plus postal address satisfies this requirement.]
For DMCA copyright notices, use the contact information at iaminit.live/legal (separate DMCA Designated Agent contact).
[COUNSEL TO CONFIRM: whether a Data Protection Officer (DPO) must be designated under GDPR Art. 37 given the scale of systematic monitoring (Art. 37(1)(b)) or the nature of data processed. Current assessment: DPO likely not required at pre-launch scale, but document the analysis.]
§ 8. Children
[COUNSEL TO CONFIRM: COPPA applicability] Frontrow is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without verifiable parental consent as required by COPPA (15 U.S.C. § 6501; 16 CFR Part 312), we will delete it promptly. If you are a parent or guardian and believe your child under 13 has provided us with personal information, contact privacy@iaminit.live.
For users in the European Economic Area: the minimum age for consent to data processing is 16 in most EU member states (GDPR Art. 8; [COUNSEL TO CONFIRM: the minimum age in each jurisdiction where we have material user volume, as some member states have set 13 as the minimum under Art. 8(1)]). Users under 16 in the EEA may not create Frontrow accounts without verifiable parental consent.
§ 9. Changes to this policy
We will post any material changes to this policy at iaminit.live/legal/privacy with a revised "Effective date" at the top. If we make a material change to how we use your personal information, we will notify you by email (to the address on your account) at least 30 days before the change takes effect, and we will seek fresh consent where required by applicable law (e.g., for any new processing of Spotify-derived data for which consent is the legal basis).
Your continued use of the platform after the effective date of a material change constitutes acceptance of the revised policy, except where consent is required — in which case continued use without affirmative re-consent does not constitute consent.