4stage
Get early access

Privacy Policy

Last updated: 2026-05-20

Who we are

4stage is operated by VijfDertien BV, registered in the Netherlands (KvK 88208044), with registered office at Bouwstraat 21-5, 7483PE Haaksbergen, the Netherlands. You can reach us at hello@4stage.app. We are the data controller for personal data processed via the 4stage service.

What we collect

  • Account data: name, email address, and authentication identifiers provided via Auth0 (our identity provider).
  • Band content: songs, setlists, gigs, rehearsals, members, equipment, and any audio references or notes you create.
  • Usage analytics: aggregated page views and event counts via Plausible. Plausible is cookieless and does not collect personal identifiers.
  • Diagnostics: error reports via Sentry to help us fix bugs. Reports may include technical context such as browser version and the URL of the page that errored.
  • Billing data (when you subscribe): processed by Stripe; we do not store card details on our servers.

Why we process it

  • Provide the service — accounts, bands, performance features. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
  • Service emails (transactional) — welcome confirmations, password resets, billing notifications. Sent via Brevo. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
  • Diagnostics and service security — error monitoring via Sentry and related operational telemetry to fix bugs, prevent abuse, and keep the service reliable. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
  • Improve the service — aggregated usage analytics. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Plausible's cookieless model makes the impact on your privacy minimal.
  • Customer support — when you contact us. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
  • Newsletters and waitlists — only if you sign up. Legal basis: consent (Art. 6(1)(a) GDPR). You can unsubscribe at any time. If you sign up to the Founding Band waitlist, you also receive general 4stage updates — you can unsubscribe from either or both at any time.
  • Public listing of Founding Bands — separate opt-in consent (NOT bundled with newsletter or community-space consent). Public data is limited to band name, optional logo, and optional outbound link to your site. Legal basis: consent (Art. 6(1)(a) GDPR). See "Public listing of Founding Bands" further down for revocation rights.
  • Billing — when you subscribe to a paid tier. Legal basis: performance of contract (Art. 6(1)(b) GDPR).

Tracking, advertising, and data linking

We do not engage in cross-app or cross-website tracking for advertising purposes. We do not sell your data. We do not share your data with third parties for marketing.

Data linked to your account:

  • Identity & contact — name, email, authentication identifiers via Auth0.
  • Service content — songs, setlists, gigs, rehearsals, members, equipment, uploaded audio.
  • Financial data (via Stripe) — billing identifiers; we do not store card details on our servers.
  • Support correspondence — emails you send to us and our replies.

Data not linked to your identity:

  • Aggregated analytics (via Plausible) — cookieless, no personal identifiers, page-level counts only.
  • Diagnostic / crash reports (via Sentry) — keyed on session and device, not on your user account; technical context only (browser version, page URL).

Where your data lives

Your band content (songs, setlists, gigs, rehearsals, members, equipment, uploaded audio) is stored on AWS infrastructure in the EU (eu-west-1, Ireland) and is not transferred outside the EU.

Some of our processors operate globally and may process limited personal data outside the EU — typically authentication metadata via Auth0 (Okta Inc.) and diagnostic data via Sentry (Functional Software Inc.), both US-based. When personal data is transferred outside the EU we rely on EU Standard Contractual Clauses (SCCs) and, where the recipient is certified, the EU-US Data Privacy Framework.

Processors we use

  • Auth0 (Okta Inc.) — authentication and session management.
  • AWS (Amazon Web Services EMEA SARL) — application hosting, object/file storage, database.
  • Plausible (Plausible Insights OÜ, EU) — cookieless analytics.
  • Sentry (Functional Software Inc.) — error monitoring.
  • Brevo (Brevo GmbH) — transactional and newsletter email (when you sign up).
  • Stripe (Stripe Payments Europe Ltd.) — payment processing (when you subscribe).

A current list of sub-processors is available on request.

How long we keep it

Account and band content are retained for as long as your account is active. When you delete your account we will delete the associated content within a reasonable period (typically within 30 days), except where retention is required by law — for example, fiscal documents such as invoices are retained for the period mandated by Dutch tax law (currently 7 years). Encrypted operational backups are rotated on a regular cadence (typically within 30 days).

Newsletter and waitlist contacts who never create an account are retained for as long as consent is active and, in any case, no longer than 2 years from the last opened email or link click. After that we remove the address from our active lists. You can unsubscribe at any time via the link in every email or by emailing hello@4stage.app.

Your rights

Under the GDPR you have the right to access your data, request correction or erasure, object to processing, request restriction, and receive your data in a portable format. To exercise any of these rights, email hello@4stage.app. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or the supervisory authority in your country of residence.

Public listing of Founding Bands

The Founding Bands public listing on the marketing site is a separate processing activity with its own opt-in consent, captured independently from newsletter consent and community consent. Public data displayed is limited to: band name, optional uploaded logo, and optional outbound link to your site.

Revoking listing consent

You can revoke listing consent at any time from your account settings or by emailing hello@4stage.app. We act on revocation requests within 5 business days. On revocation we remove your band from the public listing and hard-delete any uploaded logo (originals and CDN-derived sizes). A timestamped audit record of the revocation is retained for accountability. Encrypted operational backups are rotated within 30 days, after which all copies are gone.

Listing during subscription lapse

Founding Band status is tied to an active Plus subscription. If payment fails, you have a 7-day grace period during which the listing remains visible. After 7 days of unresolved payment failure, or immediately on explicit cancellation, we remove the listing and notify you by email. If you resubscribe later, the listing is not automatically restored — consent is event-based and we will ask you to opt in again.

Editorial discretion

We reserve the right to remove a listing at any time at our editorial discretion (for example, content that conflicts with our community guidelines or applicable law). We will notify you if we do so.

Cookies

We use only strictly necessary cookies (authentication, session). Plausible analytics is cookieless. We do not use marketing or tracking cookies, which is why you do not see a consent banner.

Children

The service is not directed to children under 16. If you believe a child has provided us with personal data, contact hello@4stage.app and we will delete it.

Changes to this policy

We will notify registered users by email of material changes at least 30 days before they take effect. The current version is dated above.