Skip to content
Legal

Data Processing Agreement

For Operator customers who process third parties' personal data on the platform.

Last updated: April 22, 2026

1. Scope

This Data Processing Agreement ("DPA") applies to any PadVox customer (hereafter the "Operator") who uses the Service to process the personal data of third parties (hereafter the "Data Subjects"), including but not limited to: musicians, staff, contractors, crew, guests, or attendees. By using features that involve uploading or managing data about third parties (such as the Members, Lineup, Availability, Travel Documents, Notes, or Ticketing modules), the Operator accepts this DPA.

2. Roles of the Parties

With respect to Data Subjects' personal data uploaded by the Operator:

  • The Operator is the Data Controller. The Operator determines the purposes and means of processing.
  • PadVox (operated by Carlos Garcia) is the Data Processor. PadVox processes personal data solely on the Operator's documented instructions, which are expressed through the Operator's use of the Service.

3. Subject Matter and Duration

The subject matter of the processing is the provision of the PadVox Service. The duration is the period during which the Operator maintains an active account. Processing may continue for up to 30 days after account deletion to allow for recovery, after which data is permanently erased.

4. Nature and Purpose of Processing

PadVox processes personal data on the Operator's behalf to provide the Service's planning, coordination, and administrative features, including event management, lineup assignment, availability tracking, venue logistics, document storage, ticketing, and communication with Data Subjects invited to a project.

5. Categories of Data Subjects and Data

Data Subjects may include the Operator's musicians, staff, crew, contractors, guests, and ticket holders. Data categories processed by the Service include:

  • Identity data (name, email, phone, photograph, nationality).
  • Travel documents (passport or ID number, date of birth, home address, document expiry, uploaded scans).
  • Financial data (per-event fees).
  • Private operator notes (operator's own observations about the Data Subject).
  • Availability and unavailability periods, with optional reasons that may include health-related context.
  • Venue check-in timestamps and presence data.
  • Behavioural profiling metrics (confirmation rates, decline rates, attendance rates) computed by scheduled processes.

6. Operator's Obligations

The Operator warrants that:

  • A lawful basis exists for each processing activity (contract, consent, legal obligation, or legitimate interest).
  • Data Subjects have been informed of the processing in accordance with applicable transparency requirements (GDPR Art. 13-14 or local equivalents).
  • Any processing of special category data (e.g., health-related availability reasons) is supported by an appropriate lawful basis under GDPR Art. 9.
  • No personal data relating to children below the applicable age of consent (13 in the US, 14 in Spain, 16 in other EU jurisdictions unless lowered) will be uploaded without verifiable parental consent.
  • The Operator will respond to Data Subjects' rights requests (access, rectification, erasure, portability, objection). PadVox will support the Operator via the data export and deletion endpoints.

7. PadVox's Obligations as Processor

  • Process personal data only on the Operator's documented instructions, expressed through the Service's features and settings.
  • Ensure persons authorised to process data are under an appropriate obligation of confidentiality.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (encryption at rest and in transit via Google Cloud, role-based access control, Firestore security rules).
  • Engage subprocessors only as listed publicly at /subprocessors. Notify the Operator of any changes.
  • Transfer personal data outside the EEA only when subject to appropriate safeguards, including Google's Standard Contractual Clauses.
  • Assist the Operator in responding to Data Subjects' rights requests and, where applicable, in carrying out data protection impact assessments.
  • Notify the Operator without undue delay upon becoming aware of a personal data breach affecting the Operator's data.
  • Upon termination, return or delete the Operator's personal data in accordance with the Service's deletion flow, unless retention is required by law.

8. Subprocessors

PadVox engages subprocessors to deliver portions of the Service (hosting, authentication, email delivery, payment processing). A current list is maintained at /subprocessors. The Operator authorises these subprocessors. PadVox will provide at least 15 days' notice before onboarding any new subprocessor by updating that page. If the Operator objects in writing within 15 days, the Operator may terminate the Service without penalty for the remainder of the billing period.

9. International Transfers

Personal data is stored on Google Cloud infrastructure located in the United States. Transfers from the European Economic Area are governed by Google Cloud's Standard Contractual Clauses, available from Google's legal documentation. By accepting this DPA, the Operator acknowledges and authorises these transfers for the purpose of using the Service.

10. Audits and Cooperation

PadVox will make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to reasonable audits, including inspections, conducted by the Operator or an independent auditor mandated by the Operator, with reasonable prior written notice. Audits shall be conducted during normal business hours and in a manner that minimises disruption to the Service.

11. Liability

Liability between the parties is governed by the main Terms of Service at /terms. Nothing in this DPA limits or excludes either party's liability for damage caused to Data Subjects where such limitation is prohibited by applicable data protection law.

12. Acceptance

The Operator accepts this DPA either by ticking the "I accept the Data Processing Agreement" checkbox in Project Settings within the Service, or by continuing to use features that process Data Subjects' personal data after being notified of this document. The current version's acceptance (date and version string) is recorded on the Operator's project and can be reviewed at any time in Project Settings.

13. Changes to this DPA

We may update this DPA from time to time to reflect changes in law, regulatory guidance, or our Service. Material changes will be communicated by updating the "Last updated" date above and, where changes affect Operator obligations, by in-app notice. Continued use of the Service after a change constitutes acceptance of the updated DPA.

14. Contact

Questions or concerns about this DPA:

Carlos Garcia
Operating as PadVox
Email: privacy@padvox.com
Website: www.padvox.com

This document is provided for informational purposes. For legally binding advice consult a qualified attorney in your jurisdiction.