Privacy Policy

Effective date: 1 February 2026

1. About this policy

Capitalised terms in this policy have the same meaning as in the SettleBeat Terms and Conditions available at https://settlebeat.com/terms, unless otherwise defined in this policy or the context requires otherwise.

This Privacy Policy forms part of the SettleBeat Terms and explains how Tomas Palazzo (ABN 33 405 687 053), operator and data controller of SettleBeat, collects, uses, stores, and discloses personal information for the purposes of the SettleBeat Service.

By using SettleBeat, you agree to the collection and use of information in accordance with this policy.

Notwithstanding that SettleBeat is subject to the small business exemption under the Privacy Act 1988 (Cth), as amended by the Privacy and Other Legislation Amendment Act 2024 ('the Act'), SettleBeat is committed to protecting your personal information. We voluntarily endeavour to comply with the Australian Privacy Principles (APPs) as outlined in the Act.

2. Contact us

For all privacy-related enquiries, requests, or complaints, contact Tomas Palazzo (data controller) at tomas.palazzo@gmail.com.

3. What information we collect

3.1 Account information

When you create a SettleBeat account, we collect your:

  • Email address
  • Password (stored as a cryptographic hash — we never store your password in plain text)
  • First name and last name
  • Artist or stage name (optional)
  • Country of residence
  • Preferred currency

3.2 Billing profile information

If you set up a billing profile (required before sending invoices), we collect your:

  • Business address
  • Phone number (including country code)
  • Payment details — free-text field for bank account number, BSB, ABN, or other payment information you choose to provide
  • Tax registration status, tax label (e.g. GST), and tax rate
  • Invoice starting number

3.3 Gig information

When you create and manage gigs, we collect:

  • Gig title, date, start time, and end time
  • Venue name and address
  • Rate type and rate amount
  • Currency
  • Notes
  • Recurring schedule settings

3.4 Venue information

When you create saved venues, we collect:

  • Venue name and address
  • Contact name and email address of your venue contact person
  • Default rate and currency settings
  • Notes

3.5 Invoice information

When you create invoices, we collect and store:

  • Invoice number, status, and due date
  • A snapshot of your billing profile at the time of invoice creation
  • A snapshot of your gig details at the time of invoice creation
  • Contact name and email address of the invoice recipient
  • Calculated amounts (subtotal, tax, total)

3.6 Third-party contact information

When you add venue contacts or invoice recipients, you provide us with the personal information of third parties (such as a venue manager's name and email address). By providing this information, you confirm that you have a legitimate basis for doing so and that the collection and use is consistent with applicable privacy law.

We use this information only to generate and send invoices on your behalf. We do not use third-party contact information for any other purpose.

3.7 Location data

When you enter a venue address, we use Google's Places API to autocomplete the address and Google's Timezone API to resolve the correct timezone for that location. We send the geographic coordinates of venue addresses to Google's servers for timezone resolution. We do not collect or store your device's GPS location.

3.8 Technical and usage data

We and our infrastructure providers automatically collect certain technical data when you use the Service, including:

  • IP address
  • Browser type and version
  • Operating system
  • Pages visited and actions taken within the Service (via server logs)
  • Session tokens

3.9 Feedback

If you submit feedback via the in-app feedback button, we collect your name, email address, and the content of your message.

4. How we use your information

We use personal information for the following purposes:

  • To provide and operate the Service, including account creation, authentication, and session management
  • To enable you to create and manage gigs, venues, and invoices
  • To generate invoice PDFs containing your billing details and gig information
  • To send invoices and calendar invites by email on your behalf via our email provider
  • To resolve venue timezones using geographic coordinates
  • To protect the security of the Service, including rate limiting to prevent abuse
  • To respond to feedback and support requests
  • To maintain audit records of key account actions for security and dispute resolution purposes
  • To comply with our legal obligations

We do not use your personal information for advertising, marketing to third parties, profiling, or automated decision-making that has legal or significant effects on you.

5. Legal basis for processing

The APPs do not use the "legal basis" framework of the EU GDPR; for transparency, we nonetheless set out the grounds on which we collect and use personal information:

  • Contract performance — we require certain personal information to provide the Service you have registered to use
  • Legitimate interests — we process technical and usage data to maintain the security and performance of the Service
  • Legal obligations — we may retain certain records where required by law
  • Consent — where we ask for optional information (such as artist name), your provision of such information is voluntary and will not affect your ability to use the Service

6. Who we share your information with

We do not sell your personal information or share it with third parties for marketing purposes.

We share personal information with the following third-party service providers to operate the Service. Each provider acts as a data processor on our behalf.

Vercel Inc. (United States)

Our hosting and infrastructure provider. Vercel serves the SettleBeat web application and processes technical data including IP addresses and request logs as part of delivering the Service.

Supabase Inc. (United States — data hosted in Australia)

Our database and authentication provider. Supabase stores all account data, gig data, venue data, invoice data, and billing profile data. Your data is stored in the ap-southeast-2 (Sydney) region.

Resend Inc. (United States)

Our transactional email provider. Resend processes email addresses and email content when we send invoices, calendar invites, and feedback emails on your behalf.

Google LLC (United States)

  • Google Places API — processes address input you type into venue address fields to provide autocomplete suggestions. Your keystrokes and partial address input are sent to Google's servers.
  • Google Timezone API — processes venue geographic coordinates to resolve the correct IANA timezone for that location.

Upstash Inc. (United States)

Our rate limiting infrastructure provider. Upstash Redis stores user identifiers on a temporary, time-limited basis to prevent abuse.

6.1 Cross-border disclosure

All third-party providers listed above are companies based in the United States. Your account, gig, venue, invoice, and billing profile data is stored by Supabase in the Sydney (ap-southeast-2) region, but other categories of personal information are processed in the United States: technical data and request logs (Vercel), email addresses and email content (Resend), address input and venue coordinates (Google), and temporary user identifiers used for rate limiting (Upstash). By using SettleBeat, you acknowledge that this personal information may be transferred to and processed in the United States.

7. Cookies and tracking technologies

SettleBeat uses one cookie:

sb-[project-ref]-auth-token (Supabase session cookie):

  • Purpose: Maintains your authenticated session so you remain logged in
  • Type: Functional / strictly necessary
  • Duration: Expires after 7 days or when you log out
  • Set by: Supabase (via SettleBeat)
  • Third-party access: Supabase processes this token to verify your identity on each request

We do not use advertising cookies, tracking cookies, or analytics cookies. We do not use third-party tracking technologies for marketing or profiling purposes.

Because the only cookie we set is strictly necessary for the Service to function, we do not present a cookie consent banner. If we add any non-essential cookies in the future, we will update this policy and implement appropriate consent mechanisms before doing so.

8. Data retention

We retain your personal information for as long as your account is active or as needed to provide the Service.

  • Account data — retained until you delete your account
  • Gig, venue, and invoice data — retained until you delete your account. Soft-deleted records (where you delete a gig or venue) are retained in the database to preserve the integrity of linked records (e.g. invoices linked to deleted gigs), but are not visible to you
  • Invoice records — we recommend retaining invoice records for a minimum of 7 years (the ATO requires most business records to be kept for at least 5 years; we recommend 7 as a precaution). We do not automatically delete invoices
  • Audit log entries — retained for the duration of your account
  • Rate limiting data (Upstash) — transient, expires automatically within minutes to hours
  • Email delivery records — retained by Resend in accordance with their privacy policy

When you delete your account, we permanently delete all personal information associated with your account from our systems, subject to any retention obligations required by law.

9. Security

We take the security of your personal information seriously. The measures we have implemented include:

  • All data is encrypted in transit using TLS
  • All data stored in Supabase is encrypted at rest using AES-256
  • Passwords are stored as cryptographic hashes — never in plain text
  • Row-level security policies ensure each user can only access their own data
  • The Supabase service role key (which bypasses row-level security) is used only in server-side code and is never sent to the browser
  • Rate limiting is applied to email-sending endpoints to prevent abuse
  • HTTP security headers are configured to protect against common web vulnerabilities

No method of electronic transmission or storage is 100% secure. If we become aware of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.

10. Your rights

Under the Australian Privacy Principles, you have the right to:

Access

Request access to the personal information we hold about you. Most of your data is directly accessible within the SettleBeat application itself.

Correction

Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. You can update most information directly in the Settings section of the app.

Deletion

Request deletion of your account and all associated personal information. You can delete your account at any time from Settings > Danger Zone. This action is permanent and cannot be undone.

Complaint

Lodge a complaint with us if you believe we have mishandled your personal information. You can also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

To exercise any of these rights, contact us at tomas.palazzo@gmail.com. We will respond within 30 days.

11. Third-party links and services

SettleBeat may display links to third-party websites. We are not responsible for the privacy practices of third-party websites.

12. Children

SettleBeat is not intended for use by persons under the age of 18. We do not knowingly collect personal information from minors.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a prominent notice within the Service before the changes take effect.

Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

14. Complaints

If you raise a complaint with us pursuant to clause 2 of this policy and are not satisfied with our response, you may contact the Office of the Australian Information Commissioner:

  • OAIC: https://www.oaic.gov.au
  • Phone: 1300 363 992