Privacy Policy

Effective date: 6 April 2026

1. About this policy

This Privacy Policy explains how Tomas Palazzo, operating SettleBeat ("SettleBeat", "we", "us", "our"), collects, uses, stores, and discloses personal information when you use the SettleBeat web application at settlebeat.com (the "Service").

SettleBeat is a gig management and invoicing tool for DJs and performing artists. It helps you track gigs, generate invoices, and manage payments. We do not process payments ourselves.

We are committed to handling your personal information in accordance with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth), as amended by the Privacy and Other Legislation Amendment Act 2024. Although the small business exemption in the Privacy Act (which covers businesses with an annual turnover of $3 million or less) may apply to us, we voluntarily comply with the APPs in full given the financial and business data we handle.

By using SettleBeat, you agree to the collection and use of information in accordance with this policy.

2. Who we are

  • Data controller: Tomas Palazzo
  • Service: SettleBeat (settlebeat.com)
  • Contact: tomas.palazzo@gmail.com

For all privacy-related enquiries, requests, or complaints, contact us at the email above.

3. What information we collect

3.1 Account information

When you create a SettleBeat account, we collect:

  • Email address
  • Password (stored as a cryptographic hash — we never store your password in plain text)
  • First name and last name
  • Artist or stage name (optional)
  • Country of residence
  • Preferred currency

3.2 Billing profile information

If you set up a billing profile (required before sending invoices), we collect:

  • Business address
  • Phone number (including country code)
  • Payment details — free-text field for bank account number, BSB, ABN, or other payment information you choose to provide
  • Tax registration status, tax label (e.g. GST), and tax rate
  • Invoice starting number

3.3 Gig information

When you create and manage gigs, we collect:

  • Gig title, date, start time, and end time
  • Venue name and address
  • Rate type and rate amount
  • Currency
  • Notes
  • Recurring schedule settings

3.4 Venue information

When you create saved venues, we collect:

  • Venue name and address
  • Contact name and email address of your venue contact person
  • Default rate and currency settings
  • Notes

3.5 Invoice information

When you create invoices, we collect and store:

  • Invoice number, status, and due date
  • A snapshot of your billing profile at the time of invoice creation
  • A snapshot of your gig details at the time of invoice creation
  • Contact name and email address of the invoice recipient
  • Calculated amounts (subtotal, tax, total)

3.6 Third-party contact information

When you add venue contacts or invoice recipients, you provide us with the personal information of third parties (such as a venue manager's name and email address). By providing this information, you confirm that you have a legitimate basis for doing so and that the collection and use is consistent with applicable privacy law.

We use this information only to generate and send invoices on your behalf. We do not use third-party contact information for any other purpose.

3.7 Location data

When you enter a venue address, we use Google's Places API to autocomplete the address and Google's Timezone API to resolve the correct timezone for that location. We send the geographic coordinates of venue addresses to Google's servers for timezone resolution. We do not collect or store your device's GPS location.

3.8 Technical and usage data

We and our infrastructure providers automatically collect certain technical data when you use the Service, including:

  • IP address
  • Browser type and version
  • Operating system
  • Pages visited and actions taken within the Service (via server logs)
  • Session tokens

3.9 Feedback

If you submit feedback via the in-app feedback button, we collect your name, email address, and the content of your message.

4. How we use your information

We use personal information for the following purposes:

  • To provide and operate the Service, including account creation, authentication, and session management
  • To enable you to create and manage gigs, venues, and invoices
  • To generate invoice PDFs containing your billing details and gig information
  • To send invoices and calendar invites by email on your behalf via our email provider
  • To resolve venue timezones using geographic coordinates
  • To protect the security of the Service, including rate limiting to prevent abuse
  • To respond to feedback and support requests
  • To maintain audit records of key account actions for security and dispute resolution purposes
  • To comply with our legal obligations

We do not use your personal information for advertising, marketing to third parties, profiling, or automated decision-making that has legal or significant effects on you.

5. Legal basis for processing

The APPs do not use the concept of a "legal basis" found in the GDPR. Instead, we collect personal information only where it is reasonably necessary for our functions or activities (APP 3), and we use or disclose it only for the purpose for which it was collected, or for a related purpose you would reasonably expect (APP 6). For transparency, the reasons we process each category of information are:

  • Providing the Service — we need your account, billing, gig, venue, and invoice information to deliver the Service you have signed up for
  • Security and performance — we process technical and usage data to maintain the security and performance of the Service
  • Legal obligations — we may retain certain records where required by law
  • Optional information — where we ask for optional information (such as artist name), provision is voluntary and you may leave it blank

6. Who we share your information with

We do not sell your personal information. We do not share it with third parties for their own marketing purposes.

We share personal information with the following third-party service providers to operate the Service. Each provider acts as a data processor on our behalf.

Vercel Inc. (United States)

Our hosting and infrastructure provider. Vercel serves the SettleBeat web application and processes technical data including IP addresses and request logs as part of delivering the Service.

Supabase Inc. (United States — data hosted in Australia)

Our database and authentication provider. Supabase stores all account data, gig data, venue data, invoice data, and billing profile data. Your data is stored in the ap-southeast-2 (Sydney) region.

Resend Inc. (United States)

Our transactional email provider. Resend processes email addresses and email content when we send invoices, calendar invites, and feedback emails on your behalf.

Google LLC (United States)

  • Google Places API — processes address input you type into venue address fields to provide autocomplete suggestions. Your keystrokes and partial address input are sent to Google's servers.
  • Google Timezone API — processes venue geographic coordinates to resolve the correct IANA timezone for that location.

Upstash Inc. (United States)

Our rate limiting infrastructure provider. Upstash Redis stores user identifiers on a temporary, time-limited basis to prevent abuse.

6.1 Cross-border disclosure

All third-party providers listed above are incorporated in the United States. Your account, gig, venue, invoice, and billing profile data is stored by Supabase in Australia (Sydney), but the other providers process personal information in the United States: Vercel (IP addresses and request logs), Resend (email addresses and email content), Google (address input and venue coordinates), and Upstash (temporary user identifiers). By using SettleBeat, you acknowledge that this information may be transferred to and processed in the United States, where privacy laws differ from those in Australia.

7. Cookies and tracking technologies

SettleBeat uses one cookie:

sb-[project-ref]-auth-token (Supabase session cookie)

  • Purpose: Maintains your authenticated session so you remain logged in
  • Type: Functional / strictly necessary
  • Duration: Expires after 7 days or when you log out
  • Set by: Supabase (via SettleBeat)
  • Third-party access: Supabase processes this token to verify your identity on each request

We do not use advertising cookies, tracking cookies, or analytics cookies. We do not use third-party tracking technologies for marketing or profiling purposes.

Because the only cookie we set is strictly necessary for the Service to function, we do not present a cookie consent banner. If we add any non-essential cookies in the future, we will update this policy and implement appropriate consent mechanisms before doing so.

8. Data retention

We retain your personal information for as long as your account is active or as needed to provide the Service.

  • Account data — retained until you delete your account
  • Gig, venue, and invoice data — retained until you delete your account. Soft-deleted records (where you delete a gig or venue) are retained in the database to preserve the integrity of linked records (e.g. invoices linked to deleted gigs), but are not visible to you
  • Invoice records — we recommend retaining invoice records for a minimum of 5 years to comply with Australian Tax Office record-keeping requirements. We do not automatically delete invoices
  • Audit log entries — retained for the duration of your account
  • Rate limiting data (Upstash) — transient, expires automatically within minutes to hours
  • Email delivery records — retained by Resend in accordance with their privacy policy

When you delete your account, we permanently delete all personal information associated with your account from our systems, subject to any retention obligations required by law.

9. Security

We take the security of your personal information seriously. The measures we have implemented include:

  • All data is encrypted in transit using TLS
  • All data stored in Supabase is encrypted at rest using AES-256
  • Passwords are stored as cryptographic hashes — never in plain text
  • Row-level security policies ensure each user can only access their own data
  • The Supabase service role key (which bypasses row-level security) is used only in server-side code and is never sent to the browser
  • Rate limiting is applied to email-sending endpoints to prevent abuse
  • HTTP security headers are configured to protect against common web vulnerabilities

No method of electronic transmission or storage is 100% secure. If we become aware of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.

10. Your rights

Under the Australian Privacy Principles, you have the right to:

Access

Request access to the personal information we hold about you. Most of your data is directly accessible within the SettleBeat application itself.

Correction

Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. You can update most information directly in the Settings section of the app.

Deletion

Request deletion of your account and all associated personal information. You can delete your account at any time from Settings > Danger Zone. This action is permanent and cannot be undone.

Complaint

Lodge a complaint with us if you believe we have mishandled your personal information. You can also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

To exercise any of these rights, contact us at tomas.palazzo@gmail.com. We will respond within 30 days.

11. Third-party links and services

SettleBeat may display links to third-party websites. We are not responsible for the privacy practices of third-party websites.

12. Children

SettleBeat is not intended for use by persons under the age of 18. We do not knowingly collect personal information from minors.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a prominent notice within the Service before the changes take effect.

Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

14. Contact us

For any questions, requests, or complaints regarding this Privacy Policy or our handling of your personal information:

  • Tomas Palazzo
  • Operating SettleBeat
  • Email: tomas.palazzo@gmail.com
  • Website: https://settlebeat.com

If you are not satisfied with our response to a complaint, you may contact the Office of the Australian Information Commissioner:

  • OAIC: https://www.oaic.gov.au
  • Phone: 1300 363 992