Privacy Policy

This Privacy Notice issued by Kyrylo Myronov ("we", "us", or "our") explains the purposes for which we collect, hold, process, and disclose your personal data in connection with U.M.A services.

• Visit U.M.A Stage — our web platform at https://umetal.app — a management tool for venues, bands, and promoters.
• Download and use the U.M.A fan mobile application (fan.umetal.app) — available on iOS and Android — to discover and follow live music events.
• Sign up for our waitlist or participate in any pre-launch or beta programme linked to this Privacy Notice.

This notice applies to both U.M.A Stage (web platform) and the U.M.A mobile application unless a section explicitly states otherwise.

Summary of key points

• We process personal information needed to operate accounts, organizations, bookings, and app features.
• We do not process sensitive personal information unless explicitly required by law and consented.
• We share data only where needed for service delivery, legal compliance, and vetted processors.
• We use security and organizational controls but no internet transmission is guaranteed 100% secure.
• You can exercise data rights by contacting contact@umetal.app.

Table of contents

• 1. WHAT INFORMATION DO WE COLLECT?
• 2. HOW DO WE PROCESS YOUR INFORMATION?
• 3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?
• 4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
• 5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
• 6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?
• 7. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?
• 8. HOW LONG DO WE KEEP YOUR INFORMATION?
• 9. HOW DO WE KEEP YOUR INFORMATION SAFE?
• 10. DO WE COLLECT INFORMATION FROM MINORS?
• 11. WHAT ARE YOUR PRIVACY RIGHTS?
• 12. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?
• 13. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

1. What information do we collect?

We collect personal information that you provide directly, data generated by your use of our Services, and information received from integrated providers.

• Account data: email address, display name, and authentication identifiers provided during registration or via social sign-in (e.g. name and profile image from your OAuth provider).
• Operator content (web platform): organisation names, event details, booking information, and other content you publish as a venue, band, or promoter.
• Waitlist data: email address submitted via waitlist sign-up forms, and any optional information you choose to provide.
• Location data (U.M.A mobile only): approximate and precise GPS location when you use map or venue-discovery features, collected only while the app is in use and only after you grant device permission. Not stored on our servers beyond the active request.
• Device-level tokens (U.M.A mobile only): authentication tokens stored in your device's secure enclave (iOS Keychain / Android Keystore) via expo-secure-store. These never leave your device in plaintext and are not accessible to other apps.
• Usage and diagnostics: API request logs, error diagnostics, and security events used to maintain service integrity.
• Cookie and session identifiers (web): see our Cookie Policy for full details.

2. How do we process your information?

• Provide, administer, and secure accounts and service features.
• Communicate operational messages and service notices.
• Prevent fraud, abuse, and unauthorized access.
• Comply with legal obligations and enforce our legal terms.

3. What legal bases do we rely on?

• Account creation and operation — contract performance (Art. 6(1)(b) GDPR): processing is necessary to provide the service you signed up for.
• Waitlist sign-up — consent (Art. 6(1)(a) GDPR): you can withdraw consent at any time by emailing us at contact@umetal.app.
• Location features in U.M.A (mobile) — consent (Art. 6(1)(a) GDPR): revocable at any time via your device's location settings without affecting other app features.
• Security, fraud prevention, and abuse detection — legitimate interests (Art. 6(1)(f) GDPR): we have a legitimate interest in keeping the platform and its users safe.
• Legal obligations — legal obligation (Art. 6(1)(c) GDPR): where applicable law requires us to retain or process data (e.g. financial or compliance records).

Automated decision-making: We do not use automated decision-making or profiling that produces legal or similarly significant effects, as defined in Art. 22 GDPR.

4. When and with whom do we share information?

We share personal information only where necessary with the following categories of recipients:

• Clerk Inc. (authentication & identity management, USA) — Privacy Policy
• Google LLC (Google Maps SDK — location and map display in U.M.A mobile, USA) — Privacy Policy
• Cloudflare Inc. (security, DDoS protection, USA) — Privacy Policy
• Infrastructure hosting providers as required to operate and deliver the Services.
• Legal authorities where required by applicable law or court order.

We do not sell personal data to third parties.

5. Do we use cookies and tracking technologies?

Yes. We use strictly necessary cookies and related technologies to authenticate users, keep sessions secure, and improve service performance. Optional analytics/marketing technologies are controlled by consent where required.

6. How do we handle social logins?

If you choose social sign-in, we receive profile data from your provider as authorized by you and process it in accordance with this notice and the provider's own policies.

7. Is your information transferred internationally?

Yes. Our processors Clerk Inc., Google LLC, and Cloudflare Inc. are based in the United States. As we are established in Spain (EU), transfers to these processors are protected by Standard Contractual Clauses (Art. 46(2)(c) GDPR) entered into with each processor. You may request a copy of the applicable safeguards by contacting us at contact@umetal.app.

8. How long do we keep your information?

• Account data: retained while your account is active and for up to 30 days after deletion to allow recovery, then permanently deleted.
• Waitlist email addresses: retained until you withdraw consent or the waitlist closes, whichever is sooner.
• Security and diagnostic logs: up to 90 days.
• Location data (U.M.A mobile): not persisted server-side beyond the active request; no historical location log is stored.
• Legal and compliance records: up to 7 years where required by applicable law.

9. How do we keep your information safe?

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. No information system can provide absolute security guarantees.

10. Do we collect information from minors?

We do not intentionally gather personal data from individuals below the minimum age of consent under applicable law unless the required parental or guardian authorisation has been obtained. Upon discovering any such collection, we will act promptly to erase the relevant data.

11. What are your privacy rights?

• Request access to personal data we hold about you.
• Request rectification or deletion where applicable.
• Object to or restrict processing in certain circumstances.
• Withdraw consent for waitlist sign-up or location processing at any time, without affecting the lawfulness of prior processing.
• Lodge a complaint with the Agencia Española de Protección de Datos (AEPD) or with the supervisory authority in your EU member state of residence.

12. How can you review, update, or delete your data?

To review, update, or request deletion of your personal information, email us at contact@umetal.app. We will acknowledge your request promptly and respond within one month of receipt. For complex or multiple requests we may extend this period by a further two months and will notify you accordingly.

13. Contact

Questions or concerns about this notice can be sent to contact@umetal.app.