Privacy Policy
Last updated: August 2024
Overview
Security of your data is our first priority and this page outlines some of our operating procedures and security practices.
In summary:
Our data is encrypted in transit using Secure Sockets Layer (SSL), a standard security technology for establishing an encrypted link between a server and a client.
We take daily backups of our databases using two separate backup providers and store the backups on different servers to the ones we use to serve our software.
We conduct weekly/realtime file scanning for malicious files and use industry-leading firewalls.
Users must follow a strict password policy to keep their account secure and user audit logging is in operation.
We do not share your personal data with third parties without your explicit consent, with the exception of the third party processors outlined below (these third party processors are required for the operation of this software).
Your data is stored in the UK and US. Our hosting servers are based in Asheville, United States and London, UK. Wherever possible your data is processed within the UK and USA.
The operation of our systems requires that some of our employees and contractors have access to the systems that store and process your data. Our employees and contractors are prohibited from using this access to view your data unless absolutely required. They will only access your account and view your data when you raise a support ticket, or for training.
Definitions
- We, our, us, Design My Setlist - a service provided by Band Pencil Ltd, a registered company in England and Wales, registration number: 15732150.
- You, your, user - a person logging on via the Login page.
- Client - a person who has been given the builder link to edit the setlist.
- Support team - our employees or contractors who have access to provide support to you.
Confidentiality
We place strict access controls over your data and are committed to ensuring that nobody who shouldn't have access to your data has it. If you contact our support team, you will grant them temporary access to your account so that they can provide support to you. The operation of our systems requires that some of our employees and contractors have access to the systems that store and process your data. Our employees and contractors are prohibited from using this access to view your data unless absolutely required.
Security Features
Logging
We track every action on the site through our audit log function. This includes login, the time, user details and IP address. This data is automatically purged after a period of time.
Access
We have a password policy requiring that passwords be at least 8 characters in length and contain at least one number, one upper case letter, one lower case letter and one special character. Passwords are stored using a non-reversible method.
If users forget their credentials, they can only reset their password after receiving an email with a time-restricted link.
Users are automatically logged out of the system after a period of inactivity.
Users who attempt to log in with invalid credentials too many times will be temporarily blocked from the system.
Physical Locations
Our data is stored with hosting providers in Asheville, United States and London, UK. We have off-site backups with another hosting provider also based in the UK.
Data
We do not share personal data with third parties without your explicit consent, with the exception of the third party processors outlined below who process data according to our contracts with them.
We are not responsible for the data that users add within the system, including its accuracy. This includes, but is not limited to, contents of external links, activities, emails, downloads and attachments.
Encryption
Our data is encrypted in transit and sensitive data is encrypted at rest.
Database backups are encrypted individually and off-site backups have full-disk encryption too.
Intrusion Detection Systems
We have systems that monitor the usage and automatically block users who appear to be malicious.
Firewalls and Software Patching
Firewalls are configured according to industry best practices and all unnecessary ports are blocked.
Backups
Database and filesystem backups are taken daily, and are stored for a maximum of two weeks.
Data Retention and Processing Duration
We do not automatically delete personal data and will continue processing data until it is deleted. Users can delete data from their account according to their access rights.
Legal Jurisdiction
We operate under the laws of England and Wales.
Third Party Processors
We reserve the right to add a third party processor without prior change to this privacy policy. Where possible we aim to update this policy within two months of adding an additional third party processor. We will never sell your data to any third party.
Stripe
Stripe is used for the collection of monthly or yearly subscription payments to us. Stripe are regulated by the Financial Conduct Authority. We do not receive or store card details or billing information.
Mailgun
Mailgun is used as our email provider.
Digital Ocean, Krystal Hosting & Hostinger (Hosting24)
Digital Ocean, Krystal Hosting and Hostinger (supplying Hosting24) are our hosting providers.
Cloudflare
Cloudflare secures and ensures the reliability of our software.
JetBackup & Snap Shooter
JetBackup & Snap Shooter are our off-site backup and restore providers.
Sentry
Sentry handles our error tracking and performance monitoring of our software.
Data Types
We are the data controller of your user account details, which include your name and email address. We may also store information about your browser and how you use the system. We will send you transactional emails (e.g. invoices, legal document changes and account warnings), and if you have opted in to marketing emails, you may receive occasional marketing emails.
We are the data processor for all information added by users. This is likely to include the following types of data:
- Name
- Contact and other organisational details
- Other details you choose to collect
We process data under the contractual lawful basis, with a contract between us and the user. The user will be collecting data about its members using its own lawful processing basis.
Data Subject Rights
Breach Notification
We will notify our users of any breach of data via email within 72 hours of identifying the breach.
Right to Access
Users are able to download information about members if required, and the support team can provide assistance if the downloads are not sufficient.
Right to Erasure
Users are able to delete all personal data, including from the audit trail.
Data Portability
Users can download personal information in a spreadsheet format. It should be noted that this requirement is only applicable if you use 'consent' for your lawful processing mechanism. 'Legitimate interests' is likely to be more appropriate and therefore consent is not required, as the data provided by parents is expected to be stored and processed for the purposes of normal organisational operations.
Data Protection Officer
Our Data Protection Officer (Simon Hirst) can be contacted via the contact page. Our Information Commissioner's Office (ICO) reference number is ZA556426. Please contact our Data Protection Officer for a copy of this certificate.