Last updated: 2026-05-18
Privacy policy
DRAFT — please review with counsel before opening sign-ups outside the current allowlist.
Showbook is a personal tracker for live shows. It only collects what it needs to keep your logbook working, never sells your data, and gives you tools to export or delete everything we store.
What we collect
- Account basics — your Google profile (name, email, avatar) from the OAuth sign-in. We don't store your Google password.
- Show data you create — the concerts, plays, comedy sets, and festivals you add (manually, via Gmail import, or via Spotify import), plus any notes, photos, and setlists you attach.
- Follows and preferences — venues and artists you follow, your region(s) for nearby-show discovery, theme settings, notification toggles.
- Integration tokens — when you connect Spotify, we store the OAuth tokens encrypted at rest (AES-256-GCM). When you sign in via Gmail import, we use the one-time access token and don't persist it.
- Operational logs — error and event logs (no email bodies, no auth tokens), kept for 30 days for troubleshooting.
Third-party processors
Showbook sends data to a handful of trusted services strictly to deliver features you've enabled. Each is bound by its own privacy policy.
- Google (sign-in + Gmail import + Maps) — OAuth handshake for sign-in, scoped Gmail read access only when you trigger an import, and map tiles when you visit the Map tab.
- Groq (AI extraction) — when you run the Gmail importer, the matched email subject + body (first 8 KB) is sent to Groq's API to extract ticket details. The raw email content is not stored; only the structured result is. You consent to this each time you connect a new Gmail account.
- Spotify — playlist generation and listening history (when you import). Tokens are stored encrypted; you can revoke at any time from Preferences or Spotify settings.
- Ticketmaster Discovery API — discover upcoming shows for venues/artists you follow. We cache results to stay within their rate limits. Event data is attributed to Ticketmaster where displayed.
- setlist.fm — past setlists used to power predicted-setlist features. We display setlist.fm attribution where their data is shown.
- Resend (email) — sends the optional daily digest. Every digest includes a one-click unsubscribe.
- Cloudflare — fronts the app via Cloudflare Tunnel for HTTPS termination and DDoS protection.
- Axiom — operational log ingest. No PII or email content is shipped to Axiom; we log event names, identifiers, and counters.
Data retention
- Your show data — kept until you delete it (per-show or whole-account).
- Backups — encrypted daily snapshots, retained for 30 days.
- Operational logs — 30 days.
- Completed background jobs — archived for 24 h, deleted after 7 days.
Your rights
You can exercise the following from your Preferences page:
- Access / portability — download a complete JSON export of everything tied to your account ("Download your data").
- Deletion — "Danger zone → Delete account" permanently erases every show, follow, media tag, and integration we hold.
- Email opt-out — the daily digest toggle plus a one-click unsubscribe link in every email.
- Integration revoke — disconnect Spotify / Gmail any time from Preferences.
EU/UK users may additionally object to processing or request correction by emailing the contact below. We respond within 30 days.
Contact
Questions or privacy requests: [email protected].