← Bandroid

Privacy Policy

Effective date: March 7, 2026

1. Overview

Bandroid ("we," "our," or "us") is a band management platform for working musicians. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information. By using Bandroid, you agree to the practices described here.

2. Information We Collect

Account information

When you sign in with Google, we receive your name, email address, and Google profile picture. We use this to create and identify your account. We do not receive your Google account password.

Content you create

We store content you create within Bandroid: band profiles, events, setlists, songs, messages, contacts, gear records, and financial records. This data is associated with your account and the bands you belong to.

Google Calendar data

If you choose to connect your Google Calendar, we request access to two things:

  • Free/busy information — We read your calendar's free/busy blocks (time ranges where you are unavailable) to help your bandmates find rehearsal and gig times that work for everyone. We read only time blocks — we never read, store, or share your event titles, descriptions, attendees, locations, or any other event content.
  • Event creation (optional write-back) — If you enable the "Write RSVP'd events to Google Calendar" setting for a band, we will add band events you RSVP to directly to your Google Calendar. This feature is off by default and controlled per band in Settings. You can disable it at any time.

We store a Google OAuth refresh token in our database solely to perform these calendar operations on your behalf when you are not actively using the app (e.g., to check availability for scheduling). This token is encrypted at rest and transmitted over TLS.

Google Drive data

If you choose to connect your Google Drive, Bandroid uses the drive.file scope only. This is the narrowest possible Drive scope: we can only see and access files you explicitly select through the Google Picker. We cannot list, search, or access any other files in your Drive.

We use this scope to:

  • Attach chord sheets, lead sheets, and lyrics from your Drive to songs in your band's library — only files you pick
  • Display previews of linked documents
  • Create temporary PDF copies of linked Office files (DOCX, PPTX) for setlist export — these temp files are deleted immediately after conversion

Bandroid's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to train AI/ML models, sell or share it for advertising, or transfer it to third parties.

We store a Google OAuth refresh token for Drive in our database, encrypted at rest using AES-256-GCM and transmitted over TLS. You can disconnect Drive at any time from Settings, which immediately revokes the token with Google and deletes it from our database.

Usage data

We may collect basic server logs (IP address, request timestamps, HTTP status codes) for security monitoring and debugging. We do not use third-party analytics services that track individual behavior across the web.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Bandroid service
  • Display your availability heatmap to bandmates (free/busy time blocks only, never event content)
  • Write band events to your Google Calendar when you have enabled that feature
  • Send in-app notifications about band activity
  • Respond to support requests
  • Detect and prevent fraud, abuse, and security incidents

We do not use your data for advertising, sell your data to third parties, or use Google user data for any purpose other than providing the scheduling, calendar, and document features described in this policy.

4. Google API Limited Use Disclosure

Bandroid's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • Google user data is used only to provide the features described in this policy.
  • We do not use Google user data for serving advertisements.
  • We do not use Google user data to develop, improve, or train generalized AI/ML models.
  • We do not allow humans to read your Google Calendar or Drive data except with your explicit permission or as required by law.
  • We do not transfer Google user data to third parties except as necessary to provide our service, and only to service providers bound by equivalent data protection terms.

5. Data Sharing

We do not sell your personal information. We share data only in these limited circumstances:

  • With your band members — Content you create within a band (events, setlists, messages, etc.) is visible to other members of that band. Your free/busy availability (time blocks only, no event details) is visible to your bandmates when they use the scheduling features.
  • Service providers — We use Amazon Web Services to host our infrastructure. These providers process data on our behalf and are bound by contractual data protection terms.
  • Legal requirements — We may disclose data if required by law, court order, or to protect the safety of users or the public.

6. Data Retention

We retain your account data and content for as long as your account is active. Google Calendar refresh tokens are retained only while your Google Calendar connection is active. When you disconnect Google Calendar, we immediately delete your refresh token from our database and revoke it with Google so it can no longer be used.

If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or compliance purposes.

7. Your Rights and Controls

You have the following controls over your data:

  • Disconnect Google Calendar — Go to Settings at any time to disconnect. This immediately revokes our access and deletes your refresh token.
  • Disable calendar write-back — Toggle off per-band in Settings → Google Calendar.
  • Revoke access directly via Google — Visit myaccount.google.com/permissions to revoke Bandroid's access at any time.
  • Access or export your data — Contact us at privacy@bandroid.net to request a copy of your data.
  • Delete your account — Contact us to delete your account and associated data.

8. Security

We use industry-standard security practices: data is encrypted at rest and in transit over TLS. Our database is hosted in a private network with no direct public internet access. OAuth tokens are stored encrypted. We do not log or expose session tokens.

Despite our safeguards, no system is perfectly secure. If you believe your account has been compromised, contact us immediately at privacy@bandroid.net.

9. Children's Privacy

Bandroid is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

10. Changes to This Policy

We may update this policy from time to time. When we do, we will update the effective date at the top of this page. For significant changes, we will notify you via email or an in-app notice. Continued use of Bandroid after changes take effect constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or how we handle your data, contact us at:

Bandroid

Email: privacy@bandroid.net

Website: bandroid.net