Privacy Policy

1. Controller

CueGain ("we", "us", "the controller") is a Helsinki-based product team building a payment-and-engagement platform for working DJs. Our contact address for all data protection matters is info@cuegain.com.

We have not appointed a Data Protection Officer (DPO) because we do not meet the mandatory appointment thresholds under GDPR Article 37. If this changes, we will update this policy and publish the DPO contact details here.

2. Data we collect

We collect personal data only through the DJ waitlist signup form on this site. The categories of data collected are:

• Identity data: real name, DJ name/handle.
• Contact data: email address, city.
• Professional data: venues you play (optional free text), main genre.
• Consent record: GDPR consent boolean, consent policy version, timestamp of consent.
• Technical data: IP address and user-agent string (processed transiently for bot mitigation and rate limiting only; not stored against your waitlist record).

We do not collect any special category data (Article 9 GDPR), nor do we collect financial, biometric, or location data beyond the city you voluntarily provide.

3. Lawful bases for processing

We rely on the following lawful bases under GDPR Article 6(1):

• Consent (Article 6(1)(a)): Your explicit, freely given, informed consent provided via the waitlist form checkbox. This covers the storage and use of your identity, contact, and professional data for the purpose of contacting you about CueGain beta access. You may withdraw consent at any time (see Section 8 below) without affecting the lawfulness of processing carried out before withdrawal.
• Legitimate interests (Article 6(1)(f)): Transient processing of IP address and user-agent string for bot mitigation (Cloudflare Turnstile) and rate limiting (Upstash). Our legitimate interest is preventing automated spam submissions to our database. We have conducted a balancing test and concluded that this minimal, transient processing does not override your rights. The data is held for a maximum of 60 seconds and is never linked to your waitlist record.

4. Purpose and use of data

We process your data to:

• Register your interest in the CueGain private beta (Summer 2026, Helsinki pilot).
• Contact you about beta launch dates, early access, and onboarding.
• Verify that form submissions originate from real humans, not automated bots.

We do not use your data for profiling, automated decision-making (Article 22 GDPR), direct marketing beyond beta-launch communications, or any purpose other than those stated above.

5. Data retention

• Waitlist data: Retained until you request deletion or for a maximum of 24 months from the date of signup, whichever comes first. After this period, your record is permanently deleted from our database.
• Bot-mitigation telemetry: IP address and user-agent processed in Upstash sliding-window rate limiter with a TTL of 60 seconds maximum, then automatically discarded.
• Consent records: Retained for as long as necessary to demonstrate compliance with GDPR Article 7(1), and deleted when the corresponding waitlist record is deleted.

6. Data processors and recipients

We share your personal data only with the following processors, each bound by data processing agreements:

• Supabase Inc. Postgres database hosting. Data stored in EU region (Stockholm, eu-north-1). Supabase acts as a data processor under a GDPR DPA.
• Cloudflare Inc. Turnstile bot verification service. Processes IP address and browser fingerprint transiently. Cloudflare operates under Standard Contractual Clauses (SCCs) for any data routed outside the EEA.
• Upstash Inc. Redis-based rate limiting, EU region. Processes IP address transiently (≤60 seconds TTL).
• Vercel Inc. Site hosting, edge serving, and serverless function execution. Vercel processes requests under their DPA with SCCs for non-EEA routing.

We do not sell, rent, or trade your personal data to any third party. We do not share data with advertisers, data brokers, or social media platforms.

7. International transfers

Your waitlist data is stored exclusively within the European Economic Area (Supabase Stockholm, eu-north-1). Where our processors may route data through non-EEA infrastructure (Cloudflare, Vercel), such transfers are protected by Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) GDPR, or by an adequacy decision under Article 45 GDPR where applicable.

8. Your rights under GDPR

Under GDPR Articles 15–22, you have the following rights:

• Right of access (Art. 15): Obtain confirmation of whether we process your data and receive a copy.
• Right to rectification (Art. 16): Correct inaccurate or incomplete data.
• Right to erasure (Art. 17):Request deletion of your data ("right to be forgotten").
• Right to restrict processing (Art. 18): Limit how we use your data in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests.
• Right to withdraw consent (Art. 7(3)): Withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

We do not engage in automated decision-making or profiling as defined by Article 22 GDPR.

9. How to exercise your rights

Email info@cuegain.com with the subject line "GDPR data request". Please include sufficient information to verify your identity (the email address used to sign up is usually sufficient). We will respond within 30 days of receiving your request, in accordance with GDPR Article 12(3). If we require an extension (up to an additional 60 days for complex requests), we will notify you within the initial 30-day period with reasons for the delay.

There is no fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request per Article 12(5).

10. Cookies

This site uses one cookie:

• cf_clearance Strictly necessary. Set by Cloudflare Turnstile during bot verification when you submit the waitlist form. Scoped to the Cloudflare domain. Lifetime determined by Cloudflare. This cookie is exempt from consent requirements under Article 5(3) of the ePrivacy Directive (2002/58/EC) as it is strictly necessary for the service explicitly requested by the user.

We use no analytics cookies, no marketing cookies, no tracking pixels, and no third-party social media embeds.

11. Children and age restrictions

This site and the CueGain waitlist are intended for professional or aspiring DJs aged 16 or older. We do not knowingly collect personal data from children under the age of 16 (the threshold set by Finnish national implementation of GDPR Article 8). If you become aware that a child under 16 has submitted personal data to us, please contact info@cuegain.com and we will delete the record without undue delay.

12. Security measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with GDPR Article 32. These measures include:

• Supabase Row-Level Security (RLS): the anonymous API key permits INSERT operations only (no SELECT, UPDATE, or DELETE).
• Server-side input validation via structured schema validation.
• HTTPS with HSTS preload for all data in transit.
• Content-Security-Policy and security headers on all responses.
• Rate limiting to prevent brute-force or volumetric abuse.

13. Changes to this policy

We may update this privacy policy to reflect changes in our processing activities, legal requirements, or processors. If we make material changes (new lawful basis, new data category, new processor, changed retention period), we will update the "Last updated" date, increment the policy version, and re-display the cookie/consent banner to all visitors so you are informed of the change. We encourage you to review this page periodically.

14. Supervisory authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR). Our lead supervisory authority is:

15. Contact us

For any question regarding this privacy policy or our data processing practices, contact us at info@cuegain.com.