Privacy Policy
Last updated: 27 May 2026.
ThaPame ("we", "us") is a hobby project for curating concert calendars with friends. We take privacy seriously and only collect what we need to make the service work. This page explains what we collect, why, and how to remove it.
1. What data we collect
1.1 Account data
- Email address — used as your sign-in identifier and to send essential account messages (password resets, security notices). Never shared, never sold.
- Password (hashed) — PBKDF2 with HMAC-SHA512, 100,000 iterations. We never store or see your plaintext password.
- Nickname, bio, avatar — your public identity inside ThaPame, shown to other signed-in users.
- External login link if you sign in via Google / Microsoft / GitHub / Apple / Facebook — only the provider's user ID is stored, never their access token beyond the sign-in moment.
1.2 Content you create
- Calendars + concerts you create or save.
- RSVPs to concerts.
- Ratings and reviews you write after attending a show.
- Photos you upload to concert galleries.
- Friendships, friend lists, and concert/calendar shares you send or receive.
1.3 Operational data
- Essential cookies: authentication, antiforgery, and locale preference. No analytics, no advertising, no third-party trackers.
- Server logs with IP + timestamp for security forensics. Rotated regularly; not used for profiling.
2. What we share with third parties
- Setlist.fm — we send an artist name + show date to fetch published setlists for past concerts. No information about you is sent.
- MusicBrainz — we send an artist name to resolve it to a canonical artist ID. No information about you is sent.
- Bandsintown — only when a promoter explicitly uses the "Pull from Bandsintown" feature. We send the artist name; no user identifiers.
- External login providers — Google / Microsoft / GitHub / Apple / Facebook each see only what you authorise at their consent screen. We request email + name + profile picture, nothing more.
We do not sell, rent, or advertise your data. There are no third-party analytics scripts.
3. Cookies
ThaPame uses essential cookies only. Under EU law these are exempt from consent requirements because they are strictly necessary for the service to work:
- .AspNetCore.Identity.Application — keeps you signed in (HttpOnly, SameSite=Lax).
- .AspNetCore.Antiforgery.* — protects you from cross-site request forgery on form posts.
- .AspNetCore.Correlation.* — short-lived (15 minutes) during external login round-trips.
- .AspNetCore.Culture — remembers your language/locale preference if you change it.
No advertising or analytics cookies are set.
4. How long we keep your data
- Account + content data: until you delete your account.
- Server logs: rotated after ~30 days.
- Cached external data (setlists, MusicBrainz lookups): see Sections 6 + 7 of EXTERNAL_DATA_SOURCES.md.
5. Your rights (GDPR)
You have the right to:
- Access your data — download a JSON export of everything we hold about you.
- Rectify incorrect data — edit your profile at any time.
- Erase your account — see Delete personal data. Your account and personal content are removed; content you created for the public (concert pages other people RSVP'd to) is anonymised so other users don't lose their data, with your nickname replaced by "(deleted account)".
- Restrict or object to processing — open an issue on GitHub.
- Portability — the JSON export is machine-readable.
- Complain to a supervisory authority. In Greece, that's the Hellenic Data Protection Authority.
6. Security
- Passwords stored as PBKDF2-HMAC-SHA512 hashes (Identity v3 defaults).
- HTTPS-only in production (HSTS enabled).
- Uploaded images are decoded + re-encoded with SkiaSharp to strip EXIF / metadata and avoid serving malicious payloads.
- Rich-text reviews are server-side sanitised against a strict allow-list (no scripts, no iframes, no inline event handlers).
- Concert and calendar visibility is enforced server-side on every read, not just in the UI.
7. Children
ThaPame is not directed at children under 16 and we do not knowingly collect their data. If you believe a child has registered, contact us and we will delete the account.
8. Contact
File issues on the public GitHub repository, or email privacy@thapame.local.
See also Terms of Service. ThaPame is open source under the project's repository terms.