festival things

Privacy

Privacy Policy

Last updated: 22 May 2026

This policy explains what personal information festival things ("we", "us") collects when you use the site at festival-things.com, why we collect it, and the choices you have. Plain language is the goal — if anything here is unclear, email us at the address below.

Who runs the site

festival things is operated by Michael Bonner. For any privacy question or request, contact: [email protected].

What we collect

When you create an account and use the site, we store:

  • Account details — the name and email address you give us, and a hashed password (we never store your password in plain text).
  • Email verification status — whether you've confirmed your email address.
  • Profile avatar — if you upload one. Images are stored in Amazon S3.
  • Session information — a session token, plus the IP address and browser user-agent string from the device that signed in, so we can keep you logged in and detect unusual activity.
  • Your festival activity — the festivals you join, the artists you rank, your tier choices (must-see, want-to-see, maybe, pass), and any artists you pin.
  • Group membership — which groups you belong to, your role in each group, and any group invitations you send (including the recipient's email address).

How we use it

  • To run the service — sign you in, show your wishlist, compare picks with your group.
  • To send transactional email — verification emails when you sign up, and invitation emails when someone invites you (or you invite a friend) to a group.
  • To keep the service secure — detect abuse, rate-limit, and investigate problems.

We do not sell your personal information, and we do not use it to target you with advertising.

What other people in your group can see

A group is a shared planning space. When you join a group, the other members can see your name, your avatar, and the picks (rankings and pins) you've made for the festival that group is built around. They cannot see your email address, your password, or anything from groups they are not in.

Third parties we share data with

To deliver the service, we use the following processors:

  • Amazon Web Services (AWS) — hosting, database, S3 object storage for avatars and festival posters, and SES for sending transactional email.
  • Spotify Web API — used server-side to fetch public artist metadata (names, images, genres). We do not connect to your Spotify account and do not send your personal data to Spotify.
  • Apple iTunes Search API — used server-side to look up artist information. No personal data is shared.
  • EasyCustomerFeedback — when you're signed in, a "Send feedback" widget loads. If you submit feedback, your name, email, and user ID are sent to the widget provider so we can follow up.

We only share data with these processors to the extent needed to operate festival things. We do not share your data with advertisers or data brokers.

Cookies

We use a small number of strictly-necessary cookies — primarily a session cookie that keeps you signed in. See our Cookie Policy for the details.

How long we keep your data

We keep your account data for as long as your account is active. If you delete your account or ask us to delete your data, we'll remove your profile, wishlist entries, pins, and group memberships. Some records (such as system logs or invitation history needed to prevent abuse) may be retained for a short additional period before being deleted.

Your rights

You can ask us to:

  • Show you what data we hold about you.
  • Correct anything that's wrong.
  • Delete your account and personal data.
  • Export your wishlist and group data.

Email [email protected] from the address on your account and we'll respond within a reasonable time.

Children

festival things is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has signed up, please contact us and we'll remove the account.

International users

festival things is operated from the United States, and our infrastructure runs on AWS in the United States. If you use the site from somewhere else, your data is transferred to and processed in the US.

Security

We use industry-standard practices to protect your account: passwords are hashed, traffic is encrypted in transit, and access to production systems is restricted. No service can promise absolute security, but we take reasonable steps to keep your data safe.

Changes to this policy

If we make material changes to this policy, we'll update the date at the top and, where appropriate, notify you by email or in the app before the change takes effect.

Contact

Questions or requests: [email protected].