Privacy Policy of the Gigle.me Application

Last update: February 1, 2026

This Privacy Policy (hereinafter the "Policy") describes how ICHOSYNDESI G.P., with registered office at Leoforos Konstantinoupoleos 180, 12133 Peristeri, Tax ID (AFM) 803054010, registered in the General Commercial Registry (G.E.MI.) under number 188299603000 (hereinafter the "Company", "We" or "Data Controller"), collects, uses, stores, transmits, and protects the personal data of users (hereinafter "Users") of the mobile application Gigle.me (hereinafter the "Application" or "Platform"). The Application operates as a digital intermediary platform for booking artists and performers (hereinafter "Artists") by restaurants, event venues, or other establishments (hereinafter "Venues").

The Company is committed to protecting the privacy of Users and fully complies with the General Data Protection Regulation (EU) 2016/679 (GDPR), Law 4624/2019 on the Hellenic Data Protection Authority, as well as all other applicable provisions of Greek and European law. By registering, accessing, or using the Application, the User consents to the processing of their personal data in accordance with this Policy. If the User does not agree, they must refrain from using the Application.

The Application is addressed exclusively to individuals aged 18 years and older and not to minors. We do not knowingly collect personal data from individuals under 18 years of age. If such collection is discovered, data will be deleted immediately.

For any questions regarding this Policy, Users may contact the Company at info@gigleme.com or by post at the Company's registered office.

1. Types of Personal Data We Collect

The Company collects and processes the following personal data, depending on the User's role (Artist or Venue) and the services used:

1.1. Identification and Contact Information: First name, last name, email address, phone number, registered office address.

1.2. Professional Information: For Artists: Service description (e.g., type of performance, biography). For Venues: Venue capacity, technical specifications.

1.3. Tax Information: Tax ID (AFM) for payment processing and transaction history.

1.4. Technical Data: IP address, device type, operating system, browser, access logs, cookies, and similar technologies for usage analysis.

1.5. Rating and Feedback Data: Comments, ratings, and reviews published by Users after completed transactions.

1.6. Special Categories of Data: We do not knowingly collect sensitive personal data (e.g., health data, racial or ethnic origin).

1.7. Application & Device Data: Device type, operating system version, access logs (for improvement and security purposes). We do not collect location data, camera, microphone, contacts, or any other sensitive device data.

1.8. Audience Profile Visibility: If you register as an Audience member (a fan account), your profile — your display name, photo (if provided), and city — is visible to Performers and Venues on the platform. When you follow a Performer or Venue, that Performer or Venue can see that you follow them. Your email and phone number are never shown on your Audience profile.

Data is collected directly from the User during registration, use of the Application, or transaction processing, or indirectly through automated means (e.g., cookies).

2. Purposes of Processing Personal Data

Data processing is carried out for the following purposes:

2.1. Performance of the Contract: Management of registrations, conclusion of agreements between Artists and Venues, and processing of payments.

2.2. Improvement of Services: Usage analysis for improvement of the Application, fraud detection, and resolution of technical issues.

2.3. Communication: Sending notifications, updates, newsletters, or responses to User inquiries.

2.4. Compliance with Legal Obligations: Compliance with Greek tax legislation (e.g., myDATA), responding to authority requests.

2.5. Security: Protection against unauthorized access, threat detection, and maintenance of access logs.

2.6. Technical Functionality of the Application: Collection of basic device data for proper operation of the mobile application (without access to camera, microphone, or location).

3. Legal Basis for Processing

Processing is based on the following legal bases under the GDPR (Article 6):

3.1. Performance of a Contract (Article 6(1)(b)): For processing transactions and providing services.

3.2. Legal Obligation (Article 6(1)(c)): For tax and regulatory compliance.

3.3. Legitimate Interests (Article 6(1)(f)): For service improvement and security, provided that the rights of Users do not override these interests.

For special categories of data, processing is based on explicit consent (Article 9(2)(a)).

4. Transmission of Personal Data

4.1. Processors: Data may be transmitted to third-party providers (e.g., payment platforms such as Stripe or Viva Wallet) acting as processors, under contractual guarantees of GDPR compliance.

4.2. Third Parties: Data may be transmitted to authorities (e.g., AADE, EFKA) for legal obligations, or to partners (e.g., insurance companies) with consent. We do not sell or rent data to third parties.

4.3. Transfer of Data Outside the European Union

The Platform uses certain service providers established outside the European Union. For each transfer, appropriate safeguards are implemented in accordance with the GDPR (e.g., Standard Contractual Clauses – SCCs).

Stripe (United States of America)

Stripe is used for payment processing and disbursement of fees to performers. The data transferred includes: payment details (handled directly by Stripe in accordance with PCI-DSS), booking amounts, email addresses and phone numbers of performers, tax information for Stripe Connect accounts, and transaction metadata. Stripe applies Standard Contractual Clauses and is PCI-DSS Level 1 certified. The use of Stripe is necessary for the secure processing of card payments and SEPA bank transfers to performers.

Google Cloud / Firebase (Data centers in the EU with potential processing outside the EU)

Database data (Firestore), application hosting (Firebase Hosting), email delivery (Gmail SMTP via Google Workspace), and scheduled tasks (Cloud Tasks) are hosted in data centers within the European Union (region europe-west4, Netherlands). However, certain Google support services may process data outside the EU. The data stored include: user profiles, bookings, payment history, conversations, notifications, profile images, email addresses and email content. Google applies Standard Contractual Clauses and additional technical security measures. The use of Firebase is necessary for the application infrastructure, user authentication, and real-time data storage. Google Cloud Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice

Google AI / Gemini (United States of America)

The Google AI service is used for artificial intelligence features within the platform. The data that may be transferred depends on the specific use of the service. Google applies Standard Contractual Clauses for data transfers. Google AI / Gemini Privacy Policy: https://policies.google.com/privacy

OneSignal (United States of America)

The Application supports optional push notifications, used solely for in-app features. Data transferred may include: push tokens, device IDs, email addresses (for targeting), and interaction data (e.g., notification opens). OneSignal applies Standard Contractual Clauses for data transfers. OneSignal Privacy Policy: https://onesignal.com/privacy_policy

5. Data Storage Period

5.1. Data is retained for as long as necessary for the purposes of processing, e.g.:

• Registration information: Until account deletion + 6 months for legal reasons.
• Financial data: 10 years in accordance with tax legislation.
• Logs: 12 months for security purposes.

5.2. After expiration, data is deleted or anonymized, unless retention is required for legal reasons.

5.3. Data Not Deleted: Bookings and payment logs are retained even after account deletion. This retention is necessary for compliance with tax legislation requiring financial records to be kept for at least ten (10) years. These records are also necessary for resolving disputes with payment providers and supporting legal claims. The legal basis for retention is Article 17(3)(b) of the GDPR, which allows retention when required for compliance with a legal obligation. Conversation messages are retained (with sender anonymization) to protect the rights of the other participant and support legal claims in case of dispute. The legal basis is Article 17(3)(e) of the GDPR. User blocks are active for platform security and user protection, although names are anonymized.

6. User Rights

Under the GDPR, Users have the following rights:

6.1. Access (Article 15): Right to information about processed data.

6.2. Rectification (Article 16): Right to correct inaccurate data.

6.3. Erasure ("Right to be Forgotten") (Article 17): Right to erasure, unless legal obligations require retention. When a User chooses to delete their account, the process begins from the profile editing page (artist or venue). Upon clicking the "Delete Profile" button, a confirmation window appears informing the User that the action is irreversible. Upon confirmation, a progress screen appears, and the system performs the following steps:

• A. The user document is anonymized. The email address is replaced with an anonymous form, two-factor authentication data (2FA) is deleted, and the account status is set to "deleted".
• B. Performer and venue profiles belonging to the User are anonymized. The name is replaced with "Deleted User", and all contact details, profile image, biography, address, social media links, music genres, and social media links are deleted.
• C. Financial records (bookings and payment logs) are retained unchanged for tax compliance reasons.
• D. Conversations are anonymized by replacing names and profile images with "Deleted User", while retaining the message content for the other participant.
• E. All notifications received by the User, as well as all collaboration requests (gig requests) related to them, are fully deleted.
• F. Finally, the account is deleted from Firebase Authentication, making login with old credentials impossible. The User is automatically logged out and redirected to the registration page.

Deletion Timeframe: Immediate upon clicking the button. User Notification for Account Deletion: The Application will send an email confirming that the account has been deleted, specifying which data cannot be deleted and why.

6.4. Restriction of Processing (Article 18): Right to restrict processing in specific cases.

6.5. Data Portability (Article 20): Right to receive data in a structured format.

6.6. Objection (Article 21): Right to object to processing based on legitimate interests.

6.7. Withdrawal of Consent (Article 7): Right to withdraw consent at any time, without retroactive effect.

6.8. Complaint: Right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr).

To exercise your rights, send a request to info@gigleme.com. We will respond within 1 month, with the possibility of extension.

7. Data Security

7.1. We implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, alteration, or destruction. These include:

• Automatic SSL/TLS encryption (HTTPS) for all communications, as provided by Firebase Hosting.
• Use of firewalls, DDoS protection, and secure infrastructure from Google Cloud.
• Access restriction through Firebase Authentication and Security Rules.
• Regular audits and compliance with international security standards.

Additionally, data is stored encrypted at rest where supported by Firebase services.

7.2. In the event of a data breach, we will notify Users and authorities within 72 hours, in accordance with Article 33 of the GDPR.

8. Cookies and Similar Technologies

8.1. The Application uses exclusively strictly necessary technical cookies or equivalent technologies (e.g., authentication tokens) through Firebase Authentication, solely for user login, security, and proper operation of the Application. No cookies or tracking technologies are used for analysis, advertising, profiling, or marketing purposes, nor is cross-app or cross-website tracking performed.

9. Policy Amendments

The Company reserves the right to amend this Policy, notifying Users via email or in-app notification at least 15 days in advance. Continued use constitutes acceptance.

10. Payment Processing and Personal Data via Stripe

Gigle.me uses the Stripe service (Stripe, Inc.) for all payment processing, money transfers, Express account creation, and KYC verification (identity check).

Stripe collects, processes, and stores directly from you personal and financial data, such as: name, email, phone, bank accounts, identity documents (e.g., ID/passport for verification), addresses, and transaction history.

Gigle.me does not store sensitive payment information (e.g., card numbers or CVV). All payment data is processed exclusively by Stripe, which acts as an independent data controller for such data.

Stripe processes your data in accordance with Stripe's Privacy Policy: https://stripe.com/privacy

By registering and using payment services on Gigle.me, you consent to the transfer and processing of your data by Stripe for the purposes described in their policy (e.g., payment processing, fraud prevention, legal compliance).

For rights of access, rectification, or erasure of data processed by Stripe, contact Stripe directly through their policy.

11. Applicable Law and Jurisdiction

This Policy is governed by Greek law. Any disputes are subject to the exclusive jurisdiction of the Courts of Athens.