Privacy Policy
Effective 2026-05-05
This Privacy Policy explains what personal data BlastRadius collects, why we collect it, who we share it with, and what rights you have over it. We don't sell your data. We don't share it for advertising. We collect what we need to make notifications work — nothing else.
1. Who we are
BlastRadius ("we", "us", "our") operates the BlastRadius concert tracking service. For privacy questions, contact privacy@blastradius.live.
2. What we collect
Account data
- Email address and (optionally) name — required to create and authenticate your account.
- Hashed password (we never store passwords in plain text). If you sign in via a third-party OAuth provider, we receive a unique identifier and your email from the provider.
- Account metadata: creation timestamp, last sign-in time, email verification status.
Profile and preferences
- Approximate location: city, state, country, and (if you grant browser geolocation) latitude and longitude. Used to compute your "Blast Radius" — the geographic search area for events.
- Preferred radius (in miles), notification advance days, digest frequency, IANA timezone.
- Tracked artists, tracked venues, attended events, and genre affinity — so we can send relevant notifications and recommendations.
- Theme and accessibility preferences.
User-uploaded content (Headliner merch tracker)
- Photos you upload to your private merch collection. Photos are stored in Cloudflare R2 object storage and are visible only to you when signed in. We do not display or share your uploads with other users.
- Filename, MIME type, file size, and upload timestamp. We do not parse or extract metadata embedded in the image (such as EXIF location data) for any purpose.
- Automated classification results — every uploaded photo is run through an automated content classifier at upload time to detect prohibited content (see Section 3). The classifier output (a confidence label, scan timestamp, file size, and the model's brief textual responses) is logged for service safety and internal audit purposes. The image bytes themselves are not retained by the classification service.
Subscription data (Headliner only)
If you subscribe, billing is processed by Paddle.com, our merchant of record. Paddle collects and stores payment-related personal data (card number, billing address, tax identifiers) directly under Paddle's privacy policy. BlastRadius never sees or stores card numbers. What we receive from Paddle and store is limited to: a Paddle customer identifier, a Paddle subscription identifier, plan code, subscription status, and renewal/cancellation dates.
Usage and technical data
- Pages and events you view, queries you search, and interactions with notifications. Used to surface relevant content and measure feature health.
- IP address, browser/device user agent, and approximate geolocation derived from IP — used for security, abuse detection, and content-delivery routing. Logs are retained for 30 days.
- Authentication session cookies (essential — required to keep you signed in) and a small number of preference cookies (theme, timezone toggle).
What we don't collect
We don't use third-party advertising, analytics, or social-tracking pixels. We don't fingerprint your device for cross-site tracking. We don't sell or rent your data to anyone.
3. How we use it
- To provide the service: authenticate you, store your preferences, and surface concert events relevant to your location and interests.
- To send notifications you've requested (email today; SMS, push, Discord, and Telegram for Headliners as those channels become available).
- To process subscription payments (via Paddle) and provide support.
- To run automated content moderation on user uploads — every photo you upload is classified before being accepted, and uploads our classifier flags as prohibited content are rejected and never stored. Classification logs are kept for service safety and admin review (see Section 4 for the model used).
- To maintain security, prevent abuse, and comply with legal obligations.
- To measure feature usage in aggregate so we can improve the service.
We do not use your personal data to train AI models, and we do not share it with third parties for their independent purposes.
4. Subprocessors
We use the following processors to run the service. Each receives only the data necessary for its role:
- Cloudflare — application hosting, content delivery, database (Cloudflare D1), object storage (Cloudflare R2 for user-uploaded photos), and security/WAF. Receives all service traffic.
- Cloudflare Workers AI — automated content classification of user-uploaded photos at upload time. The image is processed in-memory by the classifier; image bytes are not retained by the model provider. Only the classifier's output (a confidence label and short textual responses) is persisted, in our own database.
- Resend — transactional email delivery (verification, password reset, notifications). Receives recipient email address and message contents.
- Paddle — payment processing and merchant of record for subscriptions. Receives billing data directly from you at checkout.
Concert event data we surface to you is sourced from public-facing endpoints of Ticketmaster, SeatGeek, Setlist.fm, and MusicBrainz. We do not share your personal data with these sources — data flows from them to us, not the other way around.
5. Sharing
We share personal data only:
- With the subprocessors listed above, for the limited purposes described.
- To comply with valid legal requests (subpoenas, court orders) or to protect against fraud, abuse, or security threats. We will challenge requests we believe are overbroad.
- In connection with a business transfer (acquisition, merger, asset sale), in which case the acquirer assumes the obligations of this Privacy Policy.
We never sell or rent personal data, and we don't share it for behavioral advertising.
6. Your rights
Regardless of where you live, you can exercise the following rights at any time. Most are accessible from Settings; for the rest, email privacy@blastradius.live and we'll respond within 30 days.
- Access — request a copy of the personal data we hold about you.
- Correction — update inaccurate data via Settings or by emailing us.
- Deletion — delete your account from Settings. We purge personal data within 30 days, except where retention is required for legal, billing, or fraud-prevention reasons.
- Portability — export your tracked artists, venues, and concert history (Headliner feature; available to all users on request).
- Object / restrict — object to specific processing or restrict it.
- Withdraw consent — for any processing based on consent.
- Lodge a complaint — with your local data protection authority. EU residents may contact their national supervisory authority; UK residents may contact the ICO.
California residents have specific rights under the CCPA/CPRA, including the right to know what we collect, to delete it, and to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising.
7. International data transfers
BlastRadius is operated using globally distributed infrastructure (Cloudflare's edge network). Your data may be processed in the United States, the European Economic Area, the United Kingdom, and other regions where our subprocessors operate. We rely on Standard Contractual Clauses and our subprocessors' compliance certifications (Cloudflare, Resend, and Paddle each maintain SCCs and applicable data-transfer frameworks) for transfers out of the EEA, UK, and Switzerland.
8. Security
We protect personal data with industry-standard practices: TLS encryption in transit, encryption at rest in Cloudflare D1, scoped access tokens, automated security scanning, and a Web Application Firewall on all public endpoints. Passwords are stored as bcrypt-hashed digests. No system is perfectly secure — if you believe your account has been compromised, contact us immediately.
9. Retention
We keep account data for as long as your account is active. After account deletion, we purge personal data within 30 days, except: billing records (retained 7 years for tax/regulatory compliance), security logs (retained 30 days), and any data we are legally required to keep longer.
Uploaded photos are retained while your account is active. They are deleted within 30 days of either photo deletion via Settings or account deletion, whichever is earlier. Content classification audit logs (which do not include the image itself) are retained for security and abuse-prevention purposes.
10. Children
BlastRadius is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact privacy@blastradius.live and we will delete it.
11. Cookies
We use a small number of cookies — all strictly necessary or for user-set preferences. We do not use third-party advertising or analytics cookies.
- Authentication session cookie — required to keep you signed in across requests. Expires when your session ends.
- Preference cookies — your theme, timezone display preference, and onboarding state. Stored in localStorage, not transmitted to us.
12. Changes to this policy
We may update this policy as the service evolves. Material changes will be communicated by email and posted with a new effective date. Older versions are available on request.
13. Contact
Privacy questions: privacy@blastradius.live. General support: support@blastradius.live.