Privacy Policy

1. Introduction

This Privacy Policy describes how Island Breeze Affiliates Inc., a Florida corporation doing business as IBA Music ("IBA Music", "we", "us", or "our"), collects, uses, shares, and protects information in connection with the products and services listed in section 1.2 below.

IBA Music is the data controller for the information described in this policy. If you have questions or wish to exercise any right described here, contact us at privacy@ibamusic.com.

1.1 Who this policy is written for

IBA Music's apps and web tools are business tools for our own operations. They are used by musicians contracted to perform for IBA Music, by band leaders, by IBA Music office staff, and by authorized contractors. They are not general-purpose consumer products. You are most likely reading this policy because you are one of those people, because you are a regulator or legal reviewer, or because you are a Google OAuth verification reviewer assessing IBA Companion's use of the Google Calendar API.

1.2 Products covered by this policy

This policy applies to:

• IBA Companion — our iOS app for iPhone. Musicians use it to view their performance schedule, check in at venues, rehearse setlists with multitrack stems (Practice), and optionally sync their schedule to Apple Calendar (via EventKit) or Google Calendar (via the scope described in section 5).
• IBA Music Admin Dashboard at admin.ibamusic.com — the internal operations tool used by IBA Music staff to manage performances, venues, and musician assignments.
• IBA Music web tools — availability forms and band leader schedule tools used by band leaders and musicians.

If IBA Music launches a new product or service in the future, we will either update this policy to cover it or publish a separate policy and link to it from the Legal Center.

2. Summary

Plain language, up front: IBA Music does not sell your data. We do not use analytics or advertising trackers. We do not read your Google calendar — the scope we request only lets IBA Companion manage calendars it creates itself. We collect the information we need to run live-music performances (schedule, check-ins) and nothing more.

The rest of this policy explains each item in detail.

3. Information We Collect

3.1 Account information

When you sign in to IBA Companion or any IBA Music web tool, we receive your name, email address, and (for some providers) a unique identifier from the sign-in provider you choose: Apple Sign-In, Google Sign-In, Microsoft Sign-In, or an IBA Music-hosted email and password sign-in.

We use this information to create and maintain your account and to link you to the musician, staff, or contractor record IBA Music already has for you. We do not receive your sign-in provider password and we do not store plaintext passwords of our own.

3.2 Profile information

Your musician or staff profile may include: legal name, performing name or nickname, phone number, emergency contact, instrument(s), preferred bands, uniform sizes, and similar operational details. This information is supplied by you or by IBA Music staff on your behalf. You can request corrections at any time.

3.3 Location (GPS)

IBA Companion uses your device's precise location for one purpose only: to verify that you are physically present at the venue where IBA Music booked you to perform, at the time of check-in. Check-in is manual — you tap Check In on your upcoming performance, IBA Companion requests your current location once, and compares it against the venue's coordinates. There is no background or automatic location tracking.

iOS location permission we request

IBA Companion declares one Core Location authorization on iOS:

If you deny the prompt, the check-in feature is unavailable but the rest of the app continues to function normally.

What we do with location data

• We request precise location (kCLLocationAccuracyBest) because venue-matching accuracy of tens of meters is necessary — adjacent Disney-resort venues can be within 100 meters of one another. We do not collect reduced-accuracy location and do not currently expose a reduced-accuracy toggle.
• Location fixes are taken only during a check-in transaction — IBA Companion does not log a continuous location history, does not track your movement between venues, and does not retain location points outside of check-in records.
• IBA Companion does not declare the location background mode and does not monitor geofences. CLLocationManager.allowsBackgroundLocationUpdates is set to false at all times. The app cannot read your location while it is in the background.

Sharing

Location data associated with check-ins is stored in IBA Music's own database on Cloudflare D1 and is used only as described in section 4. We do not transfer location data to any advertising network, data broker, analytics provider, or third party other than the sub-processors listed in section 7. We do not sell it.

How to turn it off

Go to Settings → Privacy & Security → Location Services → IBA Companion on your iPhone to change or revoke permission at any time. Disabling location will prevent the check-in feature from working but will not affect schedule viewing, calendar sync, or any other part of the app.

3.4 Performance and schedule data

We receive your upcoming performance schedule from IBA Music's internal booking system. This includes the venue, date, start and end times, dress code, call time, band name, and any notes relevant to the performance. This is the core data IBA Companion exists to display to you.

3.5 Check-in and attendance records

When you check in at a venue, we record the timestamp, your location at check-in, the performance you checked in to, and whether the check-in was on time. IBA Music uses these records for payroll reconciliation, attendance disputes, and operational reporting.

3.6 Device and technical information

• Push notification tokens. If you grant notification permission (the standard iOS prompt) IBA Companion registers for remote notifications with Apple and hands us the Apple Push Notification service (APNs) device token your device reports. We store that token so IBA Music's backend can deliver operational push notifications — schedule changes, check-in reminders, payroll updates. We do not send marketing or advertising push notifications.

• Background delivery modes. IBA Companion declares the iOS background modes listed below, each tied to a specific, user-visible feature. It does not declare voip, external-accessory, bluetooth-central, or any other background mode beyond those listed here.

  Background mode	Feature	Purpose
  remote-notification	Push notifications (§6.3)	Silent push payloads wake the app to refresh your schedule or update an active Live Activity in the background.
  fetch	Calendar sync v2	Periodic BGAppRefreshTask with identifier com.rolotrealanis.IBA-Companion.calendarsync.refresh reconciles your opted-in calendar with your performance schedule while the app is in the background.
  audio	Practice (multitrack rehearsal, §3.9)	Allows Practice audio you started to continue playing when the screen is locked or the app is backgrounded — identical behavior to any music or podcast app.

  IBA Companion does not use the audio background mode to record audio, capture microphone input, run speech recognition, or do anything other than continue user-initiated rehearsal playback. The microphone is never accessed — NSMicrophoneUsageDescription is not declared and AVAudioSession is configured for .playback (output only), never .record or .playAndRecord.

• Crash and diagnostic logs. IBA Companion does not integrate Firebase Crashlytics, Sentry, Bugsnag, or any other third-party crash-reporting SDK, and IBA Music does not operate any custom diagnostic telemetry pipeline of its own. Platform-level crash reports are collected by Apple on IBA Music's behalf only when you opt in to sharing with developers through your device settings (Apple's "Share With App Developers" toggle). Those reports are delivered through Apple's App Store Connect console and are used only to find and fix bugs. We do not knowingly include personal data in these reports.

3.7 Calendar integration data

Calendar sync is optional. Your choices are:

• Google Calendar — see section 5 for the exact OAuth scope, calendar names created, and Google-specific Limited Use commitments.
• Apple Calendar (EventKit) — see section 6.1 for the EventKit permission we request and how we handle on-device calendar data.

You can use one, both, or neither. Choosing neither does not disable any other feature of IBA Companion.

3.8 Biometric identifiers (NOT collected)

IBA Music does not collect, store, transmit, or process biometric identifiers of any kind. Specifically, IBA Music does not receive, record, or retain:

• Face geometry, facial scans, or FaceID template data
• Fingerprint templates, TouchID data, or any other friction-ridge data
• Voiceprints or voice characteristics
• Retina or iris scans
• Hand or palm geometry
• Gait or behavioral-biometric signatures

When you sign in to IBA Companion using Face ID or Touch ID via your device's standard auto-fill or sign-in provider flow, the biometric check happens entirely on your device, inside Apple's Secure Enclave. The biometric data never leaves your device and is never visible to IBA Music or our servers. We receive only the OAuth assertion the device produces after it has locally verified your biometric — an opaque cryptographic token that contains no biometric information.

This policy addresses the Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), and similar biometric-specific statutes: because IBA Music does not collect biometric identifiers, the notice, consent, retention, and destruction requirements of those statutes do not apply to us. If that ever changes — for example, if a future feature required biometric processing on our servers — we would update this policy, obtain express written consent before collecting any biometric data, and comply with all applicable biometric-privacy laws.

3.9 Practice (multitrack rehearsal)

IBA Companion includes a Practice tab that lets you rehearse the songs on your IBA Music setlist with separated instrument stems (vocals, drums, bass, keys, guitar, etc.). All practice data belongs either to IBA Music's backend or to your device — it is not shared with any third party outside the sub-processors listed in section 7.

What we collect for Practice

• Song catalog metadata — title, artist, key, tempo, section markers, cover art. This metadata is stored in IBA Music's own database on Cloudflare D1 and is delivered to your device via our Companion API when you open the Practice tab.
• Audio stems — individual instrument recordings that belong to IBA Music's internal multitrack library, stored in IBA Music's own Cloudflare R2 bucket. When you choose to practice a song, IBA Companion downloads those stems to your device for offline playback using a standard iOS background URLSession.
• On-device usage signals — your per-song mixer preset (mute, solo, volume per stem), the last position you played to, and a "recently practiced" list. These are stored on your device only and are not transmitted to IBA Music unless you are signed in and IBA Companion synchronizes preferences across your own devices in a future release.

On-device storage, limits, and deletion

• Downloaded stems are cached in IBA Companion's sandboxed Documents directory (Documents/Songs/{songId}/). They are not indexed by iOS Spotlight, not shared to the Files app unless you explicitly export, and not visible to other apps.
• IBA Companion enforces a storage cap (10 downloaded songs by default, configurable between 5 and 20) and a time-to-live (TTL) auto-delete (7 days by default, configurable between 3 and 30). Stems you have not practiced in a while are automatically removed to keep device storage in check. You can review usage and delete downloads manually from Settings → Practice → Storage.
• Uninstalling IBA Companion removes every stem file.

Lock screen, CarPlay, and Bluetooth transport controls

When you are practicing, IBA Companion publishes Now Playing metadata (song title, artist, cover art, playback position) via MPNowPlayingInfoCenter so iOS can display it on your lock screen and in Control Center. It also registers for the standard remote command center (play, pause, next, previous, and scrub) so the transport buttons on Bluetooth headphones, CarPlay, and your lock screen control the Practice player. This is identical to how any music or podcast app integrates with iOS.

IBA Companion does not:

• Access Apple Music, the Music app's library, or any audio file outside its own downloaded stems.
• Record audio or use the microphone — NSMicrophoneUsageDescription is not declared and AVAudioSession is configured for .playback (output only).
• Share what you are practicing with other musicians, bandleaders, or IBA Music staff. Practice playback happens locally and is not reported back to our servers.
• Apply any copy protection or DRM beyond the standard iOS sandbox — the stems are IBA Music's intellectual property (see Terms of Service §4.5) and your right to use them ends when your engagement with IBA Music ends, at which point your access to the Companion API is revoked and any local downloads become orphaned and age out via TTL.

3.10 Photos and camera (not collected)

IBA Companion does not declare NSCameraUsageDescription or NSPhotoLibraryUsageDescription. It does not access the device camera or photo library.

3.12 Maps and external apps (canOpenURL only)

IBA Companion declares three URL schemes in LSApplicationQueriesSchemes so that it can render "open in…" options if you have those apps installed:

Each check is an on-device-only existence query using Apple's canOpenURL API — no information about your installed apps, your device, your location, or your account is transmitted to IBA Music or any third party. IBA Companion does not enumerate any other app schemes and does not use these queries for analytics, fingerprinting, or any purpose other than rendering the optional "open in…" buttons.

4. How We Use Information

We use the information described in section 3 to:

• Provide the service — show you your performance schedule, route push notifications, accept check-ins, and (if you opt in) keep your calendar in sync.
• Run internal operations — payroll, attendance reconciliation, performance reporting, customer-service responses to musicians who write to us with questions about their schedule.
• Security and fraud prevention — detect abusive sign-in attempts, investigate suspected fake check-ins, and protect the integrity of payroll data.
• Legal compliance — respond to lawful subpoenas and court orders, comply with tax and labor-law record-keeping, and meet other statutory obligations.

We do not:

• Sell, rent, or lease your information to anyone for any purpose.
• Use your information to serve advertisements.
• Build behavioral advertising profiles.
• Use your information to train generalized machine-learning models.

5. Google Calendar Integration

When you choose to sync your IBA Music performance schedule to Google Calendar, IBA Companion uses the Google OAuth 2.0 authorization flow to request a single, narrow scope:

https://www.googleapis.com/auth/calendar.app.created

This scope permits IBA Companion to create and manage only the calendars IBA Companion itself creates in your Google account. It does not grant access to any calendar you created manually, any calendar shared with you by another person, or any other Google service.

5.1 What IBA Companion creates

On first sync, IBA Companion creates:

• One primary calendar named IBA Music in your Google account.
• Optionally, one sub-calendar per band you perform with, named IBA — {Band Name} (for example, IBA — Beach Boys Tribute).

All events written to those calendars come directly from your IBA Music performance schedule and contain only: event title, venue name and address, start and end time, notes (call time, dress code, parking), and the IBA Music event identifier used to look up the event on subsequent syncs. We do not write events containing any information you did not provide to IBA Music in the first place.

5.2 What IBA Companion never accesses

IBA Companion never:

• Reads any calendar you created manually in Google Calendar.
• Reads any calendar another person has shared with you.
• Accesses event details, attendees, attachments, or descriptions from any calendar IBA Companion did not itself create.
• Accesses any other Google service (Gmail, Drive, Contacts, Photos, Maps, YouTube, Tasks, Keep, or any other).

The calendar.app.created scope is technically incapable of reading user-created or shared calendars — the Google Calendar API refuses such requests at the server. IBA Companion requests no other Google scope, so there is no other API path by which we could reach your data.

5.3 Google API Services User Data Policy — Limited Use

IBA Music's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In plain English:

• No advertising. We do not use Google user data — including the contents of any calendar IBA Companion creates on your behalf — to serve ads of any kind.
• No selling. We do not transfer Google user data to third parties for money or any other consideration.
• No AI or ML training. We do not use Google user data to develop, improve, or train generalized machine-learning models.
• No human reading. IBA Music personnel do not read the contents of calendars created through the Google Calendar integration except (a) with your explicit consent, typically for a support request you opened; (b) for a narrow security investigation where doing so is necessary to protect you or IBA Music; or (c) where required by law.

5.4 Revoking access

You can revoke IBA Companion's Google Calendar access at any time:

• Inside IBA Companion: open Settings → Calendar Sync → and choose Disconnect Google.
• In your Google account: visit myaccount.google.com/permissions and remove IBA Companion.

Either action immediately stops IBA Companion from reading or writing any Google Calendar data.

5.5 What happens to the calendars after revocation

The IBA Music calendar and any IBA — {Band Name} sub-calendars IBA Companion created remain in your Google account under your sole control after revocation. IBA Companion can no longer add, edit, or remove events in them. You can delete these calendars entirely from calendar.google.com at any time. IBA Music does not retain an independent copy of Google user data on our servers — your performance schedule is stored in our own database and is the source we push to Google Calendar, not the other way around.

6. Apple Platform Disclosures

This section covers the additional disclosures that Apple App Store reviewers, App Tracking Transparency rules, and iOS platform conventions expect IBA Companion to make. It applies to the IBA Companion app on iPhone.

6.1 Apple Calendar integration (EventKit)

IBA Companion can also sync your performance schedule to your device's Apple Calendar using Apple's EventKit framework. This is an on-device, local integration — the calendar and its events live in your device's own calendar database (and in iCloud if you have Apple Calendar iCloud sync enabled through your Apple ID), not on IBA Music's servers.

When you enable Apple Calendar sync, IBA Companion asks you for calendar permission. iOS shows the standard prompt with the string NSCalendarsFullAccessUsageDescription — "IBA Companion adds your performance schedule directly to your device calendar so it stays up to date even when the app is closed."

We request full calendar access (rather than the more limited "write-only access" introduced in iOS 17) because IBA Companion needs to read back the events it previously wrote so it can update or delete them when your schedule changes without duplicating them. IBA Companion reads only the events it itself created for IBA Music — it identifies them by a stable IBA Music event identifier stored on each EventKit EKEvent. It does not read, modify, delete, or transmit events that belong to any other calendar source or that were created by any other app.

You can revoke calendar access at any time in Settings → Privacy & Security → Calendars → IBA Companion. Revocation immediately stops IBA Companion from touching your Apple Calendar. The IBA Music calendar and any events IBA Companion previously wrote remain under your sole control — you can delete them from Apple Calendar whenever you like. IBA Music does not retain a mirror of your device calendar on our servers.

6.2 Sign in with Apple

IBA Companion offers Sign in with Apple as a first-class authentication option alongside Google Sign-In, consistent with App Store Review Guideline 4.8. If you sign in with Apple:

• You may choose to share your real Apple ID email or to use Private Relay (Apple's email-masking service). Either way, IBA Companion treats the address as your account email and sends operational email to it.
• If Apple provides a display name to us during the first-time sign-in, we store it as your profile name. You can change this at any time in the IBA Music admin dashboard or by emailing privacy@ibamusic.com.
• Apple assigns IBA Music a stable "user identifier" that is unique to your Apple ID and the IBA Companion app. IBA Music stores this identifier to recognize your account on future sign-ins. It cannot be used to look you up in any other Apple service.

6.3 Push notifications (APNs)

Push notifications are optional. iOS asks you for permission the first time IBA Companion tries to register. If you grant it, IBA Companion registers for remote notifications and hands the APNs device token to IBA Music's backend so we can deliver operational notifications to you.

IBA Music uses push notifications only for:

• Schedule changes (a performance moved, added, or cancelled)
• Check-in reminders before a performance
• Payroll status updates
• Stage Alerts — time-sensitive on-stage messages sent by IBA Music staff during a performance. You can acknowledge or reply from the notification by choosing one of four predefined responses (OK, On my way, Need 5 min, Can't right now). Replies are posted only to IBA Music's Companion API — no free-text input is accepted and no third party sees them.
• Critical service announcements from IBA Music operations

We do not send advertising notifications, marketing offers, third-party promotions, or behavioral re-engagement nudges. You can disable notifications at any time in Settings → Notifications → IBA Companion.

6.4 Live Activities (Set Tracker) and WeatherKit

IBA Companion declares NSSupportsLiveActivities so that during a live performance it can optionally display a Set Tracker Live Activity on your lock screen and in the Dynamic Island. The Live Activity shows set-by-set timing — current set, remaining time, countdown to the next break — drawn entirely from the performance schedule IBA Music already holds on its servers. No new categories of personal data are collected by the Live Activity: it is a presentation-layer feature over schedule data already described elsewhere in this policy.

The Live Activity may also show an optional hourly precipitation timeline for the venue using Apple WeatherKit. When the Live Activity has venue coordinates from the performance schedule, IBA Companion asks WeatherKit for a short-range forecast at those coordinates. WeatherKit is an Apple service: the forecast query uses the venue's coordinates (not your device's location) and is subject to Apple's own WeatherKit privacy terms. IBA Music does not receive any additional personal data back from Apple in this flow — only a forecast — and the forecast is rendered locally on your device. IBA Companion does not query WeatherKit for your current location and does not log or transmit the forecast data elsewhere.

Live Activities are managed by iOS and follow Apple's timing rules: they appear while the performance is active, update via ActivityKit, and are dismissed automatically (or on your manual swipe) when the performance ends. You can disable Live Activities for IBA Companion at any time in Settings → IBA Companion → Live Activities (or globally via Settings → Face ID & Passcode → Allow Access When Locked → Live Activities).

6.5 App Tracking Transparency (ATT) and the IDFA

IBA Companion does not track you across apps and websites owned by other companies, and does not show the App Tracking Transparency prompt, because there is nothing to ask permission for:

• IBA Companion does not read, request, or store the Identifier for Advertisers (IDFA / advertisingIdentifier).
• IBA Companion includes no advertising SDKs of any kind — no Google Ads Mobile SDK, no Meta Audience Network SDK, no AppLovin, no Unity Ads, no Chartboost, no IronSource, none.
• IBA Companion includes no analytics SDKs — no Firebase Analytics, no Amplitude, no Mixpanel, no Segment, no Hotjar, no Sentry, no Crashlytics, none.
• IBA Companion does not share any data with third parties for cross-app or cross-site advertising. It does not share data with data brokers.

Consistent with this, IBA Companion declares in its App Store privacy report that it does not use data to track users and does not perform any of Apple's defined tracking activities.

6.6 Account deletion

You can close your IBA Music account at any time.

In-app option (recommended). Open IBA Companion, go to Settings → Account → Delete Account, and follow the prompts. The flow discloses what happens to your data, asks you to re-authenticate to prove you own the account, and closes your account once you confirm. You do not need to email us or leave the app to complete this. This satisfies Apple App Store Review Guideline 5.1.1(v).

Email option. If you cannot reach the in-app control for any reason — for example, you no longer have the app installed or cannot sign in — email privacy@ibamusic.com from the email address on your account. We verify your identity and close your account on the same terms.

What happens when you close your account. We immediately deactivate your IBA Music account so you can no longer sign in to IBA Companion or to the web tools through any sign-in provider (Apple, Google, Microsoft, or email). You are signed out on every device you were using. Push notifications to those devices stop. In-app closures take effect immediately; email closures take effect within 30 days of receipt.

What we retain, and why. Florida labor and tax recordkeeping law requires IBA Music to retain records of the performances you worked, the payroll artifacts tied to them, and the minimum personal identifiers — your name, contact information, instruments, and the performance history itself — needed to keep those records meaningful to a tax auditor or labor regulator. IBA Music retains this information for seven (7) years from the date of the underlying record.

During the retention period IBA Music uses the retained information only for tax, labor, audit, and legal-process purposes, and only when specifically required by law or by a legitimate business continuity need. The retained information is not made available to any active feature of the Service — it is not used for scheduling, messaging, push notifications, marketing, automated processing, feature enrichment, model training, analytics, or any operational function of IBA Companion after your account is closed. You are not contacted about events, schedules, availability, or any other operational matter after closure.

After the seven-year retention window elapses, IBA Music reviews the retained information and removes it from the live system unless a pending audit, legal hold, or ongoing dispute requires continued retention.

What happens to your calendars. Closing your IBA Music account does not automatically delete calendars IBA Companion previously created in your Google Calendar or Apple Calendar. Those calendars belong to you and remain in your account under your sole control. See sections 5.5 and 6.1 for how to remove them if you wish.

Your state-law privacy rights are unchanged. Nothing in this section limits any right you have under the California Consumer Privacy Act or any other applicable privacy law to request access, correction, deletion, or limitation of use with respect to specific categories of personal information. See section 11 for details and the contact path for exercising those rights. Requests are honored subject to the retention carve-outs described above, which reflect legal obligations IBA Music is required to meet.

6.7 App Store privacy labels — data mapping

Below is how the data described elsewhere in this policy maps to Apple's App Store privacy-label categories. This exists so App Store reviewers can cross-check the policy against the privacy nutrition label displayed on IBA Companion's App Store page.

"Used to track?" is No for every category because IBA Companion does not perform any of Apple's defined tracking activities (see section 6.5).

Practice stem audio (§3.9) is delivered to your device from IBA Music's own servers — it is not user-provided content and is not "collected" in the App Store privacy-label sense. The User Content row above is "Not collected" for exactly this reason: Practice does not upload audio and does not link that audio to your user identity, and the camera / photo library are never accessed (§3.10).

6.8 Supported operating systems and upgrade path

IBA Companion supports the current major version of iOS plus the immediately previous major version where practical. Security fixes target the current version first. If your iPhone cannot run a supported version, some features — notably calendar sync and modern privacy prompts — may not be available. IBA Music does not intentionally limit functionality on older devices as long as they remain supported by Apple.

7. Information We Share

We share information only with the sub-processors we need in order to operate the service. We never sell personal information, share it for cross-context behavioral advertising, or permit any third party to use your information for its own marketing purposes. A stand-alone, always-current list of sub-processors is published at legal.ibamusic.com/subprocessors — the table below is a summary.

We also disclose information when we reasonably believe disclosure is necessary to comply with a lawful subpoena, court order, or similar legal process; to investigate fraud, security incidents, or violations of our Terms of Service; or to protect the rights, property, or safety of IBA Music, our musicians, or the public. We will contest overbroad legal demands where we believe doing so is proper and practical.

8. Data Retention

9. Your Rights

Regardless of where you live, you may request:

• Access — a copy of the personal information we hold about you.
• Correction — a fix for inaccurate or incomplete information.
• Deletion — removal of your information, subject to our retention obligations under section 8.
• Portability — a machine-readable export.
• Objection and withdrawal of consent — an end to processing based on your consent, where consent is the lawful basis.

Send requests to privacy@ibamusic.com from the email address on file with your account, or use another method reasonable to verify your identity. We respond within the time frames required by applicable law.

For step-by-step instructions on deleting your IBA Companion account from inside the iOS or Android app, see the dedicated Account deletion page.

10. European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the following additional information applies.

• Data controller: Island Breeze Affiliates Inc., Florida, USA.
• Lawful bases for processing:
  • Contract performance — operating IBA Companion and admin tools so you can do the work you were hired to do.
  • Legitimate interests — running IBA Music's business safely, preventing fraud, investigating security incidents, and meeting tax and labor-law record-keeping.
  • Consent — specifically for the optional Google Calendar integration and any future marketing communications.
  • Legal obligation — meeting requirements of Florida and US federal tax, labor, and civil law.
• International transfer: IBA Music is based in the United States and uses US-based and globally-distributed sub-processors. Transfers of EEA/UK/Swiss personal data to the United States are made in reliance on the Standard Contractual Clauses published by the European Commission and (where applicable) the EU–US Data Privacy Framework.
• Right to complain: you may lodge a complaint with your local supervisory authority. In the UK that is the ICO (ico.org.uk). We prefer that you contact us first so we have a chance to resolve the concern directly.

We do not currently maintain an EU representative because IBA Music's operations are focused on Florida, USA. We will appoint one if our processing reaches the thresholds that require it under Article 27 GDPR.

11. California (CCPA / CPRA)

If you are a California resident, the following additional information applies.

• Categories of personal information we collect: identifiers (name, email, account ID), contact information (phone, address), employment-related information (performances, check-ins), geolocation (precise, only at check-in), internet activity (technical logs), and inferences drawn from the foregoing for the limited purpose of running the service.
• Categories sold or shared for cross-context behavioral advertising: None. IBA Music does not sell personal information and does not share it for cross-context behavioral advertising.
• Sources: you, IBA Music staff acting on your behalf, and the devices you use to interact with the service.
• Retention: see section 8.
• Your rights: you may request to know, delete, correct, and limit use of sensitive personal information (which, for our purposes, means your precise geolocation at check-in). Contact us at privacy@ibamusic.com to exercise any right. We do not discriminate against users who exercise rights under the CCPA.

12. Children's Privacy

IBA Music's apps and services are not directed to children under 13 years of age, and we do not knowingly collect personal information from anyone under 13. IBA Music contracts musicians who are adults; users of our apps are expected to be at least 18.

If you believe a child under 13 has provided personal information to us, please contact privacy@ibamusic.com and we will delete the information promptly.

13. Security

We take reasonable measures to protect information against unauthorized access, use, disclosure, alteration, and destruction:

• All traffic between your device and our servers is encrypted with TLS 1.2 or higher.
• Data at rest in Cloudflare D1 and R2 is encrypted by Cloudflare using industry-standard algorithms.
• OAuth tokens on the device are stored in the iOS Keychain, protected by the operating system's hardware-backed security.
• Authentication uses OAuth 2.0 (Apple, Google, Microsoft) for third-party sign-in. IBA Music-hosted email-and-password sign-in uses an industry-standard salted, slow-hash password store (we do not store plaintext passwords). The IBA Music admin dashboard additionally supports WebAuthn passkeys for staff sign-in.
• Access to the IBA Music admin dashboard requires sign-in and is limited to authorized IBA Music personnel.

No security measure is perfect, and we cannot guarantee the security of information transmitted over the internet. If you believe your account has been compromised or you have identified a vulnerability in our services, please email privacy@ibamusic.com — see the Security page for our responsible disclosure policy.

Breach notification. If we determine that a security incident has resulted in unauthorized access to your personal data, we will notify you without undue delay and, where required by law, within the timeframes set by applicable breach-notification statutes — including 72 hours of becoming aware of a personal data breach for notifications to supervisory authorities under Article 33 of the EU GDPR and the equivalent UK GDPR provision, and the timeframes required by Florida Statute §501.171 (Florida Information Protection Act of 2014) for affected Florida residents. Our notice will describe the nature of the breach, the categories of data affected, the steps we are taking in response, and the steps you can take to protect yourself.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of the page. For material changes — changes that expand the categories of data we collect, change how we share it, or meaningfully reduce your rights — we will notify registered users by email or in-app notice at least 30 days before the change takes effect where practical. Your continued use of the service after the effective date means you accept the updated policy.

15. Contact

For any question about this Privacy Policy or to exercise any right described here, contact:

Island Breeze Affiliates Inc. (d/b/a IBA Music) Privacy inquiries: privacy@ibamusic.com Jurisdiction: Florida, USA

A physical mailing address will be provided on request to privacy@ibamusic.com or on this page at a later date.