ONTOUR

Data & Compliance

Last updated: 1 June 2026

This page summarises how ONTOUR handles, secures and governs data. It complements our Privacy Policy and Terms of Service.

Regulatory frameworks

ONTOUR is operated from Ontario, Canada and is designed to comply with PIPEDA (Canada), the EU/UK GDPR, and the CCPA/CPRA (California). Individual data-subject and consumer rights are described in our Privacy Policy.

Security practices

  • All traffic is served over HTTPS; ontour.app is on the HSTS preload list (HTTPS-only).
  • Authentication is delegated to Google OAuth; we never store passwords.
  • Database access is protected by row-level security (RLS); the service-role key is server-only and never exposed to the browser.
  • Per-IP and per-account rate limiting protects against abuse and credential stuffing.
  • Access to production data is limited to authorised administrators.

Sub-processors

We rely on the following sub-processors to deliver the Service. Personal information may be processed by these providers under appropriate contractual safeguards:

  • Supabase — authentication, database, hosting (account and usage data).
  • Vercel — application hosting and content delivery.
  • Google — OAuth authentication and (with consent) Google Analytics.
  • Anthropic — AI venue-capacity estimation in internal admin tooling only.

Public data sources

Concert, artist and venue results are built from public data providers — setlist.fm, Wikidata and Deezer. We query these for public information only and do not transmit your personal information to them.

Data residency

Data may be stored and processed in Canada, the United States and the European Union depending on the sub-processor. Cross-border transfers rely on adequacy decisions or Standard Contractual Clauses where required.

Data retention and deletion

Account data is retained while your account is active. On account deletion we delete or anonymise associated personal information within 30 days, except where the law requires retention. To request deletion, email privacy@ontour.app.

Breach notification

In the event of a personal-data breach that poses a risk to your rights, we will notify affected users and the relevant supervisory authorities without undue delay and in accordance with applicable law (including the GDPR's 72-hour authority-notification expectation and PIPEDA's breach-reporting obligations).

Contact

For data-protection, compliance or processing-agreement (DPA) requests, contact privacy@ontour.app. ONTOUR, Ontario, Canada.