TOTHEBAND
Legal

Privacy Policy.

This is our privacy policy in plain English. We've written it to be read, not avoided. We collect only what we need, use it only for what we say, and never sell it to anyone.

Last updated: June 2026  ·  Applies to totheband.com and all associated services

Section 01

Who We Are

ToTheBand is a fanmail platform for rock and metal fans, operated as a sole trader business based in Scotland, United Kingdom.

For the purposes of UK GDPR and the Data Protection Act 2018, the data controller is the founder and sole operator of ToTheBand.

You can contact us at any time at craig@totheband.com. We will always respond personally.

Section 02

What We Collect

We collect only what is necessary to provide the service. Here is exactly what that is:

Data | Why we collect it | Required?
Email address | To send your delivery confirmation and any communications you explicitly consent to. Used for account login. | Yes — at registration
Display name | Collected at registration. Can be your real name, a nickname, or a username — entirely your choice. Shown to the band alongside your letter. Editable at any time in your profile settings. | Yes — at registration
City and country | Added optionally in your profile settings after registration. Attached to your letters automatically when you write to a band — helps bands understand where their music reaches geographically. Editable or removable at any time in your profile settings. | No — optional in profile
Letter content | To moderate and deliver your message to the band | Yes — per letter
Letter type and context | To categorise and format your message for delivery | Yes — per letter
Consent choices | Two required consents per letter submission — consent to letter being read by the band, and age confirmation. One optional marketing consent — whether you want to hear about relevant rock and metal events from trusted partners. | Two required, one optional — per letter
Consent timestamp | To maintain a legal record of when each consent was given — retained 6 years as required by UK law | Yes — automatic
IP address | Basic security and spam prevention only — not stored beyond session | Automatic

We do not collect phone numbers, physical addresses, payment details, social media handles, or any other personal information beyond the above.

Section 03

Why We Collect It

We process your data under two lawful bases as defined by UK GDPR:

Legitimate interest — processing your letter submission, moderating it, and delivering it to the band. This includes your letter being accessible to the band's official management team in the normal course of managing the band's communications. This is standard practice in the music industry and does not extend beyond the band's official team.

Consent — your explicit confirmation that you are 16 or older and that you consent to your letter being read by the specific band you are writing to. We never assume consent and never pre-tick boxes.

We do not use your data for automated decision-making, profiling, or any purpose not listed in this policy.

Section 04

How Long We Keep It

Data | Retention period
Profile data (email, display name, city, country) | Retained for as long as your account is active. Deleted within 30 days of account deletion or deletion request. City and country can be removed by you at any time in your profile settings.
Letter content | Retained in anonymised form indefinitely for platform analytics. Personal identifiers removed after 30 days unless consent given.
Consent records | Retained for 6 years as required by UK law.
Email address — marketing consent given | Retained until you withdraw consent or request deletion. Withdrawal takes effect within 5 working days.

Section 05

Who We Share It With

We never sell your data. Ever. This is a core principle of the platform and will never change.

We share limited data with the following third parties solely to operate the service:

Third party | What they receive | Why
Supabase | All platform data — user accounts, letters, replies, consent records. Stored in a secure hosted database with row level security enabled. | Database and authentication infrastructure
Resend | Your email address and first name for the purpose of sending transactional notifications — delivery confirmations and reply notifications only. | Email delivery infrastructure
Vercel | Standard web traffic data | Website hosting and deployment
Bands on the platform | Your display name, letter type, message content, and any city and country stored in your profile settings. Your email address is never shared with any band or their management. City and country are optional — leaving them blank in your profile has no impact on letter delivery. | Delivery of your letter. Management access is covered under legitimate interest — standard practice in the music industry.
Trusted partners | No personal data is ever shared with or sold to partners. Partners pay ToTheBand to send relevant communications to fans who have explicitly opted in to receiving them. Your email address is never passed to any partner directly — all messages are sent by ToTheBand on their behalf. | Relevant rock and metal promotions to fans who explicitly opted in. Only applicable if you ticked the optional marketing consent when submitting a letter.

All third party processors we use are GDPR compliant and operate under appropriate data processing agreements.

Section 07

Your Rights

Under UK GDPR you have the following rights regarding your personal data. To exercise any of them, email craig@totheband.com. We will respond within 30 days.

Right of Access

You can request a copy of all personal data we hold about you.

Right to Rectification

You can ask us to correct inaccurate data we hold about you.

Right to Erasure

You can ask us to delete your personal data. We will do so within 5 working days except where we are legally required to retain it (consent records).

Right to Restrict Processing

You can ask us to stop processing your data while a dispute is resolved.

Right to Data Portability

You can request your data in a machine-readable format.

Right to Object

You can object to processing based on legitimate interest. We will stop unless we can demonstrate compelling grounds.

Right to Withdraw Consent

You can withdraw any consent you have given at any time. This does not affect the lawfulness of processing before withdrawal.

Right to Complain

If you are unhappy with how we handle your data you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

Section 08

Cookies

ToTheBand uses only essential cookies necessary to operate the website. We do not use advertising cookies, tracking cookies, or third party analytics cookies.

We do not run Google Analytics, Facebook Pixel, or any similar tracking tools. We have no interest in tracking your behaviour across the web.

The only cookies set are those required for basic website function such as session handling. These are deleted when you close your browser.

Section 09

Contact Us

Any question about this policy or how we handle your data — email us. We respond personally to every message.

Data Controller Contact

ToTheBand
Scotland, United Kingdom

Email: craig@totheband.com

Response time: within 5 working days for data requests, within 30 days for formal rights requests as required by UK GDPR.

If you are not satisfied with our response you may contact the Information Commissioner's Office at ico.org.uk.