Privacy

The honest summary, in plain language.

What Loadout stores about you

Account basics — your name, email, password hash (bcrypt), emailVerified flag, whether you're an admin.
OAuth links — if you signed in with Google, the link to that Google account (not your Google password, obviously).
Sessions — token-keyed records of your active sign-ins, expiration timestamps. Bound to your account.
Band memberships — which bands you're in, your role on each.
Audit log entries — append-only records of meaningful actions (created band, accepted invite, deleted song). Used for compliance + support troubleshooting.
Tip transactions — for the connected tier, every tip you process. Card details are NOT on Loadout's side — Stripe handles those. Loadout sees: amount, currency, the tipper's email if they entered one, the band-side connected-account ID.
AI run logs — every Claude or Workers AI call is logged with inputs/outputs/tokens/cost. Used for prompt observability and optimization. Your prompts to the AI setlist generator are stored.

Stage view preferences — transpose, font scale, hide-chords, line-pointer mode. Stored in localStorage, never sent to the server.
Offline setlist cache — IndexedDB cache of recent setlists for offline use.
First-run hint flags — "you've seen the gesture hint" markers in localStorage.

If you clear your browser storage, those reset. No server-side mirror.

Tipper card numbers — Stripe handles those. Loadout receives the payment-intent ID, the band-side fees, and the resulting balance — never the card itself.
Audio recordings — Loadout doesn't accept audio uploads. The metronome and stage view are pure rendering; nothing's recorded.
Tracking pixels or third-party analytics — no Google Analytics, no Facebook pixel, no marketing trackers. Cloudflare Workers Logs handle operational telemetry; that data stays on Cloudflare.

You — everything in your account.
Your bandmates — the band's songs, setlists, gigs, tip totals. They cannot see your personal account settings.
Admins — Loadout admins can read band, user, and tip data through the admin panel for support purposes. All admin actions are written to the audit log. Admins do not have access to user passwords or card details.
The public — your band's public page (loadout.band/[bandSlug]) when publicEnabled is on. That's it; nothing about your personal account is ever public.

Account + bands + songs — as long as the account exists. See Deleting your account for the 30-day grace + hard purge.
AI run logs — kept indefinitely for prompt optimization. Inputs may include song lyrics or your generator prompts; outputs include the AI's drafts.
Audit log — kept indefinitely. Anonymized when the actor's account is purged.
Tip transactions — kept indefinitely for Stripe compliance + tax records.

For data export, deletion outside the grace period, or any other privacy question, email support@loadout.band.