Privacy Notice

Last updated: 2026-05-12

1. Who We Are

Lee Tagg Pty Ltd ATF Tagg Family Trust (ABN 63 193 632 093, T/A The Mix Bus) ("we", "us", or "our") is the data controller responsible for the personal data you provide when using our service at https://bigname.music.

Contact: privacy@themixbus.com.au | PO BOX 57, Mount Nebo 4520 Queensland Australia

If you have questions about how we handle your data or wish to exercise your rights, please use the contact details above.

2. Personal Data We Collect

We collect only the minimum data required to operate, secure, and deliver our service. Data collection is strictly purpose-limited and falls into three categories:

Account & Authentication Data: Full name, email address, and password (stored exclusively as a cryptographic hash)
Technical & Session Data: IP address, browser/device user-agent strings, and framework session tokens
Security & Infrastructure Logs: Authentication attempts, rate-limit triggers, threat indicators, and system health metrics (automatically generated)

Providing this data is necessary to fulfill our service contract. You cannot create or use an account without providing at least an email address and password. All other technical data is collected automatically as part of standard web infrastructure operation.

3. Why & How We Process Your Data

We process your personal data only for explicit, legitimate purposes:

Data Collected	Purpose	Lawful Basis
Name, email, password hash	Create & manage your account; authenticate access; deliver service	Contract performance (Art. 6(1)(b))
IP, browser identifiers, session tokens	Maintain session continuity; prevent unauthorized access; detect threats	Legitimate interests (Art. 6(1)(f))
Subscription status & billing records	Manage tier access, process payments, enforce storage limits	Contract performance (Art. 6(1)(b))

Lawful bases: Contract performance (Art. 6(1)(b)) for account & billing data; Legitimate interests (Art. 6(1)(f)) for security data.

We do not use your data for marketing, profiling, cross-site tracking, analytics, or any purpose unrelated to service delivery and security. We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

4. Data Retention & Account Lifecycle

We retain your personal data only as long as necessary to deliver our service, fulfill our contract, or comply with legal obligations.

Active Accounts

Free-tier accounts: Data is retained while your account remains active and your storage usage stays within the free threshold.
Paid subscription accounts: Data is retained while your subscription remains active. Billing and usage records are processed by Stripe under strict GDPR-compliant data processing agreements.

Downgrading to Free Tier

If your storage needs decrease below the free-tier threshold:

You may request or trigger a switch to the free plan.
The downgrade takes effect at the end of your current billing period.
Once the billing cycle concludes, your account operates under free-tier rules.

Account Deletion (Right to Erasure)

Deletion is immediate and automated. When you initiate account deletion:

Your recurring subscription is terminated effective immediately.
Your personal data is anonymized or permanently purged from active systems within 24 hours.
Encrypted infrastructure backups may retain residual data for up to 30 days for disaster recovery.

If you delete mid-cycle, you forfeit access to paid-tier features for the remainder of that period. Your right to delete is absolute and not contingent on your billing cycle.

Legal & Financial Record Retention

After account deletion, we may retain minimal, anonymized transaction records (e.g., invoice IDs, payment timestamps) for up to 7 years to comply with tax, accounting, or consumer protection laws. These records contain no usable personal data.

5. Security Measures

We implement technical and organizational measures aligned with GDPR Article 32:

TLS/HTTPS encryption for all data in transit; industry-standard hashing (Argon2) for passwords at rest
Strict role-based access controls and least-privilege architecture
Automated threat detection, rate limiting, and intrusion monitoring
Regular infrastructure updates and vulnerability patching

6. Your Rights Under GDPR

You have the following rights regarding your personal data:

Access a copy of the data we hold about you
Rectify inaccurate or incomplete information
Erase your data ("Right to be Forgotten")
Restrict processing under specific legal conditions
Data portability (receive your data in a structured, machine-readable format)
Object to processing based on legitimate interests

Reporting GDPR Concerns

Contact us at privacy@themixbus.com.au. We will acknowledge receipt within 5 business days and respond substantively within 30 calendar days. For urgent concerns, mark your email with [URGENT: DATA PROTECTION] in the subject line.

Exercising the Right to Erasure

You may delete your account at any time via Settings or by emailing privacy@themixbus.com.au. Upon confirmation, your subscription stops immediately and your data is purged from active systems within 24 hours.

7. Cookies & Essential Technologies

Our application uses only strictly necessary cookies and browser storage required to maintain your authenticated session, prevent cross-site request forgery (XSRF), and preserve application state.

These technologies are exempt from prior consent under the ePrivacy Directive and GDPR. We do not deploy analytics, advertising, social tracking, or any non-essential cookies.

8. Third Parties & Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing or commercial purposes. Data may only be processed by essential infrastructure providers (e.g., cloud hosting, CDN, payment processors) under strict GDPR-compliant Data Processing Agreements (DPAs).

9. International Transfers

If any personal data is transferred outside the European Economic Area (EEA) or United Kingdom, we ensure an adequate level of protection through EU/UK adequacy decisions, Standard Contractual Clauses (SCCs), or other GDPR-compliant transfer safeguards.

You may request details of the specific safeguards applied by contacting privacy@themixbus.com.au.

10. Complaints & Supervisory Authority

You have the right to lodge a complaint with a data protection authority if you believe your data has been processed in violation of applicable privacy laws.

UK: Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint
EU: Your national supervisory authority — edpb.europa.eu/about-edpb/about-edpb/members_en

We encourage you to contact us first at privacy@themixbus.com.au so we can resolve your concern directly.

11. Changes to This Notice

We may update this notice to reflect changes in our service, technical infrastructure, or legal requirements. Where changes significantly affect how we process your data, we will notify you via email or a prominent notice on our platform prior to implementation.