LEGAL · PRIVACY POLICY

Privacy Policy — LOCK

Draft for legal review — not legal advice. v0.2-corrected · 8 Jul 2026

Temporary draft under legal counsel review — not final wording (task #23). Subject to the Privacy Protection Law 5741-1981, including Amendment 13 (in effect from 14 Aug 2025). To be confirmed with legal counsel before publishing.

Draft under legal review — not final

1. Who Operates the Service

The Service is operated by:

  • Full legal name: [business/company name]
  • Business registration / company number: [number]
  • Address: [full address]
  • Privacy contact email: privacy@lock.show

[Business/company name] is the database controller — the party that determines the purposes and means of processing personal information within the Service.

2. What the Service Is

The Service is a pre-booking risk-reduction tool for the live music industry. It lets artists, their representatives, and professional stakeholders upload, organize, and review professional information and evidence, build a private view, and produce a public Passport containing only the information the artist has chosen and approved for publication.

The Service does not guarantee bookings, performances, income, event fit, or any commercial decision.

3.1 Account and Identification Information

  • Name and stage name;
  • Email address;
  • Phone number, if provided;
  • Encrypted password or login identifier;
  • Role within the Service, such as artist, representative, booking manager, producer, or team member;
  • Organization name and affiliation;
  • Profile picture and basic account details, if sign-in via an external provider is enabled in the future and with your consent.

3.2 Professional Information About the Artist

  • Stage name, musical genre, region of activity, and biography;
  • Photos, videos, and links to music or professional profiles;
  • Performances, lineups, professional experience, and technical information;
  • Audience ranges, ticketing activity, fee ranges, or other professional data;
  • Information about community, independent activity, events, and commercial offering.

3.3 Evidence and Documents

The user may upload or link evidence, such as:

  • Public links;
  • Screenshots;
  • Exports from ticketing systems;
  • Settlement pages;
  • Professional documents;
  • Ranges or figures the user declares;
  • Confirmations or responses from producers and professional stakeholders.

When uploading information, the user is required to confirm they are authorized to provide it and that it does not include excess personal information about other people.

Client lists, ID numbers, payment details, medical information, information about minors, or personal information not necessary for reviewing the evidence must not be uploaded.

We may remove, redact, black out, or reject a document that contains excess information or third-party information not necessary for the purpose of the Service.

3.4 Claims, Labels, and Processing Outputs

We may retain:

  • Data points extracted from evidence;
  • The source of the evidence;
  • The verification method;
  • The date of verification or update;
  • A status such as supported, self-reported, or confirmed by a producer;
  • Corrections and approvals made by the user;
  • The user's choice of which items remain private and which are published;
  • Previous versions of the Passport;
  • Consent records and system actions.

Internal information, internal assessments, gaps, and information not approved for publication will not be shown on the public Passport.

3.5 Availability Requests and Professional Responses

When someone sends an availability request or a response through the Service, we may collect:

  • Name and contact details;
  • The organization's name;
  • Event type;
  • Event date and location;
  • Capacity range or budget;
  • Message content;
  • Request status;
  • Responses, approvals, or cancellations from a professional stakeholder.

3.6 Technical and Security Information

We may automatically collect:

  • IP address;
  • Device type, operating system, and browser;
  • Login times and system actions;
  • Pages viewed;
  • Security events, login attempts, and errors;
  • Technical identifiers and necessary cookies.

3.7 Payment Information

During the pilot, payments may be made via Bit, bank transfer, or another external payment method.

We do not request or store passwords, secret codes, or access details for the payment account. For accounting reconciliation, receipts, and customer service, we may retain the payer's name, amount, payment date, reference, and invoice details.

4. How Information Is Collected

Information may be received:

  • Directly from you;
  • From a person or organization authorized to act on your behalf;
  • From files and links you uploaded;
  • From responses and requests sent through the Service;
  • From a public source you referred us to;
  • From connecting to an external account, only if that option is enabled and you approve it;
  • Automatically while using the website or application.

The Service is not intended to perform systematic scraping, continuous monitoring, or covert collection of information about artists. Information from a public source is reviewed in the context the user provided and is not published automatically without review and approval.

5. Is Providing Information Mandatory

Unless stated otherwise, there is no legal obligation to provide us with personal information.

That said, certain details, such as an email address and login details, are required to open and operate an account. Without these details we cannot provide the Service.

Uploading evidence, documents, and professional information is the user's choice. Declining to upload certain information may limit the ability to present or substantiate professional claims.

Publishing the Passport is optional and requires separate, explicit approval. The private area of the Service can be used without publishing a public Passport.

Consent to receive marketing messages is optional and is not a condition for receiving the Service.

6. Purposes of Using the Information

We may use the information to:

  • Open accounts, identify users, and manage permissions;
  • Provide the Service and tailor it to the user's role;
  • Build the artist's private view (the Radar);
  • Organize, classify, and review professional evidence;
  • Present information to the user for correction, approval, or removal;
  • Create a public Passport, only after explicit approval to publish;
  • Convey availability requests and responses between the relevant users;
  • Manage payments, invoices, and accounting records;
  • Secure the Service, prevent abuse, and handle faults;
  • Improve performance, user experience, and functionality;
  • Comply with legal, accounting, and regulatory requirements;
  • Send marketing messages, only after obtaining separate consent and to the extent required.

Information will be processed in accordance with your consent, your request to receive the Service, the need to fulfil a legal obligation, or another basis permitted by law, as applicable.

7. Processing via Automated Rules and Artificial Intelligence

The Service uses automated rules as well as an external artificial-intelligence provider (Anthropic) to help organize, classify, and label professional evidence uploaded by the user.

AI-based processing takes place server-side: evidence is not sent directly from the user's browser to the external provider, but is routed through the Service's servers, which minimize the information sent to what the labeling requires.

Accordingly:

  • We minimize the information transferred to the AI provider to what is necessary for labeling and assessing the evidence;
  • We do not transfer excess personal information about third parties to the AI provider;
  • Processing outputs (e.g. labels, classifications, or suggested wording) are shown to the user for review, correction, or removal before any publication;
  • Automated processing — whether based on deterministic logic or on artificial intelligence — does not, and will never, constitute a booking decision, score, ranking, percentile, prediction, or guarantee of any kind. The professional stakeholder receiving the information is solely responsible for their decision.

If we expand the use of additional AI providers or materially change the scope of processing, we will update this policy or present an appropriate notice in advance.

8. The Private Area and the Public Passport

The private area (the Radar) may include strengths, gaps, documents, data, and recommendations that are not shown publicly.

The public Passport will include only information the user has: (1) seen; (2) selected; (3) explicitly approved for publication.

The public Passport will not include internal information, unapproved contact details, exact figures designated as private, internal assessments, or information not approved for publication.

Bear in mind that a public page may:

  • Be accessible to anyone who received the link;
  • Be forwarded to others;
  • Be screenshotted or copied;
  • Be retained in cache memory;
  • Appear in search engines, unless configured otherwise on a technical level.

You may request to stop publishing the Passport or to remove information from it. However, we are unable to delete copies already saved or independently distributed by third parties.

9. Sharing Information

We do not sell or rent personal information. We may disclose information only to the extent required, to the following parties.

Infrastructure providers active in the pilot:

  • Supabase — database, user authentication, permissions, and file storage;
  • Vercel — website hosting, content delivery, and technical logs generated as part of hosting;
  • Anthropic — AI processing for labeling evidence, server-side;
  • Google Analytics 4 — only if the measurement tool is enabled and after obtaining appropriate consent for measurement cookies;
  • Payment and invoicing providers — for payment processing, receipt issuance, and accounting reconciliation.

Additional parties:

  • Legal advisors, accountants, and professional service providers, to the extent required to provide their services;
  • A relevant business party when the user has requested that we send them a request or information;
  • Competent authorities, courts, or enforcement bodies, where a legal obligation exists;
  • A buyer, investor, or other party in the context of a corporate structural change, subject to preserving the purposes of use and protecting the information.

Resend, Google/Facebook OAuth, or similar providers are not used to process real information during the pilot, until they are actually activated and the corresponding disclosure is updated.

10. Transfer of Information Outside Israel

Some infrastructure providers may store or process information outside Israel.

When information is transferred outside Israel, we will act in accordance with applicable legal provisions and take appropriate measures to protect the information, including agreements, undertakings, or other safeguards, as needed.

11. Data Retention

We will retain information only for as long as necessary for the purpose for which it was collected, for operating and securing the Service, handling disputes, or complying with a legal obligation. Among other things:

  • Account information will be retained as long as the account is active;
  • Evidence and content will be retained as long as the user wishes to use them within the Service;
  • Published Passports and their versions will be retained to manage publication and document user actions;
  • Availability requests and responses will be retained to handle the request, for documentation, and to improve the Service;
  • Consent, security, and audit records may be retained for a longer period to demonstrate compliance with legal requirements;
  • Payment and accounting documents will be retained in accordance with legally required periods;
  • Backup copies will be deleted in accordance with the backup and operational cycles of the systems.

When information is no longer needed, we will act to delete it, anonymize it, or restrict its use, subject to legal obligations and reasonable technical limitations.

12. Information Security

We employ organizational and technological measures designed to reduce the risk of unauthorized access, misuse, alteration, loss, or exposure of information. Measures may include:

  • Role-based access and permission control;
  • Separation between private and public information;
  • Row Level Security in the database;
  • Encryption of communications;
  • Permission management on a need-to-know basis;
  • Logging of actions and security events;
  • Backups and security updates;
  • Permission checks and separation between organizations and users.

No system is completely immune. If a material security incident is discovered, we will act in accordance with applicable obligations and the incident-response plan.

13. Your Rights

Subject to law, you may contact us to:

  • Review the personal information held about you;
  • Request correction of information that is incorrect, incomplete, unclear, or outdated;
  • Request to close the account;
  • Request deletion of information, to the extent there is no legal obligation or justified need to continue retaining it;
  • Remove or cancel publication of a Passport;
  • Withdraw consent to optional processing;
  • Remove yourself from marketing lists;
  • Receive additional information about how information is processed.

The right to delete an account or information is provided as part of the Service policy and subject to law. There may be cases where we are required to retain certain information, for example for accounting, security, legal defense, or compliance purposes.

To protect your privacy, we may request reasonable details to verify identity before handling a request.

Requests should be sent to: privacy@lock.show.

14. Cookies and Measurement Tools

The Service may use cookies or similar technologies.

Strictly necessary cookies — required for account login, session persistence, security, language and preference management, and basic operation of the Service. These may operate even without consent, to the extent necessary to run the Service.

Measurement and analytics cookies — Google Analytics 4 or similar measurement tools will be activated only after obtaining consent, to the extent required (Consent Mode v2, default denied). The measurement tool may collect information about pages viewed, on-site actions, device type, browser, and usage characteristics.

You may decline measurement cookies or withdraw consent via the cookie banner or privacy settings. Declining measurement will not prevent use of the core functions of the Service.

15. Marketing Messages

We will send marketing messages only after obtaining separate consent, to the extent required by law.

Consent may be withdrawn at any time via the unsubscribe link in a message or by contacting us. Removal from a marketing list will not affect service messages required for account operation, security, payment, or handling a request.

16. Minors

The Service is intended for business and professional use by persons aged 18 and over.

We do not knowingly request personal information directly from minors. If we become aware that information about a minor was collected without appropriate approval, we will act to delete it or restrict its use.

17. Third-Party Websites and Services

The Service may include links to websites, music platforms, social networks, or external services.

Use of these services is subject to their own privacy policies, and we have no control over how they collect or process information once a user has moved on to them.

18. Changes to This Policy

We may update this policy from time to time due to a change in the Service, providers, technology, or legal requirements.

The update date will appear at the top of the policy. In the event of a material change, we will publish a prominent notice within the Service or provide notice through an appropriate means of contact.

19. Contact

For questions, requests, or complaints regarding privacy:

  • Controller name: [legal name]
  • Email: privacy@lock.show
  • Address: [postal address]
  • Phone, if applicable: [number]