Privacy Policy
Document version: 1.0 Effective date: 2026-04-23 Last updated: 2026-04-23 Primary jurisdiction: Hungary (with UK provisions taking effect on launch in the United Kingdom)
This Privacy Policy explains how Balazs Okros (the "Operator", "we", "us") handles personal data in connection with the Dayliner production-management service (the "Service"). It is written to meet the transparency requirements of Articles 13 and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), as supplemented in Hungary by Act CXII of 2011 on Informational Self-Determination and Freedom of Information (the "Info Act" / "Infotv."), and (for users in the United Kingdom) the UK GDPR and the Data Protection Act 2018.
This policy covers the Service itself. Your use of the Service is also governed by our Terms of Service, including the intellectual-property and content rules in Schedule 1 of those Terms, which describe how rights in the Service and in the content you upload are handled.
A Hungarian-language translation of this policy is available on request. In the event of any discrepancy, the Hungarian version prevails for users whose habitual residence is in Hungary.
1. Who is responsible for your data
The Service is a multi-tenant business application. Two different relationships apply, and they decide who is responsible for what.
- When we act as a processor. Most of the personal data inside the Service is uploaded and managed by the organisation that holds the account (the "Customer") — for example, performer contacts, crew and guest lists, personnel records, riders, and email collected into the Service. For that data the Customer is the data controller and we are a data processor acting on the Customer's documented instructions. If your personal data is in the Service because an organisation put it there, you should direct your privacy requests to that organisation; we will assist them as their processor.
- When we act as a controller. For a limited set of data we decide the purposes and means ourselves, and we are therefore the controller: account and login data of registered users, security and audit logs, billing and contract data with the Customer, and operational communications with account administrators.
Operator (controller / processor) contact details:
| Legal name | Balazs Okros |
| Registered address | Hamer Avenue 36, Carterton, OX18 3GS United Kingdom |
| Company registration number | - |
| Tax number | - |
| Data-protection contact | dayliner@pelso.co.uk |
We have not appointed a Data Protection Officer under Article 37 GDPR, as we are not required to. Data-protection questions and requests should be sent to dayliner@pelso.co.uk.
2. The personal data we process
| Category | Examples | Our role |
|---|---|---|
| Account & identity | Name, email, password (hashed), avatar, language, roles and permissions, two-factor settings | Controller |
| Authentication & security | Login timestamps, IP address, user-agent, session and "remember me" tokens, policy-acceptance records (timestamp, user, IP, document version) | Controller |
| Activity & audit logs | Records of who created, changed or deleted content, and when | Controller |
| Customer content | Performer profiles, biographies, photos, riders, setlists, personnel and guest lists, deals and contracts, transport and accommodation details, messages and email collected into the Service, and any other content the Customer uploads | Processor (Customer is controller) |
| External portal users | Performers, suppliers and guests who authenticate to a scoped portal via a token to view or submit material for a specific performance or task | Processor (Customer is controller) |
| Communications with us | Support requests and correspondence with account administrators | Controller |
| Billing | Customer company details and subscription/invoice records | Controller |
We do not intentionally seek out special-category data (Article 9 GDPR). Customers may, however, include such data in free-text fields, riders, or dietary/accessibility notes (for example, allergies in catering requirements). Where that happens, the Customer is responsible for having a lawful basis, and we process it only as part of operating the Service for them.
3. Why we process it, and our legal basis
As controller, we rely on the following bases under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)). To create and run accounts, authenticate users, deliver the Service, and provide support.
- Legitimate interests (Art. 6(1)(f)). To keep the Service secure (logging, abuse and fraud prevention, audit trails), to administer and improve it, and to enforce our terms. You may object to processing based on legitimate interests (see section 8).
- Legal obligation (Art. 6(1)(c)). To keep accounting and tax records, and to respond to lawful requests from authorities.
- Consent (Art. 6(1)(a)). Where we ask for it explicitly — for example, any non-essential cookies. You may withdraw consent at any time.
As processor, we process Customer content only on the documented instructions of the Customer and for the purposes set out in our agreement with them (hosting, storage, rendering thumbnails and PDFs, sending email and attachments, transmitting setlists to collective rights organisations such as Artisjus when instructed, and similar operating functions). The Customer is responsible for establishing the legal basis for that processing.
We do not use Customer content to train machine-learning models, and we do not sell personal data.
4. Cookies and similar technologies
The Service uses cookies that are strictly necessary for it to function — to keep you signed in (session and authentication cookies), to protect form submissions against cross-site request forgery (CSRF), and to remember your interface preferences. These do not require consent under the ePrivacy Directive 2002/58/EC (as implemented in Hungary by Act C of 2003 on Electronic Communications) and Article 6(1)(f) GDPR.
We do not use advertising cookies. Any analytics or other non-essential cookies, if introduced, will be loaded only after you give consent, and this policy and the consent banner will be updated accordingly.
5. Who we share data with
We share personal data only as needed to run the Service:
- Sub-processors. Carefully selected service providers who process data on our behalf under written contracts that meet Article 28 GDPR — in particular our hosting/infrastructure provider, email delivery and inbound email (IMAP) providers, and any error-monitoring or backup providers. A current list of sub-processors is available on request at dayliner@pelso.co.uk.
- Other users in the same organisation. Within a Customer's account, content is visible to other authorised users according to the Service's role-based access controls and per-event, per-facility and per-performer scoping. Content is never shared across organisation boundaries.
- Collective rights organisations. When a Customer instructs the Service to do so, setlist data is transmitted to the relevant organisation (for example, Artisjus in Hungary, or PRS for Music / PPL in the UK).
- Authorities and legal. Where we are required by law, or to establish, exercise or defend legal claims.
- Business transfers. If the Operator is involved in a merger, acquisition or asset sale, data may be transferred subject to this policy.
We do not sell personal data and do not share it for third-party advertising.
6. International transfers
We host and process personal data within the European Economic Area (EEA), and we do not transfer it to countries outside the EEA. If this ever changes — for example, if we engage a sub-processor located outside the EEA — we will put an appropriate safeguard under Chapter V GDPR in place (such as a European Commission adequacy decision or the Standard Contractual Clauses), update this policy, and tell you which safeguard applies before the transfer takes effect.
7. How long we keep data
- Account, security and audit data: for as long as the account is active, and then for a limited period afterwards to meet our legal, security and accountability obligations.
- Customer content: for as long as the Customer keeps it in the Service. When the Customer deletes content or closes the account, we delete or anonymise it within a reasonable period, except where retention is required by law, by an active legal hold, or in routine backups for a limited rolling window.
- Billing and accounting records: retained for the period required by Hungarian accounting and tax law (generally 8 years under the Act on Accounting).
When personal data is no longer needed, we delete or irreversibly anonymise it.
8. Your rights
Subject to the conditions in the GDPR, you have the right to:
- access the personal data we hold about you;
- request rectification of inaccurate data;
- request erasure ("right to be forgotten");
- request restriction of processing;
- data portability — receive your data in a structured, machine-readable format;
- object to processing based on legitimate interests; and
- withdraw consent at any time, where processing is based on consent, without affecting prior processing.
How to exercise them. If your data is in the Service because an organisation uploaded it (we are the processor), please contact that organisation; we will support them in responding. For data where we are the controller, contact us at dayliner@pelso.co.uk. We respond within one month, as required by Article 12(3) GDPR. We may need to verify your identity first.
Right to complain. You may lodge a complaint with the Hungarian supervisory authority:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) 1055 Budapest, Falk Miksa utca 9-11., Hungary Web: naih.hu · Email: ugyfelszolgalat@naih.hu
UK users may complain to the Information Commissioner's Office (ICO), ico.org.uk. You may also complain to the authority in your country of habitual residence.
9. How we protect data
We apply technical and organisational measures appropriate to the risk (Article 32 GDPR), including: encryption of traffic in transit; hashing of passwords; multi-tenant isolation with server-side scoping so records cannot be read across organisation boundaries; role-based access control and per-entity access grants; storage isolation that prevents enumeration of other tenants' files; session-bound media URLs; audit logging of content lifecycle events; and least-privilege, ticket-based access for support staff. No system is perfectly secure, but we work to protect your data and to detect and respond to incidents.
In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required (Article 33 GDPR) and, where the breach is likely to result in a high risk, affected individuals without undue delay (Article 34 GDPR).
10. Automated decision-making
We do not make decisions producing legal or similarly significant effects about you based solely on automated processing, and we do not carry out profiling of that kind (Article 22 GDPR).
11. Children
The Service is a business tool intended for use by professionals and is not directed at children. We do not knowingly collect personal data from children. Customers are responsible for any data concerning minors (for example, a minor performer) that they choose to enter, and for the lawful basis for doing so.
12. Changes to this policy
We may update this policy. Material changes will be announced through the Service's in-app notification system and/or by email to account administrators, and the "Last updated" date above will change. Continued use of the Service after a change takes effect constitutes acceptance of the updated policy.
13. Contact
Questions, requests, or the Hungarian-language version of this policy:
Balazs Okros Hamer Avenue 36, Carterton, OX18 3GS United Kingdom Email: dayliner@pelso.co.uk