This Privacy Policy explains how we process personal data when you use the j.show platform ("Platform", "Service") or visit our public website. It supplements our Terms of Use.
1. Controller / Contact
Jonas Stricker
Im Geigersberg 8, 74348 Lauffen am Neckar, Germany
Email: hello@j.show
VAT ID: DE288958387
We have not appointed a data protection officer (not legally required). For data protection questions, please contact us directly at the address above.
2. Roles under the GDPR
j.show is a Software-as-a-Service platform for professional tour and show management. Depending on context, we act in different roles:
Controller for data we process to provide the Service to our customers (Platform owners) – e.g. registration, billing and support data – and for the public website.
Processor for data our customers (artists, agencies) store inside their Platform instance about their crew, contacts, venues, etc. The Platform Admin is the controller for that data. A data processing agreement (DPA) under Article 28 GDPR is available and will be concluded upon request at no cost.
Profile data of crew members / invited users: name, email address, phone number, location, role/function, password (stored hashed), language, device type, optional profile picture.
Third-party contacts (venues, promoters, hotels, contact persons): name, email, phone, address, tax numbers – entered by the Platform Admin.
Special categories (Art. 9 GDPR): health-related information such as allergies or dietary preferences of crew members, to the extent entered by the Admin or the data subject themselves. The Platform Admin is responsible for the legal basis (typically consent).
Business data: show and tour details, invoices, contract data, bank details (IBAN) – entered by the Admin.
Access and activity data: IP address on login, session ID, login/logout timestamps, device information (iPhone/Android, app version).
Legal basis: Art. 6(1)(b) GDPR (contract performance) for Platform owners and directly registered users; for crew data we act as processor on behalf of the Admin (Art. 28 GDPR); for health data Art. 9(2)(a) GDPR (consent, to be obtained by the Admin).
3.2 Billing and payments
Invoicing and payment data (company name, billing address, VAT ID, bank details via Stripe).
Legal basis: Art. 6(1)(b) GDPR (contract) and (c) GDPR (statutory retention obligations, sec. 147 AO, sec. 257 HGB).
3.3 Email communication
Transactional emails (registration, password reset, notifications, invoices) and support communication.
Legal basis: Art. 6(1)(b) GDPR (contract).
3.4 AI assistant "Kira" (optional)
The Platform includes an optional AI-based help assistant. Kira only processes data when you actively use the chat and send a message.
Transmitted to the AI provider (via our central AI service; either Anthropic PBC or OpenAI, L.L.C., each USA): your chat input, user role, language, Platform subdomain, platform type (Artist Basic, Artist Pro, or Agency), email address (for support routing), IP address, URL of the page, and the most recent messages of the current conversation as context. The AI model selection in the platform settings applies only to the AI advancing assistant, not to Kira.
Not transmitted: show details, crew lists, contacts, financial figures, contracts, uploaded files or similar business data from your Platform.
Chat history is stored on our servers for quality assurance. You may request deletion via hello@j.show.
The respective AI provider does not use transmitted content for model training (Anthropic in accordance with its enterprise API policy; OpenAI in accordance with its API data policy). Transmission occurs over TLS-encrypted connections.
Legal basis: Art. 6(1)(a) GDPR (consent through active use).
Transfer to a third country (USA): based on Standard Contractual Clauses under Art. 46(2)(c) GDPR and the EU-US Data Privacy Framework.
3.5 AI advancing assistant (optional)
The Platform includes an optional AI-powered advancing assistant that interprets instructions sent by email to the Platform's dedicated address or via the assistant tab in the Platform chat, and can then create, modify, or link shows, venues, hotels, partners, deals, etc. The feature is disabled by default, must be enabled by the Admin, and only processes instructions from authorized senders; emails from non-authorized senders are discarded before any AI processing.
Transmitted to the AI provider (depending on the model selected, Anthropic PBC or OpenAI, L.L.C., each USA): unlike Kira, actual business data is transmitted here: the content of the instruction, any attachments included (PDF, images, text documents – including image/PDF content for analysis), the email address of the instructing person, and the show, venue, hotel, partner, crew, and financial/deal data required to process the instruction. For the tour-routing feature, additionally venues, coordinates, and travel distances.
You interact exclusively with our systems hosted in Germany; from there, transmission to the respective AI provider (Anthropic PBC or OpenAI, L.L.C., each USA) is TLS-encrypted.
The AI provider does not use the content for training in accordance with its enterprise or API policy.
We store the history of assistant runs (instruction, model response, executed actions) for a maximum of 90 days for quality assurance and abuse prevention; file attachments are not stored in full text in this log. Incoming raw emails are deleted within a few hours after processing.
Legal basis: Art. 6(1)(b) GDPR (performance of the contract with the Platform owner); for crew/contact data contained therein we act as processor on behalf of the Admin (Art. 28 GDPR).
Transfer to a third country (USA): based on Standard Contractual Clauses under Art. 46(2)(c) GDPR and the EU-US Data Privacy Framework.
3.6 Public website (j.show)
When you visit our public website, your IP address is transmitted once to ip-api.com to determine your country and show regional pricing (EUR/USD). No trackers, cookies or analytics pixels are used.
We use only strictly necessary cookies required for Platform operation:
JSHOW_N2 – session cookie for login (HttpOnly, Secure, SameSite=Lax).
JSHOW_APP – token to recognize the mobile app.
farben_auto – dark/light mode preference.
appversion, device – for device/version detection in the app.
No cookie banner is required because no consent-based cookies (tracking, analytics, advertising) are set. You may delete cookies through your browser; without the session cookie, login is not possible.
Legal basis: sec. 25(2)(2) TTDSG (strictly necessary cookies) in conjunction with Art. 6(1)(b) GDPR.
5. Encryption
All data transmitted between your device and our servers is secured via SSL/TLS.
Passwords are stored only as cryptographic hashes, never in plain text.
Other personal data is stored server-side on encrypted file systems; no additional application-level field-level encryption is applied.
6. Recipients / Data sharing
6.1 Within the Platform
Inside a Platform instance: a person's name, email, phone, location and role are visible to all users with access to that Platform (except users with "Guest" role, who have restricted access).
Travel party of an event: visible to "Guests" if they are part of that travel party themselves.
LINK function: Admins, agencies and tour managers can grant third parties (e.g. local promoters) a time-limited link with selected event information. Creation is logged.
Data subjects can toggle "Hide my contact" under "Edit profile" so contact data (email, phone) is visible only to Admins/agencies.
6.2 Subprocessors
We engage carefully selected service providers with whom we have data processing agreements under Art. 28 GDPR. Data transfer is encrypted; providers outside the EU are contracted under Standard Contractual Clauses and, where available, the EU-US Data Privacy Framework.
| Provider | Location | Purpose | Condition |
|---|---|---|---|
| Hetzner Online GmbH | Germany | Hosting (server & database infrastructure) | always |
| Mailgun (Sinch Email) | EU region | Email delivery | always |
| Anthropic PBC | USA | Kira AI assistant (central AI service) & AI advancing assistant (Claude model, when selected or as fallback) | only on use |
| OpenAI, L.L.C. | USA | Kira AI assistant (central AI service) & AI advancing assistant (GPT/ChatGPT model, when selected or as fallback) | only on use |
| Stripe | EU (Stripe Payments Europe) | Payment processing | only on payment |
| DocuSign, Inc. | EU (eu.docusign.net) | E-signatures | only if Admin enables |
| Box, Inc. | USA | E-signatures | only if Admin enables |
| OneSignal, Inc. | USA | Push notifications to mobile app users (device push tokens, notification content) | only when using the mobile app with push enabled |
| DATEV eG | Germany | Accounting export (transfer of booking data) | only when connected by Admin |
| Google LLC (Google Maps Platform) | USA | Address verification, place search, travel-distance/time-zone determination for venue, hotel, and travel data (server-side) | when using the address/travel/routing features |
| Mapbox, Inc. | USA | Map display of venues and routes (client-side) | when the map view is opened |
| FlightAware (AeroAPI) | USA | Retrieval of flight schedule/status data for travel planning | when using the flight data feature |
| Open-Meteo GmbH | Germany | Weather forecast for venues (geocoordinates + date) | when using the weather feature |
| Pdfcrowd | Czech Republic | PDF rendering | on PDF generation |
| Frankfurter / Exchange Rate API | EU/USA | Currency exchange rates (no personal data) | on currency conversion |
| ip-api.com | USA | Country detection | public website only |
We do not use advertising trackers, analytics pixels, profiling services, social media plugins or ad services (no Google Analytics, no Meta Pixel, no Matomo). We do not sell or trade your personal data.
7. Storage location
Primary storage of Platform data is on servers in Germany. Individual subprocessors (see above) may process data within their responsibility in other countries.
8. Retention period
Profile data of crew members: stored until either the data subject or an Admin/agency deletes the profile. After deletion, all data about that person is removed completely and irrevocably; a backup-independent blacklist ensures that deleted profiles remain deleted even after a backup restore.
Platform instance: during the subscription term and, after the license ends (cancellation or expiry of the subscription), for one (1) more year, so that the Platform can be reactivated at any time during this period. After this year the database is fully deleted unless statutory retention obligations apply. From the moment the license ends, the Admin may also have the Platform instance archived and/or permanently deleted earlier at any time.
Invoicing and accounting data: 10 years (sec. 147 AO, sec. 257 HGB).
Kira chat history: when a user deletes a chat, it is first archived and hidden; full removal occurs on request or together with the deletion of the Platform instance.
AI advancing history: log of assistant runs for a maximum of 90 days; incoming raw emails deleted within a few hours after processing.
Authentication logs (login attempts): 30 days. General access/activity logs are retained for backup and accountability purposes and pruned at reasonable intervals.
9. Your rights as a data subject
Under the GDPR you have the following rights:
Access (Art. 15 GDPR) – all data stored about you is viewable inside the Platform.
Rectification (Art. 16 GDPR) – editable under "Edit profile".
We may update this Privacy Policy when services, legal frameworks or subprocessors change. Material changes will be communicated to registered users with reasonable advance notice via email or Platform notification. The current version is always available at j.show/privacy.