Legal

Privacy Policy

Last updated: 1 June 2026 Effective: 1 June 2026

This Privacy Policy explains how Togapa ("Togapa", "we", "us", "our") — a service owned and operated by DJ Graffiti LLC, 2232 S Main St #216, Ann Arbor, MI 48103, USA — collects, uses, shares, and protects information when you use the Togapa service at togapa.com and app.togapa.com (together, the "Service").

The Service is a real-time song-request and voting platform for event hosts. Guests scan a QR code or open a link to request and vote on songs; the event host manages a live queue from a dashboard, with an optional big-screen venue display.

By using the Service you agree to this Policy. If you do not agree, please do not use the Service.

1. Who this Policy covers, and our role

Two kinds of people use Togapa, and our responsibility differs for each:

RoleWho they areOur role
Event Host / Account HolderAn event host, venue or organisation that creates a Togapa account and runs events.We are the data controller for your account, billing, and login information.
GuestA member of the public who joins an event host's event to request or vote on songs. No account or password is required.For guest information collected inside an event, the event host who runs that event is the controller, and Togapa acts as a data processor on the event host's behalf. We also act as a controller for the limited technical data needed to run the Service securely.

What this means in practice: An event host decides what guest information to collect (for example, whether to ask for a name, email, job title, company, or phone number), sets the wording of any consent or terms shown to guests, and controls how that information is used after the event. If you are a guest and want your information corrected or removed, you can contact us, but the event host who ran your event is primarily responsible for it — see Section 9.

2. Information we collect

2.1 Information from Event Hosts / Account Holders

When you create and use a Togapa account, we collect:

  • Account & identity: email address, password (stored only as a salted hash by our authentication provider — we never see your plain-text password), first name, last name, and display name.
  • Profile & branding: your custom URL slug, bio, profile photo, logo, header and background images, accent colour, and theme preference.
  • Social & links: any LinkedIn, X (Twitter), Instagram, YouTube, TikTok, website, or custom links you choose to add.
  • Event configuration: event settings, the guest fields you choose to capture, any custom terms text and email-opt-in wording you write, allowed email domains, genre and content controls, and display preferences.
  • Billing & subscription: your subscription tier and status, Stripe customer and subscription identifiers, current billing-period end date, trial end date, and cancellation status. We do not store your card or bank details — those are handled entirely by Stripe (see Section 5).
  • Authentication method: whether you signed up with email/password or "Continue with Google". If you use Google, we receive your email address and basic profile information from Google to create your account.

2.2 Information from Guests

When you join an event as a guest, the following may be collected — but only the fields the event host has chosen to ask for:

  • Always: a randomly generated, anonymous session identifier (a UUID) used to link your requests and votes and to enforce one-vote-per-song. This is not tied to your real identity unless you provide contact details.
  • Guest display name (if the event host asks for it), shown next to your requests/messages.
  • Email address (if the event host asks for it) — used for the event host's follow-up and, if you choose, to verify you via a one-time code.
  • Optional, only if the event host enables them: job title, company, phone number, profile photo.
  • Consent flags: whether you accepted the event host's terms and whether you opted in to the event host's email contact.
  • Your activity: the songs you request, the votes you cast, and any messages you send to or receive from the event host (up to 500 characters each).
  • Theme preference: light or dark mode, stored on your own device.
Guest email protection. By design, guest email addresses are never stored on the public song-request record. A database trigger strips them out and stores any email separately in a protected contacts table that only the event's own host can read.

2.3 Information collected automatically

  • Authentication & session cookies (see Section 7).
  • Technical & security logs: for security-sensitive actions we record an audit entry that may include the action taken, the acting user's ID, IP address, user-agent (browser/device string), and a timestamp.
  • Search queries: when a guest searches for a song, the search terms are sent to the Apple iTunes Search API to return matching tracks (see Section 5).

We use third-party analytics and advertising cookies — from Google (Analytics and Ads), Meta (Facebook/Instagram), and LinkedIn — to understand how our sites are used and to measure and target our marketing. Where the law requires it (for example in the EU/UK), these are set only with your consent. See Section 7 for the full list and how to opt out.

3. How we use information

We use the information above to:

  • Provide, operate, and maintain the Service (run events, queues, voting, messaging, and the venue display).
  • Authenticate event hosts and keep accounts secure.
  • Let event hosts manage events, collect guest requests, and contact guests who opted in.
  • Process payments, manage subscriptions, trials, overages, and one-time purchases.
  • Send transactional and service emails (one-time login codes, billing notices, pre-deletion warnings, and event recaps).
  • Generate analytics and exportable reports (PDF/CSV) for event hosts about their own events.
  • Measure and improve our websites, and deliver and measure our advertising on third-party platforms such as Google, Meta, and LinkedIn (see Sections 5 and 7).
  • Detect, prevent, and investigate fraud, abuse, and security incidents, and to comply with our legal obligations.

Legal bases (where GDPR / UK GDPR applies)

  • Contract — to provide the Service you signed up for.
  • Legitimate interests — to secure the Service, prevent abuse, and operate our business, balanced against your rights.
  • Consent — for analytics and advertising cookies (where required by law), and for guest email opt-in to an event host's marketing/follow-up. You may withdraw consent at any time through our cookie settings.
  • Legal obligation — to keep records (e.g. tax/billing) we are required to keep.

4. We do not sell your personal data

Togapa does not sell personally identifiable user data, and we will not do so without your express permission. We do not share personally identifiable information with third parties for their own marketing or for monetary or other valuable consideration, except:

  • with the subprocessors listed in Section 5, who only process data to provide the Service to us under contract; and
  • with the event host who runs an event you joined (for guest data); and
  • where you have given us explicit, opt-in permission, or where disclosure is required by law (Section 8).

We do not exchange your personal information for money. However, our use of advertising cookies (Section 7) shares online identifiers — such as cookie IDs and device/usage data — with Google, Meta, and LinkedIn to measure and target advertising. Under some laws (for example California's CPRA), this may be considered "sharing" or a "sale" of personal information for cross-context behavioural advertising. You can opt out at any time through our cookie settings or the controls in Section 7, and we honour Global Privacy Control (GPC) browser signals where required.

Anonymised or aggregated data that cannot reasonably identify you is not subject to this restriction.

5. Third parties and subprocessors

We rely on a small number of trusted providers to run the Service. Each processes only the data needed for its function:

ProviderPurposeData involved
SupabaseDatabase, authentication, real-time updates, storageAll account, event, request, vote, message, guest-contact, and billing-state data; login credentials (hashed).
NetlifyHosting and content deliveryAll application traffic and server logs (incl. IP addresses).
StripePayment processing and subscription managementEvent host email, payment card/bank details (handled entirely by Stripe — never stored by Togapa), subscription and purchase data.
ResendTransactional & service email deliveryRecipient email address and message content (e.g. one-time login codes, billing and recap emails).
Apple — iTunes Search APISong catalogue searchSearch terms and the searching device's IP address. No account data is sent.
Apple Music (optional)Catalogue/preview features, where enabledConfigured via a developer token; no guest identity is sent.
Spotify (optional)Export an event's requests to a Spotify playlist, when an event host connects their accountThe event host's Spotify authorisation and the song selection to be added to the playlist.
Google — FontsWeb fonts (Hanken Grotesk, Permanent Marker)The loading device's IP address and user-agent (standard for any font CDN).
Google — Sign-In (optional)"Continue with Google" login for event hostsYour Google email and basic profile, only if you choose this login method.
Google — Analytics & AdsWebsite analytics, advertising, and conversion measurementCookie/advertising IDs, device and browser information, IP address, and on-site activity (pages viewed, actions taken). Set only with consent where required.
Meta (Facebook/Instagram)Advertising, retargeting, and conversion measurementCookie/advertising IDs (e.g. the Meta Pixel _fbp), device and browser information, IP address, and on-site activity. Set only with consent where required.
LinkedInAdvertising, retargeting, and conversion measurementCookie/advertising IDs (LinkedIn Insight Tag), device and browser information, IP address, and on-site activity. Set only with consent where required.

These providers may process data outside your country, including in the United States. Where required, such transfers are covered by appropriate safeguards (for example, the providers' Standard Contractual Clauses and Data Processing Addenda).

We will keep this list current. Material changes to our subprocessors will be reflected in an updated version of this Policy.

6. Your data, downloads, and portability

You can get your data out of Togapa and use it as you see fit:

  • Event hosts can export their own event data, including PDF event reports and CSV files of songs and guests, and can export an event's requests to a Spotify playlist (subject to plan limits). Once exported, that data is in your hands; you may use it as you see fit, but you remain responsible for using it lawfully — including handling your guests' personal data in line with applicable privacy laws and any consent your guests gave.
  • Guests can request a copy of the personal data held about them, or its deletion, by contacting us or the event host who ran the event (see Section 9).

7. Cookies and local storage

Togapa uses cookies and similar technologies in three categories: strictly necessary (always on), analytics, and advertising. Necessary cookies are required for the Service to work. Analytics and advertising cookies are optional and, where the law requires it (for example in the EU/UK), are set only after you consent via our cookie banner — you can change or withdraw your choice at any time through our cookie settings. Everything we set is described below.

Cookies

Name / patternTypePurposeLifetime
sb-…-auth-token (and related …-code-verifier, …-expires-at)EssentialKeeps an event host securely signed in (authentication tokens).Session / token refresh
togapa_gs_{eventId}EssentialAnonymous guest session for an event, so requests/votes are linked and one-vote-per-song is enforced. HTTP-only.24 hours
spotify_oauth_stateEssentialSecurity (CSRF protection) during the optional Spotify connection flow.Short-lived, during connect
_ga, _ga_*, _gid (Google Analytics)AnalyticsMeasures how visitors find and use our sites so we can improve them.Up to 2 years
_gcl_au (Google Ads)AdvertisingMeasures ad conversions and supports remarketing via Google.Up to 3 months
_fbp (Meta / Facebook Pixel)AdvertisingMeasures ad performance and lets us show and retarget ads on Facebook and Instagram.Up to 3 months
bcookie, lidc, UserMatchHistory, li_* (LinkedIn Insight Tag)AdvertisingMeasures ad performance and lets us show and retarget ads on LinkedIn.Up to 2 years

On-device storage (localStorage / sessionStorage)

Key / patternPurpose
togapa-admin-themeRemembers an event host's light/dark theme on the dashboard.
togapa-theme-{eventId}Remembers a guest's light/dark theme for an event.
togapa_guest_{eventId} (legacy)Older guest-session storage, being phased out in favour of the cookie above.
Song-artwork cacheTemporarily caches album-art URLs to speed up search, cleared when the browser tab closes.

You can change or withdraw your consent at any time through our cookie banner or cookie settings, and you can clear cookies and local storage through your browser settings. You can also opt out directly with the providers — for example via Google Analytics' opt-out browser add-on and the ad-preference settings of Google, Meta, and LinkedIn. Note that blocking essential cookies will prevent sign-in and guest sessions from working.

8. How long we keep information (retention)

  • Guest sessions expire automatically after 24 hours.
  • Guest personal data within an event can be automatically deleted by the event host on a schedule they choose — 15, 30, or 90 days after an event ends. When this runs, guest names, emails, titles, companies, phone numbers, and photos are erased (anonymised), though anonymous request/vote counts may be retained for statistics. Warning emails are sent to the event host shortly before deletion.
  • Account and profile data is kept while your account is active and deleted when you delete your account (see Section 9).
  • Billing records are retained as long as required for accounting, tax, and legal compliance.
  • Security/audit logs and payment-event records are retained for as long as needed for security, dispute resolution, and legal compliance.
  • Song search caches are short-lived (cleared within minutes).

9. Your rights and choices

Depending on where you live (e.g. the EU/UK under GDPR, or California under CCPA/CPRA), you may have the right to:

  • Access the personal data we hold about you and receive a copy.
  • Correct inaccurate or incomplete data.
  • Delete your data ("right to be forgotten").
  • Port your data to another service.
  • Object to or restrict certain processing, and withdraw consent at any time (e.g. an email opt-in).
  • Not be sold to — which, as stated in Section 4, we already honour by default.

Event hosts: you can update most data directly in your account, and you can delete your account, which removes your profile and cascades deletion to your events, requests, votes, messages, and guest contacts.

Guests: because the event host who ran your event controls your guest information, the fastest route is usually to ask that event host. You may also contact us at support@iwantoverflow.com and we will help facilitate your request with the relevant event host.

To exercise any right, contact us at support@iwantoverflow.com. We may need to verify your identity first. We will respond within the timeframe required by applicable law (generally within 30 days). You also have the right to complain to your local data protection authority.

10. Security

We protect data with measures including: encrypted transport (HTTPS), hashed and salted passwords managed by our authentication provider, HTTP-only and Secure cookies, database Row-Level Security so that event hosts can only access their own data, restricted-access guest contact tables, signed and verified payment webhooks, rate-limiting on sensitive actions, and audit logging. No system is perfectly secure, but we work to protect your information and to respond promptly to any incident.

11. Children

The Service is intended for event hosts and event guests and is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us and we will delete it. Event hosts are responsible for ensuring their events comply with laws applicable to their audience.

12. International users

Togapa is operated from the State of Michigan, USA, and uses providers located in various countries, including the United States. If you use the Service from outside those countries, you understand your data may be transferred to and processed there, with the safeguards described in Section 5.

13. Changes to this Policy

We may update this Policy from time to time. When we make material changes we will update the "Last updated" date and, where appropriate, notify account holders by email or in-app notice. Your continued use of the Service after changes take effect constitutes acceptance.

14. Contact us

For privacy questions, data requests, or complaints: