Privacy Notice
Last updated: 22 May 2026
About this notice
SaFest 2026 is a private, invite-only gathering of family and friends on private land. It is not a commercial event and does not raise money for any business — the suggested £70 donation only covers shared infrastructure and equipment costs for the weekend.
Because of this, SaFest falls within the “domestic purposes” exemption of UK data protection law. We're not acting as a formal data controller. Even so, we want to be clear and sensible about the information we collect from you, so this notice explains it in plain English.
What we collect and why
- Your name and email — so we can send you your invitation, magic link, and practical info about the weekend.
- Your phone number — so the organisers can reach you quickly about event logistics and last-minute changes.
- Who invited you — so we can keep the guest list a community of friends and friends-of-friends.
- Donation details — processed by Stripe. We don't see or store your card details, only that a donation completed.
- Your account and QR code — so you can sign in, see festival info, and get through the gate on the day.
We only ask for what we genuinely need to run the weekend. If a field isn't necessary, we don't include it.
Photos and filming at the event
We or other guests may take photos and video during the weekend. Some may be shared privately among attendees afterwards, or used in limited, tasteful ways to document the event. If you'd rather not appear in any shared photos, please let us know on the day or email safest.space.admin@gmail.com and we'll respect that.
Who helps us run this
The site uses a few standard services to work. Each of them has its own privacy policy; they are bound by data protection law regardless of our own status.
- Supabase — account sign-in and the database that holds your invitation and ticket record.
- Stripe — handles donation payments. See Stripe's privacy policy.
- Vercel — hosts the site itself.
- Resend — sends the invitation, magic link, and confirmation emails.
- Cloudflare Turnstile — a lightweight bot-check on the invitation-request form.
Google user data
SaFest connects to a single YouTube account — the one owned by the festival organiser — so the site can add guest-submitted tracks to a shared festival playlist. Guests themselves never sign in with Google; they just paste a YouTube link into the submission form.
What we access. With the organiser's explicit consent we request the https://www.googleapis.com/auth/youtube.force-ssl OAuth scope. We use it only to read and update the organiser's SaFest playlist (adding submitted videos and reordering them). We do not read, write, or store any other data from the connected Google account — no email, contacts, subscriptions, watch history, channel analytics, comments, or uploaded videos.
Who we share, transfer, or disclose it to. We do not sell, rent, or share Google user data with any third party. The OAuth refresh token sits as an encrypted server-side environment variable on Vercel, which hosts the site and only acts as a sub-processor on our behalf. The token is sent only to Google's own API endpoints (oauth2.googleapis.com and www.googleapis.com) over TLS so we can manage the playlist. It is never exposed to other guests or embedded in browser code, and never sent to analytics, advertisers, AI/ML training pipelines, data brokers, or any other recipient.
Limited Use compliance. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Revoking access. The organiser can revoke SaFest's access at any time from Google Account → Third-party apps with account access. Once revoked, the stored refresh token stops working and is removed from our environment.
How we protect your data
We treat the OAuth refresh token, account credentials, and guest contact details as sensitive data and protect them with standard industry safeguards:
- Encryption in transit. All traffic to and from the site, Supabase, Stripe, Resend, and Google APIs runs over HTTPS / TLS 1.2+. The site is served with HTTP Strict Transport Security so browsers refuse to fall back to plain HTTP.
- Encryption at rest. The Google OAuth refresh token, API keys, and other secrets are stored as encrypted environment variables on Vercel and are only readable by the running server-side code. Account, invitation, and donation records sit in a managed Supabase Postgres database with encryption at rest (AES-256) provided by Supabase / AWS.
- Access controls. Secrets are never sent to the browser or embedded in client code. Database access is gated by Supabase row-level security policies so a signed-in guest can only see their own record. Administrative access to Vercel and Supabase is limited to a small number of named maintainers, each protected by a strong password and two-factor authentication.
- Minimisation. We request the narrowest Google OAuth scope that lets the playlist feature work, and we don't copy Google user data into our own database — the token is used live against Google's APIs and nothing more.
- Incident response. If we ever suspect a token has been exposed, we revoke it immediately via Google Cloud Console, rotate the affected secret, and notify the organiser. Material incidents affecting guest data will also be communicated by email to the people involved.
Cookies
The site only uses strictly necessary cookies — the session cookie that keeps you signed in, and a short-lived cookie that remembers your invitation code during sign-up. No analytics, no tracking, no advertising cookies. That means there's nothing you need to consent to.
How long we keep things
We keep account and donation records for up to three months after the festival ends, in case of questions, refunds, or follow-up. After that we delete them, unless you've asked us to keep them for future years.
Getting in touch / deleting your data
If you want to see what we have about you, correct something, or have us delete your record, email us at safest.space.admin@gmail.com and we'll sort it.