Privacy Policy

The short version

We collect only what we need to respond to inquiries, run shows you’re working on, and keep accounts secure.
We never sell your personal information. We do not run advertising trackers or third‑party analytics.
You can ask us to show you, correct, export, or delete your data at any time — one email to DArn@DArnDesigns.com.
Show paperwork and crew records are kept while a show is active and for a limited period after, then deleted or de-identified.
If you’re in the EU, UK, California, or Canada, additional rights are described below.

Who we are
Scope
What we collect
Why we collect it
Who processes data for us
How long we keep it
Security
Your rights
How to exercise your rights
California (CCPA/CPRA)
EU / UK / Switzerland
International transfers
Children
Changes to this policy
Contact

1. Who we are

D-Arn Designs LLC (“D-Arn Designs,” “we,” “us,” or “our”) is a Nevada limited liability company. We provide lighting design, crew chief, and production electrician services for corporate events, touring productions, and festivals, and we operate websites and a crew portal to coordinate that work.

For the purposes of the EU and UK General Data Protection Regulations (GDPR / UK GDPR), D-Arn Designs LLC is the data controller of personal information collected through the surfaces listed below.

2. Scope

This policy covers personal information we collect through:

darndesigns.com — our public marketing site, including the project portfolio and the /book inquiry form.
crew.darndesigns.com — the crew portal where show paperwork, scopes of work, crew rosters, and related artifacts are managed.
Email and direct correspondence sent to addresses ending in @darndesigns.com.

It does not cover third-party services we link out to (App Store, vendor websites, etc.) or our standalone iOS/macOS app Wrap Times, which is governed by its own privacy policy at wraptimes.com/privacy.

3. What we collect

We collect different categories of information depending on how you interact with us. We try to collect only what we actually need.

3.1 Information you provide

Where	What
Booking inquiry form (`/book`)	Name, email, phone number, your role on the production, the show name, dates, venue, vendor contact details (if you provide them), gig type, rate offered, and any notes you include.
Crew registration at `crew.darndesigns.com/show/…`	Name, email, phone number (normalized to international format), and the show access code you enter.
Crew account (when enabled)	Email, name, phone, and an authenticator-app shared secret used for two-factor login. Optionally a recovery code that we store as a one-way hash.
Scope of Work signing (`/sign`)	Typed signature, signatory name and email, the date and time you signed, and the contents of the SOW you accepted.
Email correspondence	The contents of messages you send us and any contact information you include.

3.2 Information we collect automatically

Where	What
Every server request	Your IP address, the page or endpoint you requested, the time, your browser’s User-Agent string, and the approximate country derived from your IP by our hosting provider.
Authenticated sessions	A randomly-generated session token stored in an `HttpOnly` cookie and a hashed copy stored server-side. Last-seen timestamps so we can expire idle sessions.
Crew device registration	A device token (we store a one-way hash, not the token itself) so a crew member who scanned a show QR doesn’t have to re-register every visit until the show wraps.
Audit log	A record of significant actions (login, document upload, SOW signed, crew approved or revoked, etc.) with the actor, IP, User-Agent, timestamp, and a short summary. Used for security and dispute resolution.
Email delivery	When we send you transactional email (verification codes, approval links, SOW signing links, signed SOW copies), our email provider records standard delivery metadata such as whether the message was delivered, bounced, or opened.

What we do not collect: we do not run third-party advertising trackers, web analytics, or fingerprinting libraries. We do not load Google Analytics, Meta pixels, or similar. We do not collect precise geolocation, biometrics, or special-category data (race, religion, health, sexual orientation, etc.) and we ask that you do not send us any.

4. Why we collect it

We process each category of information for a specific purpose:

Inquiry and booking information — so we can respond to your inquiry, prepare a Scope of Work, and decide whether to take on the engagement. Legal basis: pre-contractual measures at your request and our legitimate interest in running our business.
Crew identity (name, email, phone, authenticator secret) — so we can identify and contact you for shows you’re working on, give you access to the right paperwork, and protect your account from impersonation. Legal basis: performance of the engagement (or pre-contract steps) and your consent for non-essential elements.
Show participation records — so we can run the show, comply with payroll and tax obligations for the engagement, and keep a record of who worked what for our own scheduling. Legal basis: performance of contract and our legitimate interest in operating a touring business.
Signed SOWs and signature evidence (typed name, IP, timestamp) — so we have legally durable proof of the agreement. Legal basis: performance of contract and our legitimate interest in enforceable agreements.
Server logs and audit trail — so we can detect abuse, investigate security incidents, and demonstrate compliance with our own policies. Legal basis: our legitimate interest in security and accountability, and where applicable our legal obligations.
Transactional email metadata — so we know whether important notifications (approvals, signing links, contracts) actually reached you. Legal basis: performance of contract and our legitimate interest in reliable communication.

We do not use your information for advertising, sell it to data brokers, or share it with anyone except the service providers listed below.

5. Who processes data for us

We use a small set of vendors (“sub-processors”) to actually deliver the service. We rely on their published security and privacy commitments, and we keep the list short on purpose.

Vendor	What they do for us	Where
Supabase, Inc.	Database (Postgres) for crew records, shows, paperwork, audit log; file storage for show documents.	United States
Cloudflare, Inc.	Hosting for the crew portal (Workers), DNS, CDN, DDoS protection, edge security, and headless-browser PDF rendering for SOWs.	United States · global edge network
Resend, Inc.	Transactional email delivery (verification codes, approvals, SOW emails, notifications).	United States
GitHub, Inc.	Hosting of the static marketing site (darndesigns.com) via GitHub Pages.	United States

We do not currently use other sub-processors. If that changes materially we will update this list and, where required, notify affected users in advance.

6. How long we keep it

Retention depends on the type of information:

Booking inquiries are retained while we are in active conversation and for up to 3 years afterwards so we can maintain continuity with returning clients. You can ask us to delete an inquiry sooner.
Show participation records (crew rosters, registration timestamps) are retained for the duration of the show and for 90 days after the show wraps, after which device sessions are deleted. The underlying crew identity row is retained while you are in our directory.
Signed SOWs and signature evidence are retained for 7 years after the engagement ends, which is a typical statute-of-limitations window for contract disputes in the United States.
Audit logs are retained for 2 years, after which personally identifying fields (IP address, User-Agent) are removed but the action record may be retained in de-identified form.
Login codes, one-time tokens, and pending sessions are deleted automatically 30 days after expiration.
Email correspondence is retained for as long as our email provider stores it in our mailboxes, typically indefinitely unless we delete the thread.

You can ask us to delete data sooner than these defaults at any time (see Your rights). We may retain a minimal record of the deletion itself (date, request reference, requester identity) to demonstrate that we honored the request.

7. Security

We use commercially reasonable technical and organizational measures to protect personal information, including:

Encryption in transit via HTTPS (TLS) for every request to darndesigns.com and crew.darndesigns.com.
Hashed credentials. Verification codes are bcrypt-hashed before storage; device and session tokens are stored only as one-way SHA-256 hashes.
Server-side mediation. The crew portal database is not directly reachable by browsers; every read and write goes through our application code with row-level access controls.
Audit trail. Significant administrative and crew actions are logged with actor, IP, and timestamp for accountability.
Two-factor authentication. The admin login and (where enabled) crew login require a code from an authenticator app in addition to email-based verification.

No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the appropriate regulator within 72 hours of becoming aware, as required by GDPR Article 33-34.

8. Your rights

Subject to applicable law, you have the right to:

Access the personal information we hold about you, and receive an explanation of how we process it.
Rectify information that is inaccurate or incomplete.
Delete personal information we hold about you (also known as the “right to be forgotten”), subject to legal retention obligations.
Restrict or object to certain types of processing, including processing based on our legitimate interests.
Receive a copy of your information in a machine-readable format (data portability).
Withdraw consent at any time where we relied on your consent to process information. Withdrawal does not affect the lawfulness of processing before the withdrawal.
Lodge a complaint with a data protection authority in your country of residence. See the regional sections below for specifics.
Not be discriminated against for exercising any of these rights (California CCPA).

9. How to exercise your rights

Send an email to the address below from the email address associated with your records, describing what you’d like us to do.

Privacy contact DArn@DArnDesigns.com

We will respond within 30 days. For complex requests we may extend that period by up to 60 additional days and will tell you why. We do not charge a fee for the first request in any 12-month period; for repetitive or excessive requests we may charge a reasonable administrative fee or decline to act.

We may need to verify your identity before acting on a request. For most requests we will do this by replying to the email address on file; for sensitive actions (deletion, large exports) we may ask for additional confirmation.

10. California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

Right to know what categories of personal information we have collected about you in the past 12 months, the sources, the purposes, and the categories of recipients.
Right to delete personal information we have collected, subject to legal exceptions.
Right to correct inaccurate personal information.
Right to opt out of sale or sharing. We do not sell personal information and we do not share it for cross-context behavioral advertising. There is nothing to opt out of, but you may confirm this with us.
Right to limit use of sensitive personal information. We do not knowingly collect sensitive personal information as defined under the CPRA. The authenticator secret we store is used solely to authenticate you and not for any other purpose.
Right to non-discrimination. We will not deny services, charge different prices, or provide a different quality of service if you exercise any of these rights.

You can exercise these rights by emailing the address in section 9 above. If we deny your request you may appeal by replying to our denial; we will respond to the appeal within 60 days.

11. EU / UK / Switzerland residents

If you are in the European Economic Area, United Kingdom, or Switzerland, your data protection rights are governed by GDPR (or UK GDPR for the UK, or the FADP for Switzerland).

D-Arn Designs LLC is the controller of your personal information. The legal bases on which we rely are described in section 4 above and summarized here: (a) performance of a contract or pre-contractual steps for processing necessary to engage you on a show or respond to your inquiry; (b) consent for optional processing where indicated at the point of collection; (c) our legitimate interests in operating, securing, and improving our services, where those interests are not overridden by your rights and freedoms; and (d) compliance with legal obligations where applicable.

You have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or where the alleged infringement occurred. A list of EU authorities is available at edpb.europa.eu; the UK ICO is at ico.org.uk.

We do not currently have an EU or UK representative under GDPR Article 27 because our processing of EU/UK resident data is incidental to engagements that originate outside the EU/UK. If you believe we are required to appoint one for your interaction with us, please contact us at the email above.

12. International transfers

We are based in the United States and our sub-processors are headquartered in the United States. If you access our services from outside the United States, your personal information will be transferred to and processed in the United States.

For transfers from the EU, UK, or Switzerland to the United States, we rely on the recipient sub-processor’s adherence to recognized transfer mechanisms (such as the EU-US Data Privacy Framework and Standard Contractual Clauses) where they are available, and on additional contractual and technical safeguards (encryption in transit and at rest, access controls). You can request additional information about transfer safeguards by contacting us.

13. Children

Our services are intended for working professionals in the live entertainment industry. They are not directed at children. We do not knowingly collect personal information from anyone under the age of 16 in the EU/UK or under 13 in the United States. If you believe a child has provided us with personal information, contact us and we will delete it.

14. Changes to this policy

We may update this policy from time to time. When we do, we will change the “Effective” date at the top of the page and increment the version number. If the changes are material, we will notify affected users by email or by a notice on the relevant site, and where required will obtain renewed consent before applying the new terms to existing records.

15. Contact

Questions about this policy, or about how we handle your personal information, should be directed to:

D-Arn Designs LLC Nevada, United States
Privacy contact: DArn@DArnDesigns.com