The basics: Controllers and Processors
When it comes to personal data (anything that can identify a person, like a name, email address, or location) there are three key roles defined under data protection law:
Data controller: The person or organisation that decides why data is collected and how it's used. They are ultimately responsible for that data and for ensuring it's handled lawfully.
Data processor: A third party that handles data on the controller's behalf, following the controller's instructions.
Sub-processor A third party engaged by a processor to help carry out specific data processing tasks (still on behalf of the controller).
At Openstage, you are the data controller of your fan data. Openstage is your data processor. We provide the infrastructure that collects, stores, and processes fan data, but we do so on your behalf and under your direction.
This means your fan relationships are yours. No other platform gives artists this level of legal ownership over their fan data.
Responsibilities as a Data Controller
Being the data controller comes with real responsibilities. Here's what that means for you as an artist on Openstage:
Having Terms and a Privacy Policy in place
You must have your own Terms of Service and Privacy Policy that your fans can read. These should explain:
What data you collect from fans
Why you collect it and how you use it
How fans can request access to, correction of, or deletion of their data
How to contact you with questions or complaints
Openstage auto-generates both documents for you, pre-filled with your information, and automatically applies them across your fan-facing surfaces. You can review, edit, or replace them any time in Artist Settings → Compliance.
⚠️ Please note: It's important that you complete the Compliance section of your Settings before running your first first fan acquisition campaigns (i.e. collecting new fan data). When joining your world, fans must be able to access and review both your Fan Terms and Privacy Policy when opting in.
Collecting data with proper consent
You are responsible for making sure fans have agreed to their data being collected; typically by accepting your terms and privacy policy when they sign up. Openstage handles the consent mechanism on your fan-facing surfaces, but the legal basis for that consent sits with you as the controller.
Responding to fan data requests
Fans have the right to ask:
What data you hold on them
Request corrections, or
Ask for their data to be deleted.
As the data controller, you are responsible for responding to these requests. Openstage cannot do this on your behalf.
Keeping fan data secure
As the controller, you're responsible for ensuring fan data is handled securely. Openstage maintains robust security infrastructure on your behalf as your processor, but you should also take care with how you access, export, or share fan data outside the platform.
How Openstage supports you
While the legal responsibility sits with you, Openstage has built the tools to make compliance as easy as possible.
When you join Openstage, we generate a Terms of Service and Privacy Policy for you, pre-filled with your artist information. These are live across your fan-facing surfaces from day one. You can edit key fields, rewrite them entirely, or replace them with your own documents.
Everything you need to manage your compliance obligations lives in one place: your terms, your privacy policy, and the tools to handle fan data requests.
When a fan contacts you about their data, you can action the request directly inside Openstage without needing to handle raw data exports or contact our support team.
Data Processing Addendum (DPA)
Openstage operates under a formal DPA with all artists, which defines exactly how we handle your fan data as your processor. This gives you a clear legal record of our obligations to you.
Our current sub-processors are Amazon Web Services (EU) and Google, both used for cloud hosting, storage, and data processing. These are listed in the DPA. If we ever engage a new sub-processor, we'll notify you in advance. You'll have 5 business days to raise any objection on data protection grounds before the engagement proceeds. We ensure all sub-processors are bound to data protection obligations equivalent to those we hold ourselves to.
What Openstage is not responsible for
To be clear about the boundaries:
Openstage does not provide legal advice. Our auto-generated policies are a solid starting point, but they are not a substitute for legal counsel. If you operate in regulated markets, collect sensitive data, or have specific use cases, we recommend having your documents reviewed by a legal professional.
Openstage cannot respond to fan data requests on your behalf. You are the data controller, so the responsibility (and the relationship) is yours. We've made it easy to action these requests yourself inside the platform.
Openstage is not liable for your compliance. We provide the tools and infrastructure to help you stay compliant, but ensuring you meet your legal obligations as a data controller is your responsibility.
Frequently asked questions
What is GDPR and does it apply to me?
GDPR (General Data Protection Regulation) is a data protection law that applies to anyone collecting personal data from people in the European Union or United Kingdom, regardless of where you're based. If any of your fans are in the EU or UK, GDPR applies to you. Other regions have similar laws (CCPA in California, for example). As the data controller, you are responsible for compliance with applicable laws in the territories where your fans are based.
What if a fan asks me to delete their data?
This is called a deletion request (or "right to erasure" under GDPR). You're required to action it. Use the fan data request tool in Artist Settings → Compliance to process it directly inside Openstage. → [See here for how to handle fan data requests]
Do I need to respond to fan data requests within a certain timeframe?
Under GDPR, you must respond within 30 days. We recommend acknowledging the request promptly and using the in-platform tool to action it as quickly as possible.
What if I already have my own terms and privacy policy?
You can replace the auto-generated versions at any time in Artist Settings → Compliance — either by uploading a document to be hosted on your Openstage link, or by providing a URL to your own hosted terms.
Do I need a lawyer to review my terms? Openstage is not providing legal advice. The auto-generated policies cover the essentials, but if you have specific requirements or operate in regulated markets, a legal review is a good idea.
What is a DPA?
A Data Processing Addendum is a formal agreement between you (the controller) and Openstage (the processor) that defines how we handle your fan data.
Who are Openstage's sub-processors?
Our current sub-processors are Amazon Web Services (EU) and Google, used for cloud hosting, storage, and data processing. If we add a new sub-processor, we'll notify you in advance and give you 5 business days to raise any objection.
What if I use other tools alongside Openstage (like Shopify)?
Any third-party tool you connect to your fan data is a sub-processor under your controllership. You are responsible for making sure those tools handle fan data compliantly. Openstage's DPA covers our role only, not tools you bring in independently.
Does Openstage ever control any of my data directly?
Openstage acts as an independent controller only for its own administrative data — your account details and your team members' platform accounts. This is separate from your fan data and is not part of your controllership.
What happens to fan data if I leave Openstage?
As the data controller, your fan data belongs to you. [See here for more information on closing an Openstage account.]
⚠️ Please note: Openstage is not providing legal advice. The auto-generated policies cover the essentials, but if you have specific requirements or operate in regulated markets, a legal review is a good idea.
Have a question that isn't covered here? Reach out to us at support@openstage.live.