Privacy Policy
Last updated: 7 July 2026
Theima (“we”, “us”) is operated from Australia. This policy describes how we collect, use, and protect your personal information when you use the Theima service.
1. What information we collect
Account information. When you create an account we collect your email address, the name and (optionally) artist name you provide, the genres you select, an avatar image if you upload one, and your follow-up reminder preferences.
Billing information. If you subscribe to Theima Pro, payment is processed by Stripe. We store a Stripe customer ID and subscription ID; we never store card details directly.
Data you create in the app. Saved venues, tour plans, email templates, outreach pipeline status, logged interactions, performance records, reviews, private notes you keep about your industry contacts, and any contributions you submit (venue suggestions, field updates).
Google OAuth tokens. If you choose to connect your Google account, we store the OAuth access token, refresh token, expiry timestamp, and the email address of the connected Google account, so we can send outreach emails and create calendar events on your behalf. See section 4 for the scopes requested and how we use this data.
Sent email records.When you send emails through Theima’s Gmail integration, we retain the recipient, subject, body, scheduled send time, and delivery status so you can review your sent queue and audit your outreach history. This record is accessible only to you.
2. Industry and venue contact information
To help you find and contact gig opportunities, Theima maintains a database of professional contact information for venues, radio stations, radio shows, promoters, and similar music-industry organisations. This includes business contact details such as booking or submission email addresses, phone numbers, and websites, and — where relevant to the booking or submission process — the name and role of the relevant contact person.
This information is compiled from publicly available and industry sources (for example, venue and station websites, public booking pages, and industry directories) and from contributions submitted by Theima users. It is professional contact information, held for the legitimate purpose of helping artists make booking and airplay enquiries. Where possible we hold role-based contact details (such as a bookings@ inbox) in preference to an individual’s personal details.
If you are an industry contact and would like to know what information Theima holds about you, correct it, or have it removed, email privacy@theima.app and we will action your request.
3. How we use your information
We use your information to operate the Theima service — to show you relevant venues and radio contacts, to send emails on your behalf when you use the Gmail integration, to create Google Calendar events for confirmed bookings when you use the Calendar integration, and to process subscription payments.
We do not use your personal data for advertising, and we do not sell your data. We do share data with the following sub-processors strictly to deliver the service:
- Supabase — managed PostgreSQL hosting and authentication; stores your account and app data.
- Stripe — payment processing for Theima Pro subscriptions.
- Google — Gmail API for outreach email sending and Google Calendar API for booking events, when you opt in.
- Anthropic (Claude API) — used to generate AI-personalised outreach emails and to assist with smart-import data extraction. We do not send Gmail inbox content or Google Calendar event content to this service.
- OpenCage — converts venue and radio-station addresses to map coordinates so we can show them on the map.
- Mapbox — renders the interactive map and computes tour routes between waypoints.
- Vercel and Railway — application and API hosting infrastructure.
- Sentry— error monitoring and session replay (US region). Receives stack traces, request URLs, IP addresses, browser metadata, and short replays of sessions in which errors occur, so we can diagnose and fix bugs. Form input fields are masked by default and not captured. Sentry does not receive Gmail content, Google Calendar event content, or payment card details. If the “Do Not Track” setting is enabled in your browser, Theima disables session replay for Sentry; stack traces from genuine errors are still captured so we can fix the bug, since a broken page hurts you too.
- PostHog— product analytics and session replay (US region). Receives events about how you use the app (which pages you visit, which features you activate), your IP address, browser metadata, and short replays of your interactions, so we can measure feature usage and improve the product. PostHog does not receive Gmail content, Google Calendar event content, or payment card details. You can opt out of all PostHog tracking (events, profiles, and session replay) by enabling the “Do Not Track” setting in your browser — Theima honours that signal automatically.
4. Google integration (Gmail and Calendar)
Theima requests only the Google OAuth scopes strictly required for the features you choose to use:
gmail.send— to send outreach emails on your behalf when you use the email composer. We never requestgmail.readonlyor any scope that would let us read your inbox.calendar.events— to create and update Google Calendar events for confirmed bookings, so your gigs appear in your own calendar.userinfo.email— read-only access to the email address of the connected Google account, so we can show you which account Theima is linked to. This is a non-sensitive scope.
We retain a record of the emails you send through the integration (recipient, subject, body, scheduled send time, and delivery status) so you can review your sent queue and audit your outreach history within the app. This record is accessible only to you and is deleted when you delete your account. We do not read your Gmail inbox at any point, and we do not store any Google Calendar event content beyond the gig details you enter directly into Theima.
You can disconnect your Google account at any time from the Profile page in Theima, or from your Google Account permissions page. Disconnecting clears the stored tokens; reconnecting requires fresh consent for these scopes.
Limited Use compliance.Theima’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to develop, improve, or train generalised AI/ML models; we do not transfer it to third parties for advertising; and we do not use it for any purpose other than the features described above.
5. Data security and protection
Your data is protected by the following mechanisms:
- Encryption in transit. All traffic to and from Theima uses HTTPS with TLS 1.2 or higher. OAuth tokens and credentials are never transmitted in plaintext.
- Encryption at rest. All data stored in our Supabase-hosted PostgreSQL database is encrypted at rest using AES-256.
- Access controls. User data is protected by row-level security policies in the database, ensuring each account can only access its own records. Server-side service-role access is restricted to authorised Theima operators for support, debugging, and compliance only.
- Credential storage. OAuth refresh tokens are held in a dedicated table with server-only access; they are never exposed to the browser or shared with any third party.
- Data minimisation. We collect only the data required to operate the service and request the minimum OAuth scopes needed for each feature.
- Breach response. In the event of an eligible data breach affecting personal information, we will notify affected users as soon as practicable after we form the reasonable belief that an eligible data breach has occurred, in line with the Australian Notifiable Data Breaches scheme.
6. Location data and maps
Theima uses location data in two ways, both treated with the same data-minimisation principle as the rest of your information.
Browser geolocation. On pages that show a map (venue and radio search, tour planning) we may ask your browser for permission to share your current location. If you grant permission, your coordinates are used during the current session to centre the map on your location and rank search results by distance. Your browser-supplied location is not stored in our database, never associated with your account, and never shared with any third party. Coordinates may appear in the URL of search pages so that refreshing the page reproduces your view. You can deny browser location sharing at any time via your browser’s permission settings, and search will still work — you’ll just need to choose an area manually.
Geocoding (address → coordinates). When a venue or radio-station address is added to Theima, we send the address text to the geocoding service OpenCage to obtain map coordinates. We only send the address text — never personal information. The resulting coordinates are stored alongside the venue or station record so the entry can be displayed on the map.
Map rendering and area search. Map tiles, tour route geometry, and the autocomplete used for choosing a city or region are provided by Mapbox. The Mapbox SDK contacts Mapbox’s servers directly from your browser to load tiles and serve autocomplete suggestions; this involves your IP address being visible to Mapbox, governed by their privacy policy. We do not pass your account identity to Mapbox, and Mapbox geocoding results are never stored in our database (we use OpenCage for any coordinates that need to be persisted, in line with each provider’s terms).
7. Data retention and deletion
Your account and all associated data is retained until you delete your account. To delete your account and all associated data, contact us at privacy@theima.app. We will process your request within 30 days.
8. Cookies and tracking
Theima uses essential cookies required for authentication and session management, plus cookies set by PostHog (our product analytics sub-processor — see section 3) so we can understand how the app is used. We do not use advertising cookies or tracking pixels, and we do not sell your data.
9. Australian Privacy Act
Theima is operated from Australia and complies with the Australian Privacy Act 1988. If you have a complaint about how we handle your personal information, please contact us at privacy@theima.app. If we cannot resolve your complaint, you may contact the Office of the Australian Information Commissioner.
10. Contact
Questions about this policy: david@theima.app