Privacy Policy

Last updated: 31 May 2026

Theima (“we”, “us”) is operated from Australia. This policy describes how we collect, use, and protect your personal information when you use the Theima service.

1. What information we collect

Account information. When you create an account we collect your email address, the name and (optionally) artist name you provide, the genres you select, an avatar image if you upload one, and your follow-up reminder preferences.

Billing information. If you subscribe to Theima Pro, payment is processed by Stripe. We store a Stripe customer ID and subscription ID; we never store card details directly.

Data you create in the app. Saved venues, tour plans, email templates, outreach pipeline status, logged interactions, performance records, reviews, and any contributions you submit (venue suggestions, field updates).

Google OAuth tokens. If you choose to connect your Google account, we store the OAuth access token, refresh token, expiry timestamp, and the email address of the connected Google account, so we can send outreach emails and create calendar events on your behalf. See section 3 for the scopes requested and how we use this data.

Sent email records. When you send emails through Theima’s Gmail integration, we retain the recipient, subject, body, scheduled send time, and delivery status so you can review your sent queue and audit your outreach history. This record is accessible only to you.

2. How we use your information

We use your information to operate the Theima service — to show you relevant venues and radio contacts, to send emails on your behalf when you use the Gmail integration, to create Google Calendar events for confirmed bookings when you use the Calendar integration, and to process subscription payments.

We do not use your personal data for advertising, and we do not sell your data. We do share data with the following sub-processors strictly to deliver the service:

  • Supabase — managed PostgreSQL hosting and authentication; stores your account and app data.
  • Stripe — payment processing for Theima Pro subscriptions.
  • Google — Gmail API for outreach email sending and Google Calendar API for booking events, when you opt in.
  • Anthropic (Claude API) — used to generate AI-personalised outreach emails and to assist with smart-import data extraction. We do not send Gmail inbox content or Google Calendar event content to this service.
  • OpenCage — converts venue and radio-station addresses to map coordinates so we can show them on the map.
  • Mapbox — renders the interactive map and computes tour routes between waypoints.
  • Vercel and Railway — application and API hosting infrastructure.
  • Sentry — error monitoring and session replay (US region). Receives stack traces, request URLs, IP addresses, browser metadata, and short replays of sessions in which errors occur, so we can diagnose and fix bugs. Form input fields are masked by default and not captured. Sentry does not receive Gmail content, Google Calendar event content, or payment card details.

3. Google integration (Gmail and Calendar)

Theima requests only the Google OAuth scopes strictly required for the features you choose to use:

  • gmail.send — to send outreach emails on your behalf when you use the email composer. We never request gmail.readonly or any scope that would let us read your inbox.
  • calendar.events — to create and update Google Calendar events for confirmed bookings, so your gigs appear in your own calendar.
  • userinfo.email — read-only access to the email address of the connected Google account, so we can show you which account Theima is linked to. This is a non-sensitive scope.

We retain a record of the emails you send through the integration (recipient, subject, body, scheduled send time, and delivery status) so you can review your sent queue and audit your outreach history within the app. This record is accessible only to you and is deleted when you delete your account. We do not read your Gmail inbox at any point, and we do not store any Google Calendar event content beyond the gig details you enter directly into Theima.

You can disconnect your Google account at any time from the Profile page in Theima, or from your Google Account permissions page. Disconnecting clears the stored tokens; reconnecting requires fresh consent for both scopes.

Limited Use compliance. Theima’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to develop, improve, or train generalised AI/ML models; we do not transfer it to third parties for advertising; and we do not use it for any purpose other than the features described above.

4. Data security and protection

Your data is protected by the following mechanisms:

  • Encryption in transit. All traffic to and from Theima uses HTTPS with TLS 1.2 or higher. OAuth tokens and credentials are never transmitted in plaintext.
  • Encryption at rest. All data stored in our Supabase-hosted PostgreSQL database is encrypted at rest using AES-256.
  • Access controls. User data is protected by row-level security policies in the database, ensuring each account can only access its own records. Server-side service-role access is restricted to authorised Theima operators for support, debugging, and compliance only.
  • Credential storage. OAuth refresh tokens are held in a dedicated table with server-only access; they are never exposed to the browser or shared with any third party.
  • Data minimisation. We collect only the data required to operate the service and request the minimum OAuth scopes needed for each feature.
  • Breach response. In the event of a data breach affecting personal information, we will notify affected users via email within 72 hours of becoming aware of the incident, in compliance with the Australian Notifiable Data Breaches scheme.

5. Location data and maps

Theima uses location data in two ways, both treated with the same data-minimisation principle as the rest of your information.

Browser geolocation. On pages that show a map (venue and radio search, tour planning) we may ask your browser for permission to share your current location. If you grant permission, your coordinates are used during the current session to centre the map on your location and rank search results by distance. Your browser-supplied location is not stored in our database, never associated with your account, and never shared with any third party. Coordinates may appear in the URL of search pages so that refreshing the page reproduces your view. You can deny browser location sharing at any time via your browser’s permission settings, and search will still work — you’ll just need to choose an area manually.

Geocoding (address → coordinates). When a venue or radio-station address is added to Theima, we send the address text to the geocoding service OpenCage to obtain map coordinates. We only send the address text — never personal information. The resulting coordinates are stored alongside the venue or station record so the entry can be displayed on the map.

Map rendering and area search. Map tiles, tour route geometry, and the autocomplete used for choosing a city or region are provided by Mapbox. The Mapbox SDK contacts Mapbox’s servers directly from your browser to load tiles and serve autocomplete suggestions; this involves your IP address being visible to Mapbox, governed by their privacy policy. We do not pass your account identity to Mapbox, and Mapbox geocoding results are never stored in our database (we use OpenCage for any coordinates that need to be persisted, in line with each provider’s terms).

6. Data retention and deletion

Your account and all associated data are retained until you delete your account. To delete your account and all associated data, contact us at david@theima.app. We will process your request within 30 days.

7. Cookies and tracking

Theima uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics services.

8. Australian Privacy Act

Theima is operated from Australia and complies with the Australian Privacy Act 1988. If you have a complaint about how we handle your personal information, please contact us at david@theima.app. If we cannot resolve your complaint, you may contact the Office of the Australian Information Commissioner.

9. Contact

Questions about this policy: david@theima.app