Privacy Policy

Listium, Inc.

Last updated: December 3, 2025

This Privacy Policy describes how Listium, Inc. ("Listium," "we," "us") collects, uses, and protects personal data when visitors browse our marketing site, when users create accounts and operate the Listium platform, and when venue staff use Listium on the door, VIP floor, production line, or show control desk. By using the Service, you agree to the practices outlined here.

Who we are and how we handle roles

For venue and organization customers who use Listium to manage guest lists, tables, talent advancing, and show control, Listium acts as a data processor. Those customers are the data controllers responsible for the lawful basis of processing, transparent notices to their guests, and honoring their own regulatory requirements.

For website visitors, people who sign up for Listium accounts, billing and support contacts, and anyone interacting with Listium outside of a venue’s own data, Listium acts as the data controller. We determine the purposes and means of processing this information and comply with applicable privacy laws.

Information we collect

Account & Profile Data

We collect name, email, role, organization, contact details, and authentication data when you create or manage an account. Credentials are handled by BetterAuth, our authentication provider, so Listium does not store raw passwords. BetterAuth manages sign-in, session lifetimes, MFA, and device approvals.

Operational Data (entered by customers)

Customers load guest lists, VIP reservations, artist advancing details, show control timelines, incidents, and internal notes into Listium. This may include guest names, contact information, tiers, RSVP status, table spend and comps, artist riders, hospitality counts, travel info, security notes, and production cues. Listium processes this data only to provide the contracted services and does not sell or repurpose it.

Usage & Device Data

When you access Listium we collect IP address, device type, operating system, browser, app version, timestamps, logins, feature interactions, error diagnostics, and local device identifiers used for approvals. This helps secure accounts, prevent abuse, and keep audit trails.

Analytics & Experimentation Data

We use PostHog to gather aggregated product analytics and run experiments. Events like page views, feature usage, and experiment assignments are sent to PostHog with pseudonymous identifiers to measure performance. PostHog does not use this data for cross-site tracking.

Payment & Billing Data

Billing contact information, subscription status, invoice history, and limited card metadata (card brand, expiration, last 4 digits) are collected and processed by Polar. Polar stores and tokenizes card numbers; Listium never sees full card numbers or CVVs.

Communication Data

When you email support, send feedback, or receive transactional emails (account invites, device approvals, alerts), we process message content, attachments, and metadata. Resend delivers these operational emails and stores recipient, subject, delivery timestamps, and error metadata to ensure delivery.

Cookies & Similar Technologies

We use cookies, local storage, and similar technologies to maintain sessions, remember device approvals, record analytics metrics, and keep the app functional offline. We do not use third-party advertising pixels or sell cookie data.

Offline use and local device storage

Listium is designed to work even when Wi-Fi drops. Authorized devices keep an encrypted working copy of the current event’s data (guest lists, reservations, tasks, incidents) for operational use. This local data is tied to authenticated accounts and syncs to our Neon-hosted Postgres database via APIs hosted on Vercel as soon as a connection is available. When a user or device loses access, the local cache becomes unreadable and the device can no longer sync. Venue administrators must maintain physical control over devices to protect this data.

How we use your information

  • Provide, operate, and maintain door, VIP, talent advancing, and show control workflows.
  • Authenticate and secure access via BetterAuth, including device approvals and session management.
  • Process payments, subscriptions, and invoicing through Polar.
  • Send transactional communications through Resend for invites, alerts, and operational notices.
  • Analyze usage, run experiments, and improve reliability with PostHog.
  • Detect and prevent abuse, investigate incidents, and maintain audit trails.
  • Comply with legal obligations, accounting rules, and requests from authorities where appropriate.

Legal bases for processing (EEA/UK users)

  • Contractual necessity: Delivering the Listium platform to customers and their teams.
  • Legitimate interests: Securing the service, running analytics, improving features, and ensuring business continuity.
  • Consent: Collecting certain cookies, sending optional marketing communications, or handling data beyond contractual needs.
  • Legal obligation: Retaining invoices, responding to lawful requests, and maintaining security records.

Service providers and sub-processors

We rely on vetted service providers who act as processors under written agreements. They process data only to provide their services to Listium and are not permitted to use it for their own marketing.

  • Vercel: Hosts the Listium web application and APIs, processing encrypted traffic between users and our backend.
  • Neon: Managed Postgres database that stores application data with SOC 2 aligned controls and encryption at rest and in transit.
  • BetterAuth: Authentication and user management platform handling logins, MFA, and device approvals.
  • Polar: Payment processor for subscriptions, invoicing, and receipts.
  • PostHog: Analytics and experimentation platform that handles product metrics and feature tests.
  • PowerSync: Offline sync provider that enables local data caching and background synchronization between devices and our database.
  • Axiom: Observability platform for application logs, error tracking, and performance monitoring.
  • Resend: Email delivery provider for transactional and operational emails.

Data may be stored in the United States or European Union depending on the provider. Where required, we rely on Standard Contractual Clauses or equivalent safeguards to enable international transfers.

How long we keep your data

  • Account and profile data remain while an account is active and for a reasonable period afterward to satisfy legal and contractual obligations.
  • Operational data (guest lists, reservations, advancing records, incidents) persists for the duration of a customer’s subscription unless the customer requests deletion or anonymization.
  • Audit logs and security records are kept as long as necessary to investigate issues and comply with legal requirements.
  • PostHog retains analytics events according to their data retention policies; aggregated metrics may be stored longer to evaluate product performance.

How we protect your data

  • All traffic between clients, Vercel, and Neon is encrypted via HTTPS/TLS.
  • Neon, Polar, BetterAuth, PostHog, PowerSync, Axiom, and Resend maintain their own security programs (including SOC 2 or equivalent certifications) to safeguard data they process for us.
  • Listium limits internal access using least privilege, enforces device approvals, and uses role-based access controls.
  • We monitor for suspicious activity, maintain audit trails, and review logs for incidents.
  • We regularly update dependencies and infrastructure to address vulnerabilities.

International data transfers

Our service and sub-processors may store or process data in the United States, the European Union, or other locations where they operate. When transferring personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on Standard Contractual Clauses or other appropriate safeguards to ensure an adequate level of protection.

Your rights

EEA/UK individuals

You have the right to access, correct, or delete your personal data; restrict or object to certain processing; receive a copy of your data in a portable format; and lodge a complaint with your local supervisory authority. Where we act as a processor, please contact the relevant venue or organization to exercise your rights; they control the operational data stored in Listium.

California and US individuals

You have the right to know what categories of personal information we collect, request deletion (subject to exceptions), and not be discriminated against for exercising your rights. Listium does not sell personal information. To submit a request, contact us at privacy@listium.app.

Children’s privacy

Listium is not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe a minor has provided data to us, please contact privacy@listium.app so we can remove it.

Your choices

  • Update account and organization settings within the app.
  • Manage marketing email preferences via unsubscribe links or by contacting us.
  • Control cookies and local storage through browser settings, though disabling certain cookies may impact functionality.

Contact us

If you have questions about this Privacy Policy or would like to exercise your rights, email us at privacy@listium.app.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above and, if the changes are material, we will provide additional notice such as via email or in-app messaging.