Privacy
Last updated: 12 March 2026
WHO WE ARE
Apparatus Operations Pty Ltd. Two directors, a handful of collaborators, and a website. Electronic music events in Brisbane. Not a tech company. No data team. No investors who need your behavioural profile. Questions about your data go to hello@apparatus.fm. That reaches Josh and Jax directly.
WHAT WE COLLECT
Signup form — name, email, phone, optionally address. Used to contact you about events and occasionally send you something physical. That is the entire purpose.
Tickets — payment processed by Stripe. We never see your full card number. We receive your name, email, and a transaction record. Kept minimum 5 years (ATO requirement).
Drawings — stored as PNG images with optional signature and messages. Kept in our database. By submitting a drawing you assign all intellectual property rights to Apparatus Operations Pty Ltd. We may use drawings in emails, at events, on the site, in print, on merch, projected onto walls, or in any other format we feel like. They become ours. We are not giving them back. You were warned.
Analytics — Umami for page views (no cookies, no personal data). Microsoft Clarity for session recordings and heatmaps (first-party cookies, no cross-site tracking, no personal data sold). Neither is Google Analytics.
Server logs — IP address, browser type, pages requested. Generated by Vercel (hosting). Retained ~30 days, deleted automatically.
Rate limiting — IP address used to prevent abuse. Expires within 1 hour.
Local storage — small flags in your browser (e.g. whether you submitted a drawing). Never leaves your device. We cannot see it.
Tickets — payment processed by Stripe. We never see your full card number. We receive your name, email, and a transaction record. Kept minimum 5 years (ATO requirement).
Drawings — stored as PNG images with optional signature and messages. Kept in our database. By submitting a drawing you assign all intellectual property rights to Apparatus Operations Pty Ltd. We may use drawings in emails, at events, on the site, in print, on merch, projected onto walls, or in any other format we feel like. They become ours. We are not giving them back. You were warned.
Analytics — Umami for page views (no cookies, no personal data). Microsoft Clarity for session recordings and heatmaps (first-party cookies, no cross-site tracking, no personal data sold). Neither is Google Analytics.
Server logs — IP address, browser type, pages requested. Generated by Vercel (hosting). Retained ~30 days, deleted automatically.
Rate limiting — IP address used to prevent abuse. Expires within 1 hour.
Local storage — small flags in your browser (e.g. whether you submitted a drawing). Never leaves your device. We cannot see it.
WHAT WE DO NOT COLLECT
No Google Analytics. No Facebook Pixel. No TikTok Pixel. No tracking pixels from any advertising platform. No retargeting. No behavioural profiles. We do not buy or sell data. Clarity uses first-party cookies for session replay — no cross-site tracking.
WHY
Send you event information you signed up for. Send you the occasional physical thing if you gave us your address. Process tickets. Understand site usage. Prevent abuse. Meet Australian tax obligations.
WHERE YOUR DATA GOES
Third-party services that run the site. None are advertising companies.
Stripe — payments. US. PCI DSS Level 1. stripe.com/privacy
Brevo — email + SMS. EU. GDPR compliant. brevo.com/legal/privacypolicy
Vercel — hosting. US/EU. SOC 2. vercel.com/legal/privacy-policy
Upstash — database. Encrypted in transit and at rest. upstash.com/trust/privacy
Cloudflare — DNS + CDN. US/EU. cloudflare.com/privacypolicy
Umami — analytics. EU. No cookies, no personal data. umami.is/privacy
Microsoft Clarity — session recordings + heatmaps. US. No personal data sold. privacy.microsoft.com
We do not sell, rent, or share your information with anyone outside these providers.
Stripe — payments. US. PCI DSS Level 1. stripe.com/privacy
Brevo — email + SMS. EU. GDPR compliant. brevo.com/legal/privacypolicy
Vercel — hosting. US/EU. SOC 2. vercel.com/legal/privacy-policy
Upstash — database. Encrypted in transit and at rest. upstash.com/trust/privacy
Cloudflare — DNS + CDN. US/EU. cloudflare.com/privacypolicy
Umami — analytics. EU. No cookies, no personal data. umami.is/privacy
Microsoft Clarity — session recordings + heatmaps. US. No personal data sold. privacy.microsoft.com
We do not sell, rent, or share your information with anyone outside these providers.
HOW LONG WE KEEP IT
Contact details — until you unsubscribe or ask us to delete them.
Purchase records — minimum 5 years. Australian tax law.
Drawings — indefinitely, or until you ask us to remove one.
Server logs — ~30 days. Automatic.
Analytics — indefinitely. Anonymised. Cannot identify you.
Rate limit data — 1 hour.
Purchase records — minimum 5 years. Australian tax law.
Drawings — indefinitely, or until you ask us to remove one.
Server logs — ~30 days. Automatic.
Analytics — indefinitely. Anonymised. Cannot identify you.
Rate limit data — 1 hour.
YOUR RIGHTS
Email hello@apparatus.fm to: see what data we hold, correct it, delete it, unsubscribe from marketing, export it, or remove a drawing. We respond within 30 days. Usually faster.
EU RESIDENTS
GDPR applies. Legal bases: contract (ticket sales), consent (marketing), legitimate interest (analytics, rate limiting), legal obligation (tax records). You can withdraw consent at any time. You can complain to your local data protection authority.
MARKETING
Emails and SMS about events. You signed up. Every email has an unsubscribe link. If it breaks, email us and we remove you manually.
SECURITY
TLS encryption on all connections. Payment data handled by Stripe, never touches our servers. Database encrypted at rest. If we discover a breach affecting your data, we notify you directly and notify the OAIC as required by the Notifiable Data Breaches scheme.
UNDER 16
We do not knowingly collect information from anyone under 16. Our events are 18+.
CHANGES
Meaningful changes will be noted here with an updated date. Significant changes (new third parties, etc.) will be emailed to the dispatch list.
COMPLAINTS
Email hello@apparatus.fm. We investigate and respond within 30 days. If unsatisfied, lodge a complaint with the OAIC at oaic.gov.au.
Apparatus Operations Pty Ltd — Brisbane, Australia.