Privacy Policy

1. Introduction

This Privacy Policy explains how your personal data is collected, used, and protected when you use Sergio, a theatre production operations platform.

• Data Controller: Sergio Performance Ltd (registered in Northern Ireland, company number NI739006) — we determine how and why your personal data is processed.
• Data Processor: Hypership Ltd (NI736697) — they build and operate the platform on our behalf, processing data strictly according to our instructions.

We are committed to protecting your privacy and handling your data transparently and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

We collect the following categories of information:

• Account information: your name, email address, and role within your production, provided during registration or by your Company Manager
• Production data: show reports, attendance records, cover arrangements, and operational notes that you or your Company Manager enter into the platform
• Wellbeing check-ins: responses you voluntarily submit through the wellbeing feature, including mood and energy indicators
• Holiday and absence records: holiday requests, approvals, allowances, and absence reasons recorded in the system
• Usage data: information about how you interact with the platform, including pages visited, features used, device type, and browser information, collected automatically to help us improve the service

3. How We Use Your Information

We use the information we collect to:

• Provide and operate the Sergio platform, including show reporting, attendance tracking, and holiday management
• Enable production management workflows such as cover coordination and schedule planning
• Generate aggregated wellbeing insights for production management (individual responses are never shared — see section 8)
• Send you service-related communications, including notifications about holiday requests, schedule changes, and platform updates
• Improve the platform through aggregated, anonymised usage analysis

4. Legal Basis for Processing

Under the UK GDPR, we process your personal data on the following legal bases:

• Performance of a contract: processing necessary to provide you with the Sergio service, as agreed between your production company and Sergio Performance Ltd
• Legitimate interests: processing necessary for our legitimate interests in operating, improving, and securing the platform, provided these interests do not override your rights
• Consent: for optional features such as wellbeing check-ins, where your participation is entirely voluntary and you may withdraw consent at any time

5. Data Sharing

We do not sell your personal data. We share your information only with the following parties, strictly as needed to operate the platform:

• Hypership Ltd — our technical partner who builds and operates the Sergio platform on our behalf
• Clerk — our authentication provider, which handles secure sign-in and account management
• Vercel — our hosting provider, which serves the platform infrastructure
• Neon — our database provider, where your production data is securely stored

Each of these providers is bound by appropriate data processing agreements and handles your data in accordance with applicable data protection laws.

6. Data Retention

We retain your personal data for as long as your account is active and your production is using Sergio. Specifically:

• Account information is kept while your account remains active
• Production data (show reports, attendance records) is retained for the duration of the production's use of the platform
• Wellbeing data is retained in aggregated form; individual responses may be deleted on a rolling basis

When you or your production company request account deletion, we will remove your personal data within 30 days, except where we are legally required to retain certain records.

7. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete data
• Right to erasure: request deletion of your personal data, subject to legal retention obligations
• Right to data portability: receive your data in a structured, commonly used format
• Right to object: object to processing based on legitimate interests
• Right to restrict processing: request that we limit how we use your data in certain circumstances
• Right to withdraw consent: where processing is based on consent (such as wellbeing check-ins), you may withdraw at any time

To exercise any of these rights, please contact us using the details in section 12. We will respond to your request within one month.

8. Wellbeing Data

We take particular care with wellbeing check-in data. This feature is designed with privacy at its core:

• Wellbeing check-ins are entirely voluntary — you are never required to participate
• Production management only ever sees aggregated, anonymised data — they cannot view individual responses or identify who submitted what
• Aggregated insights are only shown when enough responses have been collected to prevent identification of individuals
• Individual wellbeing responses are never shared with producers, general managers, or any third party

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (TLS/HTTPS) and at rest in our database
• Role-based access controls ensuring users only see data relevant to their role
• Secure authentication through Clerk with support for multi-factor authentication
• Regular security reviews of the platform and its dependencies

10. International Transfers

Your data may be processed outside the United Kingdom and the European Economic Area by our infrastructure providers. Where this occurs, we ensure appropriate safeguards are in place, including standard contractual clauses or equivalent mechanisms approved under UK data protection law, to protect your data to the same standard as within the UK.

11. Children

Sergio is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take steps to delete that information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you through the platform or by email and ask you to explicitly acknowledge the updated policy before continuing to use the platform. The “Last updated” date at the top of this page indicates when the policy was last revised.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact:

• Sergio Performance Ltd (NI739006) — data controller for the Sergio platform
• Hypership Ltd (NI736697) — data processor and technical operator of the platform

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have not been respected.