Privacy policy

Mainstage Studio is the data fiduciary for personal data collected through this website. The registered business address will be added on lawyer review.

For questions about this policy or your data, write to hello@mainstagestudio.in.

We collect personal data only when you actively give it to us. There are three entry points:

• Studio audit application: name, email, company, website (optional), vertical (optional), revenue band, founder time commitment, free-text answers about your content situation and goals, and how you heard about us.
• Talent application: name, email, primary handle and platform, follower band, niche, tier interest, and free-text answers about deal flow and goals.
• Contact form: name, email, topic, and your message.

We also record a small amount of technical context with each submission: your IP country (derived from the request header; we do not store the IP itself), your user agent, and any UTM parameters on the URL you arrived at. The site does not set tracking cookies. Plausible, the analytics platform we use, is cookieless and does not track individuals.

We use the data above for three purposes:

• to read and respond to your application or message (lawful basis: your consent, given when you submit the form);
• to send the email confirmation you've explicitly opted into (also consent);
• to keep an internal record of inbound demand for capacity planning (a legitimate use under the DPDP Act, limited to aggregated and de-identified analysis where possible).

We do not sell personal data. We do not share personal data with advertisers. We do not use personal data to train any machine-learning model. Decisions about application outcomes are made by humans, not algorithms.

• Supabase (database): hosted on AWS, region Singapore. Stores submitted form data.
• Resend (transactional email): stores outgoing email logs. Used to send confirmations and ops notifications.
• Vercel (hosting): stores HTTP request logs for short periods.
• Plausible (analytics): privacy-friendly and cookieless. Stores aggregated page-view data only.

Each of these processors has its own privacy policy and security posture. They are bound by data-processing agreements where applicable. We update this list when processors change; the "Last updated" date at the top of the page reflects that change.

• Audit applications, talent applications, and contact messages are retained for up to five years from the last interaction with us, then purged, unless we are legally required to retain them longer (for example, to defend a legal claim).
• Server logs are retained for as long as Vercel, Supabase, and Resend's default policies dictate, typically 30 to 90 days.

You can ask us to delete your data at any time. We will comply within the timelines the DPDP Act requires, and confirm the deletion in writing.

You have the right to:

• ask what personal data we hold about you;
• ask us to correct or update inaccurate personal data;
• ask us to delete your personal data, subject to legal retention obligations;
• nominate another individual to exercise these rights on your behalf in the event of incapacity or death;
• withdraw consent for processing where consent is the basis;
• complain to the Data Protection Board of India if you believe your rights have been violated.

To exercise any of these rights, write to hello@mainstagestudio.in. We respond within seven business days.

Per the DPDP Act, our grievance officer is named on the signed final version of this policy (lawyer review pending). Until then, all grievances are read by the founder at hello@mainstagestudio.in.

We do not knowingly collect personal data from anyone under eighteen. Please do not submit any forms on this site if you are under eighteen. If we discover we have collected data from a child, we delete it. We do not track children, profile them behaviourally, or target them with any communication.

If we discover a personal data breach affecting your data, we will notify the Data Protection Board of India and the affected individuals within the timeframes required by the DPDP Act. The notification will describe what happened, what data was involved, and the steps we are taking to contain and remediate the breach.

We protect personal data with reasonable technical and organisational measures: encrypted transport (HTTPS) for everything in transit, encrypted storage at the processor level, access scoped to the minimum number of people needed, and credentials rotated when staff changes. No system is unbreakable. We commit to keeping the standard of care current as the threat landscape evolves.

Some of the processors above store data outside India (for example, Supabase's Singapore region). The DPDP Act permits cross-border transfer subject to government notification. We will update this section if and when those notifications affect our processors.

We update this policy as the business and the law evolve. The "Last updated" date at the top reflects the most recent change. Material changes are announced via email to active subscribers and applicants.