// privacy policy
Privacy Policy — KC26 (Kendal Calling 2026) App
Last updated: 16 July 2026
This Privacy Policy explains what personal information the KC26 mobile app (the "App") collects about you, why we collect it, how we use and protect it, and the rights you have over it. Please read it alongside any terms of use for the App.
1. Who we are
The App is provided by Sappar Ltd, a company registered in England and Wales (Company No. 17113810), registered office at Unit B, 6 Oldham Road, Ancoats, Manchester, M4 5DB, United Kingdom ("we", "us", "our"). We build and operate the App as the official app of the Kendal Calling festival, with the festival organiser's authorisation.
Sappar Ltd is the sole data controller for the personal information described in this policy — we decide what data is collected and how it is used. The Kendal Calling festival organiser does not receive or control your personal information: it receives only anonymous, aggregated statistics, anonymous crowd-safety views, and the public game leaderboards, as described in section 6.
If you have any questions about this policy or about how your data is handled, contact us at:
- Email: privacy@sappar.uk
- Post: Sappar Ltd, Unit B, 6 Oldham Road, Ancoats, Manchester, M4 5DB, United Kingdom
2. Who this App is for
Kendal Calling is a music festival that admits attendees of all ages, including children accompanied by an adult. The App is designed primarily for adult festival-goers.
You must be at least 13 years old to create an account. We do not knowingly collect personal information from children under 13. If you are under 16, we encourage you to involve a parent or guardian before enabling optional features such as location sharing.
3. The information we collect
Account information
When you create an account you sign in using Google, Apple, or an email address and password. Depending on the method you choose, we collect your email address and a display name, and optionally an avatar image. We record which sign-in method you used.
Optional profile and demographic information
You may optionally provide additional details such as your year of birth (used to work out your age range), the region or county you live in, and how many years you have attended the festival. Providing these is entirely optional and the App works without them. This information is used only to produce anonymous, aggregated statistics for the festival organiser, as described in section 6 — it is never shared in a form that identifies you.
Location information
Location sharing is off by default and entirely opt-in. If you turn it on, the App uses your device's GPS to determine your position only while you are actively using the App. The App asks for "While Using the App" location permission — it does not request, and cannot use, background or "Always" location access. When you close the App or switch away from it, location collection stops.
While you are using the App, your position is updated roughly every 30 seconds, and refreshed immediately when you open or return to the App. If you stop using the App, your last position becomes marked as out of date for your friends after about 10 minutes ("last seen X minutes ago").
We use your location for two purposes only:
- Finding friends. Your location is shown on the festival map to people you have accepted as friends, so you can meet up on a large site. You control this through in-app sharing toggles and can turn it off at any time — sharing stops immediately.
- Crowd safety and operations. Your position contributes to anonymous crowd views used by festival management and security to monitor how busy different areas are. These take two forms: an aggregated heatmap (locations grouped into approximately 50-metre grid cells and reported only as counts) and a live operations map showing individual positions as anonymous points — with no names, account details, or any other identifying information attached to any point.
We store only your single most recent position — one record per person, overwritten each time. We do not keep any location history. All location data is deleted at the end of the festival (see section 8).
You can stop location sharing at any time, either in the App's settings or by revoking the permission in your device settings.
Friends and contact discovery
To add friends you can share a code in the App, or you can choose to find friends from your phone's contacts. If you use contact discovery, your contacts' phone numbers are converted into one-way codes (a cryptographic hash) on your device before anything is sent to us — the actual phone numbers never leave your phone. We use these codes only to match you with other people who have chosen to be findable. Similarly, if you choose to be findable, your own phone number is hashed on your device and only the resulting code is sent to us.
Map pins
You can drop pins on the map to remember places such as your tent or car. Pins are private to you. Any label you give a pin (for example "Mum and Dad's tent") is stored exactly as you type it, so please avoid including other people's personal details you would not want stored.
Activity and step data
If you take part in the step-counting game, where it is available on your device, the App reads your step count from your device's motion sensor — Motion & Fitness (Core Motion) on iOS — with your permission. Only a daily step total is sent to us, never a minute-by-minute record. This is used to show your steps and your position on a game leaderboard. You can decline this permission and still use the rest of the App.
Games and leaderboards
We collect your game scores and progress (quizzes, treasure hunts, crosswords, mini-games). Where a game has a leaderboard, your display name and score are visible to other users of the App and to festival staff — for example, so that prizes can be awarded to leaderboard winners. If you win a prize, we (Sappar Ltd) will contact you — your contact details are not passed to the festival organiser without your agreement. Choose your display name with this in mind.
App usage information
We collect information generated by your use of the App, including the artists and set times you bookmark and friend requests you send and receive.
Notifications
If you allow notifications, we store a push notification token for your device so we can send you alerts — for example, reminders for acts you've bookmarked and official announcements from the festival.
4. How we use your information and our lawful basis
Under UK data protection law we must have a lawful basis for using your personal information. We rely on the following:
- To provide the App and the features you choose to use (your account, the schedule, bookmarks, friend-finding, games) — this is necessary to deliver the service you have asked for.
- With your consent — for location sharing, contact discovery, step data, and push notifications. Each of these is optional and you can withdraw consent at any time by turning the feature off in the App or your device settings.
- For our legitimate interests — to keep the App secure, prevent abuse, fix problems, to produce anonymous aggregated statistics about how the App and the festival are used, and to contact you by email with service and pilot-programme communications (for example set-up instructions, important notices about the App, and a post-event feedback survey). We will not send you marketing without your separate opt-in consent.
- For crowd safety — the anonymous crowd views described in sections 3 and 6 support the festival's and our legitimate interest in monitoring crowd density and keeping attendees safe. They use non-identifying data only.
5. Sharing your information with service providers
We use trusted third-party providers to run the App. They process data on our behalf, under contract, and only as instructed:
- Supabase — database, authentication, file storage, and real-time updates.
- Render — hosting for the App's backend service.
- Resend — delivery of account emails, such as sign-up confirmations and password resets.
- Expo, Apple (APNs), and Google/Firebase (FCM) — delivery of push notifications.
- Cloudflare — hosting for our website.
When you sign in with Google or Apple, that sign-in is handled by Google or Apple respectively, subject to their own privacy policies.
Festival merch store — When you open the festival merch store inside the App, your activity on that store is subject to Shopify's privacy policy at https://www.shopify.com/legal/privacy. No personal data from your festival app account is shared with the store.
The App contains no third-party analytics, advertising, or crash-reporting SDKs — we do not embed tools that send your data to advertising networks or analytics companies. Data leaves your device only to the first-party services listed above.
We do not sell your personal information, and we do not share it with third parties for their own marketing.
6. Information shared with the festival organiser
The Kendal Calling festival organiser receives only the following from the App:
- An anonymised, aggregated crowd-density heatmap. Locations are grouped into approximately 50-metre cells and reported only as counts. No individual attendee can be identified from it.
- A live crowd-safety map showing attendee positions as anonymous points. No names, account details, or other identifying information are attached to any point.
- Aggregate statistics about the festival audience and the App's use — for example artist popularity totals and audience demographics reported in age bands and regional groupings, as group counts only. Where a group would be so small that individuals might be identifiable, it is suppressed rather than reported.
- Game leaderboards — the display names and scores that are already publicly visible on leaderboards in the App may be shared with the festival organiser, for example to award prizes. Nothing beyond what is publicly visible in the App is shared, and prize winners are contacted by us, not by the festival (see section 3, Games and leaderboards).
The festival organiser never receives your email address, your real name, or any other information that identifies you through the App. If the festival wishes to contact App users, any such message is sent by us on its behalf — your contact details are not passed on.
7. International transfers
Our systems are hosted in the United Kingdom and Europe wherever possible. Some of our service providers may process limited data outside the UK; where that happens, we rely on appropriate safeguards recognised under UK data protection law (such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or adequacy regulations) to ensure your information remains protected.
8. How long we keep your information
The 2026 App is operated as a pilot programme. We keep personal information only as long as we need it:
| Data | How long we keep it |
|---|---|
| Location data | Deleted at the end of the festival |
| Push notification tokens | Deleted at the end of the festival |
| Your account, profile, bookmarks, and game progress | Deleted within 3 months after the festival |
| Record of official broadcast notifications | Kept for 12 months for audit purposes (contains no personal attendee data) |
| Account deletion requests | Your account is deactivated immediately and your data is permanently deleted within 30 days |
9. Keeping your information secure
We take security seriously. Among other measures:
- Access to your data is authenticated on every request, and database access controls restrict each user to their own data.
- Phone numbers used for friend discovery are stored only as one-way cryptographic codes, never as the original numbers.
- Administrative access to the festival dashboard is restricted by role.
No system can be guaranteed completely secure, but we work to protect your information using appropriate technical and organisational measures.
10. Your rights
Under UK data protection law you have the right to:
- Access the personal information we hold about you. The App includes a data export feature that returns a copy of your key data, including your game scores; for a complete copy of everything we hold, contact us using the details below.
- Correct information that is inaccurate.
- Delete your account and the data associated with it, directly within the App. Your account is deactivated immediately and your data is permanently deleted within 30 days.
- Withdraw consent at any time for any feature you opted into (location, contacts, step data, notifications).
- Object to or restrict certain processing.
- Data portability — receive your data in a usable format.
To exercise any of these rights, use the relevant controls in the App or contact us at privacy@sappar.uk.
If you have a concern about how we handle your data, we would like the chance to resolve it. You also have the right to complain to the UK's data protection regulator, the Information Commissioner's Office (ICO), at https://ico.org.uk.
11. Changes to this policy
We may update this policy from time to time — for example, when we add features such as photo sharing. We will update the "Last updated" date at the top, and where changes are significant we will make this clear in the App.
12. Contact us
Sappar Ltd
Unit B, 6 Oldham Road, Ancoats, Manchester, M4 5DB, United Kingdom
Email: privacy@sappar.uk