In a recent briefing I heard the question that always shows up: “This is a dream of an operation. I'm just left with one doubt — doesn't it run into the data-protection law?” It's the right question. And the answer starts with an uncomfortable truth: today, for most artists and festivals, fan data lives scattered across spreadsheets on each team member's laptop, in loose exports and WhatsApp threads. No access control, no records, no one accountable. That is the real risk — and it already exists, with or without a consultant.
Who actually owns it
Brazil's LGPD organizes responsibility by roles, and that changes the whole conversation. The artist, manager or festival is the Controller: the one who decides what the data is for and who the fans are. Whoever helps process that data — in this case, me — is the Processor: working on the client's behalf, under instructions, under contract. You don't lose control; on the contrary, it becomes clearer than ever, because it gets written down.
How the data is actually handled
Instead of spreadsheets floating around, access is read-only and encrypted — we never edit the client's platforms. Personal identifiers (email, phone) are pseudonymized: each fan becomes a code, and the identity is stored separately and protected. The cross-matching across sources — streaming, ticketing, social, merch — happens on those codes, not on the raw data. And when the work ends, the data is returned or deleted. No extra footprint.
Compliance isn't a blocker — it's the method
The irony is that the work, beyond activating the audience, does the first step of any compliance program: mapping where the data lives. By organizing, protecting and documenting it, it lowers the client's exposure rather than raising it. The question “doesn't this run into the law?” comes from a legitimate fear — that handling data is dangerous. It's the opposite: what's dangerous is not handling it.
If a fan asked your artist today to see or delete their own data — would you know where it is and be able to respond on time? If the answer hesitates, the risk is already there. And that is exactly what this fixes.
