Privacy Policy

Version 2026-05-31 · Effective May 31, 2026

1. Who We Are & Our Role

Alvaro Berlanga, an individual operating the Conduct Studio service, with NIF 53995589F and registered address at Calle Estrellas 2, 28224 Pozuelo de Alarcón, Madrid, Spain, is responsible for your personal data.

We act as the data controller for the personal data we use to run the Service and our relationship with you — for example your account, billing, usage, and support data. Where you use the Service to upload or process personal data of other people (for example, personal data contained in the content you store, or about collaborators you invite), you are the controller of that data and we act as your processor, on your instructions, under our Data Processing Addendum (conductstudio.com/legal/dpa).

A formal Data Protection Officer (DPO) is not required for sole-trader operations of this size under GDPR Article 37, and we have documented that assessment. All privacy questions and data-subject requests should be directed to: privacy@mail.conductstudio.com

We acknowledge requests within 72 hours and respond in full within one month (extendable by two further months for complex requests, as permitted by GDPR Article 12).

2. What Data We Collect

2.1 Account Data

Name, email address, profile photo, organisation name, role within organisation, job title (optional), account creation date, and last-active timestamp.

2.2 Content Data

Audio and picture files uploaded to the Service; project metadata including cue names, timecodes, reel/episode structure, delivery notes, and version history; chat messages, @mentions, and cue thread comments; review feedback; and delivery and approval history. This content may itself contain personal data of third parties, for which you are the controller (see Section 1).

2.3 Payment Data

Billing name and address, country, subscription plan, payment-method type (last 4 digits only), transaction history, and invoice records. Full card details are processed exclusively by Stripe — we never receive or store raw card numbers or CVVs.

2.4 Usage & Technical Data

Device type, operating-system and app version, features accessed, session duration, and error or diagnostic reports. Our hosting, security, and (where you consent) analytics providers process your IP address transiently to deliver, secure, and monitor the Service. We do not store your IP address in our own application database; limited abuse-prevention records may contain a non-reversible (hashed) representation of an IP address or similar identifier, which cannot be read back to the original value.

2.5 Communications

Support tickets and responses, and any feedback or survey submissions you choose to send us.

4. Third-Party Processors (Sub-processors)

We share data with the following processors solely to deliver the Service. All processors are bound by Data Processing Agreements (DPAs). The authoritative, up-to-date list — and how to subscribe to change notifications — is published at conductstudio.com/legal/subprocessors.

We do not sell your personal data to any third party. We do not use third-party advertising networks, ad tracking, or cross-context behavioural advertising on any part of the Service.

Processor | Purpose | Location | DPA
Supabase Inc. | Authentication, database, file storage, realtime | EU (AWS eu-west-1) | supabase.com/legal/dpa
Vercel Inc. | Application hosting, web portal, serverless functions, cron | EU region (dub1); company USA — SCCs/DPF | vercel.com/legal/dpa
Stripe, Inc. / Stripe Payments Europe | Payment processing, billing, tax | EU + USA (SCCs/DPF applied) | stripe.com/legal/dpa
Brevo SAS | Transactional email delivery | EU (France) | brevo.com/legal/dpa
PostHog Inc. | Product analytics (account ID, organisation ID, feature-usage events) — only with consent | EU (eu.posthog.com) | posthog.com/dpa
Functional Software, Inc. (Sentry) | Error monitoring and performance tracing (PII scrubbed) | USA (SCCs/DPF applied) | sentry.io/legal/dpa
Cloudflare, Inc. | Encrypted off-site backups (R2 storage) | EU / USA (SCCs/DPF applied) | cloudflare.com/cloudflare-customer-dpa

5. International Data Transfers

We host your data in the European Union. Some of our processors are based in, or may process data in, countries outside the EU/EEA and UK (notably the United States). Where personal data is transferred outside the EU/EEA, we rely on one or more of the following safeguards under Chapter V GDPR: (a) an adequacy decision, including the EU-US Data Privacy Framework where the recipient is certified; (b) the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) together with supplementary technical and organisational measures; and (c) for transfers subject to UK law, the UK International Data Transfer Agreement or the UK Addendum to the SCCs, and for Switzerland the applicable Swiss addendum. A copy of the relevant transfer mechanism is available on request via privacy@mail.conductstudio.com.

6. Your Rights

6.1 GDPR & UK GDPR Rights (EU, EEA & UK users)

Right of access (Art. 15) — request a copy of all personal data we hold about you.
Right to rectification (Art. 16) — correct inaccurate or incomplete data.
Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten").
Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
Right to restriction (Art. 18) — pause processing while a dispute is resolved.
Right to object (Art. 21) — object to processing based on legitimate interests, including direct marketing.
Right to withdraw consent (Art. 7.3) — where processing is based on consent, withdraw it at any time without affecting prior processing.

6.2 California Rights (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect and how it is used; to access and delete it; to correct inaccurate information; to opt out of the sale or sharing of personal information; and to limit the use of sensitive personal information. We do not sell or share your personal information and we do not use it for cross-context behavioural advertising. We honour the Global Privacy Control (GPC) browser signal as a valid opt-out. You will not be discriminated against for exercising these rights.

6.3 Other U.S. State Rights

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another U.S. state with a comprehensive privacy law, you generally have the right to confirm whether we process your personal data and to access it; to correct it; to delete it; to obtain a portable copy; and to opt out of the sale of personal data, targeted advertising, and certain profiling (we do not engage in these activities). Where required, we recognise universal opt-out mechanisms such as the Global Privacy Control. If we decline a request, you may appeal by replying to our decision or emailing us; we will respond to appeals within the period your state's law requires.

6.4 Canadian Rights (PIPEDA & Quebec Law 25)

If you are in Canada, you have the right to access and correct your personal information and to withdraw consent, subject to legal and contractual restrictions. We obtain meaningful consent for the collection, use, and disclosure of personal information, and report qualifying breaches to the Office of the Privacy Commissioner of Canada (and, for Quebec residents, the Commission d'accès à l'information). For Quebec residents, our privacy contact below acts as the person in charge of the protection of personal information, and we carry out the privacy assessments required by Law 25 before transferring personal information outside Quebec.

6.5 How to Exercise Your Rights

Open Settings → Privacy in the Conduct app for self-serve consent toggles, processing-restriction toggle, rectification form, objection to legitimate-interests processing, and request submission. Self-serve actions are recorded immediately to an immutable audit trail and reach a staff queue within minutes. You may also email privacy@mail.conductstudio.com — both routes flow into the same SLA-tracked queue.

We acknowledge requests within 72 hours and respond in full within one month (GDPR) or 45 days (most U.S. state laws). We may need to verify your identity before processing your request, particularly when the change affects identity-bearing fields (email, billing identity). We will not discriminate against you for exercising your rights.

When you exercise the right to data portability, your archive ships as JSON Lines (one record per line) accompanied by JSON Schema draft-2020-12 definitions for each category — the GDPR Article 20 "structured, commonly used, machine-readable" format. A SHA-256 of each file is included for tamper-evidence.

EU residents may lodge a complaint with the AEPD — Agencia Española de Protección de Datos, C/ Jorge Juan, 6, 28001 Madrid (www.aepd.es) — or their local supervisory authority. UK residents may contact the ICO (ico.org.uk).

7. Data Retention

We retain data only as long as necessary for the purpose for which it was collected or as required by law. Retention of payment records for tax compliance is a legal obligation under Spanish tax law that overrides the right to erasure for that specific data category. See the table below.

Data Category | Retention Period | Reason
Account and project data | Duration of active subscription | Contract necessity
Audio files and content | 30 days after account deletion or lapse | Grace period for export
Backup copies | Up to 60 days after primary deletion | Technical backup cycles
Payment and invoice records | Up to 7 years | Spanish tax law (Ley General Tributaria)
Security and audit logs | As long as needed for security, then minimised | Legitimate interests (security, forensics)
Support communications | 3 years | Legitimate interests (dispute resolution)
Usage and analytics logs | 12 months rolling | Legitimate interests / consent (service improvement)
Legal hold data | Duration of legal proceedings | Legal obligation

8. Cookies & Tracking

The Electron desktop app does not use browser cookies; it uses local storage only for session authentication and interface preferences. The web portal uses strictly-necessary session cookies (which cannot be disabled — the Service cannot function without them) and, only where you consent, optional analytics. We do not use advertising cookies, third-party tracking pixels, or ad-network technologies anywhere in the Service. Full details, and how to manage your choices, are in our Cookie Policy at conductstudio.com/legal/cookies.

9. Security

We implement appropriate technical and organisational measures, including TLS 1.2+ encryption for data in transit, AES-256 encryption at rest, role-based and row-level access controls enforced at API and database level, opaque storage keys, time-limited signed URLs for media, and regular dependency and security audits.

No method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

Data-breach notification: in the event of a breach likely to result in a risk to your rights and freedoms, we will notify the AEPD (and any other competent authority) within 72 hours of becoming aware, as required by GDPR Article 33, and affected users without undue delay where the breach is high-risk (Article 34). We maintain an internal record of all breaches.

Staff access for support: a small number of authorised platform-staff members may, when strictly necessary to investigate a support request or technical incident, view your account from your perspective ("impersonation"). This is logged on every use — including who accessed, when, and the stated reason — and the session is automatically revoked after 30 minutes. Lawful basis: Art. 6(1)(b) GDPR (necessary to perform the contract). We do not use this access for marketing or profiling. You may request the access log for your account at any time via privacy@mail.conductstudio.com.

10. Automated Decision-Making

We do not carry out solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of GDPR Article 22. Automated rate-limiting and abuse-prevention controls are used only to protect the Service and do not make significant decisions about you without human involvement.

11. Children's Privacy

The Service is intended for business and professional use and is not directed at children. We do not knowingly collect personal data from children. We apply, at a minimum, the age of digital consent in the user's jurisdiction (for example, 14 in Spain under LOPDGDD Art. 7, 16 in some EU member states, and under-13 under the U.S. COPPA standard). If we become aware that we have collected personal data from a child below the applicable age without the required consent, we will delete it promptly.

12. Changes to This Policy

We will notify you of material changes by email and in-app notification at least 30 days before they take effect. The effective date is displayed at the top of this document.

13. Contact

Privacy enquiries: privacy@mail.conductstudio.com
Response: 72-hour acknowledgement, one-month full response

Alvaro Berlanga
NIF: 53995589F
Calle Estrellas 2
28224 Pozuelo de Alarcón, Madrid, Spain