Privacy Policy
Version 2026-TBD · Effective TBD — fill at launch
1. Data Controller Identity
[APP NAME] S.L. (CIF: [XXX], [Registered Address], Madrid, Spain) is the data controller responsible for your personal data.
A formal Data Protection Officer (DPO) is not required for companies of this size under GDPR Article 37. All data subject requests should be directed to: privacy@[domain].com
We will acknowledge requests within 72 hours and respond in full within 30 days.
2. What Data We Collect
2.1 Account Data
Name, email address, profile photo, organisation name, role within organisation, account creation date, and last login timestamp.
2.2 Content Data
Audio files (WAV, AIFF, M4A) uploaded to the Service; project metadata including cue names, timecodes, reel/episode structure, delivery notes, and version history; chat messages, @mentions, and cue thread comments; delivery records and approval history.
2.3 Payment Data
Billing name and address, subscription plan, payment method type (last 4 digits only), transaction history, and invoice records. Full card details are processed exclusively by Stripe — we never store raw card numbers or CVVs.
2.4 Usage Data
IP address, device type, operating system version, app version, features accessed, session duration, and crash reports or error logs.
2.5 Communications
Support tickets and responses, and feedback or survey submissions.
3. Legal Basis for Processing (GDPR Article 13)
Every processing activity we carry out has a named legal basis under GDPR. Where we rely on legitimate interests (Article 6.1(f)), you have the right to object — see Section 5. See the table below for the full breakdown.
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and management | Contract performance | 6.1(b) |
| Delivering the Service (storage, sync, audio processing, streaming) | Contract performance | 6.1(b) |
| Payment processing via Stripe | Contract performance | 6.1(b) |
| Transactional emails (receipts, delivery notifications, account alerts) | Contract performance | 6.1(b) |
| Product update emails and newsletters | Legitimate interests / Consent | 6.1(f) / 6.1(a) |
| Security monitoring, fraud prevention, abuse detection | Legitimate interests | 6.1(f) |
| Retaining payment records for tax compliance | Legal obligation | 6.1(c) |
| Product analytics and improvement | Legitimate interests | 6.1(f) |
| Responding to legal requests (DMCA, court orders) | Legal obligation | 6.1(c) |
4. Third-Party Processors (Subprocessors)
We share data with the following processors solely to deliver the Service. All processors are bound by Data Processing Agreements (DPAs).
For processors based outside the EU/EEA (Stripe, Vercel), data transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46.
We do not sell your personal data to any third party. We do not use third-party advertising networks or ad tracking on any part of the Service.
| Processor | Purpose | Location | DPA |
|---|---|---|---|
| Supabase Inc. | Authentication, database, file storage | EU (AWS eu-west-1) | supabase.com/dpa |
| Stripe Inc. | Payment processing, billing | USA (SCCs applied) | stripe.com/dpa |
| Brevo SAS | Transactional email delivery | EU (France) | brevo.com/legal/dpa |
| Vercel Inc. | Director Review web portal hosting | USA/EU (SCCs applied) | vercel.com/legal/dpa |
5. Your Rights
GDPR and UK GDPR Rights (EU and UK users)
Right of access (Art. 15) — request a copy of all personal data we hold about you. Right to rectification (Art. 16) — correct inaccurate or incomplete data. Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten"). Right to data portability (Art. 20) — receive your data in a structured, machine-readable format. Right to restriction (Art. 18) — pause processing while a dispute is resolved. Right to object (Art. 21) — object to processing based on legitimate interests, including direct marketing. Right to withdraw consent (Art. 7.3) — where processing is based on consent, withdraw it at any time.
CCPA/CPRA Rights (California users)
Right to know what personal information is collected and how it is used. Right to delete personal information. Right to correct inaccurate personal information. Right to opt out of sale of personal information — we do not sell your personal information. Right to limit use of sensitive personal information. Right to non-discrimination for exercising any of these rights.
How to Exercise Your Rights
Submit requests to privacy@[domain].com. We will acknowledge within 72 hours and respond in full within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing your request.
EU residents may lodge a complaint with the AEPD — Agencia Española de Protección de Datos, C/ Jorge Juan, 6, 28001 Madrid (www.aepd.es).
UK residents may contact the ICO (ico.org.uk).
6. Data Retention
We retain data only as long as necessary for the purpose for which it was collected or as required by law. The 7-year retention of payment records is a legal obligation under Spanish tax law that overrides the right to erasure for that specific data category.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account and project data | Duration of active subscription | Contract necessity |
| Audio files and content | 30 days after account deletion or lapse | Grace period for export |
| Backup copies | Up to 60 days after primary deletion | Technical backup cycles |
| Payment and invoice records | 7 years | Spanish tax law (Ley General Tributaria) |
| Support communications | 3 years | Legitimate interests (dispute resolution) |
| Usage and analytics logs | 12 months rolling | Legitimate interests (service improvement) |
| Legal hold data | Duration of legal proceedings | Legal obligation |
8. Security
We implement industry-standard security measures including TLS 1.2+ encryption for all data in transit, AES-256 encryption at rest (via Supabase), role-based access controls enforced at API level, and regular dependency and security audits.
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
Data breach notification: in the event of a breach likely to result in a risk to your rights and freedoms, we will notify you and the AEPD within 72 hours of becoming aware, as required by GDPR Article 33. Affected users will be notified without undue delay per GDPR Article 34.
9. Children's Privacy
The Service is not directed at individuals under 14 years of age (the minimum age for digital consent under Spanish law, LOPDGDD Art. 7). We do not knowingly collect personal data from children under 14. If we become aware of such collection, we will delete it immediately.
10. Changes to This Policy
We will notify you of material changes by email and in-app notification at least 30 days before they take effect. The effective date is displayed at the top of this document.
11. Contact
Privacy enquiries: privacy@[domain].com Response: 72-hour acknowledgement, 30-day full response
[APP NAME] S.L. [Registered Address] Madrid, Spain