Privacy Policy
Version 1.2 · Last Updated: April 11, 2026
1. Controller
The above person is the controller within the meaning of the General Data Protection Regulation (GDPR) with regard to personal data processed through THE SERVICE.
2. Scope of This Policy
This Privacy Policy applies to:
- Visitors of the website
- Registered users (THE CREATOR)
- Invited authorized users (THE CUSTOMER)
It explains how personal data is processed when accessing and using THE SERVICE.
3. Categories of Personal Data
Depending on use, the following data may be processed:
- Name
- Email address
- Account credentials
- IP address
- Login timestamps
- Session identifiers
- Project access logs
- Communication data
- Billing information (if applicable)
- Technical log data
- Device and browser information (User-Agent)
- Error reports
Audio files uploaded by users may contain personal data if included by the uploader.
4. Purposes and Legal Basis
4.1 Account Registration and Access
Purpose:
- Account creation
- Authentication
- Access management
- Project collaboration
Legal basis:
- Art. 6(1)(b) GDPR (contract performance) for THE CREATOR
- Art. 6(1)(f) GDPR (legitimate interest in secure access management) for authorized users
4.2 Hosting and Infrastructure
THE SERVICE uses third-party infrastructure providers, including:
- Cloudflare (content delivery and infrastructure services)
- Supabase (authentication and database services)
These providers process data on behalf of THE SERVICE PROVIDER.
Legal basis:
- Art. 6(1)(b) GDPR
- Art. 6(1)(f) GDPR
4.3 Transactional Emails (Resend)
Transactional emails (e.g., login links, account notifications) are sent via Resend.
Processed data may include:
- Email address
- Email content
- Technical delivery metadata
Legal basis:
- Art. 6(1)(b) GDPR
- Art. 6(1)(f) GDPR
4.4 Payment Processing
Subscription payments may be processed via external providers such as Stripe. Payment data is processed directly by the respective payment provider. THE SERVICE PROVIDER does not store full payment card details.
The payment provider acts as an independent controller.
Legal basis:
- Art. 6(1)(b) GDPR
4.5 Error Monitoring and System Security
THE SERVICE may use error tracking and monitoring tools to ensure system stability and security. Such tools may process:
- IP address
- Device and browser information
- Error logs
- Technical usage context
Legal basis:
- Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation)
Error monitoring is used solely for technical diagnostics.
5. Cookies
THE SERVICE uses technically necessary cookies for:
- Secure authentication
- Session management
- Protection against unauthorized access
These cookies are required for the operation of the platform and do not require consent.
No marketing or tracking cookies are used.
6. Data Retention
Personal data is retained only as long as necessary for the purposes for which it was collected. The following retention periods apply:
- Account data (name, email address, login credentials): retained for the duration of the contractual relationship and deleted upon account deletion.
- Session and access logs (IP address, login timestamps, session identifiers, access logs): retained for 90 days after the recorded event.
- Uploaded project content: retained until deletion by THE CREATOR, or for a maximum of 30 days after termination of the contractual relationship, whichever comes first.
- Billing and transaction records: retained for 10 years as required by statutory obligations (§ 257 HGB, § 147 AO).
- Error and system logs: retained for 30 days.
- Email delivery metadata (transactional emails via Resend): retained for 30 days.
After the applicable retention period, data is deleted or anonymized. Restoration after deletion is not guaranteed.
7. Data Sharing
Personal data may be shared with:
- Hosting and infrastructure providers (Cloudflare, Supabase)
- Email delivery providers (Resend)
- Payment providers (e.g., Stripe)
- Error monitoring providers
All providers are carefully selected and contractually bound where required by law.
Personal data is not sold.
8. International Data Transfers
Some service providers may process data outside the European Economic Area (EEA). In such cases, data transfers are based on:
- Adequacy decisions of the European Commission, or
- Standard Contractual Clauses (SCCs), or
- Other legally recognized safeguards
9. Data Subject Rights
You have the right to:
- Access your personal data
- Rectification
- Erasure
- Restriction of processing
- Data portability
- Object to processing
To exercise any of these rights, please contact us at mail(at)arneschumann.music or via the contact form on the website. We will respond within 30 days.
You have the right to lodge a complaint with a supervisory authority. The competent authority for Berlin, Germany is:
10. Security Measures
Appropriate technical and organizational measures are implemented to protect personal data against:
- Unauthorized access
- Loss
- Alteration
- Disclosure
However, no internet-based system can be guaranteed to be completely secure.
11. Processing on Behalf of Creators
Where THE CREATOR uploads or manages personal data within projects, THE SERVICE PROVIDER may act as a processor within the meaning of Art. 28 GDPR.
In such cases, a separate Data Processing Agreement (DPA) governs the relationship between THE CREATOR and THE SERVICE PROVIDER.
12. Automated Decision-Making
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.
13. Changes to This Policy
This Privacy Policy may be updated from time to time. The current version is always available on the website. In case of material changes, registered users will be informed by email prior to the effective date.