Privacy Policy
Version 1.0 — Published March 2026
Effective Date: March 2026
LUV Music / BedroomProducers ("we", "our", "us") respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use our website (bedroomproducers.app), our cloud services (cloud.bedroomproducers.app), and the BedroomProducers desktop application ("the App").
1. Information We Collect
1.1 Account Information (Provided by You)
When you register an account, we collect:
- Email address - Account identification, login, transactional emails.
- Password - Stored only as a bcrypt hash (we never store your actual password). Not applicable if you register via OAuth.
- Display name - Optional, shown in your profile.
- Producer name - Optional, used in audio metadata and email templates.
1.2 Information from OAuth Providers
If you sign in with Google, we receive from the provider:
- Your email address.
- Your display name.
- Your profile picture URL.
- A unique provider identifier.
We do not receive or store your OAuth passwords.
1.3 Information Collected by the Desktop App (Stored Locally)
The desktop application stores the following data on your local machine only:
- Audio file metadata - File paths, filenames, file hashes (SHA-256), BPM, musical key, duration, loudness (LUFS), tags, categories, collaborators.
- Client contacts - Email addresses, names, preferences, notes, group memberships, send history.
- Email send records - Which files were sent to which clients, timestamps, match scores.
- Automation presets - Email automation rules, templates, schedules.
- Collaborator information - Names, email addresses, publisher info, PRO affiliations.
- Watch folder configuration - Which folders are monitored for new audio files.
This data is stored in a local SQLite database at Documents\BedroomProducers\data\ and is not transmitted to our servers.
1.4 OAuth Tokens (Stored Locally)
When you connect Gmail or Dropbox in the App, OAuth tokens are stored locally using:
- Windows: DPAPI (Data Protection API) encryption via Windows Credential Manager.
- macOS: Keychain encryption.
Tokens include access tokens, refresh tokens, and the associated email address. These tokens are encrypted at rest and only decryptable by your operating system user account.
1.5 Information Collected Automatically by Our Servers
When you interact with our API or website, we may collect:
- IP address - Collected during login, registration, consent acceptance, and for rate limiting and security.
- User agent - Browser or app identifier string, collected during consent acceptance and for security event logging.
- Device information - Machine identifier (hardware hash), operating system, and device name during license activation.
- Timestamps - When actions occur (login, consent, license activation, etc.).
1.6 License and Subscription Data
- License key - Generated by us and linked to your account.
- Device activations - Machine ID (hashed), machine name, OS, activation date, last seen date.
- Subscription details - Tier (Starter/Pro/Business), status, renewal dates. Payment details are handled by Stripe (see Section 5).
1.7 Consent Records
When you accept our Terms of Service and Privacy Policy, we record:
- ToS and PP version numbers accepted.
- SHA-256 content hashes of the exact document text you agreed to.
- Your IP address and user agent at the time of acceptance.
- An RFC 3161 timestamp token from an independent Time Stamping Authority.
- App version (if from the desktop app).
- A consent UI screenshot, if captured by the app or website (stored in Cloudflare R2).
1.8 Email Tracking Data (Optional Feature)
If you use the email tracking features in the App, we collect data about your recipients (the clients you email):
- Email opens - IP address, user agent, timestamp, bot detection flag.
- Link clicks - IP address, user agent, timestamp, which link was clicked.
This data is collected via tracking pixels embedded in emails you send and link redirects. You are the data controller for your recipients' data - you are responsible for having a lawful basis to track your recipients and for disclosing tracking in your own privacy communications.
1.9 Cloud Storage Data
When you use the cloud storage features, we collect and store:
- Uploaded files - Audio files you upload are stored in Cloudflare R2. We store the file content, filename, file size, content type, and optional metadata (BPM, musical key, genre, duration).
- File metadata - Upload timestamps, storage keys, upload status.
- Playlists - Playlist names, track ordering, and references to cloud files.
1.10 Share Link Visitor Data
When someone accesses a share link you created, we collect the following server-side (no cookies or device-side tracking):
- IP address - Used for rate limiting, fraud detection, and abuse prevention. Retained for up to 90 days, then automatically purged. Never shared with link creators.
- User agent - Used for abuse detection. Same retention and access restrictions as IP address.
- Event type and timestamp - Whether the visitor viewed, streamed, or downloaded content, and when. Used to generate aggregate analytics visible to the link creator.
- File identifier - Which specific file was streamed or downloaded (for playlists with multiple tracks).
What link creators see: Only aggregate, anonymized statistics - total views, unique visitor count, download counts, and a timeline of event types with timestamps. Creators never receive IP addresses, user agents, or other visitor-identifying information.
1.11 Email-Gated Share Link Data
When a visitor submits their email address to access an email-gated share link:
- Visitor email - Stored and shared with the link creator. The visitor is informed of this at the point of collection.
- The link creator is the data controller for collected visitor emails. We act as a data processor on their behalf.
1.12 Security and Audit Data
For security and compliance purposes, we log:
- Security events - Failed login attempts, rate limit violations, suspicious activity, webhook signature failures. Includes IP address and user agent.
- Audit logs - Administrative actions (user management, license changes, document publishing). Includes admin ID, IP address, and before/after state changes.
2. How We Use Your Information
We use your information for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---------|-------------------|
| Provide and maintain the App and services | Performance of contract (Art. 6(1)(b)) |
| Process your subscription and license | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails (verification, password reset, license delivery, consent receipts) | Performance of contract (Art. 6(1)(b)) |
| Validate your license and manage device activations | Performance of contract (Art. 6(1)(b)) |
| Record and prove consent to legal documents | Legal obligation (Art. 6(1)(c)) |
| Detect fraud, abuse, and security threats | Legitimate interest (Art. 6(1)(f)) |
| Rate limiting and bot protection | Legitimate interest (Art. 6(1)(f)) |
| Error tracking and debugging (Sentry) | Legitimate interest (Art. 6(1)(f)) |
| Deliver software updates | Performance of contract (Art. 6(1)(b)) |
| Store and deliver cloud-uploaded files | Performance of contract (Art. 6(1)(b)) |
| Provide aggregate share link analytics to creators | Legitimate interest (Art. 6(1)(f)) - minimal privacy impact, no PII exposed |
| Collect visitor IP/UA on share links for security | Legitimate interest (Art. 6(1)(f)) - fraud detection, rate limiting; 90-day retention |
| Collect visitor email on email-gated share links | Consent (Art. 6(1)(a)) - visitor actively submits their email with disclosure |
| Website analytics (Google Analytics) | Consent (Art. 6(1)(a)) - only with your cookie consent |
We DO NOT:
- Sell your personal data to third parties.
- Use your client contact lists for our own marketing.
- Access your files without your explicit action.
- Send you marketing emails without your consent.
- Use your data for automated decision-making or profiling.
3. Data Storage and Security
3.1 Local Storage (Desktop App)
Your audio files, client lists, send history, and automation settings are stored locally on your computer. We do not have access to this data unless you explicitly transmit it (e.g., by sending emails through connected services).
3.2 What We Store on Our Servers
We store the following on our cloud infrastructure:
- Account data - Email, display name, producer name, password hash, registration source.
- License data - License key, tier, status, device activations (machine ID hash, OS, last seen).
- Consent records - Acceptance timestamps, document version hashes, IP address, user agent, RFC 3161 tokens, consent screenshots.
- Email tracking data - Tracked email metadata, open/click records with IP addresses and user agents.
- Webhook events - Payment and subscription event payloads from Stripe.
- Security events and audit logs - IP addresses, user agents, action details.
- Cloud files - Audio files uploaded by users, stored in Cloudflare R2.
- Share link data - Link metadata, access settings, aggregate analytics counters.
- Share link events - Visitor event logs (IP address, user agent, event type, timestamp) retained for up to 90 days for security purposes. Visitor emails from email-gated links stored until the share link is deleted.
- App releases - Software installer files and metadata.
- Legal documents - Published versions of our Terms of Service and Privacy Policy.
3.3 Infrastructure and Security Measures
| Component | Provider | Purpose |
|-----------|----------|---------|
| Database | Neon (PostgreSQL) | Primary data storage, encrypted at rest |
| Cache | Upstash (Redis) | Rate limiting, session management |
| File Storage | Cloudflare R2 | App releases, consent screenshots, cloud-uploaded audio files |
| API Hosting | Railway | Application hosting |
| Website Hosting | Vercel | Website hosting |
Security measures:
- All data in transit encrypted via TLS/HTTPS.
- Database encrypted at rest by the hosting provider (Neon).
- Passwords hashed with bcrypt (work factor 12+).
- OAuth tokens stored with OS-level encryption (DPAPI/Keychain).
- JWT access tokens expire after 15 minutes; refresh tokens after 7 days.
- Rate limiting on authentication and sensitive endpoints.
- Cloudflare Turnstile bot protection on registration, login, and password reset.
- Webhook signature verification (HMAC-SHA256) for all incoming webhooks.
- Security headers (HSTS, X-Frame-Options, X-Content-Type-Options, CSP).
4. Third-Party Services and Data Sharing
We share data with the following third-party services, each acting as a data processor:
4.1 Payment Processing
- Stripe - Processes subscription payments. Receives your email address and handles all payment card data directly. We do not store your payment card information. Stripe Privacy Policy
4.2 Email Delivery
- Resend - Sends transactional emails on our behalf (verification, password reset, license delivery, consent receipts, subscription notifications). Receives recipient email addresses and email content. Resend Privacy Policy
4.3 OAuth Providers (Desktop App)
When you connect third-party services in the App:
- Google (Gmail, Google Drive) - We request permission to send emails on your behalf (gmail.send) and read your email address (userinfo.email). For Google Drive integration, we request access to files created by the app (drive.file). Google Privacy Policy
- Dropbox - We request permission to read and write files you select and create shareable links. Dropbox Privacy Policy
You can disconnect any OAuth integration at any time. When you disconnect, we revoke the tokens with the provider and delete them from your local storage.
4.4 Security and Infrastructure
- Cloudflare - Provides R2 file storage and Turnstile bot protection. Turnstile receives your IP address during registration, login, and password reset. Cloudflare Privacy Policy
- Sentry - Error tracking and monitoring. May receive user ID, email, and request context when errors occur. Sentry Privacy Policy
4.5 Consent Timestamping
- FreeTSA - Independent RFC 3161 Time Stamping Authority. Receives a cryptographic hash of your consent receipt data (not the raw data itself) and returns a signed timestamp proving when consent was recorded. FreeTSA
4.6 Website Analytics
- Google Analytics - Collects anonymized page views, session duration, and device type on our website. Only activated with your explicit cookie consent. IP anonymization is enabled. Google Analytics Privacy
5. Cookies
Our website uses cookies and similar technologies:
Necessary Cookies
Required for the website to function. These cannot be disabled.
- Authentication tokens (keeping you logged in).
- Security cookies (CSRF protection).
- Cookie consent preferences.
Analytics Cookies
Help us understand how visitors use our website. Only set with your explicit consent.
- Google Analytics (_ga, _gid) - Anonymized page views and session data.
Marketing Cookies
Currently not in use. If introduced in the future, they will require your explicit consent.
You can change your cookie preferences at any time by clicking "Cookies" in the website footer or through your browser settings.
Share Link Pages
Share link pages (cloud.bedroomproducers.app/s/...) do not set any cookies. All visitor analytics are collected server-side without device-side storage. No cookie consent banner is required on these pages.
6. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the following rights:
6.1 Right of Access
You can view your account data at any time through the App or website. You can request a full export of all data we hold about you via GET /auth/export-data or through the App settings.
6.2 Right to Data Portability
You can export all your data as JSON through the account settings. Local app data (audio files, client lists) can be exported as a ZIP backup from the App.
6.3 Right to Rectification
You can update your display name and producer name through the App or website profile settings.
6.4 Right to Erasure (Right to Be Forgotten)
You can delete your account and all associated server-side data via POST /auth/delete-account or through the App settings. This permanently removes:
- Your user account and profile data.
- Your license and device activation records.
- Your email tracking data (tracked emails, opens, clicks).
- Your cloud-uploaded files and share links (including all associated analytics).
- Your consent records.
- Your subscription data.
Data retained after deletion: Audit logs and security events may be retained for up to 2 years for legal compliance and fraud prevention (legitimate interest basis).
Local data: Deleting your account does not automatically delete data stored locally on your computer. To delete local data, remove the Documents\BedroomProducers\data\ directory or use the "Reset App" option in the App settings.
6.5 Right to Withdraw Consent
- OAuth connections: Disconnect any time via App settings. Tokens are revoked at the provider and deleted locally.
- Cookie consent: Change preferences via the website footer.
- Email tracking: You can choose not to use the tracking features.
6.6 Right to Restrict Processing
Contact us at privacy@bedroomproducers.app to request restriction of processing of your personal data.
6.7 Right to Object
You have the right to object to processing based on legitimate interests. Contact us at privacy@bedroomproducers.app.
6.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. If you are in Austria, this is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde).
7. Information for Share Link Visitors
If you are not a registered user but have accessed a share link or submitted your email on an email-gated link:
- What we collect: Your IP address and user agent (for security, retained up to 90 days) and your email address if you submitted it on a gated link.
- Who controls your email: The creator of the share link is the data controller for your email address. Contact them directly regarding how they use it.
- Your rights: You may contact us at privacy@bedroomproducers.app to request deletion of any data we hold about you as a share link visitor. IP and user agent data is automatically purged after 90 days.
- No cookies: We do not set cookies or use any device-side tracking on share link pages.
8. Data Retention
| Data Type | Retention Period |
|-----------|-----------------|
| Account data | Until you delete your account |
| License and device records | Duration of subscription + 30 days |
| Consent records | Retained for legal compliance (duration of service + 6 years) |
| Email tracking data | Until you delete your account |
| Cloud-uploaded files | Until you delete them or your account |
| Share link aggregate stats | Until the share link is deleted |
| Share link visitor events (IP, UA) | Up to 90 days (auto-purged) |
| Share link visitor emails (email-gated) | Until the share link is deleted |
| Security events | Up to 2 years |
| Audit logs | Up to 2 years |
| Webhook event payloads | Up to 1 year |
| OAuth tokens (local) | Until you disconnect or uninstall |
| Local app data | Until you delete it |
| JWT access tokens | 15 minutes (auto-expire) |
| JWT refresh tokens | 7 days (auto-expire) |
| Rate limiting data | Seconds to hours (auto-expire) |
9. International Data Transfers
Our infrastructure is hosted primarily in the United States:
- Railway (API hosting) - US region.
- Neon (PostgreSQL database) - US East (us-east-1).
- Upstash (Redis cache) - US region.
- Cloudflare R2 (file storage) - Globally distributed CDN.
- Google (OAuth) - US-based, operating under EU-US Data Privacy Framework.
- Sentry (error tracking) - US-based, operating under Standard Contractual Clauses.
- Resend (email) - US-based, operating under Standard Contractual Clauses.
For users in the EU/EEA, data transfers to the United States are protected by appropriate safeguards as required by GDPR, including the EU-US Data Privacy Framework and Standard Contractual Clauses.
10. Children's Privacy
BedroomProducers is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete that data promptly.
11. Consent UI Screenshots
When you accept our Terms of Service and Privacy Policy, the App or website may capture a screenshot of the consent user interface. This screenshot:
- Records what was visually displayed to you at the time of acceptance.
- Is stored securely in Cloudflare R2.
- Is hashed (SHA-256) and independently timestamped via RFC 3161.
- Is accessible to you and to our administrators for dispute resolution.
- Is processed under legitimate interest (Art. 6(1)(f)) for legal compliance and dispute resolution.
12. Changes to This Policy
We may update this Privacy Policy. When we make material changes, we will:
- Publish a new version with an updated effective date and version number.
- Prompt re-acceptance in the App and on the Website.
- Send a notification to your registered email address.
Each published version is cryptographically hashed and linked to previous versions in a tamper-evident chain. You can verify the integrity of any version through the consent proof system.
13. Contact Us
For privacy questions, data requests, or to exercise your rights:
- Privacy inquiries: privacy@bedroomproducers.app
- Legal inquiries: legal@bedroomproducers.app
- General support: bedroomproducers.app/support
Data Controller: LUV Music, Johann Kert, Vienna, Austria.