Legal
Last updated: June 2025
This Privacy Policy explains how BuyMyTune collects, uses, stores, and protects your personal data. We operate under UK data protection law, including the UK GDPR and the Data Protection Act 2018.
BuyMyTune is the data controller for personal data collected through this platform. If you have questions about how we handle your data, contact us at the address provided at the bottom of this page.
We collect the following categories of personal data:
Account data
Email address, display name, and (optionally) profile photo when you register or sign in via Google or email/password.
Artist profile data
Artist name, biography, social links, hero image, banner colour, and tagline you provide when setting up an artist account.
Transaction data
Purchase records, order amounts, VAT applied, PayPal transaction identifiers, and payout history. Card or bank details are held only by PayPal, so we never see them.
Uploaded content
Audio files and artwork you upload as an artist. These are stored in Google Cloud Storage on your behalf.
Usage data
IP address, browser type, pages visited, and session identifiers used for security and platform improvement. Collected via server logs and (where consented) analytics.
Guest session data
If you purchase without creating an account, we store a session identifier (in localStorage) to associate your cart and purchase with your browser session.
We process your personal data on the following legal bases:
We share data with the following third-party processors:
Firebase / Google Cloud (Google LLC)
Authentication, Firestore database, and Cloud Storage. Data may be stored in Google's EU/UK data centres. Governed by Google's Data Processing Addendum.
PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A.)
Payment processing and dispute resolution. PayPal collects and holds payment instrument data under their own privacy policy. We share order amounts and buyer reference identifiers.
OpenAI (OpenAI, LLC)
AI-generated content features (e.g. release description suggestions). We send release metadata (title, genre, track listing) but no buyer personal data to OpenAI's API.
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
Under UK GDPR you have the following rights regarding your personal data:
To exercise any of these rights, contact us using the details below. We will respond within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
You can request an export of your personal data or ask us to delete your account by contacting us at the address below. We will process deletion requests within 30 days, subject to any retention obligations we must fulfil under law (for example, VAT records).
We protect your data using industry-standard measures including encrypted connections (HTTPS/TLS), server-side authentication token verification (Firebase Admin SDK), signed time-limited download URLs for stored files, and request rate limiting to prevent abuse.
Despite these measures, no internet service can guarantee absolute security. If you believe your account has been compromised, contact us immediately.
For data protection queries, requests to exercise your rights, or complaints, contact us at: [privacy contact, NEEDS LEGAL REVIEW]
See also: Terms of Service · Copyright Policy · Acceptable Use Policy
Questions? Contact us.