Legal

Privacy Policy

Last updated: June 2025

This Privacy Policy explains how BuyMyTune collects, uses, stores, and protects your personal data. We operate under UK data protection law, including the UK GDPR and the Data Protection Act 2018.

1. Who is the data controller?

[NEEDS LEGAL REVIEW] Insert registered company name, company number, registered address, and ICO registration number (if applicable) before publishing. Confirm whether a Data Protection Officer (DPO) is required given the scale of processing.

BuyMyTune is the data controller for personal data collected through this platform. If you have questions about how we handle your data, contact us at the address provided at the bottom of this page.

2. What data we collect

We collect the following categories of personal data:

Account data

Email address, display name, and (optionally) profile photo when you register or sign in via Google or email/password.

Artist profile data

Artist name, biography, social links, hero image, banner colour, and tagline you provide when setting up an artist account.

Transaction data

Purchase records, order amounts, VAT applied, PayPal transaction identifiers, and payout history. Card or bank details are held only by PayPal, so we never see them.

Uploaded content

Audio files and artwork you upload as an artist. These are stored in Google Cloud Storage on your behalf.

Usage data

IP address, browser type, pages visited, and session identifiers used for security and platform improvement. Collected via server logs and (where consented) analytics.

Guest session data

If you purchase without creating an account, we store a session identifier (in localStorage) to associate your cart and purchase with your browser session.

4. Third-party processors

[NEEDS LEGAL REVIEW] Audit the full list of sub-processors and confirm DPA agreements are in place with each before publishing. The list below covers known processors but may be incomplete.

We share data with the following third-party processors:

Firebase / Google Cloud (Google LLC)

Authentication, Firestore database, and Cloud Storage. Data may be stored in Google's EU/UK data centres. Governed by Google's Data Processing Addendum.

PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A.)

Payment processing and dispute resolution. PayPal collects and holds payment instrument data under their own privacy policy. We share order amounts and buyer reference identifiers.

OpenAI (OpenAI, LLC)

AI-generated content features (e.g. release description suggestions). We send release metadata (title, genre, track listing) but no buyer personal data to OpenAI's API.

5. Data retention

[NEEDS LEGAL REVIEW] Confirm specific retention periods with legal and finance teams. UK HMRC requires financial records to be kept for 6 years. Confirm whether shorter periods are appropriate for other categories.

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Account data: retained while your account is active, and for up to 12 months after closure;
  • Transaction and payout records: retained for 6 years to comply with UK tax and financial record-keeping requirements;
  • Uploaded audio and artwork: retained while the release is active; deleted promptly if the release is removed and no buyer entitlements depend on it;
  • Usage/log data: retained for up to 90 days for security and debugging purposes.

6. Your rights

Under UK GDPR you have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you;
  • Rectification: ask us to correct inaccurate or incomplete data;
  • Erasure: request deletion of your data where we no longer have a lawful basis to hold it;
  • Restriction: ask us to limit how we use your data in certain circumstances;
  • Portability: receive your data in a machine-readable format;
  • Objection: object to processing based on legitimate interests;
  • Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us using the details below. We will respond within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Data export and deletion

[NEEDS LEGAL REVIEW] Confirm the self-service data export and account deletion process before publishing. Describe the mechanism (e.g. account settings page) if one exists, or direct users to contact support.

You can request an export of your personal data or ask us to delete your account by contacting us at the address below. We will process deletion requests within 30 days, subject to any retention obligations we must fulfil under law (for example, VAT records).

8. Cookies and local storage

[NEEDS LEGAL REVIEW] Conduct a full cookie audit and confirm which storage mechanisms require PECR consent. The guest cart session key in localStorage likely does not require consent (functional necessity) but analytics cookies do.

We use browser localStorage to maintain guest shopping cart sessions and your authentication state. We may also use cookies for security, session management, and (with your consent) analytics.

You can clear localStorage and cookies at any time using your browser settings. Doing so will sign you out and clear any guest cart data.

9. Security

We protect your data using industry-standard measures including encrypted connections (HTTPS/TLS), server-side authentication token verification (Firebase Admin SDK), signed time-limited download URLs for stored files, and request rate limiting to prevent abuse.

Despite these measures, no internet service can guarantee absolute security. If you believe your account has been compromised, contact us immediately.

10. Contact

[NEEDS LEGAL REVIEW] Insert a dedicated privacy contact email address (e.g. privacy@buymytune.co.uk) and/or postal address before publishing.

For data protection queries, requests to exercise your rights, or complaints, contact us at: [privacy contact, NEEDS LEGAL REVIEW]