Privacy Policy
Version 1.0 · Last updated: May 2026 · Effective: May 2026
1. Who we are
Insound Music Ltd (“Insound”, “we”, “us”, “our”) is the data controller responsible for your personal data. We are a company registered in England and Wales (Company Number: 17179694).
| Registered name | Insound Music Ltd |
| Company number | 17179694 |
| ICO registration | ZC133088 |
| Contact email | privacy@getinsound.com |
| Website | getinsound.com |
This policy applies to all visitors, fans, and artists who use the Insound website and platform. It explains what personal data we collect, why, how long we keep it, who we share it with, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).
This Privacy Policy forms part of the Terms of Service. Terms defined in the Terms of Service have the same meaning when used in this policy.
2. What data we collect and why
We collect different data depending on how you use Insound. We only collect what is necessary for each purpose.
2.1 Artists
| Data | Purpose |
|---|---|
| Name | Display name on your artist profile and releases |
| Email address | Account login, transactional notifications (sales, payouts), and optional marketing |
| Stripe Connect details | To process and route payments to your Stripe account. Card data is handled entirely by Stripe — we never see or store it |
| Uploaded files (audio, artwork) | To host and deliver your music to buyers |
| Independence confirmation (boolean + timestamp) | To verify eligibility — Insound is restricted to independent artists. We record that you confirmed this and when |
| Sales analytics (amounts, timestamps, buyer count) | To provide your dashboard earnings data and generate aggregate platform statistics |
2.2 Fans
| Data | Purpose |
|---|---|
| Email address (collected at purchase) | To deliver download links, purchase receipts, and optional marketing if you opt in |
| Purchase history (releases bought, amounts, dates) | To provide your collection, re-download access, and generate artist sales reports |
| Pay-what-you-want amounts | To process the transaction at the price you chose |
2.2.1 Fan data shared with Artists
When you purchase music on Insound, your name and email address are shared with the Artist whose music you purchased. This is necessary to fulfil the purchase transaction (UK GDPR Article 6(1)(b) — contractual necessity). The Artist may use this data only to contact you about their own music. The Artist may not sell, share, or use your data for any other purpose. If you believe an Artist has misused your data, contact privacy@getinsound.com.
2.3 All users
| Data | Purpose |
|---|---|
| IP address, browser type, device info | Automatically collected by Cloudflare for security, DDoS protection, and basic analytics. We do not use this to identify individuals |
| localStorage values | To remember view preferences and authentication state. These are not cookies and are not shared with third parties |
3. Legal basis for processing
Under UK GDPR Article 6(1), we rely on the following legal bases:
| Basis | Applies to |
|---|---|
| Consent — Art. 6(1)(a) | Marketing emails. You can withdraw consent at any time via the unsubscribe link in any email or by contacting us |
| Contract — Art. 6(1)(b) | Processing artist and fan data necessary to provide the platform: account creation, file hosting, payment processing, download delivery |
| Legitimate interest — Art. 6(1)(f) | Basic analytics, fraud prevention, platform security, and improving the service. We have conducted Legitimate Interest Assessments for each of these purposes and maintain them on file |
| Legal obligation — Art. 6(1)(c) | Retaining transaction records as required by UK tax and accounting law (HMRC) |
4. How long we keep your data
| Data type | Retention period |
|---|---|
| Artist account data | Duration of your account plus 6 years after deletion (UK tax record-keeping) |
| Fan purchase history | Duration of your account plus 6 years (UK tax/accounting obligations) |
| Uploaded audio files & artwork | Deleted within 90 days of an artist removing a release or closing their account (to allow existing purchasers continued download access as described in the Terms of Service) |
| Stripe Connect details | Managed by Stripe under their retention policy. We store only the Stripe account ID |
| Server logs (IP, device info) | Automatically purged by Cloudflare (typically 72 hours) |
5. Third-party processors
We share personal data only with processors and recipients who are necessary to operate the platform. If we add or replace a sub-processor in a way that materially changes how personal data is processed, we will update this policy and notify registered users by email before the change takes effect.
| Recipient | Purpose | Data shared |
|---|---|---|
| Artists | Purchase fulfilment — so the Artist can contact you about their music (see section 2.2.1) | Fan name, email address |
| Supabase | Database, authentication, file storage | All account data, uploaded files, purchase records |
| Stripe | Payment processing (Stripe Connect) | Artist payout details, fan payment data. Card data goes directly to Stripe |
| Resend | Transactional and marketing email | Email addresses, names |
| Cloudflare | Hosting, CDN, DNS, DDoS protection | IP addresses, request metadata |
We do not sell your personal data to anyone. We do not share data with advertisers. We do not use third-party tracking pixels or advertising networks.
6. International data transfers
Some of our processors may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place:
- UK adequacy decisions for the destination country, or
- Standard Contractual Clauses (SCCs) approved by the ICO, or
- The processor's binding corporate rules
7. Your rights
Under UK GDPR, you have the following rights. To exercise any of them, email privacy@getinsound.com. We will respond within 30 days.
- Right of access (Art. 15) — Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — Ask us to correct inaccurate data.
- Right to erasure (Art. 17) — Ask us to delete your data (“right to be forgotten”).
- Right to restrict processing (Art. 18) — Ask us to limit how we use your data while a dispute is resolved.
- Right to data portability (Art. 20) — Request your data in a structured, machine-readable format (JSON or CSV).
- Right to object (Art. 21) — Object to processing based on legitimate interest.
- Right to withdraw consent — Withdraw consent for marketing at any time via unsubscribe links or by contacting us.
We do not carry out automated decision-making or profiling that produces legal effects.
8. Cookies & local storage
Insound does not use traditional tracking cookies. Here is what we do use:
8.1 localStorage (browser)
| Key | Purpose | Duration |
|---|---|---|
| insound_view_mode | Remembers your compact/expanded view preference | Persistent until cleared |
| insound_exchange_rates | Caches currency exchange rates to reduce API calls | Persistent until cleared |
| insound_genre_done | Records that genre onboarding has been completed | Persistent until cleared |
| insound-visit-count | Counts site visits for PWA install prompt timing | Persistent until cleared |
| insound-install-dismissed | Records when you dismissed the app install banner | 30 days (auto-expires) |
| insound-notif-optin-dismissed | Records that you dismissed the notification opt-in | Persistent until cleared |
| insound-recently-played | Stores your recently played tracks (up to 20) | Persistent until cleared |
| insound-basket | Stores your shopping basket contents | Persistent until cleared |
8.1.1 sessionStorage (browser)
| Key | Purpose | Duration |
|---|---|---|
| insound_verification_dismissed | Hides the email verification banner for this session | Current session only |
| insound_genre_dismissed | Hides genre onboarding for this session | Current session only |
| insound_genre_prompt_dismissed | Hides the genre prompt card for this session | Current session only |
| newsletter-subscribed | Records newsletter signup to avoid repeat prompts | Current session only |
| insound_splash | Records that the PWA splash screen was shown | Current session only |
localStorage values are stored entirely in your browser. They are not sent to our servers, not shared with third parties, and can be cleared at any time via your browser settings.
8.2 Supabase authentication
When you create an account, Supabase stores authentication tokens in localStorage to maintain your session. These tokens are strictly necessary for the platform to function.
8.3 Stripe
Stripe may set cookies on its own domain during checkout. These are governed by Stripe's cookie policy and are strictly necessary for payment security.
8.4 Cloudflare
Cloudflare may set a __cf_bm cookie for bot detection. This is a strictly necessary security cookie exempt from consent requirements under UK PECR.
We do not use Google Analytics, Facebook Pixel, or any third-party advertising or tracking technology.
9. Children's privacy
Insound is for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has provided us with personal data, please contact us and we will delete it promptly.
10. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33.
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by UK GDPR Article 34.
- Document the breach, its effects, and the remedial action taken, regardless of whether notification to the ICO is required.
11. Data protection contact
Insound Music Ltd has not appointed a Data Protection Officer, as we are not required to do so under UK GDPR Article 37. All data protection enquiries, rights requests, and complaints should be directed to:
Email: privacy@getinsound.com
We will respond to all data protection enquiries within 30 days.
12. Changes to this policy
If we make material changes to this policy, we will:
- Update the “last updated” date at the top of this page
- Notify existing users by email where the change affects how their data is processed
- Not retroactively reduce your rights without explicit consent
13. How to contact us or complain
If you have questions about this policy or want to exercise your rights:
Email: privacy@getinsound.com
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
| Website | ico.org.uk/make-a-complaint |
| Helpline | 0303 123 1113 |
| Post | Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |